Introduction to IPv6 ACL; Effective Period of an IPv4 ACL; IP Fragments Filtering with IPv4 ACL; IPv6 ACL Classification - H3C S7500E Series Operation Manual

Operation Manual – ACL
H3C S7500E Series Ethernet Switches
II. Benefits of using the step
With the step and rule numbering/renumbering mechanism, you do not need to assign
rule numbers when defining rules. The system assigns a newly defined rule a
number that is the smallest multiple of the step bigger than the currently biggest number.
For example, with a step of five, if the biggest number is currently 28, the newly defined
rule will get a number of 30. If the ACL has no rule defined already, the first defined rule
will get a number of 0.
Another benefit of using the step is that it allows you to insert new rules between
existing ones as needed. For example, after creating four rules numbered 0, 5, 10, and
15 in an ACL with a step of five, you can insert a rule numbered 1.

1.2.5 Effective Period of an IPv4 ACL

You can control when a rule can take effect by referencing a time range in the rule.
A referenced time range can be one that has not been created yet. The rule, however,
can take effect only after the time range is defined and becomes active.

1.2.6 IP Fragments Filtering with IPv4 ACL

Traditional packet filtering matches only the first fragment of a packet rather than all
of its IP fragments. All subsequent non-first fragments are handled in the way the first
fragments are handled. This creates a security risk, as attackers may fabricate non-first
fragments to attack your network.
A rule defined with the fragment keyword applies only to IP fragments. Note that a rule
defined with the fragment keyword matches non-last IP fragments on SA Series
LPUs (line processing units) (for example, LSQ1FP48SA) or EA Series LPUs (for
example, LSQ1GP12EA), while it matches non-first IP fragments on SC Series LPUs
(for example, LSQ1GP24SC). For detailed information about types of LPUs, refer to the
installation manual.
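
The following Python sketch is an added example, not part of the H3C manual or the switch software. It classifies IPv4 headers by fragment position and shows which positions a rule with the fragment keyword would match on each LPU series. It assumes "non-last" means the More Fragments flag is set and "non-first" means a non-zero fragment offset; the function names and sample headers are constructed for illustration.

```python
import struct

MF_FLAG = 0x2000      # More Fragments bit in the flags/offset field
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units

def build_ipv4_header(offset_units, more_fragments, ident=0x1234):
    """Constructed sample: 20-byte IPv4/UDP header, checksum left at 0."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, flags_frag,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def classify(header):
    """Return 'unfragmented', 'first', 'middle' or 'last'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    more = bool(flags_frag & MF_FLAG)
    offset = flags_frag & OFFSET_MASK
    if offset == 0:
        return "first" if more else "unfragmented"
    return "middle" if more else "last"

# Positions matched by the fragment keyword, per the manual text above.
# Assumption: non-last = MF set, non-first = offset != 0.
FRAGMENT_KEYWORD_MATCHES = {
    "SA/EA": {"first", "middle"},  # non-last fragments
    "SC": {"middle", "last"},      # non-first fragments
}

def fragment_rule_matches(header, lpu_series):
    """True if a fragment-keyword rule would match this header on the LPU."""
    return classify(header) in FRAGMENT_KEYWORD_MATCHES[lpu_series]

def carries_l4_start(header):
    """Only offset 0 holds the start of the transport header, so port
    fields are absent from every non-first fragment."""
    return classify(header) in ("first", "unfragmented")

if __name__ == "__main__":
    samples = {"first": (0, True), "middle": (185, True),
               "last": (370, False), "whole": (0, False)}
    for name, (off, mf) in samples.items():
        hdr = build_ipv4_header(off, mf)
        print(name, classify(hdr), carries_l4_start(hdr),
              {s: fragment_rule_matches(hdr, s) for s in FRAGMENT_KEYWORD_MATCHES})
```

Under these assumptions, a last fragment is not matched by the fragment keyword on SA/EA Series LPUs and a first fragment is not matched on SC Series LPUs, so the same ACL covers different traffic depending on the card type.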

1.3 Introduction to IPv6 ACL

This section covers these topics:

IPv6 ACL Classification
IPv6 ACL Naming
IPv6 ACL Match Order
IPv6 ACL Step
Effective Period of an IPv6 ACL

1.3.1 IPv6 ACL Classification

IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2.

Chapter 1 ACL Overview
