Effective Period Of An Ipv4 Acl; Ip Fragments Filtering With Ipv4 Acl; Introduction To Ipv6 Acl; Ipv6 Acl Classification - H3C S5500-EI series Operation Manual

Operation Manual – ACL
H3C S5500-EI Series Ethernet Switches
newly defined rule will get a number of 30. If the ACL has no rule defined already, the
first defined rule will get a number of 0.
Another benefit of using the step is that it allows you to insert new rules between
existing ones as needed. For example, after creating four rules numbered 0, 5, 10, and
15 in an ACL with a step of five, you can insert a rule numbered 1.

1.2.5 Effective Period of an IPv4 ACL

You can control when a rule takes effect by referencing a time range in the rule.
A referenced time range can be one that has not been created yet. The rule, however,
can take effect only after the time range is defined and becomes active.

1.2.6 IP Fragments Filtering with IPv4 ACL

Traditional packet filtering performs match operations on first fragments only, rather
than on all IP fragments. All subsequent non-first fragments are handled in the way the
first fragments are handled. This poses a security risk, as attackers may fabricate
non-first fragments to attack your network.
When you configure a rule of an IPv4 ACL, the fragment keyword specifies that the rule
applies to non-first fragment packets only, and does not apply to non-fragment packets
or first fragment packets. ACL rules that do not contain this keyword are applicable to
both non-fragment packets and fragment packets.
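
The fragment keyword semantics described above, modeled in Python as an added example (not H3C code and not part of the original manual). It assumes rules are tried in ascending rule number and match only on the IP protocol and the fragment keyword; Rule, evaluate, make_header and the sample headers are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MF_FLAG = 0x2000      # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units

def fragment_kind(header: bytes) -> str:
    """Classify an IPv4 header as 'non-fragment', 'first' or 'non-first'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    (flags_off,) = struct.unpack_from("!H", header, 6)
    if flags_off & OFFSET_MASK:
        return "non-first"          # offset > 0: carries no Layer 4 header
    return "first" if flags_off & MF_FLAG else "non-fragment"

@dataclass
class Rule:
    number: int
    action: str                     # "permit" or "deny"
    protocol: Optional[int] = None  # IP protocol number; None matches any
    fragment: bool = False          # True models the fragment keyword

def rule_matches(rule: Rule, header: bytes) -> bool:
    if rule.protocol is not None and header[9] != rule.protocol:
        return False
    # With the keyword: non-first fragments only. Without it: every packet.
    return fragment_kind(header) == "non-first" if rule.fragment else True

def evaluate(rules, header: bytes):
    """Return (rule number, action) of the first match, or None."""
    for rule in sorted(rules, key=lambda r: r.number):  # assumed match order
        if rule_matches(rule, header):
            return rule.number, rule.action
    return None

def make_header(flags_off: int, proto: int = 17) -> bytes:
    """Constructed sample header (10.0.0.1 -> 10.0.0.2, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, flags_off, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed ACL: drop non-first UDP fragments, permit everything else.
ACL = [Rule(0, "deny", protocol=17, fragment=True), Rule(5, "permit")]

if __name__ == "__main__":
    for label, fo in [("whole packet", 0), ("first fragment", MF_FLAG),
                      ("middle fragment", MF_FLAG | 185), ("last fragment", 370)]:
        print(label, fragment_kind(make_header(fo)), evaluate(ACL, make_header(fo)))
```

The last fragment has the MF bit clear but a non-zero offset, so it is still classified as non-first and hits the rule carrying the fragment keyword.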

1.3 Introduction to IPv6 ACL

This section covers these topics:

IPv6 ACL Classification
IPv6 ACL Naming
IPv6 ACL Match Order
IPv6 ACL Step
Effective Period of an IPv6 ACL

1.3.1 IPv6 ACL Classification

IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2.

Table 1-2 IPv6 ACL categories

Category            ACL number     Matching criteria
Basic IPv6 ACL      2000 to 2999   Source IPv6 address
Advanced IPv6 ACL   3000 to 3999   Source IPv6 address, destination IPv6 address, protocol carried on IPv6, and other Layer 3 or Layer 4 protocol header fields
