IPv4 fragments filtering with ACLs
Traditional packet filtering matched only the first fragments of IPv4 packets and allowed all subsequent non-first fragments to pass through. This mechanism resulted in security risks, because attackers may fabricate non-first fragments to attack networks.
To avoid these risks, the H3C ACL implementation:
Filters all fragments by default, including non-first fragments.
Provides standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules.
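The following Python is an added example, not H3C code, that models the two match modes on constructed packets: only the first fragment carries the TCP ports, so a rule with a destination port is applied to a non-first fragment on Layer 3 attributes alone in standard mode, while in exact mode every rule attribute must be present and the fragment cannot match. The rule dictionary format, the packet builder and the treatment of the missing Layer 4 header are this example's own assumptions.

```python
import ipaddress
import struct

# Constructed rule modelled on an advanced ACL entry carrying an L4 port
# (TCP to 198.51.100.0/24, destination port 23). Dict format is this example's own.
RULE = {"proto": 6, "dst": "198.51.100.0/24", "dport": 23}

def build_ipv4(src, dst, proto, frag_offset, more_frags, payload):
    """Build a minimal IPv4 packet; frag_offset is in 8-byte units."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return L3 fields and fragment status; L4 ports exist only in first fragments."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl, flags_frag, proto = (f[0] & 0x0F) * 4, f[4], f[6]
    offset, mf = flags_frag & 0x1FFF, bool(flags_frag & 0x2000)
    info = {"dst": str(ipaddress.IPv4Address(f[9])), "proto": proto,
            "non_first": offset != 0, "fragment": mf or offset != 0,
            "sport": None, "dport": None}
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def rule_matches(rule, info, exact):
    """Standard: L3 only on non-first fragments. Exact: every rule attribute must match."""
    if rule.get("proto") is not None and rule["proto"] != info["proto"]:
        return False
    if rule.get("dst") and ipaddress.ip_address(info["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    l4_keys = [k for k in ("sport", "dport") if rule.get(k) is not None]
    if not l4_keys:
        return True          # pure L3 rule: identical result in both modes
    if info["non_first"]:
        return not exact     # no L4 header: standard ignores it, exact cannot be satisfied (assumption)
    return all(rule[k] == info[k] for k in l4_keys)

# Constructed sample traffic: a fragmented Telnet segment to 198.51.100.5.
FIRST_FRAG = build_ipv4("192.0.2.10", "198.51.100.5", 6, 0, True,
                        struct.pack("!HH", 40000, 23) + b"\x00" * 20)
NON_FIRST_FRAG = build_ipv4("192.0.2.10", "198.51.100.5", 6, 3, False, b"\x00" * 16)
OTHER_HOST = build_ipv4("192.0.2.10", "203.0.113.7", 6, 3, False, b"\x00" * 16)

def matches(pkt, exact):
    return rule_matches(RULE, parse_ipv4(pkt), exact)

if __name__ == "__main__":
    for name, pkt in (("first", FIRST_FRAG), ("non-first", NON_FIRST_FRAG)):
        print(name, "standard:", matches(pkt, False), "exact:", matches(pkt, True))
```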
ACL configuration task list
IPv4 ACL configuration task list
Complete the following tasks to configure an IPv4 ACL:
Creating a time range (Optional)
The following four tasks are required; configure at least one of them:
Configuring a WLAN ACL
Configuring an IPv4 basic ACL
Configuring an IPv4 advanced ACL
Configuring an Ethernet frame header ACL
Copying an IPv4 ACL (Optional)
IPv6 ACL configuration task list
Complete the following tasks to configure an IPv6 ACL:
Creating a time range (Optional)
The following two tasks are required; configure at least one of them:
Configuring an IPv6 basic ACL
Configuring an IPv6 advanced ACL
Copying an IPv6 ACL (Optional)