EasyManuals Logo
Home>HPE>Network Router>FlexNetwork MSR Series

HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #352 background imageLoading...
Page #352 background image
339
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Specify the default filtering
action of the firewall.
firewall ipv6 default
{
deny
|
permit
}
Optional.
permit
(permit packets to pass
the firewall) by default.
Enabling fragment inspection
Exact match can be implemented only after fragment inspection is enabled. In doing so, packet-filter
firewall records the status of the fragment and performs exact match to information of layer 3 or
above based on advanced ACL rules.
The packet-filter firewall records the status of fragments at the price of system resource consumption.
If exact match is not required, you can disable fragments inspection to improve system performance
and reduce system overhead.
Enabling IPv4 fragment inspection
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable IPv4 fragment inspection.
firewall fragments-inspect
Disabled by default.
Enabling IPv6 fragment inspection
After this function is enabled, if the first fragment is discarded when the IPv6 fragments of all
interfaces match against IPv6 ACL, all the non-first fragments will be discarded too. If not, the
protocol information carried in the first fragment will be added into the non-first fragments before the
matching procedure starts.
To enable the IPv6 fragment inspection function:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable IPv6 fragment
inspection.
firewall ipv6 fragments-inspect
Disabled by default.
Configuring the high and low thresholds for fragment
inspection
If fragment inspection is enabled and exact match is applied, the efficiency of packet filtering might
reduce, especially when matching items are numerous. Therefore, it is necessary to set the high and
low thresholds for fragment inspection. Thus, when the number of fragment status recorded reaches
the upper limit, earlier items can be deleted (from the earliest) until the number reduces to the lower
limit.
To configure the high and low thresholds for fragment inspection:
Step Command Remarks
1. Enter system view.
system-view
N/A

Table of Contents

Other manuals for HPE FlexNetwork MSR Series

Preview: Configuration Guide
Configuration Guide861 pages
Preview: Comware 7 Layer 3 - Ip Services Configuration Guides
Comware 7 Layer 3 - Ip Services Configuration Guides554 pages
Preview: Guide
Guide213 pages
Preview: Command Reference
Command Reference120 pages
Preview: Comware 5 Layer 2 - Wan Access Configuration Guide
Comware 5 Layer 2 - Wan Access Configuration Guide420 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the HPE FlexNetwork MSR Series and is the answer not in the manual?

HPE FlexNetwork MSR Series Specifications

General IconGeneral
BrandHPE
ModelFlexNetwork MSR Series
CategoryNetwork Router
LanguageEnglish

Related product manuals