340
Step Command Remarks
2. Configure the high and low
thresholds for fragment
inspection.
firewall
fragments-inspect
[
high
|
low
] { number
|
default
}
Optional.
By default, the high threshold for
the number of fragment status
records is 2000, and the low
threshold for the number of
fragment status records is 1500.
Configuring packet filtering on an interface
Perform this task to apply ACLs to an interface to filter packets on the interface. When an ACL is
applied to an interface, the time range-based filtering will also work at the same time. You can specify
separate access rules for inbound and outbound packets.
Basic ACLs match packets based only on source IP addresses.
Advanced ACLs match packets based on source IP addresses, destination IP addresses, packet
priorities, protocols over IP, and other protocol header information, such as TCP/UDP source and
destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol
header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN
priority), and link layer protocol type.
An advanced ACL supports the following match modes:
• Normal match—Matches Layer 3 information. Non-layer 3 information is ignored. The default
mode is normal match mode.
• Exact match—Matches all advanced ACL rules. For this reason, you must enable fragment
inspection for the firewall to record the status of the first fragment of each packet and obtain the
match information of the subsequent fragments.
Follow these restrictions and guidelines when you configure packet filtering on an interface:
• You cannot enable packet filtering on a member interface of an aggregation group. If an
interface is enabled with packet filtering, you cannot add the interface to an aggregation group.
• You can apply only one ACL to filter packets in one direction of an interface.
Configuring IPv4 packet filtering on an interface
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Configure IPv4 packet
filtering on an interface.
firewall packet-filter
{ acl-number |
name
acl-name }
{
inbound
|
outbound
}
[
match-fragments
{
exactly
|
normally
} ]
IPv4 packets are not filtered by
default.
Configuring IPv6 packet filtering on an interface
IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet
filtering in the inbound or outbound direction of an interface so that the interface filters packets that
match the IPv6 ACL rules.
You can apply only one IPv6 ACL to filter packets in one direction of an interface.
To configure IPv6 packet filtering on an interface:
To Next Page
Loading...
Need help?
General
