IP Fragments Filtering with IPv4 ACL, IPv4 ACL Acceleration, Configuring an ACL – H3C Technologies H3C SecPath F1000-E User Manual

Page 482: Configuration task list


IP Fragments Filtering with IPv4 ACL

Traditional packet filtering performs match operations on only the first fragments. All subsequent non-first fragments are allowed to pass through. As attackers may fabricate non-first fragments to attack your network, this results in security risks. To address these risks, IPv4 ACLs on the firewall support:

• IP-based filtering on all fragments.

• Standard match and exact match of ACLs containing advanced information such as TCP/UDP port number and ICMP type. The default is standard match.

NOTE:

Standard match considers only Layer 3 attributes.

Exact match considers all ACL rule criteria.

These two ACL rule matching approaches are available only on firewalls.
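The following Python model, added here as an illustration and not part of the H3C manual or the device's code, shows why non-first fragments matter: they carry no Layer 4 header, so traditional filtering waves them through, standard match can only compare Layer 3 attributes, and exact match refuses to satisfy a port criterion it cannot verify. The rules, packets and the implicit default-deny are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL: (action, src_net, dst_net, proto, dst_port or None)
RULES = [
    ("permit", "10.0.0.0/8", "192.0.2.10/32", "tcp", 443),
    ("deny",   "10.0.0.0/8", "192.0.2.10/32", "tcp", None),
]
DEFAULT_ACTION = "deny"  # assumption: implicit deny when no rule matches

# Constructed sample packets (not captured traffic). A non-first fragment
# has frag_offset != 0 and no transport header, so dport is None.
FIRST_FRAG_SSH = {"src": "10.1.1.5", "dst": "192.0.2.10", "proto": "tcp",
                  "frag_offset": 0, "dport": 22}
NONFIRST_FRAG = {"src": "10.1.1.5", "dst": "192.0.2.10", "proto": "tcp",
                 "frag_offset": 185, "dport": None}

def rule_matches(rule, pkt, mode):
    """Evaluate one rule under the page's two matching approaches."""
    action, src, dst, proto, dport = rule
    # Layer 3 criteria are present on every fragment.
    if ip_address(pkt["src"]) not in ip_network(src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    if pkt["proto"] != proto:
        return False
    if dport is None:            # rule carries no Layer 4 criterion
        return True
    if pkt["frag_offset"] == 0:  # first fragment carries the L4 header
        return pkt["dport"] == dport
    # Non-first fragment: nothing to compare the port against.
    # Standard match considers only Layer 3, so the rule still matches;
    # exact match requires every criterion, so it cannot.
    return mode == "standard"

def filter_packet(pkt, mode="standard", fragment_aware=True):
    """Return the ACL action for a packet.

    fragment_aware=False models the traditional behaviour described on the
    page: only first fragments are matched, all non-first fragments pass.
    """
    if not fragment_aware and pkt["frag_offset"] != 0:
        return "permit"
    for rule in RULES:
        if rule_matches(rule, pkt, mode):
            return rule[0]
    return DEFAULT_ACTION
```

With fragment-aware filtering, the non-first fragment is permitted under standard match (it matches the port-443 rule on Layer 3 alone) but denied under exact match, which is the trade-off the NOTE above describes.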

IPv4 ACL Acceleration

Session-based service processing usually performs policy matching for the first packets and processes the subsequent packets based on the additional session information maintained. This accelerates the processing of subsequent packets but cannot improve the matching speed of the first packets. When a large number of users try to connect to the device at the same time, an ACL rule search is performed before each connection is established. If the ACL contains a large number of rules, the search process may take a very long time. As a result, user connections may not be established for a very long time.

The ACL acceleration feature can speed up the matching process of an ACL that contains a large number of rules, improving the forwarding performance and connection setup performance of the device:

• Without ACL acceleration: The system performs a linear search on all rules for packet matching. If the ACL has a large number of rules and one of the last ones is matched, the matching performance will be very low.

• With ACL acceleration: The system reorganizes and saves the rules using four levels of hash tables, which is called a quick lookup database. This mechanism can improve the matching speed dramatically.

As a quick lookup database uses system memory, it is recommended that you enable ACL acceleration only when there are a large number of ACL rules (for example, more than 1000 rules). If the ACL has only a small number of rules, enabling ACL acceleration helps little in improving matching speed but will consume a great deal of memory.

Configuring an ACL

Configuration Task List

Perform the tasks in Table 2 to configure an ACL.