Automatic rule numbering and renumbering, Fragments filtering with acls, Acl configuration task list – H3C Technologies H3C SecBlade NetStream Cards User Manual
Automatic rule numbering and renumbering
When you add a rule without specifying a rule ID, the system assigns it the smallest multiple of the numbering step that is greater than the current highest rule ID in the ACL. The sequence starts at 0.
For example, if the numbering step is 5 (the default) and the ACL already contains five rules numbered 0, 5, 9, 10, and 12, the new rule is numbered 15. If the ACL contains no rules, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules
numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,
4, 6 and 8.
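The following Python model is an added example, not code from the H3C manual or the SecBlade software. It reproduces the two behaviours described above (next-ID assignment and renumbering on a step change) so that you can check what IDs a rule will receive before you script changes against an ACL. The function names and the `step` default are assumptions for this illustration.

```python
# Added example (not H3C code): models automatic ACL rule numbering and the
# renumbering that happens when the numbering step changes.


def next_rule_id(existing_ids, step=5):
    """Return the ID the system assigns to a newly added rule.

    The new ID is the smallest multiple of `step` that is strictly greater
    than the current highest rule ID.  An ACL with no rules starts at 0.
    Manually assigned IDs (9, 13, ...) need not be multiples of the step;
    only the highest ID matters.
    """
    if step <= 0:
        raise ValueError("numbering step must be positive")
    if not existing_ids:
        return 0
    highest = max(existing_ids)
    return (highest // step + 1) * step


def renumber(existing_ids, new_step):
    """Return a mapping {old_id: new_id} after the step is changed.

    Rules keep their relative order and are renumbered 0, step, 2*step, ...
    Any manually chosen gaps or non-multiples are discarded.
    """
    if new_step <= 0:
        raise ValueError("numbering step must be positive")
    ordered = sorted(set(existing_ids))
    return {old: index * new_step for index, old in enumerate(ordered)}


if __name__ == "__main__":
    # The two worked examples from the text (constructed input).
    print(next_rule_id([0, 5, 9, 10, 12]))       # 15
    print(next_rule_id([]))                      # 0
    print(renumber([5, 10, 13, 15, 20], 2))      # {5: 0, 10: 2, 13: 4, 15: 6, 20: 8}
```

A practical caveat the mapping makes visible: after a step change every rule ID moves, so any automation, change ticket, or monitoring that refers to rules by ID (for example, "delete rule 13") must be updated from the old-to-new mapping before it is run again.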
Fragments filtering with ACLs
Traditional packet filtering examines only the first fragment of each packet and lets every non-first fragment pass unchecked. An attacker can therefore fabricate non-first fragments to reach hosts that the filter is meant to protect.
To avoid this risk, the H3C ACL implementation:
• Filters all fragments by default, including non-first fragments.
• Lets you modify the match criteria, for example to filter non-first fragments only.
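The model below is an added example, not H3C code; it shows why "first fragment only" filtering is unsafe and what "match non-first fragments only" means. It simulates a source-address rule (the only criterion an IPv4 basic ACL uses) applied by two filters: a traditional one that skips non-first fragments, and one that evaluates every fragment. The packet and rule structures, the `fragment_only` flag, and the permit-by-default behaviour are assumptions of this illustration, not a description of the SecBlade match order or defaults.

```python
# Added example (not H3C code): compares a first-fragment-only filter with a
# filter that evaluates every fragment of a packet.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    frag_offset: int      # IPv4 Fragment Offset (8-byte units); 0 = first fragment
    more_fragments: bool  # IPv4 MF flag

    @property
    def non_first(self) -> bool:
        # Any fragment whose offset is non-zero is a non-first fragment.
        return self.frag_offset > 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    source: str                   # source prefix, e.g. "192.168.1.0/24"
    fragment_only: bool = False   # assumed flag: match non-first fragments only

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source):
            return False
        if self.fragment_only and not pkt.non_first:
            return False
        return True


def first_match(rules, pkt: Packet, default: str) -> str:
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def traditional_filter(rules, pkt: Packet, default: str = "permit") -> str:
    """Inspects first fragments only; every non-first fragment is passed."""
    if pkt.non_first:
        return "permit"
    return first_match(rules, pkt, default)


def fragment_aware_filter(rules, pkt: Packet, default: str = "permit") -> str:
    """Evaluates every fragment, first or not, against the rule list."""
    return first_match(rules, pkt, default)


def demo() -> dict:
    """Constructed traffic: a denied source sends a first and a non-first fragment."""
    rules = [Rule("deny", "192.168.1.0/24")]
    first = Packet("192.168.1.7", frag_offset=0, more_fragments=True)
    rest = Packet("192.168.1.7", frag_offset=185, more_fragments=False)
    return {
        "traditional_first": traditional_filter(rules, first),     # deny
        "traditional_rest": traditional_filter(rules, rest),       # permit: the gap
        "aware_first": fragment_aware_filter(rules, first),        # deny
        "aware_rest": fragment_aware_filter(rules, rest),          # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "traditional_rest" verdict is the weakness the text describes: a fabricated non-first fragment from a denied source sails through. A rule with `fragment_only=True` is the other option mentioned above; it matches non-first fragments only, so first fragments fall through to later rules or the default.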
ACL configuration task list
Complete the following tasks to configure an ACL:
Task                                            Remarks
Configuring an ACL:
  Configuring an IPv4 basic ACL                 Required. Configure at least one task.
  Configuring an IPv4 advanced ACL
  Configuring an Ethernet frame header ACL
Enabling ACL acceleration for an IPv4 ACL       Optional
(task name not recovered)                       Optional
(task name not recovered)                       Optional
Configuring an ACL
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
Follow these steps to configure an IPv4 basic ACL:
To do...                 Use the command...      Remarks
Enter system view        system-view             --