• Absolute time range—Represents only a period of time and does not recur.
IPv4 fragments filtering with ACLs
Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To improve network security, an ACL filters all packets by default, including fragments and
non-fragmented packets. To improve match efficiency, you can modify ACL rules. For
example, you can configure ACL rules to filter non-first fragments only.
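The following Python model contrasts the two behaviours described above on constructed packet headers. It is an added illustration, not code from the device or from this manual; the rule tuple layout, the `legacy` switch, the permit-on-no-match default and the sample addresses are assumptions made for the example.

```python
import ipaddress
import struct

def make_header(src: str, more_fragments: bool, offset: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    flags_offset = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_offset, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address("192.0.2.1").packed)

def fragment_kind(packet: bytes) -> str:
    """Classify a packet as 'whole', 'first' or 'non-first'."""
    (flags_offset,) = struct.unpack("!H", packet[6:8])
    if flags_offset & 0x1FFF:                              # non-zero fragment offset
        return "non-first"
    return "first" if flags_offset & 0x2000 else "whole"   # MF flag set?

def evaluate(packet: bytes, rules, legacy: bool = False) -> str:
    """Return 'permit' or 'deny' for one packet.

    rules:  list of (action, source_network, fragments_only) tuples; this
            layout is hypothetical and only models the behaviour in the text.
    legacy: True models traditional filtering, where non-first fragments
            are never matched and always pass.
    """
    kind = fragment_kind(packet)
    if legacy and kind == "non-first":
        return "permit"
    src = ipaddress.IPv4Address(packet[12:16])
    for action, network, fragments_only in rules:
        if fragments_only and kind != "non-first":
            continue                   # rule restricted to non-first fragments
        if src in ipaddress.ip_network(network):
            return action
    return "permit"                    # assumption: no matching rule permits

if __name__ == "__main__":
    rules = [("deny", "198.51.100.0/24", False)]
    later = make_header("198.51.100.7", False, 185)   # constructed non-first fragment
    print("traditional:", evaluate(later, rules, legacy=True))
    print("default ACL:", evaluate(later, rules))
```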
Configuration guidelines
When you configure an ACL, follow these guidelines:
• You cannot add a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you can choose to change just some of the settings, in which
case the other settings remain the same.
Recommended ACL configuration procedures
Recommended IPv4 ACL configuration procedure
Step | Remarks
1. | Optional. Add a time range. A rule referencing a time range takes effect only during the specified time range.
2. | Required. Add an IPv4 ACL. The category of the added ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv4 ACL | Required. Complete one of the following tasks according to the ACL category.
4. Configuring a rule for an advanced IPv4 ACL. |
5. Configuring a rule for an Ethernet frame header ACL. |
Recommended IPv6 ACL configuration procedure
Step | Remarks
1. | Optional. Add a time range. A rule referencing a time range takes effect only during the specified time range.
2. | Required. Add an IPv6 ACL. The category of the added IPv6 ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv6 ACL | Required.