R3303-HP HSR6800 Routers Security Configuration Guide

Step 2. Specify the default filtering action of the firewall.
    Command:
        In standalone mode:
            firewall default { deny | permit } { all | slot slot-number }
        In IRF mode:
            firewall default { deny | permit } { all | chassis chassis-number slot slot-number }
    Remarks:
        Optional.
        permit (permit packets to pass the firewall) by default.
        Use the deny action with caution. If you specify the deny action, routing protocol packets are denied, resulting in network disconnectivity.
IPv6 application
To configure the default filtering action of the IPv6 firewall:
Step 1. Enter system view.
    Command:
        system-view
    Remarks:
        N/A
Step 2. Specify the default filtering action of the firewall.
    Command:
        firewall ipv6 default { deny | permit }
    Remarks:
        Optional.
        permit (permit packets to pass the firewall) by default.
        Use the deny action with caution. If you specify the deny action, routing protocol packets are denied, resulting in network disconnectivity.
Configuring packet filtering on an interface
When an ACL is applied to an interface, time range-based filtering also takes effect. In addition, you can specify separate access rules for inbound and outbound packets.
The effective range for basic ACL numbers is 2000 to 2999. A basic ACL defines rules based only on Layer 3 source IP addresses to analyze and process data packets.
The effective range for advanced ACL numbers is 3000 to 3999. An advanced ACL defines rules according to the source and destination IP addresses of packets, the type of protocol over IP, TCP/UDP source and destination ports, and so on.
You cannot enable packet filtering on an aggregation member port. You cannot add an interface with packet filtering enabled to an aggregation group.
Configuring IPv4 packet filtering on an interface
Step 1. Enter system view.
    Command:
        system-view
    Remarks:
        N/A
Step 2. Enter interface view.
    Command:
        interface interface-type interface-number
    Remarks:
        N/A
Step 3. Configure IPv4 packet filtering on an interface.
    Command:
        firewall packet-filter { acl-number | name acl-name } { inbound | outbound }
    Remarks:
        IPv4 packets are not filtered by default.
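The deny caveat and the ACL number ranges above can be checked against a saved configuration before it is applied. The script below is an added example, not part of the guide or of HP's tooling: it flags inbound packet-filter bindings whose ACL has no permit rule for the routing protocol while the default action is deny, and bindings whose ACL number is outside 2000 to 3999. The sample configuration, the `acl number` and `rule permit` syntax, the interface names and the choice of OSPF are assumptions.

```python
import re

# Constructed sample config, not from a real device. The "acl number" and
# "rule permit <protocol>" lines are assumed ACL syntax; the firewall commands
# and the 2000-3999 ACL number range are the ones given in the guide.
SAMPLE = """\
firewall default deny all
acl number 3000
 rule permit tcp destination-port eq 22
acl number 3001
 rule permit ospf
 rule permit tcp destination-port eq 443
interface GigabitEthernet1/0/1
 firewall packet-filter 3000 inbound
interface GigabitEthernet1/0/2
 firewall packet-filter 3001 inbound
interface GigabitEthernet1/0/3
 firewall packet-filter 4000 outbound
"""

def audit(config, routing_protocol="ospf"):
    """Flag packet-filter bindings that conflict with the guide's caveats."""
    permits, bindings, view, default_deny = {}, [], "none", False
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        line = raw.strip()
        if not raw.startswith(" "):
            view = line  # an unindented line opens a new view
        if re.match(r"firewall default deny\b", line):
            default_deny = True
        elif m := re.match(r"acl number (\d+)", line):
            permits[m.group(1)] = set()
        elif m := re.match(r"rule permit (\S+)", line):
            permits.setdefault(view.split()[-1], set()).add(m.group(1))
        elif m := re.match(r"firewall packet-filter (\d+) (inbound|outbound)", line):
            bindings.append((view.split()[-1], m.group(1), m.group(2)))
    findings = []
    for iface, acl, direction in bindings:
        allowed = permits.get(acl, set())
        if not 2000 <= int(acl) <= 3999:
            findings.append(f"{iface}: ACL {acl} is outside 2000-3999")
        elif (default_deny and direction == "inbound"
              and not allowed & {routing_protocol, "ip"}):
            # "rule permit ip" is assumed to cover every IP protocol
            findings.append(f"{iface}: default deny, ACL {acl} lacks a "
                            f"permit rule for {routing_protocol}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```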