Command Reference Guide

3Com Router 3000 Ethernet Family
Chapter 4 Firewall Configuration Commands
3Com Corporation
Parameter
none
Description
Use the firewall fragments-inspect command to enable the fragment inspection switch.
Use the undo firewall fragments-inspect command to disable the fragment inspection
switch.
By default, the fragment inspection switch is disabled.
This command is a prerequisite for exact match. Fragment exact match can be
implemented only after the fragment inspection switch is enabled. The packet filtering
firewall then records the status of a fragment and performs exact matching against
advanced ACL rules according to information beyond Layer 3 (the IP layer).
The packet filtering firewall consumes some system resources to record the fragment
status. If the exact match mode is not used, you are recommended to disable this
function to improve the running efficiency of the system and reduce the system cost.
Exact match really takes effect only when fragment packet inspection is enabled.
Related commands: display firewall fragments-inspect and firewall packet-filter.
Example
# Enable the fragment inspection switch.
[3Com] firewall fragments-inspect
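
The following Python model is an added example, not 3Com code or the router's implementation. It illustrates why exact match depends on recorded fragment status: only the first fragment carries the Layer 4 header, so a port-based rule can be applied to later fragments only if that information was recorded. The class, field names, rule format and default "permit" action are assumptions, and the packets are constructed sample data.

```python
from collections import namedtuple

# Constructed model: the field names, rule format and default action are
# assumptions for illustration, not the router's data structures.
Packet = namedtuple("Packet", "src dst proto ip_id frag_offset more_frags dport")
Rule = namedtuple("Rule", "action proto dport")  # rule using Layer 4 information


class FragmentFilter:
    def __init__(self, rules, inspect):
        self.rules = rules
        self.inspect = inspect  # models the fragment inspection switch
        self.status = {}        # fragment status records, keyed per datagram

    def _match(self, proto, dport):
        for rule in self.rules:
            if rule.proto == proto and rule.dport == dport:
                return rule.action
        return "permit"  # assumed default action when no rule matches

    def filter(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            # First fragment (or unfragmented packet): the Layer 4 header is present.
            if pkt.more_frags and self.inspect:
                self.status[key] = pkt.dport  # record status for later fragments
            return self._match(pkt.proto, pkt.dport)
        # Non-first fragment: no Layer 4 header, so the port is unknown by itself.
        dport = self.status.get(key) if self.inspect else None
        if dport is not None and not pkt.more_frags:
            del self.status[key]  # last fragment seen, release the record
        return self._match(pkt.proto, dport)


def verdicts(inspect):
    """Filter one constructed two-fragment datagram to TCP port 23."""
    fw = FragmentFilter([Rule("deny", "tcp", 23)], inspect)
    frags = [
        Packet("10.0.0.1", "10.0.0.2", "tcp", 77, 0, True, 23),
        Packet("10.0.0.1", "10.0.0.2", "tcp", 77, 185, False, None),
    ]
    return [fw.filter(p) for p in frags], len(fw.status)


if __name__ == "__main__":
    print("inspection on: ", verdicts(True))   # (['deny', 'deny'], 0)
    print("inspection off:", verdicts(False))  # (['deny', 'permit'], 0)
```

The status dictionary is the part of the model that costs memory per fragmented datagram, which corresponds to the resource consumption the description mentions.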
4.1.6 firewall fragments-inspect { high | low }
Syntax
firewall fragments-inspect { high | low } { default | number }
undo firewall fragments-inspect { high | low }
View
System view
Parameter
high number: Specifies the high threshold of the fragment status records. It is in the
range from 100 to 10000.
low number: Specifies the low threshold of the fragment status records. It is in the
range from 100 to 10000.