Command Reference Guide
3Com Router 3000 Ethernet Family
Chapter 4 Firewall Configuration Commands
3Com Corporation
match-fragments: Specifies the matching mode for fragments. This parameter can only
be applied to advanced ACLs.
normally: Normal matching mode, the default mode.
exactly: Exact matching mode.
Description
Use the firewall packet-filter command to apply the access control list to the
corresponding interface.
Use the undo firewall packet-filter command to delete the corresponding setting.
An interface-based ACL (namely, an ACL rule with a sequence number from 1000 to 1999)
can only use the outbound parameter.
Packet filtering on the VRP platform can filter fragmented packets: it matches and
filters all fragments at layer 3 (the IP layer) by source IP address, destination IP
address, and so on. It also provides standard matching and exact matching for advanced
ACL rules that contain extended information such as TCP/UDP port number and ICMP type.
Standard matching (the normally mode) matches layer 3 information and special
information such as time range and vpn-instance, and ignores layer 4 information. Exact
matching matches packets against all filtering rules of an advanced ACL, including
layer 3 and layer 4 information, time range, and vpn-instance. If an advanced ACL
includes layer 4 filtering rules but the interface uses the default standard matching
mode, the layer 4 filtering rules do not take effect.
For the layer 4 matching rules in an advanced ACL to take effect, you must first
configure the firewall fragments-inspect command on the firewall to enable fragment
inspection, so that the firewall records the layer 4 information in the first fragment
of a packet and has complete matching information for the non-first fragments. In
addition, you must configure the interface to filter fragments by exactly matching all
the rules in the ACL.
Related commands: acl, display acl, and firewall fragments-inspect.
Example
# Apply ACL 1001 to the Serial1/0/0 interface to filter the packets forwarded by the
interface.
[3Com-Serial1/0/0] firewall packet-filter 1001 outbound
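The fragment matching described in the Description above, as a simplified Python model.
This is an added example, not 3Com or VRP code. The class and field names, the sample
ACL and addresses, the permit default, full matching of first fragments, and the
behaviour of exact matching without fragment inspection are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # one advanced-ACL rule (simplified, hypothetical)
    action: str                  # "permit" or "deny"
    dst: Optional[str] = None    # layer 3 condition; None matches any address
    dport: Optional[int] = None  # layer 4 condition; None matches any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_id: int                   # IP identification shared by a datagram's fragments
    offset: int                  # fragment offset; 0 means first fragment
    dport: Optional[int] = None  # only the first fragment carries the port

class PacketFilter:
    def __init__(self, rules, mode="normally", fragments_inspect=False):
        self.rules, self.mode = rules, mode
        self.fragments_inspect = fragments_inspect
        self.recorded = {}       # (src, dst, ip_id) -> port seen in first fragment

    def check(self, pkt):
        key = (pkt.src, pkt.dst, pkt.ip_id)
        dport = pkt.dport
        if pkt.offset == 0 and self.fragments_inspect:
            self.recorded[key] = pkt.dport      # remember layer 4 information
        elif pkt.offset > 0:
            dport = self.recorded.get(key) if self.fragments_inspect else None
        for rule in self.rules:
            if rule.dst not in (None, pkt.dst):
                continue
            # Standard matching neglects the layer 4 condition on later fragments.
            l4_ignored = pkt.offset > 0 and self.mode == "normally"
            if rule.dport is not None and not l4_ignored and rule.dport != dport:
                continue
            return rule.action
        return "permit"          # assumed default action when no rule matches

# Constructed sample: block Telnet to one host, allow everything else.
ACL = [Rule("deny", dst="10.0.0.5", dport=23), Rule("permit")]

def verdicts(mode, inspect, port):
    """Filter a two-fragment datagram to 10.0.0.5 and return both verdicts."""
    f = PacketFilter(ACL, mode, inspect)
    first = Packet("192.0.2.1", "10.0.0.5", ip_id=7, offset=0, dport=port)
    later = Packet("192.0.2.1", "10.0.0.5", ip_id=7, offset=185)
    return f.check(first), f.check(later)
```

In this model, standard matching applies the port-23 deny rule to the later fragment of a
port-80 datagram on layer 3 alone, while exact matching with fragment inspection gives
both fragments the verdict the full rule intends.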
4.1.8 reset firewall-statistics
Syntax
reset firewall-statistics { all | interface type number }










