R2511-HP MSR Router Series Security Configuration Guide(V5)
Step                                   Command               Remarks
1. Enter system view.                  system-view           N/A
2. Enable the IPv6 firewall function.  firewall ipv6 enable  Disabled by default.
Configuring the default filtering action of the firewall
The default filtering action determines whether the firewall permits or denies a data packet when
there is no appropriate criterion for judgment.
IPv4 application
To configure the default filtering action of the IPv4 firewall:
Step                                                      Command                             Remarks
1. Enter system view.                                     system-view                         N/A
2. Specify the default filtering action of the firewall.  firewall default { deny | permit }  Optional. permit (permit packets to pass the firewall) by default.
IPv6 application
To configure the default filtering action of the IPv6 firewall:
Step                                                      Command                                  Remarks
1. Enter system view.                                     system-view                              N/A
2. Specify the default filtering action of the firewall.  firewall ipv6 default { deny | permit }  Optional. permit (permit packets to pass the firewall) by default.
Enabling fragment inspection
Exact match can be implemented only after fragment inspection is enabled. With fragment inspection
enabled, the packet-filter firewall records the status of fragments and performs exact match on
information of Layer 3 or above based on advanced ACL rules.
The packet-filter firewall records the status of fragments at the cost of system resources. If
exact match is not required, you can disable fragment inspection to improve system performance and
reduce system overhead.
Enabling IPv4 fragment inspection
Step                                 Command                     Remarks
1. Enter system view.                system-view                 N/A
2. Enable IPv4 fragment inspection.  firewall fragments-inspect  Disabled by default.
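Added example (not part of the HP guide): a configuration audit that applies the defaults listed in the tables above, so a setting whose command is absent is reported at its permissive or disabled default. It assumes the saved configuration lists each command in the form shown in the Command columns; the sample configuration and the function names are constructed for illustration.

```python
import re

# Defaults taken from the Remarks columns of this guide: a command that is
# absent from the configuration leaves the setting at this value.
DEFAULTS = {
    "firewall ipv6 enable": False,        # IPv6 firewall: disabled by default
    "firewall default": "permit",         # IPv4 default filtering action
    "firewall ipv6 default": "permit",    # IPv6 default filtering action
    "firewall fragments-inspect": False,  # IPv4 fragment inspection: disabled
}
DEFAULT_ACTION = re.compile(r"firewall (ipv6 )?default (deny|permit)")

def effective_settings(config_text):
    """Return the effective value of each setting; the last occurrence wins."""
    state = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        m = DEFAULT_ACTION.fullmatch(line)
        if m:
            key = "firewall ipv6 default" if m.group(1) else "firewall default"
            state[key] = m.group(2)
        elif line in ("firewall ipv6 enable", "firewall fragments-inspect"):
            state[line] = True
    return state

def audit(config_text):
    """List the settings that are still at the permissive or disabled default."""
    s = effective_settings(config_text)
    findings = []
    for family, key in (("IPv4", "firewall default"), ("IPv6", "firewall ipv6 default")):
        if s[key] == "permit":
            findings.append(f"{family}: default action is permit, unmatched packets pass")
    if not s["firewall ipv6 enable"]:
        findings.append("IPv6: firewall function is disabled")
    if not s["firewall fragments-inspect"]:
        findings.append("IPv4: fragment inspection is disabled, no exact match on fragments")
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """#
 sysname LabRouter
#
 firewall default deny
 firewall ipv6 enable
#
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
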
Enabling IPv6 fragment inspection
After this function is enabled, if the first fragment is discarded when the IPv6 fragments of all interfaces
are matched against the IPv6 ACL, all the non-first fragments are discarded too. If not, the protocol information










