R2511-HP MSR Router Series Security Configuration Guide(V5)

carried in the first fragment will be added into the non-first fragments before the matching procedure starts.
To enable the IPv6 fragment inspection function:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable IPv6 fragment inspection. | firewall ipv6 fragments-inspect | Disabled by default.
Configuring the high and low thresholds for fragment inspection
If fragment inspection is enabled and exact match is applied, packet filtering efficiency might decrease, especially when there are many match items. Therefore, set high and low thresholds for fragment inspection: when the number of recorded fragment status entries reaches the high threshold, the earliest entries are deleted (oldest first) until the number drops to the low threshold.
To configure the high and low thresholds for fragment inspection:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure the high and low thresholds for fragment inspection. | firewall fragments-inspect [ high | low ] { number | default } | Optional. By default, the high threshold for the number of fragment status records is 2000, and the low threshold is 1500.
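To make the fragment status table concrete, the following is an added Python model of the behaviour described above (constructed for this page, not HP's implementation): the first fragment's Layer 4 information is recorded and carried to later fragments before matching, and when the record count reaches the high threshold the oldest records are deleted until the low threshold is reached. The packet dictionary fields, the FragmentInspector class and the oldest-first eviction order are assumptions.

```python
from collections import OrderedDict

class FragmentInspector:
    """Constructed model of the fragment status table (not vendor code)."""

    def __init__(self, high=2000, low=1500):
        # Defaults follow the guide: high threshold 2000, low threshold 1500
        if not 0 < low < high:
            raise ValueError("require 0 < low < high")
        self.high, self.low = high, low
        self.table = OrderedDict()  # (src, dst, ipid) -> Layer 4 info; insertion order = age
        self.evicted = 0

    def _record(self, key, l4):
        self.table[key] = l4
        if len(self.table) >= self.high:
            # High threshold reached: delete the earliest records until the low threshold
            while len(self.table) > self.low:
                self.table.popitem(last=False)
                self.evicted += 1

    def prepare(self, pkt):
        """Fill in the Layer 4 fields of a non-first fragment from its recorded first fragment."""
        key = (pkt["src"], pkt["dst"], pkt["ipid"])
        if pkt["offset"] == 0:
            if pkt["mf"]:  # first fragment: remember its Layer 4 header for later fragments
                self._record(key, {"sport": pkt["sport"], "dport": pkt["dport"]})
            return pkt
        l4 = self.table.get(key)  # non-first fragment carries no Layer 4 header itself
        return dict(pkt, **l4) if l4 else dict(pkt, sport=None, dport=None)

def exact_match(rule, pkt):
    """Exact match: every rule field must match; unknown Layer 4 info never matches."""
    return all(pkt.get(field) == value for field, value in rule.items())

# Constructed sample: one TCP datagram to port 80 split into two fragments
RULE = {"proto": "tcp", "dst": "10.0.0.5", "dport": 80}
FIRST = {"src": "192.0.2.1", "dst": "10.0.0.5", "ipid": 7, "proto": "tcp",
         "offset": 0, "mf": True, "sport": 40000, "dport": 80}
SECOND = {"src": "192.0.2.1", "dst": "10.0.0.5", "ipid": 7, "proto": "tcp",
          "offset": 185, "mf": False}

def demo():
    """Return (first fragment matches, second fragment matches) with inspection enabled."""
    insp = FragmentInspector()
    return exact_match(RULE, insp.prepare(FIRST)), exact_match(RULE, insp.prepare(SECOND))

if __name__ == "__main__":
    print(demo())  # (True, True)
```

Without the inspector, the second fragment has no port information and cannot satisfy the exact-match rule; with small thresholds you can also watch records of earlier datagrams being evicted oldest first.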
Configuring packet filtering on an interface
Perform this task to apply ACLs to an interface to filter packets on that interface. When an ACL is applied to an interface, its time range-based filtering also takes effect. You can specify separate access rules for inbound and outbound packets.
Basic ACLs match packets based only on source IP addresses.
Advanced ACLs match packets based on source IP addresses, destination IP addresses, packet priorities,
protocols over IP, and other protocol header information, such as TCP/UDP source and destination port
numbers, TCP flags, ICMP message types, and ICMP message codes.
Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol
header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
An advanced ACL supports the following match modes:
Normal match—Matches Layer 3 information only; non-Layer 3 information is ignored. Normal match is the default mode.
Exact match—Matches all advanced ACL rules. For this reason, you must enable fragment inspection so that the firewall records the status of the first fragment of each packet and obtains the match information for the subsequent fragments.