R2511-HP MSR Router Series Security Configuration Guide(V5)

Follow these restrictions and guidelines when you configure packet filtering on an interface:
- You cannot enable packet filtering on a member interface of an aggregation group. If an interface is enabled with packet filtering, you cannot add the interface to an aggregation group.
- You can apply only one ACL to filter packets in one direction of an interface.
Configuring IPv4 packet filtering on an interface
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure IPv4 packet filtering on an interface.
   Command: firewall packet-filter { acl-number | name acl-name } { inbound | outbound } [ match-fragments { exactly | normally } ]
   Remarks: IPv4 packets are not filtered by default.
Configuring IPv6 packet filtering on an interface
IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet
filtering in the inbound or outbound direction of an interface so that the interface filters packets that
match the IPv6 ACL rules.
You can apply only one IPv6 ACL to filter packets in one direction of an interface.
To configure IPv6 packet filtering on an interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure IPv6 packet filtering on an interface.
   Command: firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
   Remarks: IPv6 packets are not filtered by default.
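Because IPv4 and IPv6 filters are applied separately and neither family is filtered by default, an interface can carry an IPv4 ACL while its IPv6 traffic passes unfiltered. The following audit script is an added example, not part of the original guide: it lists every interface, address family and direction that has no packet filter applied. It assumes a saved configuration in which each "interface" line is followed by indented sub-commands and sections are separated by "#" lines; the interface names and ACL identifiers in the sample are constructed.

```python
import re

# Constructed sample configuration; names and ACL numbers are illustrative.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::1/64
 firewall packet-filter 3000 inbound
#
interface GigabitEthernet0/1
 firewall packet-filter name EDGE-IN inbound match-fragments exactly
 firewall packet-filter ipv6 name EDGE6-IN inbound
 firewall packet-filter 3001 outbound
#
interface Serial1/0
 ip address 203.0.113.1 255.255.255.252
#
"""

# Matches the IPv4 and IPv6 command forms documented above.
FILTER_RE = re.compile(
    r"^firewall packet-filter (?P<v6>ipv6 )?(?:name )?(?P<acl>\S+) "
    r"(?P<dir>inbound|outbound)\b")

def filter_coverage(config):
    """Map interface -> {(family, direction): acl} from a config dump."""
    coverage, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = coverage.setdefault(line.split(None, 1)[1], {})
        elif raw.startswith("#") or not line:
            current = None  # end of the interface section
        elif current is not None:
            m = FILTER_RE.match(line)
            if m:
                family = "ipv6" if m.group("v6") else "ipv4"
                current[(family, m.group("dir"))] = m.group("acl")
    return coverage

def unfiltered(config):
    """List (interface, family, direction) slots left at the default."""
    slots = [(f, d) for f in ("ipv4", "ipv6") for d in ("inbound", "outbound")]
    return [(ifname, f, d)
            for ifname, applied in filter_coverage(config).items()
            for f, d in slots if (f, d) not in applied]

if __name__ == "__main__":
    for ifname, family, direction in unfiltered(SAMPLE_CONFIG):
        print(f"{ifname}: {family} {direction} is not filtered")
```
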
Configuring Ethernet frame filtering
The Ethernet frame filtering configuration on an interface is effective only after you add the interface into
a bridge group.
You can apply only one ACL in one direction of an interface to filter Ethernet frames.
The following matrix shows the feature and router compatibility:
Feature                                   MSR900  MSR93X  MSR20-1X  MSR20  MSR30  MSR50  MSR1000
Ethernet frame filtering on an interface  Yes     Yes     No        Yes    Yes    Yes    Yes
To configure Ethernet frame filtering: