3Com Switch 8800 Advanced Software V5 Configuration Guide
IPv6 ACL 803
For example, the rule with the source IP address wildcard 0.0.0.255 is compared
prior to the rule with the source IP address wildcard 0.0.255.255.
Depth-first match for an Ethernet frame header IPv4 ACL
The following shows how your device performs depth-first match in an Ethernet
frame header ACL:
1 Sort rules by source MAC address mask first and compare packets against the rule
configured with more ones in the source MAC address mask prior to other rules.
2 If two rules are present with the same number of ones in their source MAC
address masks, look at the destination MAC address masks. Then, compare
packets against the rule configured with more ones in the destination MAC
address mask prior to the other.
3 If the numbers of ones in the destination MAC address masks are the same, the
one configured first is compared prior to the other.
For example, the rule with source MAC address mask FFFF-FFFF-0000 is compared
prior to the rule with source MAC address mask FFFF-0000-0000.
Note: For a user-defined ACL, the only available match order is config.
The comparison of a packet against an ACL stops once a match is found. The
packet is then processed as per the rule.
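The depth-first ordering described in steps 1 through 3, together with the stop-at-first-match behaviour, worked through in code. This is an added example, not code from the 3Com guide: the rule addresses, masks and sequence numbers are constructed, the order named "depth-first" implements steps 1 through 3, the order named "config" is plain configuration order, and the IPv4 helper applies the wildcard example given above (fewer ones in the wildcard are compared first).

```python
"""Model of depth-first match ordering for an Ethernet frame header ACL,
plus first-match evaluation. Constructed example; not code from the 3Com guide."""
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Parse a MAC address or mask written as HHHH-HHHH-HHHH (the guide's notation)."""
    return int(mac.replace("-", ""), 16)


def mac_mask_ones(mask: str) -> int:
    """Number of one bits in a MAC mask; a one marks a bit that must match."""
    return bin(mac_to_int(mask)).count("1")


def ipv4_wildcard_ones(wildcard: str) -> int:
    """Number of one bits in an IPv4 wildcard; a one marks a don't-care bit."""
    return sum(bin(int(octet)).count("1") for octet in wildcard.split("."))


@dataclass(frozen=True)
class EthRule:
    seq: int        # configuration order: lower means configured earlier
    src_mac: str
    src_mask: str
    dst_mac: str
    dst_mask: str
    action: str     # "permit" or "deny"


def depth_first_order(rules):
    """Steps 1-3 of the guide: more ones in the source MAC mask first, then more
    ones in the destination MAC mask, then the rule that was configured first."""
    return sorted(rules, key=lambda r: (-mac_mask_ones(r.src_mask),
                                        -mac_mask_ones(r.dst_mask),
                                        r.seq))


def config_order(rules):
    """Configuration order, for comparison with depth-first order."""
    return sorted(rules, key=lambda r: r.seq)


def ipv4_depth_first_order(wildcards):
    """IPv4 counterpart: the wildcard with fewer ones (more zeros) is compared first,
    so 0.0.0.255 sorts before 0.0.255.255."""
    return sorted(wildcards, key=ipv4_wildcard_ones)


def mac_matches(frame_mac: str, rule_mac: str, mask: str) -> bool:
    """A frame address matches a rule address on every bit set in the mask."""
    m = mac_to_int(mask)
    return (mac_to_int(frame_mac) & m) == (mac_to_int(rule_mac) & m)


def evaluate(rules, src_mac: str, dst_mac: str, order: str = "depth-first"):
    """Compare a frame against the rules in the chosen order and stop at the first
    match, as the guide states. Returns (action, seq) or ("no-match", None)."""
    ordered = depth_first_order(rules) if order == "depth-first" else config_order(rules)
    for r in ordered:
        if (mac_matches(src_mac, r.src_mac, r.src_mask)
                and mac_matches(dst_mac, r.dst_mac, r.dst_mask)):
            return r.action, r.seq
    return "no-match", None


# Constructed sample rules; the addresses are hypothetical and not from the guide.
# Rules 20, 30 and 40 share a 32-bit source mask; 30 and 40 also share a 16-bit
# destination mask, so step 3 (configuration order) decides between them.
SAMPLE_RULES = [
    EthRule(10, "0011-0000-0000", "FFFF-0000-0000", "00AA-BBCC-DDEE", "FFFF-FFFF-FFFF", "permit"),
    EthRule(20, "0011-2233-0000", "FFFF-FFFF-0000", "0000-0000-0000", "0000-0000-0000", "permit"),
    EthRule(30, "0011-2233-0000", "FFFF-FFFF-0000", "00AA-0000-0000", "FFFF-0000-0000", "deny"),
    EthRule(40, "0011-2233-0000", "FFFF-FFFF-0000", "00AA-0000-0000", "FFFF-0000-0000", "permit"),
]

if __name__ == "__main__":
    print([r.seq for r in depth_first_order(SAMPLE_RULES)])          # [30, 40, 20, 10]
    frame = ("0011-2233-4455", "00AA-BBCC-DDEE")
    print(evaluate(SAMPLE_RULES, *frame, order="depth-first"))       # ('deny', 30)
    print(evaluate(SAMPLE_RULES, *frame, order="config"))            # ('permit', 10)
    print(ipv4_depth_first_order(["0.0.255.255", "0.0.0.255"]))      # ['0.0.0.255', '0.0.255.255']
```

The same frame is denied under depth-first order and permitted under configuration order, which is the practical reason to check which match order an ACL uses before relying on it: rule 10 matches the frame, but rule 30, with the more specific source mask, is compared first.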
IP Fragments Filtering with IPv4 ACL
Traditional packet filtering matches only the first fragment of an IP datagram, not
all of its fragments. All subsequent non-first fragments are handled in the same way
as the first fragment. This creates a security risk, because attackers may fabricate
non-first fragments to attack your network.
To address the risk, the following packet filtering functions are delivered:
■ IP-based filtering on all fragments.
■ Standard match and exact match for ACLs containing advanced information
such as TCP/UDP port number and ICMP type. The default approach is standard
match.
Note:
■ Standard match considers only Layer 3 information.
■ Exact match considers all header information defined in ACL rules.
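A model of the three behaviours described above: traditional first-fragment-only filtering, and filtering of every fragment under standard match (Layer 3 information only) or exact match (all header information defined in the rule). This is an added example, not code from the 3Com guide or its software. The addresses, ports and fragment offsets are constructed; the verdict for a packet that matches no rule is assumed to be permit; and the treatment of a non-first fragment under exact match (it carries no Layer 4 header, so it is assumed not to satisfy a rule with a port criterion) is the simplest reading of the note and is an assumption, not a statement from the guide.

```python
"""Model of IP fragment filtering: traditional first-fragment-only filtering versus
filtering every fragment under standard match (Layer 3 only) or exact match (all
header fields defined in the rule). Constructed example; not code from the 3Com guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    frag_offset: int                # 0 = first fragment or an unfragmented packet
    dst_port: Optional[int] = None  # Layer 4 header is only present when frag_offset == 0

    @property
    def is_first(self) -> bool:
        return self.frag_offset == 0


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_net: str                    # Layer 3 criterion, CIDR form
    proto: Optional[str] = None     # Layer 3 criterion
    dst_port: Optional[int] = None  # Layer 4 criterion (the guide's "advanced information")


def l3_matches(rule: Rule, pkt: Packet) -> bool:
    in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
    return in_net and (rule.proto is None or rule.proto == pkt.proto)


def l4_matches(rule: Rule, pkt: Packet) -> bool:
    # Assumption: a rule with a port criterion needs a packet that actually carries a
    # port. A non-first fragment has no Layer 4 header, so it cannot satisfy the rule.
    if rule.dst_port is None:
        return True
    return pkt.dst_port is not None and pkt.dst_port == rule.dst_port


def rule_matches(rule: Rule, pkt: Packet, mode: str) -> bool:
    if mode == "standard":          # only Layer 3 information is considered
        return l3_matches(rule, pkt)
    if mode == "exact":             # all header information defined in the rule
        return l3_matches(rule, pkt) and l4_matches(rule, pkt)
    raise ValueError(f"unknown match mode: {mode}")


def first_match(rules: List[Rule], pkt: Packet, mode: str, default: str = "permit") -> str:
    """Comparison stops at the first matching rule; `default` (assumed permit) otherwise."""
    for r in rules:
        if rule_matches(r, pkt, mode):
            return r.action
    return default


def traditional_filter(rules: List[Rule], fragments: List[Packet], default: str = "permit") -> List[str]:
    """Traditional behaviour: only first fragments are compared against the ACL, and
    each non-first fragment is handled the way the preceding first fragment was.
    A stream that begins with a forged non-first fragment has no verdict to inherit,
    so it falls through to the default (the risk the guide describes)."""
    verdicts, inherited = [], default
    for f in fragments:
        if f.is_first:
            inherited = first_match(rules, f, "exact", default)
        verdicts.append(inherited)
    return verdicts


def filter_all_fragments(rules: List[Rule], fragments: List[Packet], mode: str) -> List[str]:
    """Fragment filtering: every fragment, first or not, is compared against the ACL."""
    return [first_match(rules, f, mode) for f in fragments]


# Constructed sample: deny TCP to port 23 from 10.0.0.0/8. Addresses are hypothetical.
RULES = [Rule("deny", "10.0.0.0/8", proto="tcp", dst_port=23)]

TELNET_STREAM = [
    Packet("10.1.1.1", "tcp", frag_offset=0, dst_port=23),   # first fragment, carries ports
    Packet("10.1.1.1", "tcp", frag_offset=185),              # non-first fragment, no ports
]
FORGED_ONLY = [Packet("10.1.1.1", "tcp", frag_offset=185)]   # non-first fragment, no first seen
HTTP_FIRST = [Packet("10.1.1.1", "tcp", frag_offset=0, dst_port=80)]

if __name__ == "__main__":
    print(traditional_filter(RULES, TELNET_STREAM))              # ['deny', 'deny']
    print(traditional_filter(RULES, FORGED_ONLY))                # ['permit']  (the gap)
    print(filter_all_fragments(RULES, FORGED_ONLY, "standard"))  # ['deny']
    print(filter_all_fragments(RULES, FORGED_ONLY, "exact"))     # ['permit']
    print(filter_all_fragments(RULES, HTTP_FIRST, "standard"))   # ['deny']  (port ignored)
    print(filter_all_fragments(RULES, HTTP_FIRST, "exact"))      # ['permit']
```

The two modes trade precision for coverage: standard match closes the forged-fragment gap for a port-based rule, but because it ignores the port it also denies the port-80 first fragment from the same source; exact match judges the port-80 packet correctly but, under the assumption above, cannot apply a port criterion to a fragment that carries no Layer 4 header. That trade-off is why the default is standard match and why a rule set relying on Layer 4 criteria is worth testing with fragmented traffic.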
IPv6 ACL
This section covers these topics:
■ “IPv6 ACL Classification” on page 803
■ “IPv6 ACL Naming” on page 804
■ “IPv6 ACL Match Order” on page 804
IPv6 ACL Classification
IPv6 ACLs, identified by ACL numbers, fall into the following three categories:
■ Basic IPv6 ACL, based on source IPv6 address. Basic IPv6 ACLs are numbered
2000 through 2999.