Automatic rule numbering and re-numbering, Implementing time-based acl rules, Ipv4 fragments filtering with acls – H3C Technologies H3C S7500E Series Switches User Manual

1-5

example, the default ACL rule numbering step is 5. If you do assign IDs to rules you are creating, they

are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert

between two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of

inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are

matched in ascending order of rule ID.

Automatic rule numbering and re-numbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step

to the current highest rule ID, starting with 0.

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,

and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule

will be numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five

rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be

renumbered 0, 2, 4, 6 and 8.

Likewise, after you restore the default step, ACL rules are renumbered in the default step. Assume that

there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the

rules are renumbered 0, 5, 15, and 15.

Implementing Time-Based ACL Rules

You can implement ACL rules based on the time of day by applying a time range to them. A time-based

ACL rule takes effect only in any time periods specified by the time range.

Two basic types of time range are available:

z

Periodic time range, which recurs periodically on a day or days of the week.

z

Absolute time range, which represents only a period of time and does not recur.

You may apply a time range to ACL rules before or after you create it. However, the rules using the

time range can take effect only after you define the time range.

IPv4 Fragments Filtering with ACLs

Traditional packet filtering matched only first fragments of IPv4 packets, and allowed all subsequent

non-first fragments to pass through. This mechanism resulted in security risks, because attackers may

fabricate non-first fragments to attack networks.

A rule defined with the fragment keyword applies to only IP fragments. Note that a rule defined with

the fragment keyword matches non-last IP fragments on an SA or EA Series LPUs while matching

non-first IP fragments on an SC, EB, or SD Series LPUs. For detailed information about types of LPUs,

see the installation manual.

ACL Configuration Task List

IPv4 configuration task list

Complete the following tasks to configure an IPv4 ACL: