Automatic rule numbering and renumbering, Fragments filtering with acls, Acl configuration task list – H3C Technologies H3C SecBlade NetStream Cards User Manual

Page 146: Configuring an acl, Configuring an ipv4 basic acl


Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8.
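The numbering and renumbering behaviour described above, modelled in a small added example (this is illustrative code, not part of the H3C manual or the device software; the AclRuleTable class and its methods are hypothetical names):

```python
# Added example: models H3C's automatic ACL rule numbering as described above.
# AclRuleTable is a hypothetical helper, not an H3C API.

class AclRuleTable:
    """Tracks the rule IDs of one ACL and its numbering step."""

    def __init__(self, step=5):
        if step < 1:
            raise ValueError("numbering step must be a positive integer")
        self.step = step
        self.rules = {}  # rule ID -> rule text, kept in ascending ID order

    def next_rule_id(self):
        """Return the ID that would be auto-assigned to a new rule."""
        if not self.rules:
            return 0  # an empty ACL numbers its first rule 0
        highest = max(self.rules)
        # Nearest multiple of the step strictly above the highest ID.
        return (highest // self.step + 1) * self.step

    def add_rule(self, text, rule_id=None):
        """Add a rule with an explicit ID, or let it be auto-numbered."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists")
        self.rules[rule_id] = text
        self.rules = dict(sorted(self.rules.items()))
        return rule_id

    def set_step(self, step):
        """Change the step; all rules are renumbered from 0 in their order."""
        if step < 1:
            raise ValueError("numbering step must be a positive integer")
        self.step = step
        self.rules = {i * step: text
                      for i, text in enumerate(self.rules.values())}
        return list(self.rules)


def manual_examples():
    """Reproduce the two worked examples from the text (constructed rules)."""
    acl = AclRuleTable(step=5)
    for rid in (0, 5, 9, 10, 12):
        acl.add_rule(f"rule {rid}", rule_id=rid)
    auto_id = acl.add_rule("new rule")          # expected 15
    acl2 = AclRuleTable(step=5)
    for rid in (5, 10, 13, 15, 20):
        acl2.add_rule(f"rule {rid}", rule_id=rid)
    return auto_id, acl2.set_step(2)             # expected (15, [0, 2, 4, 6, 8])
```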

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To avoid these risks, the H3C ACL implementation:

Filters all fragments by default, including non-first fragments.

Allows for matching criteria modification, for example, filtering non-first fragments only.

ACL configuration task list

Complete the following tasks to configure an ACL:

Task                                        Remarks

Configuring an IPv4 basic ACL               Required. Configure at least one of these three tasks.
Configuring an IPv4 advanced ACL
Configuring an Ethernet frame header ACL

Copying an IPv4 ACL                         Optional

Enabling ACL acceleration for an IPv4 ACL   Optional

Packet filtering with ACLs                  Optional

Configuring an ACL

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.
Follow these steps to configure an IPv4 basic ACL:

To do…               Use the command…     Remarks

Enter system view    system-view          ––
