3Com S7906E Installation Guide
A rule can reference a time range that has not been created yet. The rule, however, takes effect
only after the time range is defined and becomes active.
IP Fragments Filtering with IPv4 ACL
Traditional packet filtering matches only the first fragments of IP packets, rather than all fragments.
All subsequent non-first fragments are handled in the way the first fragments are handled. This creates
a security risk, because attackers may fabricate non-first fragments to attack your network.
A rule defined with the fragment keyword applies only to IP fragments. Note that a rule defined with the
fragment keyword matches non-last IP fragments on SA or EA Series LPUs, but matches non-first
IP fragments on SC, EB, or SD Series LPUs. For detailed information about the types of LPUs, refer to
the 3Com S7900E Family Getting Started Guide.
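The following is an added example, not code from the 3Com documentation. It classifies IPv4 fragments from the header's MF flag and fragment offset, then models which fragments a rule with the fragment keyword matches on each LPU series as described above. The header builder, function names, and sample addresses are constructed for illustration, and the model covers only the fragment keyword, not any other match criteria in the rule.

```python
import struct

# LPU series grouping as stated in the text above.
NON_LAST_LPUS = {"SA", "EA"}         # fragment keyword matches non-last fragments
NON_FIRST_LPUS = {"SC", "EB", "SD"}  # fragment keyword matches non-first fragments


def build_ipv4_header(more_fragments, offset_units):
    """Constructed 20-byte IPv4 header (checksum left at 0).
    offset_units is the fragment offset in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


def classify(header):
    """Return 'unfragmented', 'first', 'middle' or 'last' for an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)  # MF flag
    offset = flags_frag & 0x1FFF                # 13-bit fragment offset
    if offset == 0:
        return "first" if more_fragments else "unfragmented"
    return "middle" if more_fragments else "last"


def fragment_keyword_matches(lpu_series, header):
    """Model of whether a rule with the fragment keyword matches this packet."""
    kind = classify(header)
    if kind == "unfragmented":
        return False  # the keyword applies to IP fragments only
    if lpu_series in NON_LAST_LPUS:
        return kind != "last"
    if lpu_series in NON_FIRST_LPUS:
        return kind != "first"
    raise ValueError("unknown LPU series: %r" % lpu_series)


def coverage(lpu_series):
    """Map each fragment kind to the match result on the given LPU series."""
    samples = {"unfragmented": (False, 0), "first": (True, 0),
               "middle": (True, 185), "last": (False, 370)}
    return {kind: fragment_keyword_matches(lpu_series, build_ipv4_header(mf, off))
            for kind, (mf, off) in samples.items()}


if __name__ == "__main__":
    for series in ("SA", "SC"):
        print(series, coverage(series))
```

The two groups differ on the first fragment and on the last fragment, so a rule set that relies on the fragment keyword should be reviewed against the LPU type actually installed.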
Introduction to IPv6 ACL
IPv6 ACL Classification
IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2.
Table 1-2 IPv6 ACL categories
Category            ACL number      Matching criteria
Basic IPv6 ACL      2000 to 2999    Source IPv6 address
Advanced IPv6 ACL   3000 to 3999    Source IPv6 address, destination IPv6 address, protocol carried on IPv6, and other Layer 3 or Layer 4 protocol header fields
IPv6 address, protocol carried on
IPv6, and other Layer 3 or Layer 4
protocol header fields
IPv6 ACL Naming
When creating an IPv6 ACL, you can specify a unique name for it. Afterwards, you can identify the IPv6
ACL by its name.
An IPv6 ACL can have only one name. Specifying a name for an ACL is optional. After creating
an ACL, you cannot specify a name for it, nor can you change or remove the name of the ACL.