452
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is
numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules
numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,
4, 6, and 8.
Implementing time-based ACL rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in any time periods specified by the time range.
The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
• Absolute time range—Represents only a period of time and does not recur.
IPv4 fragments filtering with ACLs
Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To improve network security, ACL filters all packets by default, including fragments and non-fragmented
packets. Meanwhile, to improve match efficiency, you can modify ACL rules. For example, you can
configure ACL rules to filter non-first fragments only.
Configuration guidelines
When you configure an ACL, follow these guidelines:
• You cannot add a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you can choose to change just some of the settings, in which case
the other settings remain the same.
Recommend ACL configuration procedures
Recommended IPv4 ACL configuration procedure
Ste
To Next Page
Loading...
Need help?
General
