Operation Manual – ACL
H3C S3100 Series Ethernet Switches Chapter 1 ACL Configuration
1-2
I. Depth-first match order for rules of a basic ACL
1) Range of source IP address: The smaller the source IP address range (that is, the
more the number of zeros in the wildcard mask), the higher the match priority.
2) Fragment keyword: A rule with the fragment keyword is prior to others.
3) If the above two conditions are identical, the earlier configured rule applies.
II. Depth-first match order for rules of an advanced ACL
1) Protocol range: A rule which has specified the types of the protocols carried by IP
is prior to others.
2) Range of source IP address: The smaller the source IP address range (that is, the
more the number of zeros in the wildcard mask), the higher the match priority.
3) Range of destination IP address. The smaller the destination IP address range
(that is, the more the number of zeros in the wildcard mask), the higher the match
priority.
4) Range of Layer 4 port number, that is, TCP/UDP port number. The smaller the
range, the higher the match priority.
5) Number of parameters: the more the parameters, the higher the match priority.
If rule A and rule B are still the same after comparison in the above order, the weighting
principles will be used in deciding their priority order. Each parameter is given a fixed
weighting value. This weighting value and the value of the parameter itself will jointly
decide the final matching order. Involved parameters with weighting values from high to
low are icmp-type, established, dscp, tos, precedence, fragment. Comparison
rules are listed below.
z The smaller the weighting value left, which is a fixed weighting value minus the
weighting value of every parameter of the rule, the higher the match priority.
z If the types of parameter are the same for multiple rules, then the sum of
parameters’ weighting values of a rule determines its priority. The smaller the sum,
the higher the match priority.
1.1.2 Ways to Apply an ACL on a Switch
I. Being applied to the hardware directly
In the switch, an ACL can be directly applied to hardware for packet filtering and traffic
classification. In this case, the rules in an ACL are matched in the order determined by
the hardware instead of that defined in the ACL. For H3C S3100 series Ethernet
switches, the earlier the rule applies, the higher the match priority.
ACLs are directly applied to hardware when they are used for:
z Implementing QoS
z Filtering the packets to be forwarded
To Next Page
Loading...
Need help?
General