Huawei quidway s3526 series Getting Started page 404

Command Manual - QoS/ACL
Quidway S3500 Series Ethernet Switches
You can use the acl command to create an ACL, specifying its name with "acl-name"
and its type with the keyword "advanced", "basic" or "link". For both numbered and
named ACLs, you can use the rule command to add rules after entering ACL view.
(Use the quit command to exit ACL view.) An ACL may contain multiple rules, and
because the traffic classification rules cover different ranges, a data packet can match
more than one rule, which raises the issue of match order.
Using the match-order parameter, you can choose to match the rules in the user
configuration order (the default) or in depth-first order (the rule with the smaller range
is matched first). Once the match order of an ACL has been specified, you cannot
change it unless you delete all its rules and specify the order again. Note that the match
order of an ACL takes effect only when the ACL is cited by software to filter and classify data.
Because of the chips installed, the hardware match order of an ACL's sub-rules differs
between switch models. The details are listed in the following table.
Table 1-1 Hardware match order of ACL's sub-rule

| Switch | Hardware match order of ACL's sub-rule |
|--------|----------------------------------------|
| S3526 | An ACL is configured with multiple sub-rules. The deny sub-rules are matched first, followed by the permit sub-rules. Exact match mode is used for the permit sub-rules: the sub-rule with the more accurate range is matched first. For example, ACL 3000 has rule 0 and rule 1. Rule 0 is defined as "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255" and rule 1 as "rule 1 permit ip source 1.1.1.1 0.0.0.255 destination 2.2.2.2 0.0.0.255". Rule 1 is more accurate, so it is matched first. |

Note:
For S3526 series switches, the packet-filter function supports only rules whose action is
deny, while other QoS functions, such as priority marking, traffic mirroring and traffic
statistics, support rules whose action is permit. In some cases, however, a permit ACL
and a deny ACL can be matched at the same time. For example, ACL 3000 has rule 0
and rule 1; rule 0 is a deny rule and rule 1 is a permit rule. If the packet-filter function
cites ACL 100 rule 0 and traffic statistics cites ACL 100 rule 1, the match order is the
deny rule first, then the permit rule.
For related configurations, refer to the command rule.
Example
# Configure to follow depth-first order to match the rules of ACL 1.
[Quidway] acl number 1 match-order auto
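The three orderings described on this page (user configuration order, depth-first order, and the S3526 hardware order from Table 1-1) can be compared with a small model. This is an added example, not code from the Huawei manual. It assumes that a rule's "range" is its total count of wildcard bits and that deny sub-rules keep their configured order among themselves; the mode names "config" and "s3526-hw" are hypothetical labels, and rule 2 is constructed.

```python
import ipaddress
import re

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(text):
    """Parse one sub-rule written in the syntax quoted in Table 1-1."""
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rid, action, src, swild, dst, dwild = m.groups()
    return {"id": int(rid), "action": action, "src": ip(src),
            "swild": ip(swild), "dst": ip(dst), "dwild": ip(dwild)}

def covers(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def width(rule):
    # Assumption: "range" is measured as the total count of don't-care bits.
    return bin(rule["swild"]).count("1") + bin(rule["dwild"]).count("1")

def ordered(rules, mode):
    if mode == "config":      # user configuration order (the default)
        return list(rules)
    if mode == "auto":        # depth-first: rule with the smaller range first
        return sorted(rules, key=width)
    if mode == "s3526-hw":    # Table 1-1: deny sub-rules, then permits by accuracy
        denies = [r for r in rules if r["action"] == "deny"]
        permits = [r for r in rules if r["action"] == "permit"]
        return denies + sorted(permits, key=width)
    raise ValueError(f"unknown mode: {mode}")

def first_match(rules, mode, src, dst):
    """Return (rule id, action) of the first sub-rule hit, or None."""
    for r in ordered(rules, mode):
        if covers(ip(src), r["src"], r["swild"]) and covers(ip(dst), r["dst"], r["dwild"]):
            return r["id"], r["action"]
    return None

# Rules 0 and 1 are the ones quoted in Table 1-1; rule 2 is constructed.
RULES = [parse_rule(t) for t in (
    "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255",
    "rule 1 permit ip source 1.1.1.1 0.0.0.255 destination 2.2.2.2 0.0.0.255",
    "rule 2 deny ip source 1.0.0.0 0.255.255.255 destination 2.0.0.0 0.255.255.255",
)]

if __name__ == "__main__":
    for mode in ("config", "auto", "s3526-hw"):
        print(mode, first_match(RULES, mode, "1.1.1.5", "2.2.2.9"))
```

For the packet 1.1.1.5 to 2.2.2.9 the three modes select rule 0, rule 1 and rule 2 respectively, which is why a rule set should be reviewed against the order the platform actually applies.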
Huawei Technologies Proprietary
Chapter 1 ACL Commands
