ACL Rule Numbering Step - H3C S7500E Series Configuration Manual


Depth-first rule sorting procedures by ACL category

IPv4 advanced ACL
1) A rule configured with a VPN instance takes precedence.
2) A rule configured with a specific protocol takes precedence over a rule with the protocol type
   set to IP. IP represents any protocol over IP.
3) A rule with more 0s in the source IP address wildcard mask takes precedence.
   More 0s means a narrower IP address range.
4) A rule with more 0s in the destination IP address wildcard mask takes precedence.
5) A rule with a narrower TCP/UDP service port number range takes precedence.
6) A rule with a smaller ID takes precedence.

IPv6 basic ACL
1) A rule configured with a longer prefix for the source IP address takes precedence.
   A longer prefix means a narrower IP address range.
2) A rule with a smaller ID takes precedence.

IPv6 advanced ACL
1) A rule configured with a specific protocol takes precedence over a rule with the protocol type
   set to IP. IP represents any protocol over IPv6.
2) A rule configured with a longer prefix for the source IPv6 address takes precedence.
3) A rule configured with a longer prefix for the destination IPv6 address takes precedence.
4) A rule with a narrower TCP/UDP service port number range takes precedence.
5) A rule with a smaller ID takes precedence.

Ethernet frame header ACL
1) A rule with more 1s in the source MAC address mask takes precedence. More 1s
   means a smaller MAC address range.
2) A rule with more 1s in the destination MAC address mask takes precedence.
3) A rule with a smaller ID takes precedence.

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent 'do care' bits, while the
1 bits represent 'don't care' bits. If the 'do care' bits in an IP address are identical to the 'do care' bits
in an IP address criterion, the IP address matches the criterion. All 'don't care' bits are ignored. The 0s
and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask. With
wildcard masks, you can create more granular match criteria than with network masks.

ACL Rule Numbering Step

What is the ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system numbers rules automatically. For
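The wildcard-mask matching rule and the IPv4 advanced ACL depth-first order described on this page can be checked offline with the following added example, which is not code from the H3C manual or the switch software. The `Rule` class, its field names and the sample rules are hypothetical, and the sort assumes each criterion only breaks ties left by the one before it.

```python
import ipaddress
from dataclasses import dataclass

def _bits(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """0 bits in the wildcard are 'do care' bits; 1 bits are ignored."""
    care = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(addr) & care) == (_bits(criterion) & care)

def zero_bits(wildcard: str) -> int:
    """Number of 'do care' bits; more 0s means a narrower address range."""
    return 32 - bin(_bits(wildcard)).count("1")

@dataclass
class Rule:  # hypothetical model, not the switch's data structure
    rule_id: int
    protocol: str = "ip"                   # "ip" = any protocol over IP
    src_wildcard: str = "255.255.255.255"  # default: any source
    dst_wildcard: str = "255.255.255.255"  # default: any destination
    ports: tuple = (0, 65535)              # inclusive TCP/UDP port range
    vpn_instance: str = ""                 # empty = no VPN instance

def depth_first_key(r: Rule) -> tuple:
    # Assumption: each criterion only breaks ties left by the one before it.
    return (
        r.vpn_instance == "",         # 1) VPN instance takes precedence
        r.protocol == "ip",           # 2) specific protocol before "ip"
        -zero_bits(r.src_wildcard),   # 3) more 0s in source wildcard
        -zero_bits(r.dst_wildcard),   # 4) more 0s in destination wildcard
        r.ports[1] - r.ports[0],      # 5) narrower port range
        r.rule_id,                    # 6) smaller rule ID
    )

def depth_first_order(rules: list) -> list:
    return [r.rule_id for r in sorted(rules, key=depth_first_key)]

# Constructed sample rules, listed in config (rule ID) order.
RULES = [
    Rule(0, "ip", src_wildcard="0.0.255.255"),
    Rule(5, "tcp", src_wildcard="0.0.0.255"),
    Rule(10, "tcp", src_wildcard="0.0.0.255", ports=(80, 80)),
    Rule(15, "ip", vpn_instance="vpn1"),
    Rule(20, "tcp", src_wildcard="0.0.0.0"),
]

if __name__ == "__main__":
    print(depth_first_order(RULES))  # [15, 20, 10, 5, 0]
```

With depth-first ordering, a broad low-numbered rule such as rule 0 here is evaluated last, so reviewing an ACL by rule ID alone can misjudge which rule a packet actually hits.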
