ACL Rule Numbering Step - H3C S5120-SI Series Configuration Manual


auto: Sorts ACL rules in depth-first order, as described in Table 1-2. The depth-first order varies with ACL categories.

Table 1-2 Sorting ACL rules in depth-first order (ACL categories: Basic ACL, Advanced ACL, Ethernet frame header ACL; the sorting procedure for each category is listed under "Depth-first rule sorting procedures" below)
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent 'do care' bits, while the 1 bits represent 'don't care' bits. If the 'do care' bits in an IP address are identical to the 'do care' bits in an IP address criterion, the IP address matches the criterion. All 'don't care' bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask. With wildcard masks, you can create more granular match criteria than with network masks.
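The following is an added example, not code from the manual or from H3C, that implements the match rule described above in Python: an address matches a criterion when the two agree on every 0 ('do care') bit of the wildcard mask. It also shows the noncontiguous mask 0.255.0.255 from the text, which matches on the first and third octets only, and converts a prefix length to the equivalent wildcard mask by inverting the network mask. The function names and the sample addresses are the author's own choices.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Parse a dotted-decimal IPv4 address or mask into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, criterion: str, wildcard: str) -> bool:
    """Return True if `address` matches `criterion` under `wildcard`.

    0 bits in the wildcard are 'do care': the address and the criterion must
    agree on them. 1 bits are 'don't care' and are ignored. Because the test
    is a plain bitwise AND, the 0s and 1s may be noncontiguous.
    """
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) ^ to_int(criterion)) & care_bits == 0


def netmask_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask equivalent to a contiguous network prefix (the inverse of
    the network mask), e.g. /24 -> 0.0.0.255 and /32 -> 0.0.0.0."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(~netmask & 0xFFFFFFFF))


def care_bit_count(wildcard: str) -> int:
    """Number of 0 ('do care') bits in a wildcard mask. More 0s means a
    narrower address range; this is the quantity depth-first sorting compares."""
    return 32 - bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Constructed sample: criterion 10.0.1.0 with the noncontiguous mask
    # 0.255.0.255 matches every host whose first octet is 10 and third is 1,
    # whatever the second and fourth octets are.
    print(wildcard_match("10.7.1.200", "10.0.1.0", "0.255.0.255"))   # True
    print(wildcard_match("10.7.2.200", "10.0.1.0", "0.255.0.255"))   # False
    print(netmask_to_wildcard(24), care_bit_count("0.255.0.255"))    # 0.0.0.255 16
```

A network mask can always be expressed as a wildcard mask, but not the reverse: the 0.255.0.255 case above selects hosts spread across 256 /24 subnets, which no single prefix can describe.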

ACL Rule Numbering Step

What is the ACL rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to the rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two existing rules.
By introducing a gap between rules rather than numbering them contiguously, you gain the flexibility of inserting rules into an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID and the first matching rule decides: a broad permit with a low ID shadows any narrower deny that is added later with a higher ID, and the only way to put the deny ahead of it is to give the deny a free ID inside the gap.
Automatic rule numbering and re-numbering
The ID automatically assigned to an ACL rule is the nearest multiple of the numbering step that is higher than the current highest rule ID, starting with 0 for the first rule. For example, with the default step of 5, an ACL whose highest rule ID is 7 (an ID assigned manually) gives the next automatically numbered rule the ID 10.
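The model below is an added example, not code from the manual or from H3C. It implements automatic ID assignment with a numbering step exactly as described above, and then walks through the config-order shadowing problem: a deny for one host added after a broader permit never fires until it is given an explicit ID in the gap ahead of the permit. The class and function names are the author's own; the limits on the step (1 to 20) and on rule IDs (0 to 65534) are assumed from H3C's range and are not stated on this page, which gives only the default step of 5.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed limits (H3C accepts a step of 1..20 and rule IDs 0..65534); the page
# itself only states the default step of 5.
MAX_RULE_ID = 65534


def wildcard_match(address: str, criterion: str, wildcard: str) -> bool:
    """Address matches criterion on every 0 ('do care') bit of the wildcard mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(address))
    c = int(ipaddress.IPv4Address(criterion))
    return (a ^ c) & care == 0


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # source IP criterion
    wildcard: str    # wildcard mask over the source address


@dataclass
class BasicAcl:
    step: int = 5
    rules: dict = field(default_factory=dict)  # rule_id -> Rule

    def next_auto_id(self) -> int:
        """Nearest multiple of the step above the highest existing ID; 0 when empty."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, action, source, wildcard, rule_id=None) -> int:
        """Add a rule; with rule_id=None the ID is assigned automatically."""
        if rule_id is None:
            rule_id = self.next_auto_id()
        if not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError(f"rule ID {rule_id} outside 0..{MAX_RULE_ID}")
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists; no free ID in that gap")
        self.rules[rule_id] = Rule(rule_id, action, source, wildcard)
        return rule_id

    def lookup_config_order(self, address):
        """Config order: try rules in ascending rule ID, first match wins."""
        for rule_id in sorted(self.rules):
            rule = self.rules[rule_id]
            if wildcard_match(address, rule.source, rule.wildcard):
                return rule_id, rule.action
        return None, None  # nothing matched; the device's default action applies


def shadowing_example():
    """Constructed scenario: with step 5 the auto IDs are 0, 5, 10, and the gap
    between 0 and 5 is what lets an explicit ID put the deny ahead of the permit."""
    acl = BasicAcl(step=5)
    acl.add_rule("permit", "10.1.0.0", "0.0.255.255")       # auto ID 0
    acl.add_rule("permit", "10.2.0.0", "0.0.255.255")       # auto ID 5
    acl.add_rule("deny", "10.2.7.7", "0.0.0.0")             # auto ID 10, shadowed by 5
    before = acl.lookup_config_order("10.2.7.7")            # (5, "permit")
    acl.add_rule("deny", "10.2.7.7", "0.0.0.0", rule_id=3)  # fits between 0 and 5
    after = acl.lookup_config_order("10.2.7.7")             # (3, "deny")
    return before, after, acl.next_auto_id()                # next auto ID is 15


def no_gap_example() -> bool:
    """With step 1 the auto IDs 0 and 1 are contiguous, so there is no free ID
    between the permit and the deny; the insert is rejected."""
    acl = BasicAcl(step=1)
    acl.add_rule("permit", "10.2.0.0", "0.0.255.255")       # auto ID 0
    acl.add_rule("deny", "10.2.7.7", "0.0.0.0")             # auto ID 1
    try:
        acl.add_rule("deny", "10.2.7.7", "0.0.0.0", rule_id=1)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(shadowing_example())   # ((5, 'permit'), (3, 'deny'), 15)
    print(no_gap_example())      # True
```

When auditing an ACL in config order, read the rules in ascending ID and stop at the first match for the traffic of interest; any later rule for that traffic, however specific, is dead.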
Depth-first rule sorting procedures (Table 1-2, by ACL category)

Basic ACL
1) A rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range.
2) A rule with a smaller ID takes precedence.

Advanced ACL
1) A rule configured with a specific protocol takes precedence over a rule with the protocol type set to IP. IP represents any protocol over IP.
2) A rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range.
3) A rule with more 0s in the destination IP address wildcard mask takes precedence.
4) A rule with a narrower TCP/UDP service port number range takes precedence.
5) A rule with a smaller ID takes precedence.

Ethernet frame header ACL
1) A rule with more 1s in the source MAC address mask takes precedence. More 1s means a narrower MAC address range.
2) A rule with more 1s in the destination MAC address mask takes precedence.
3) A rule with a smaller ID takes precedence.

Each procedure is a sequence of tie-breakers: a later criterion is consulted only when the earlier ones do not separate two rules, and the rule ID is always the last resort. Because the narrower rule is checked first regardless of its ID, a deny for a single host that is added after a broad permit still takes effect in depth-first order, whereas in config order it is shadowed by the permit with the lower ID.
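The following is an added example, not code from the manual or from H3C, that encodes the three sorting procedures of Table 1-2 as Python sort keys and compares the resulting depth-first order with the config order for the same rule sets. Assumptions not on the page: the port-range width is taken as the number of ports the criterion covers, with a rule that names no port treated as the widest; MAC masks use H3C's hhhh-hhhh-hhhh notation; the Rule fields and function names are the author's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    action: str
    src: str = "0.0.0.0"                     # source IP criterion
    src_wc: str = "255.255.255.255"          # source wildcard mask (all 1s = any)
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    protocol: str = "ip"                     # "ip" = any protocol over IP
    ports: Optional[Tuple[int, int]] = None  # inclusive TCP/UDP port range, None = any port
    src_mac_mask: str = "0000-0000-0000"     # Ethernet frame header ACL: 1 bits are 'do care'
    dst_mac_mask: str = "0000-0000-0000"


def ipv4_zero_bits(wildcard: str) -> int:
    """Count the 0 ('do care') bits of an IPv4 wildcard mask; more 0s = narrower range."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def mac_one_bits(mask: str) -> int:
    """Count the 1 ('do care') bits of a 48-bit MAC mask written as hhhh-hhhh-hhhh."""
    return bin(int(mask.replace("-", ""), 16)).count("1")


def port_range_width(r: Rule) -> int:
    """Ports covered by the rule's port criterion; no criterion covers all 65536 (assumed)."""
    return 65536 if r.ports is None else r.ports[1] - r.ports[0] + 1


# Python sorts ascending, so negated counts put "more bits" first; the rule ID is
# the final tuple element and therefore the last tie-breaker in every category.
def basic_key(r: Rule):
    return (-ipv4_zero_bits(r.src_wc), r.rule_id)


def advanced_key(r: Rule):
    return (1 if r.protocol == "ip" else 0,       # specific protocol before IP
            -ipv4_zero_bits(r.src_wc),
            -ipv4_zero_bits(r.dst_wc),
            port_range_width(r),
            r.rule_id)


def ethernet_key(r: Rule):
    return (-mac_one_bits(r.src_mac_mask), -mac_one_bits(r.dst_mac_mask), r.rule_id)


SORT_KEYS = {"basic": basic_key, "advanced": advanced_key, "ethernet": ethernet_key}


def depth_first_order(category: str, rules):
    """Rule IDs in the order a match-order auto ACL of this category tries them."""
    return [r.rule_id for r in sorted(rules, key=SORT_KEYS[category])]


def config_order(rules):
    """Rule IDs in the order a match-order config ACL tries them."""
    return sorted(r.rule_id for r in rules)


def example_orders():
    """Constructed rule sets; returns {category: (config_order, depth_first_order)}."""
    basic = [Rule(0, "permit", src="10.0.0.0", src_wc="0.255.255.255"),
             Rule(5, "deny", src="10.0.5.9", src_wc="0.0.0.0"),
             Rule(10, "deny", src="10.0.5.0", src_wc="0.0.0.255"),
             Rule(20, "deny", src="10.0.6.0", src_wc="0.0.0.255")]   # ties with 10, loses on ID
    advanced = [Rule(0, "permit", src="10.0.0.0", src_wc="0.255.255.255"),
                Rule(5, "deny", src="10.0.5.9", src_wc="0.0.0.0", protocol="tcp", ports=(22, 22)),
                Rule(10, "deny", src="10.0.5.0", src_wc="0.0.0.255", protocol="tcp", ports=(1, 1024)),
                Rule(15, "deny", src="10.0.5.9", src_wc="0.0.0.0", protocol="tcp")]
    ethernet = [Rule(0, "permit"),
                Rule(5, "deny", src_mac_mask="ffff-ffff-ffff"),
                Rule(10, "deny", src_mac_mask="ffff-ff00-0000"),
                Rule(15, "deny", src_mac_mask="ffff-ffff-ffff", dst_mac_mask="ffff-ffff-ffff")]
    return {name: (config_order(rules), depth_first_order(name, rules))
            for name, rules in (("basic", basic), ("advanced", advanced), ("ethernet", ethernet))}


if __name__ == "__main__":
    for name, (cfg, auto) in example_orders().items():
        print(f"{name}: config {cfg} -> depth-first {auto}")
```

In every constructed set the broad permit (rule 0) is tried first in config order and shadows the denies, while depth-first order tries it last. Which order a given ACL uses depends on its match-order setting, so check that setting before reasoning about rule IDs alone.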
