ACL Match Order - Huawei Quidway S5600 Series Operation Manual

Operation Manual – ACL
Quidway S5600 Series Ethernet Switches-Release 1510
II. ACL referenced by the upper-level modules
The switch also uses ACLs to filter packets processed by software and to implement
traffic classification. In this case, there are two types of match orders for the rules in an
ACL: config (user-defined match order) and auto (the system performs automatic
ordering, namely according to the "depth-first" order). In this scenario, you can specify the
match order for multiple rules in an ACL. You cannot modify the match order for an ACL
once you have specified it. You can specify a new match order only after all the
rules are deleted from the ACL.
ACLs can also be referenced by route policies or be used to control login users.

1.1.2 ACL Match Order

An ACL may contain a number of rules, which specify different packet ranges. This
brings about the issue of match order when these rules are used to match packets.
An ACL supports the following two types of match orders:
- Configured order: ACL rules are matched according to the configured order.
- Automatic ordering: ACL rules are matched according to the "depth-first" order.
With the depth-first rule adopted, the rules of an ACL are matched in the following
order:
1) Protocol range. The range for IP protocol is 1 to 255 and those of other protocols
   are the same as the corresponding protocol numbers. The smaller the protocol
   range, the higher the priority.
2) Range of source IP address. The smaller the source IP address range (that is, the
   longer the mask), the higher the priority.
3) Range of destination IP address. The smaller the destination IP address range
   (that is, the longer the mask), the higher the priority.
4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the
   range, the higher the priority.
If rule A and rule B are the same in all four ACEs (access control elements) above,
and also have the same number of other ACEs to be considered in deciding their priority
order, weighting principles are used to decide their priority order.
The weighting principles work as follows:
- Each ACE is given a fixed weighting value. This weighting value and the value of
  the ACE itself will jointly decide the final matching order.
- The weighting values of ACEs rank in the following descending order: DSCP, ToS,
  ICMP, established, VPN-instance, precedence, fragment.
- A fixed weighting value is deducted from the weighting value of each ACE of the
  rule. The smaller the weighting value left, the higher the priority.
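The following added example (not taken from the manual or from Huawei code) models the four depth-first criteria as successive tie-breakers and shows how the same rule set gives a different verdict under config and auto order. The `Rule` class, the helper names and the sample rules are assumptions made for illustration; the weighting tie-break is not modelled because the manual gives no weighting values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int                # position in the configured order
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" covers 1-255; "tcp"/"udp" cover one number
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    ports: tuple = (0, 65535)   # destination port range, inclusive

def depth_first_key(r):
    """Smaller tuple = higher priority, compared in the manual's order 1) to 4)."""
    proto_span = 255 if r.protocol == "ip" else 1
    src_len = ipaddress.ip_network(r.src).prefixlen
    dst_len = ipaddress.ip_network(r.dst).prefixlen
    port_span = r.ports[1] - r.ports[0] + 1
    return (proto_span, -src_len, -dst_len, port_span)  # longer mask sorts first

def order(rules, mode):
    configured = sorted(rules, key=lambda r: r.rule_id)
    if mode == "config":
        return configured
    # Assumption: rules still tied after the four criteria keep configured order
    # (the weighting tie-break is not modelled). sorted() is stable.
    return sorted(configured, key=depth_first_key)

def matches(r, pkt):
    return ((r.protocol == "ip" or r.protocol == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(r.dst)
            and r.ports[0] <= pkt["dport"] <= r.ports[1])

def decide(rules, mode, pkt):
    """Return (rule_id, action) of the first rule that matches in the given order."""
    for r in order(rules, mode):
        if matches(r, pkt):
            return r.rule_id, r.action
    return None, "no-match"

# Constructed sample rule set and packet (not from the manual).
RULES = [
    Rule(0, "deny", "ip", src="10.1.0.0/16"),
    Rule(1, "permit", "tcp", src="10.1.1.0/24", dst="192.168.0.10/32", ports=(22, 22)),
    Rule(2, "permit", "ip", src="10.1.1.5/32"),
]
SSH = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.168.0.10", "dport": 22}

if __name__ == "__main__":
    for mode in ("config", "auto"):
        print(mode, [r.rule_id for r in order(RULES, mode)], decide(RULES, mode, SSH))
```

In config order the broad deny in rule 0 matches first, while in auto order the narrower permits are evaluated ahead of it and the same packet is permitted. When auditing an ACL that uses auto, review the effective order rather than the order in which the rules were typed.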
Huawei Technologies Proprietary
Chapter 1 ACL Configuration