Acl Overview - H3C S9500 Series Operation Manual

Operation Manual – ACL
H3C S9500 Series Routing Switches
Chapter 1 ACL Configuration
When Configuring ACLs, go to these sections for information you are interested in:

ACL Overview

ACL Configuration Task List
Displaying and Maintaining ACL Configuration
ACL Configuration Examples
1.1 ACL Overview
Access Control Lists (ACLs) are used to filter packets passing through network devices.
ACLs achieve this through ACL rules defined in them. ACL rules identify specific
packets and then deny/permit the packets.
ACL rules defined in an ACL can classify packets by source/destination address and
source/destination port number. After you apply an ACL globally or on a port, the device
checks the received packets and denies/permits the matching packets according to the
ACL rules defined in the ACL.
The rules defined in ACLs can also be used for traffic classification, for example, QoS
traffic classification.
An ACL can contain multiple rules, which may be defined for packets within different
address ranges. Matching order is involved in matching an ACL.
1.1.1 ACLs activated directly on hardware
ACLs can be delivered to hardware for traffic filtering and classification.
The cases when ACLs are sent directly to hardware include: referencing ACLs to
provide for QoS functions, filtering and forwarding packets with ACLs.
1.1.2 ACLs referenced by upper-level modules
ACLs may also be used to filter and classify packets processed by software. In this
case, you can define the order in which the rules in an ACL are matched. Two matching
modes are available in this case: config (the order in which the rules are defined) and
auto (depth first). You cannot modify the matching order once you define it for an ACL
rule, unless you delete the rule and redefine the matching order.
The cases when ACLs are referenced by upper-level modules include referencing
ACLs to achieve routing policies, and using ACLs to control register users and so on.
1-1
Chapter 1 ACL Configuration