H3C S9500 Series Operation Manual page 1104

Operation Manual – ACL
H3C S9500 Series Routing Switches
Note:
The depth-first principle places the statement that matches the smaller packet
range first. You can determine the packet range by comparing IP address wildcards:
the smaller the wildcard, the smaller the host range. For example, the address
129.102.1.1 0.0.0.0 specifies the host 129.102.1.1, and the address 129.102.1.1
0.0.255.255 specifies the segment 129.102.1.1 to 129.102.255.255, so the statement
for host 129.102.1.1 is placed first. Specifically, for basic ACL rules, compare
the source address wildcards directly and follow configuration order if the
wildcards are equal; for ACL rules used in port packet filtering, rules configured
with any are placed last and the other rules follow configuration order; for
advanced ACL rules, first compare the source address wildcards, then the
destination address wildcards if the source wildcards are equal, then the port IDs
if the destination wildcards are also equal. If the port IDs are also equal, follow
configuration order.
The user-defined ACL matching order takes effect only when multiple rules of an
ACL are applied at the same time. For example, for an ACL containing two rules, if
the two rules are not applied simultaneously, even if you configure the matching
order to be depth first, the switch still matches them according to the order in which
they are applied.
If one rule is a subset of another rule in an ACL, it is recommended to apply the rules
according to the range of the specified packets. The rule with the smallest range of
the specified data packets is applied first, and then other rules are applied based on
this principle.
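The following sketch is an added example, not code from the H3C manual or the switch software. It orders a constructed advanced ACL by the depth-first comparison described in the note and shows how the first matching rule changes compared with configuration order. Assumptions: a wildcard's size is taken as its number of 1 bits, "port IDs" are compared by port range width, and the first matching rule decides.

```python
import ipaddress
from typing import NamedTuple

def ip(text):
    return int(ipaddress.IPv4Address(text))

class Rule(NamedTuple):
    rule_id: int                     # configuration order
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # i.e. "any"
    ports: tuple = (0, 65535)        # inclusive destination port range

def dont_care_bits(wildcard):
    """Count wildcard bits set to 1; the rule covers 2**bits addresses."""
    return bin(ip(wildcard)).count("1")

def depth_first(rules):
    """Source wildcard, destination wildcard, port range, then config order."""
    return sorted(rules, key=lambda r: (dont_care_bits(r.src_wc),
                                        dont_care_bits(r.dst_wc),
                                        r.ports[1] - r.ports[0],  # assumption
                                        r.rule_id))

def addr_match(addr, base, wildcard):
    return ((ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

def decide(rules, src, dst, port):
    """First-match evaluation (assumed): first matching rule wins."""
    for r in rules:
        if (addr_match(src, r.src, r.src_wc) and addr_match(dst, r.dst, r.dst_wc)
                and r.ports[0] <= port <= r.ports[1]):
            return r.rule_id, r.action
    return None, "no-match"

# Constructed rule set, in configuration order (not from the manual).
RULES = [
    Rule(0, "permit", "129.102.1.1", "0.0.255.255"),
    Rule(1, "deny",   "129.102.1.1", "0.0.0.0"),
    Rule(2, "deny",   "129.102.1.1", "0.0.255.255", "10.0.0.0", "0.0.0.255", (23, 23)),
    Rule(3, "permit", "129.102.1.1", "0.0.255.255", "10.0.0.0", "0.0.0.255"),
]

if __name__ == "__main__":
    print("config order:", decide(RULES, "129.102.1.1", "10.0.0.5", 80))
    print("depth first: ", decide(depth_first(RULES), "129.102.1.1", "10.0.0.5", 80))
```

In configuration order the broad permit (rule 0) shadows the host-specific deny (rule 1); depth-first ordering evaluates the narrower rule first.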
1.1.3 ACLs Supported on Your Device
The switch supports the following types of ACLs:
Number-based basic ACLs
Name-based basic ACLs
Number-based advanced ACLs
Name-based advanced ACLs
Number-based Layer 2 ACLs
Name-based Layer 2 ACLs
The limits for the ACLs on the switch are listed in the following table.
Table 1-1 Limits on ACLs on the switch
Item                         Number range    Maximum number
Number-based basic ACL       2000 to 2999    1000
Number-based advanced ACL    3000 to 3999    1000
Chapter 1 ACL Configuration
