H3C S9500 Series Operation Manual page 1111


Operation Manual – ACL
H3C S9500 Series Routing Switches
Note:
The numbers listed in the table are not the actual lengths of these elements in IP packets, but their lengths in the flow template. For example, the DSCP field is one byte in the flow template but six bits in IP packets. Use these numbers to determine whether the total length of the template elements exceeds 16 bytes.
The dscp, exp, ip-precedence, and tos fields jointly occupy one byte. One byte is occupied no matter whether you define one, two or three of these fields.
The c-tag-cos and c-tag-vlanid fields jointly occupy six bytes. Six bytes are occupied no matter whether you define one or both of them.
The fragment-flags and mac-type fields do not count toward the flow template length, so you need not take them into account when determining whether the total length of the template elements exceeds 16 bytes.
C-type cards with 100 Mbps ports do not support the mac-type field.
If you configure QoS and ACL to prevent TTL=1 IP packet attacks, your configuration will filter out some IP packets with a TTL of 1. In this case, to permit expected TTL=1 packets to reach the CPU, you need to add some rules to your ACL.
To apply a user-defined flow template to a VLL-enabled port, make sure the flow template includes the vlanid field. (VLL: virtual leased line.)
Usually, you can either use the default template or define a flow template based on your
needs.
Caution:
An OAP card supports only the default template.
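The rules in the note and caution above can be checked before a template is configured. The following Python sketch is an added example, not part of the H3C manual: the function names are hypothetical, and the lengths for sip, dip and vlanid are constructed placeholders that must be replaced with the values from the manual's table.

```python
LIMIT = 16  # maximum total length of template elements, in bytes (from the note)

# Fields that share one slot: the group is charged once, however many members are used.
SHARED = {
    "qos-byte": ({"dscp", "exp", "ip-precedence", "tos"}, 1),
    "c-tag": ({"c-tag-cos", "c-tag-vlanid"}, 6),
}
FREE = {"fragment-flags", "mac-type"}  # do not count toward the 16-byte limit


def template_length(fields, other_lengths):
    """Return the flow-template length in bytes for the selected field names."""
    total, charged = 0, set()
    for f in dict.fromkeys(fields):  # ignore duplicate field names
        if f in FREE:
            continue
        group = next((g for g, (members, _) in SHARED.items() if f in members), None)
        if group:
            if group not in charged:  # charge a shared group only once
                charged.add(group)
                total += SHARED[group][1]
        elif f in other_lengths:
            total += other_lengths[f]
        else:
            raise KeyError(f"no template length known for field {f!r}")
    return total


def check_template(fields, other_lengths, vll_port=False, c_type_100m=False, oap_card=False):
    """Return a list of rule violations; an empty list means the template passes."""
    problems = []
    if oap_card:
        problems.append("OAP card supports only the default template")
    length = template_length(fields, other_lengths)
    if length > LIMIT:
        problems.append(f"template is {length} bytes, limit is {LIMIT}")
    if vll_port and "vlanid" not in fields:
        problems.append("VLL-enabled port requires the vlanid field")
    if c_type_100m and "mac-type" in fields:
        problems.append("C-type card with 100 Mbps ports does not support mac-type")
    return problems


# Constructed placeholder lengths; take the real values from the manual's table.
SAMPLE_LENGTHS = {"sip": 4, "dip": 4, "vlanid": 2}
```
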
Chapter 1 ACL Configuration
