Chapter 1 Acl Configuration; Acl Overview; Introduction To Acl - H3C S9500 Series Operation Manual

Operation Manual – QoS/ACL
H3C S9500 Series Routing Switches

Chapter 1 ACL Configuration

1.1 ACL Overview

1.1.1 Introduction to ACL

A series match rules must be configured to recognize the packets before they are
filtered. Only when packets are identified, can the network take corresponding actions,
allowing or prohibiting them to pass, according to the preset policies. Access control list
(ACL) is targeted to achieve these functions.
ACLs classify packets using a series of matching rules, which can be source addresses,
destination addresses and port IDs. ACLs can be used globally on the switch or just at
a port, through which the switch determines whether to forward or drop the packets.
The matching rules defined in ACLs can also be imported to differentiate traffic in other
situations, for example, defining traffic classification rules in QoS.
An ACL rule can include many rules, which may be defined for packets within different
address ranges. Matching order is involved in matching an ACL.
I. ACLs being activated directly on hardware
ACLs can be delivered to hardware for traffic filtering and classification.
The cases when ACLs are sent directly to hardware include: referencing ACLs to
provide for QoS functions, filtering and forwarding packets with ACLs.
II. ACLs being referenced by upper-level modules
ACLs may also be used to filter and classify packets processed by software. Then you
can define matching order for the rules in an ACL. Two matching modes are available in
this case: config (user-defined order) and auto (depth first by the system). You cannot
modify the matching order once you define it for an ACL rule, unless you delete the rule
and redefine the matching order.
The cases when ACLs are referenced by upper-level modules include referencing
ACLs to achieve routing policies, and using ACLs to control register users and so on.
1-1
Chapter 1 ACL Configuration