3Com 7757 Configuration Manual page 638

3com switch 7750 family

638 CHAPTER 60: ACL CONFIGURATION
ACL Match Order
ACL referenced by the upper-level modules
The switch also uses ACLs to filter packets processed by software and to implement
traffic classification. In this case, there are two types of match orders for the rules
in an ACL: config (user-defined match order) and auto (the system orders the rules
automatically, according to the "depth-first" order). In this scenario, you
can specify the match order for multiple rules in an ACL. You cannot modify the
match order for an ACL once you have specified it. You can specify a new
match order only after all the rules are deleted from the ACL.
ACLs can also be referenced by route policies or be used to control login users.
An ACL may contain a number of rules, which specify different packet ranges. This
brings about the issue of match order when these rules are used to match packets.
An ACL supports the following two types of match orders:
Configured order: ACL rules are matched according to the configured order.
Automatic ordering: ACL rules are matched according to the "depth-first"
order.
IP ACL depth-first order
With the depth-first rule adopted, the rules of an IP ACL (basic and advanced ACL)
are matched in the following order:
1 Protocol number of ACL rules. Protocol number ranges from 1 to 255. The smaller
the protocol range, the higher the priority.
2 Range of source IP address. The smaller the source IP address range (that is, the
longer the mask), the higher the priority.
3 Range of destination IP address. The smaller the destination IP address range (that
is, the longer the mask), the higher the priority.
4 Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the
range, the higher the priority.
If rule A and rule B are the same in all four of the ACEs (access control elements)
above, and also have the same number of other ACEs to be considered in deciding
their priority order, weighting principles are used to decide their priority order.
The weighting principles work as follows:
Each ACE is given a fixed weighting value. This weighting value and the value
of the ACE itself will jointly decide the final matching order.
The weighting values of ACEs rank in the following descending order: DSCP,
ToS, ICMP, established, precedence, fragment.
A fixed weighting value is deducted from the weighting value of each ACE of
the rule. The smaller the weighting value left, the higher the priority.
If the number and type of ACEs are the same for multiple rules, then the sum
of ACE values of a rule determines its priority. The smaller the sum, the higher
the priority.
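The following added example (not from the 3Com manual) sorts a small constructed ACL by criteria 1 to 4 of the depth-first order and shows that the same packet gets a different verdict under config and auto match order. The names Rule, depth_key, order and first_match and the sample rules are assumptions; the weighting principles are not modelled because the page gives no weighting values.

```python
import ipaddress
from dataclasses import dataclass

ANY_PROTO = range(1, 256)    # the page gives protocol numbers as 1 to 255
ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    protocols: range   # IP protocol numbers the rule covers
    src: str           # source network in CIDR form
    dst: str           # destination network in CIDR form
    ports: range       # Layer 4 ports covered (assumed: destination port)

def depth_key(r):
    """Criteria 1-4 of the depth-first order; a smaller key means higher priority."""
    return (len(r.protocols),
            -ipaddress.ip_network(r.src).prefixlen,
            -ipaddress.ip_network(r.dst).prefixlen,
            len(r.ports))

def order(rules, mode):
    if mode == "config":
        return list(rules)                  # configured order, as entered
    if mode == "auto":
        # Assumption: full ties keep configured order (sorted() is stable);
        # the weighting principles are not modelled.
        return sorted(rules, key=depth_key)
    raise ValueError(f"unknown match order: {mode}")

def first_match(rules, mode, proto, src, dst, port):
    """Return (rule_id, action) of the first matching rule, or None."""
    for r in order(rules, mode):
        if (proto in r.protocols and port in r.ports
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)):
            return r.rule_id, r.action
    return None

# Constructed sample ACL, listed in configured order.
RULES = [
    Rule(0, "permit", ANY_PROTO, "10.0.0.0/8", "0.0.0.0/0", ANY_PORT),
    Rule(1, "deny", range(6, 7), "10.1.1.0/24", "192.168.0.10/32", range(23, 24)),
    Rule(2, "deny", range(6, 7), "10.1.0.0/16", "0.0.0.0/0", ANY_PORT),
]
TELNET = (6, "10.1.1.5", "192.168.0.10", 23)   # constructed TCP packet to port 23

if __name__ == "__main__":
    for mode in ("config", "auto"):
        print(mode, [r.rule_id for r in order(RULES, mode)], first_match(RULES, mode, *TELNET))
```

With config order the broad permit entered first shadows both deny rules; auto order evaluates the most specific deny first. Review which mode an ACL uses before relying on a narrow deny rule.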


This manual is also suitable for: 7750, 7758, 7754
