Ways To Apply An Acl On A Device - 3Com WX3000 Series Operation Manual

Unified switches switching engine
auto: where rules in an ACL are matched in the order determined by the system, namely the "depth-first" rule.
For the depth-first rule, there are two cases:
Depth-first match order for rules of a basic ACL
1) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
2) Fragment keyword: A rule with the fragment keyword takes priority over others.
3) If the above two conditions are identical, the earlier configured rule applies.
Depth-first match order for rules of an advanced ACL
1) Protocol range: A rule that specifies the type of protocol carried by IP takes priority over others.
2) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
3) Range of destination IP address: The smaller the destination IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
4) Range of Layer 4 port number (that is, TCP/UDP port number): The smaller the range, the higher the match priority.
5) Number of parameters: The more parameters a rule has, the higher the match priority.
If rule A and rule B are still the same after comparison in the above order, the weighting principle is used to decide their priority order. Each parameter is given a fixed weighting value. This weighting value and the value of the parameter itself jointly decide the final matching order. The involved parameters, with weighting values from high to low, are icmp-type, established, dscp, tos, precedence, and fragment. The comparison rules are as follows:
The smaller the remaining weighting value (a fixed weighting value minus the weighting value of every parameter of the rule), the higher the match priority.
If the parameter types are the same for multiple rules, the sum of a rule's parameter weighting values determines its priority. The smaller the sum, the higher the match priority.
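As an added illustration (not code from the 3Com manual), the comparator below orders advanced ACL rules by the five depth-first criteria listed above, falling back to configuration order on a tie. The Rule fields, the wildcard-zero-bit metric and the sample rules are constructed for this example; the vendor's fixed per-parameter weighting values are not stated in the text and are therefore not modelled.

```python
# Added example: depth-first ("auto") match ordering for advanced ACL rules.
# Field names and the sample rules are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_zero_bits(wildcard: str) -> int:
    """Zero bits in a wildcard mask: more zeros means a narrower address range."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass
class Rule:
    seq: int                                  # configuration order (smaller = earlier)
    protocol: Optional[str] = None            # e.g. "tcp"; None = any IP protocol
    src_wildcard: str = "255.255.255.255"     # wildcard mask, not a netmask
    dst_wildcard: str = "255.255.255.255"
    ports: Optional[Tuple[int, int]] = None   # (low, high) L4 port range; None = any
    params: int = 0                           # number of extra parameters (dscp, tos, ...)


def depth_first_key(r: Rule):
    """Sort key: a smaller tuple means a higher match priority."""
    port_span = (r.ports[1] - r.ports[0] + 1) if r.ports else 65536
    return (
        0 if r.protocol else 1,                 # 1) protocol specified wins
        -wildcard_zero_bits(r.src_wildcard),    # 2) narrower source range wins
        -wildcard_zero_bits(r.dst_wildcard),    # 3) narrower destination range wins
        port_span,                              # 4) smaller port range wins
        -r.params,                              # 5) more parameters wins
        r.seq,                                  # tie-break: earlier configured rule
    )


def match_order(rules: List[Rule]) -> List[Rule]:
    """Return the rules in the order the system would try them."""
    return sorted(rules, key=depth_first_key)


# Constructed sample: 10 is catch-all, 20 narrows the source, 30 and 40 name a
# protocol, and 30 additionally pins a single port.
SAMPLE = [
    Rule(seq=10),
    Rule(seq=20, src_wildcard="0.0.0.255"),
    Rule(seq=30, protocol="tcp", src_wildcard="0.0.255.255", ports=(80, 80)),
    Rule(seq=40, protocol="tcp", src_wildcard="0.0.255.255"),
]


def sample_order() -> List[int]:
    return [r.seq for r in match_order(SAMPLE)]


if __name__ == "__main__":
    print(sample_order())  # [30, 40, 20, 10]
```

Note that rule 20, although configured before 30 and 40, is tried after them because a specified protocol outranks a narrower source range in the depth-first order.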

Ways to Apply an ACL on a Device

Being applied to the hardware directly
On the device, an ACL can be applied directly to hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware rather than the order defined in the ACL. On the device, the earlier a rule is applied, the higher its match priority.
ACLs are applied directly to hardware when they are used for:
Implementing QoS
Filtering the packets to be forwarded
Being referenced by upper-level software
ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways:
config, where rules in an ACL are matched in the order defined by the user.
auto, where rules in an ACL are matched in the order determined by the system, namely the "depth-first" order.
This manual is also suitable for: WX3024, WX3010, WX3008