Filtering or Classifying Data Transmitted by the Software; ACL Support on the Switch 7700 - 3Com Switch 7700 Configuration Manual


Chapter 7: QoS/ACL Operation
This type of filtering includes ACLs that are used with the QoS function, ACLs used to filter the packet transmitted by the hardware, and so on.

Filtering or Classifying Data Transmitted by the Software

An ACL can be used to filter or classify the data transmitted by the software of the switch. The user can determine the match order of an ACL's sub-rules. There are two match orders: configuration, which follows the user-defined configuration order when matching the rule, and automatic, which follows the depth-first principle.

The depth-first principle puts the statement specifying the smallest range of addresses at the top of the list. For example, 129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 specifies the network segment 129.102.0.1 through 129.102.255.255. The host is listed first in the access control list. The specific standard is:

- For basic ACL statements, source address wildcards are compared directly. If the wildcards are the same, the configuration sequence is used.
- For the ACL based on the interface filter, the rule that is configured is listed at the end, while others follow the configuration sequence.
- For the advanced ACL, source address wildcards are compared first. If they are the same, then destination address wildcards are compared. For the same destination address wildcards, ranges of port numbers are compared and the smaller range is listed first. If the port numbers are in the same range, the configuration sequence is used.

After you specify the match-order of an access control rule, you cannot modify it later unless you delete all the contents and specify the match-order again.

This type of filtering includes ACLs cited by route policy function, ACLs used for controlling user logons, and so on.

ACL Support on the Switch 7700

Table 1 lists the categories of ACLs, their value ranges and the maximum number of each ACL on a Switch 7700.
Table 1 Quantitative Limitation to the ACL

| Item | Value range | Maximum |
|---|---|---|
| Numbered basic ACL | 2000 to 2999 | 99 |
| Numbered advanced ACL | 3000 to 3999 | 100 |
| Numbered Layer-2 ACL | 4000 to 4999 | 100 |
| User-defined ACL | 5000 to 5999 | 100 |
| Named basic ACL | - | 1000 |
| Named advanced ACL | - | 1000 |
| Named Layer-2 ACL | - | 1000 |
| The sub items of an ACL | 0 to 127 | 128 |
| Maximum sub items for all ACLs (for a 7-slot chassis) | - | 1536 (with 6 48-port I/O modules installed) |
| Maximum sub items for all ACLs (for 4-slot chassis) | - | 768 (with 3 48-port I/O modules installed) |
| Maximum sub items for all ACLs (for an 8-slot chassis) | - | 1536 (with 6 48-port I/O modules installed) |
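
The depth-first ordering described under "Filtering or Classifying Data Transmitted by the Software", as an added Python example (not code from the 3Com manual or the switch software), showing how the same sub-rules give different verdicts under the two match orders. It assumes wildcards are compared as integers and that the first matching sub-rule decides; `Rule`, `auto_order`, `config_order`, `first_match`, `disagreements` and the rule set are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

def ip(s):
    return int(ipaddress.IPv4Address(s))

@dataclass(frozen=True)
class Rule:
    seq: int                          # position in the user's configuration
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str                       # wildcard: 1 bits are "don't care"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # default: any destination
    ports: tuple = (0, 65535)         # inclusive destination port range

def config_order(rules):
    return sorted(rules, key=lambda r: r.seq)

def auto_order(rules):
    # Advanced-ACL depth-first order from the text: source wildcard, then
    # destination wildcard, then port-range size, then configuration sequence.
    return sorted(rules, key=lambda r: (ip(r.src_wc), ip(r.dst_wc),
                                        r.ports[1] - r.ports[0], r.seq))

def hit(addr, base, wc):
    care = ~ip(wc) & 0xFFFFFFFF       # bits that must match
    return (ip(addr) & care) == (ip(base) & care)

def first_match(ordered, src, dst, port):
    for r in ordered:
        if (hit(src, r.src, r.src_wc) and hit(dst, r.dst, r.dst_wc)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action
    return None                       # no sub-rule matched

def disagreements(rules, probes):
    # Probes (src, dst, port) whose verdict depends on the match order.
    return [p for p in probes
            if first_match(config_order(rules), *p) != first_match(auto_order(rules), *p)]

# Constructed rule set: a broad permit configured before two narrower denies.
RULES = [
    Rule(1, "permit", "129.102.1.1", "0.0.255.255"),
    Rule(2, "deny", "129.102.1.1", "0.0.0.0"),
    Rule(3, "deny", "129.102.1.1", "0.0.255.255", "10.0.0.0", "0.0.0.255", (23, 23)),
]

if __name__ == "__main__":
    print([r.seq for r in auto_order(RULES)])
    print(disagreements(RULES, [("129.102.1.1", "10.0.0.5", 23)]))
```

Running `disagreements` over a set of representative flows before choosing a match order shows which sub-rules are shadowed under configuration order, which matters because the match order cannot be changed afterwards without deleting the ACL contents.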
