Ways To Apply An Acl On A Switch - 3Com 4500 PWR 26-Port Configuration Manual


auto: where rules in an ACL are matched in the order determined by the system, namely the "depth-first" rule (Layer 2 ACLs, user-defined ACLs and IPv6 ACLs do not support this feature).

For the depth-first rule, there are two cases:

Depth-first match order for rules of a basic ACL
1) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
2) Fragment keyword: A rule with the fragment keyword is prior to others.
3) If the above two conditions are identical, the earlier configured rule applies.

Depth-first match order for rules of an advanced ACL
1) Protocol range: A rule which has specified the types of the protocols carried by IP is prior to others.
2) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
3) Range of destination IP address: The smaller the destination IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
4) Range of Layer 4 port number, that is, TCP/UDP port number: The smaller the range, the higher the match priority.
5) Number of parameters: The more the parameters, the higher the match priority.

If rule A and rule B are still the same after comparison in the above order, the weighting principles will be used in deciding their priority order. Each parameter is given a fixed weighting value. This weighting value and the value of the parameter itself will jointly decide the final matching order. Involved parameters with weighting values from high to low are icmp-type, established, dscp, tos, precedence, fragment. Comparison rules are listed below.
- The smaller the weighting value left, which is a fixed weighting value minus the weighting value of every parameter of the rule, the higher the match priority.
- If the types of parameter are the same for multiple rules, then the sum of parameters' weighting values of a rule determines its priority. The smaller the sum, the higher the match priority.

Ways to Apply an ACL on a Switch

Being applied to the hardware directly
In the switch, an ACL can be directly applied to hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL. For Switch 4500 series, the later the rule applies, the higher the match priority.
ACLs are directly applied to hardware when they are used for:
- Implementing QoS
- Filtering the packets to be forwarded

Being referenced by upper-level software
ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways:
- config, where rules in an ACL are matched in the order defined by the user.
- auto, where the rules in an ACL are matched in the order determined by the system, namely the "depth-first" order (Layer 2 ACLs, user-defined ACLs and IPv6 ACLs do not support this feature).
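The config and auto match orders described above can give different verdicts for the same basic ACL, which matters when auditing what a rule set actually permits. The following is an added example, not code from the 3Com manual: the Rule class, its fields and the sample ACL are constructed, it covers only the three basic-ACL criteria, and it assumes a rule with the fragment keyword matches fragments only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    seq: int                # order in which the rule was configured (constructed)
    action: str             # "permit" or "deny"
    src: str                # source IP address
    wildcard: str           # wildcard mask: 0 bits must match, 1 bits are ignored
    fragment: bool = False  # rule carries the fragment keyword

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def zeros(rule):
    """Zero bits in the wildcard mask; more zeros means a smaller address range."""
    return 32 - bin(_int(rule.wildcard)).count("1")

def order(rules, mode):
    """Return the rules of a basic ACL in the order they are compared."""
    if mode == "config":    # order defined by the user
        return sorted(rules, key=lambda r: r.seq)
    if mode == "auto":      # depth-first: range, then fragment, then earlier rule
        return sorted(rules, key=lambda r: (-zeros(r), not r.fragment, r.seq))
    raise ValueError(f"unknown match order: {mode}")

def verdict(rules, mode, src, is_fragment=False):
    """The first matching rule decides; None means no rule matched."""
    for r in order(rules, mode):
        care = ~_int(r.wildcard) & 0xFFFFFFFF
        if (_int(src) & care) != (_int(r.src) & care):
            continue
        if r.fragment and not is_fragment:  # assumption: fragment rules match fragments only
            continue
        return r.action, r.seq
    return None

# Constructed sample ACL, listed in configuration order.
ACL = [
    Rule(1, "permit", "10.1.0.0", "0.0.255.255"),
    Rule(2, "deny", "10.1.1.0", "0.0.0.255"),
    Rule(3, "permit", "10.1.1.0", "0.0.0.255", fragment=True),
]

if __name__ == "__main__":
    for mode in ("config", "auto"):
        print(mode, [r.seq for r in order(ACL, mode)], verdict(ACL, mode, "10.1.1.7"))
```

With this sample, a packet from 10.1.1.7 is permitted by the broad rule under config order but denied by the narrower rule under auto order.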

This manual is also suitable for:

4500 26-port, 4500 50-port