Acl Match Order - H3C S7500 Series Operation Manual


Operation Manual – ACL
H3C S7500 Series Ethernet Switches
Advanced ACL: rules are made based on the Layer 3 and Layer 4 information
such as the source and destination IP addresses of the data packets, the type of
protocol over IP, protocol-specific features, and so on.
Layer 2 ACL: rules are made based on the Layer 2 information such as the source
and destination MAC address, VLAN priority, Layer 2 protocol, and so on.
User-defined ACL: such rules specify a byte in the packet, by its offset from the
packet header, as the starting point to perform logical AND operations, and
compare the extracted string with the user-defined string to find the matching
packets for processing.

1.1.1 ACL Match Order

An ACL may contain a number of rules, which specify different packet ranges. This
brings about the issue of match order when these rules are used to filter packets.
An ACL supports the following two types of match orders:
Configured order: ACL rules are matched according to the configured order.
Automatic ordering: ACL rules are matched according to the "depth-first" order.
I. IP ACL depth-first order
With the depth-first rule adopted, the rules of an IP ACL (basic and advanced) are
matched in the following order:
1) Protocol range of ACL rules. The range of IP protocol is 1 to 255 and those of other protocols over IP are the same as the corresponding protocol numbers. The smaller the protocol range, the higher the priority.
2) Range of source IP address. The smaller the source IP address range (that is, the longer the mask), the higher the priority.
3) Range of destination IP address. The smaller the destination IP address range (that is, the longer the mask), the higher the priority.
4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority.
If rule A and rule B are the same in all four of the ACEs (access control elements) above,
and also have the same number of other ACEs to be considered in deciding their priority order,
the weighting principles are used to decide their priority order.
The weighting principles work as follows:
Each ACE is given a fixed weighting value. This weighting value and the value of
the ACE itself will jointly decide the final matching order. The weighting values of
ACEs rank in the following descending order: DSCP, ToS, ICMP, established,
precedence, fragment.
The weighting value of each ACE of the rule is deducted from a fixed weighting
value. The smaller the weighting value left, the higher the priority.
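A worked illustration of the depth-first ordering described above, added here as example code (it is not from the H3C manual). The concrete weighting numbers and the fixed starting weight are assumptions; only their descending order (DSCP, ToS, ICMP, established, precedence, fragment) comes from the text.

```python
"""Depth-first ordering of IP ACL rules (illustration, not H3C code)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed weights: the manual gives only their descending order.
ACE_WEIGHTS = {"dscp": 32, "tos": 16, "icmp": 8, "established": 4,
               "precedence": 2, "fragment": 1}
FIXED_WEIGHT = 64  # constructed value the ACE weights are deducted from


@dataclass
class Rule:
    name: str
    protocol: str = "ip"            # "ip" spans protocol numbers 1..255
    src: str = "0.0.0.0/0"          # source address/prefix
    dst: str = "0.0.0.0/0"          # destination address/prefix
    ports: tuple = (0, 65535)       # inclusive TCP/UDP port range
    aces: frozenset = frozenset()   # other ACEs present on the rule


def protocol_range(rule):
    """Size of the protocol range: 255 for 'ip', 1 for a single protocol."""
    return 255 if rule.protocol == "ip" else 1


def depth_first_key(rule):
    """Sort key: smaller tuple = matched first. Each element is a range
    size (longer mask = smaller range), the last is the weight left after
    deducting each ACE's weight, which only decides ties on the first four."""
    src_len = ip_network(rule.src, strict=False).prefixlen
    dst_len = ip_network(rule.dst, strict=False).prefixlen
    remaining = FIXED_WEIGHT - sum(ACE_WEIGHTS[a] for a in rule.aces)
    return (protocol_range(rule), 32 - src_len, 32 - dst_len,
            rule.ports[1] - rule.ports[0] + 1, remaining)


def order_rules(rules):
    """Return rule names in depth-first match order."""
    return [r.name for r in sorted(rules, key=depth_first_key)]


# Constructed sample ACL; its configured order is not the depth-first one.
SAMPLE = [
    Rule("any-ip"),
    Rule("tcp-any", protocol="tcp"),
    Rule("tcp-host", protocol="tcp", src="10.1.1.1/32"),
    Rule("tcp-host-ssh", protocol="tcp", src="10.1.1.1/32", ports=(22, 22)),
    Rule("tcp-host-ssh-dscp", protocol="tcp", src="10.1.1.1/32",
         ports=(22, 22), aces=frozenset({"dscp"})),
    Rule("tcp-net", protocol="tcp", src="10.1.1.0/24"),
]

if __name__ == "__main__":
    print(order_rules(SAMPLE))
```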
1-2
Chapter 1 ACL Configuration
