Ways To Apply Acl On A Switch; Acls Based On Time Ranges - H3C S7500 Series Operation Manual

Operation Manual – ACL
H3C S7500 Series Ethernet Switches
If the number and type of ACEs are the same for multiple rules, then the sum of
ACE values of a rule determines its priority. The smaller the sum, the higher the
priority.
II. Layer 2 ACL depth-first order
With the depth-first order adopted, the rules of a Layer 2 ACL are matched in the order
of the mask length of the source MAC address and destination MAC address: the
longer the mask, the higher the match priority. If two mask lengths are the same, the
rule configured earlier has the higher priority. For example, the rule with source MAC
address mask FFFF-FFFF-0000 has a higher priority than the rule with source MAC
address mask FFFF-0000-0000.
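The following is an added example, not code from the H3C manual, that models the Layer 2 depth-first order described above beside the user-defined (config) order. It assumes that the source MAC mask is compared before the destination MAC mask and that equal masks fall back to configuration order (rule id); the rule set and the frame addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


def mac_int(mac: str) -> int:
    """Parse hhhh-hhhh-hhhh notation into an integer."""
    return int(mac.replace("-", ""), 16)


def mask_len(mac_mask: str) -> int:
    """Mask length = number of one bits in the MAC mask."""
    return bin(mac_int(mac_mask)).count("1")


@dataclass(frozen=True)
class L2Rule:
    rule_id: int          # lower id = configured earlier (assumption)
    src_mac: str
    src_mask: str
    dst_mac: str
    dst_mask: str
    action: str           # "permit" or "deny"

    def matches(self, src: str, dst: str) -> bool:
        """A frame matches when the masked bits of both addresses agree."""
        sm, dm = mac_int(self.src_mask), mac_int(self.dst_mask)
        return (mac_int(src) & sm) == (mac_int(self.src_mac) & sm) and \
               (mac_int(dst) & dm) == (mac_int(self.dst_mac) & dm)


def depth_first_key(rule: L2Rule):
    # Longer masks sort first (negated lengths); ties keep configuration order.
    return (-mask_len(rule.src_mask), -mask_len(rule.dst_mask), rule.rule_id)


def order_rules(rules: List[L2Rule], match_order: str = "config") -> List[L2Rule]:
    """config: user-defined order; auto: depth-first order."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=depth_first_key)
    raise ValueError("match order must be 'config' or 'auto'")


def first_match(rules: List[L2Rule], src: str, dst: str,
                match_order: str = "auto") -> Optional[L2Rule]:
    """Return the first rule hit in the chosen match order, or None."""
    for rule in order_rules(rules, match_order):
        if rule.matches(src, dst):
            return rule
    return None


# Constructed rule set: a coarse deny configured first, a more specific permit second.
RULES = [
    L2Rule(0, "0001-0203-0000", "FFFF-0000-0000",
           "0000-0000-0000", "0000-0000-0000", "deny"),
    L2Rule(1, "0001-0203-0405", "FFFF-FFFF-0000",
           "0000-0000-0000", "0000-0000-0000", "permit"),
]

if __name__ == "__main__":
    src, dst = "0001-0203-0405", "00e0-fc00-0001"   # constructed frame addresses
    for mode in ("config", "auto"):
        hit = first_match(RULES, src, dst, mode)
        print(mode, "->", hit.action if hit else "no match")
```

The same frame is denied under config order (rule 0 is evaluated first) and permitted under auto order (rule 1 has the longer source mask), which is exactly the difference an operator has to keep in mind when choosing the match order of an ACL.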

1.1.2 Ways to Apply ACL on a Switch

I. ACLs activated directly on the hardware
In a switch, an ACL can be directly activated on the switch hardware for packet filtering
and traffic classification in the data forwarding process. You can use the acl order
command to specify the match order for the rules in the ACL. For detailed configuration,
refer to Specifying the Match Order of ACL
ACLs are directly activated on the switch hardware in the following situations: when the
switch references ACLs to implement QoS functions, and when it filters forwarded data
through ACLs.
II. ACL referenced by the upper-level modules
The switch also uses ACLs to filter packets processed by software and implements
traffic classification. In this case, there are two types of match orders for the rules in an
ACL: config (user-defined match order) and auto (the system performs automatic
ordering, namely according to the "depth-first" order). In this scenario, you can specify
the match order for multiple rules in an ACL. You cannot modify the match order for an
ACL once you have specified it. You can specify anew the match order only after all the
rules are deleted from the ACL.
ACLs can also be referenced by route policies or be used to control login users.

1.1.3 ACLs Based on Time Ranges

A time range-based ACL enables you to apply ACL control to packets according to the
time range in which they arrive.
A time range can be specified in each rule in an ACL. If the time range specified in a rule
is not yet configured, the system gives a prompt message but still allows the rule to be
created. However, the rule does not take effect immediately. It takes effect only when
the specified time range is configured and the system time is within the time
Rules.
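The following is an added example, not code from the H3C manual, that models the behaviour described above: a rule may reference a time range that is not configured yet, and it only takes effect once that range exists and the system time falls inside it. It assumes a periodic time range made of a weekday set and a start/end time of day (absolute date ranges are not modelled); the time ranges, rules and clock values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time                  # exclusive end of the daily window
    weekdays: FrozenSet[int]   # datetime.weekday() values, 0 = Monday

    def contains(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    time_range: Optional[str] = None   # name of a time range, or None


def create_rule(rule: Rule, time_ranges: Dict[str, TimeRange]) -> Optional[str]:
    """Rule creation always succeeds; an unconfigured range only yields a prompt."""
    if rule.time_range is not None and rule.time_range not in time_ranges:
        return "time range %s is not configured; rule %d will not take effect until it is" % (
            rule.time_range, rule.rule_id)
    return None


def rule_active(rule: Rule, time_ranges: Dict[str, TimeRange], now: datetime) -> bool:
    """A rule without a time range is always active; otherwise the range must exist
    and the clock must be inside it."""
    if rule.time_range is None:
        return True
    tr = time_ranges.get(rule.time_range)
    if tr is None:
        return False
    return tr.contains(now)


def active_rule_ids(rules: List[Rule], time_ranges: Dict[str, TimeRange],
                    now: datetime) -> List[int]:
    return [r.rule_id for r in rules if rule_active(r, time_ranges, now)]


# Constructed configuration: one working-hours range; "maintenance" is referenced
# by a rule but never configured.
TIME_RANGES = {
    "work": TimeRange("work", time(8, 0), time(18, 0), frozenset(range(0, 5))),
}
RULES = [
    Rule(0, "deny", "work"),
    Rule(1, "permit"),
    Rule(2, "deny", "maintenance"),
]

if __name__ == "__main__":
    for r in RULES:
        msg = create_rule(r, TIME_RANGES)
        if msg:
            print("prompt:", msg)
    for clock in (datetime(2024, 1, 10, 9, 30),    # Wednesday, inside "work"
                  datetime(2024, 1, 13, 9, 30)):   # Saturday, outside "work"
        print(clock, "active rules:", active_rule_ids(RULES, TIME_RANGES, clock))
```

The check that matters operationally is rule 2: it is accepted at configuration time but never contributes to filtering until "maintenance" is defined, so an audit of the ACL alone does not tell you which rules are currently enforced.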
1-3
Chapter 1 ACL Configuration
