1.1.2 ACL Matching Order, 1.1.3 Time Range-based ACL, 1.1.4 Types of ACLs Supported by the Ethernet Switch – H3C Technologies H3C S3100 Series Switches User Manual

Operation Manual – ACL
H3C S3100-52P Ethernet Switch
Chapter 1 ACL Configuration
1.1.2 ACL Matching Order
An ACL can contain multiple rules, each of which matches a specific type of packet, so the order in which the rules of an ACL are matched needs to be determined.
The order in which the rules of an ACL are matched can be:
- The order in which the rules are created.
- The order determined by the system. In this case, the rules are matched according to the "depth-first" rule.
With the depth-first rule adopted, the rules of an ACL are matched according to:
1) Protocol range. The range for IP is 1 to 255 and those of other protocols are their protocol numbers. The smaller the protocol range, the higher the priority.
2) Range of source IP address. The smaller the source IP address range (that is, the longer the mask), the higher the priority.
3) Range of destination IP address. The smaller the destination IP address range (that is, the longer the mask), the higher the priority.
4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority.
If rule A and rule B are the same in all four ACEs (access control elements) above, and also in the number of other ACEs to be considered in deciding their priority order, the weighting principles listed below are used to decide their priority order.
- Each ACE is given a fixed weighting value. This weighting value and the value of the ACE itself jointly decide the final matching order.
- The weighting values of ACEs rank in the following descending order: DSCP, ToS, ICMP, established, VPN-instance, precedence, fragment.
- A fixed weighting value is deducted from the weighting value of each ACE of the rule. The smaller the weighting value left, the higher the priority.
- If the number and type of ACEs are the same for multiple rules, then the sum of the ACE values of a rule determines its priority. The smaller the sum, the higher the priority.
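To make the depth-first order concrete, here is an added Python example (not from the H3C manual) that sorts constructed rules by the four criteria above and shows that the same packet hits a different rule under creation order than under depth-first order. It assumes first-match semantics, reads "the range of a named protocol is its protocol number" as a range of size 1, and does not model the ACE weighting tie-break because the manual gives no numeric weights.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One advanced ACL rule (field names are this example's own). None means 'any'."""
    name: str
    protocol: Optional[int] = None            # None = IP, which covers protocols 1..255
    src: str = "0.0.0.0/0"                    # source network; longer mask = smaller range
    dst: str = "0.0.0.0/0"                    # destination network
    ports: Optional[Tuple[int, int]] = None   # inclusive TCP/UDP port range

def depth_first_key(rule: Rule) -> Tuple[int, int, int, int]:
    """Sort key for the manual's four depth-first criteria; smaller sorts first.
    Protocol: IP spans 1..255 (size 255); a single named protocol counts as size 1.
    Addresses: a longer mask means a smaller range, so the prefix length is negated."""
    proto_size = 255 if rule.protocol is None else 1
    lo, hi = rule.ports if rule.ports else (0, 65535)
    return (proto_size,
            -IPv4Network(rule.src).prefixlen,
            -IPv4Network(rule.dst).prefixlen,
            hi - lo + 1)

def depth_first_order(rules: List[Rule]) -> List[Rule]:
    """Rules in the order the switch evaluates them under system-determined ordering.
    sorted() is stable, so rules tied on all four criteria keep creation order here;
    the switch breaks such ties by ACE weighting, which this example does not model."""
    return sorted(rules, key=depth_first_key)

def matches(rule: Rule, proto: int, src: str, dst: str, port: int) -> bool:
    if rule.protocol is not None and rule.protocol != proto:
        return False
    if IPv4Address(src) not in IPv4Network(rule.src):
        return False
    if IPv4Address(dst) not in IPv4Network(rule.dst):
        return False
    lo, hi = rule.ports if rule.ports else (0, 65535)
    return lo <= port <= hi

def first_match(rules: List[Rule], proto: int, src: str, dst: str, port: int) -> Optional[str]:
    """Name of the first rule hit in the given evaluation order (first match wins)."""
    return next((r.name for r in rules if matches(r, proto, src, dst, port)), None)

# Constructed rules in creation order: a broad permit first, a narrow deny second.
RULES = [
    Rule("permit-any-ip"),
    Rule("deny-host-ssh", protocol=6, src="10.1.1.0/24", dst="10.2.2.10/32", ports=(22, 22)),
]
```

Under creation order the broad permit shadows the narrow deny; under depth-first order the deny is evaluated first, which is why a rule's position alone does not tell you whether it is effective on this switch.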
1.1.3 Time Range-based ACL
A time range-based ACL takes effect only in specified time ranges.
You can specify a time range for each rule in an ACL. An ACL rule cannot take effect if you do not configure a time range for it; it takes effect only when a time range is configured and the system time is within that range. If you remove the time range of an ACL rule, the rule becomes invalid after the ACL rule timer refreshes.
1.1.4 Types of ACLs Supported by the Ethernet Switch
The following types of ACLs are supported by the Ethernet switch:
- Basic ACL