
ACL Matching Order, Depth-first match order for rules of a basic ACL – H3C Technologies H3C S3600 Series Switches User Manual


- User-defined ACL: An ACL of this type matches packets by comparing strings retrieved from the packets with specified strings. The rule defines the byte offset, relative to the packet header, at which the switch begins the "and" operation between the packet and the mask.

- IPv6 ACL: An ACL of this type matches IPv6 packets on information such as the source IP address, destination IP address, source MAC address, destination MAC address, traffic class, next header, destination TCP or UDP port number, and VLAN tag.

ACL Matching Order

An ACL can contain multiple rules, each of which matches a specific type of packet, so the order in which the rules of an ACL are matched must be determined.

The rules in an ACL can be matched in one of the following two ways:

- config: rules in the ACL are matched in the order defined by the user.

- auto: rules in the ACL are matched in the order determined by the system, namely the "depth-first" rule (Layer 2 ACLs, user-defined ACLs and IPv6 ACLs do not support this feature).

For the depth-first rule, there are two cases:

Depth-first match order for rules of a basic ACL

1) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.

2) Fragment keyword: A rule with the fragment keyword takes precedence over rules without it.

3) If the above two conditions are identical, the earlier configured rule applies.

Depth-first match order for rules of an advanced ACL

1) Protocol range: A rule that specifies the type of protocol carried by IP takes precedence over rules that do not.

2) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.

3) Range of destination IP address: The smaller the destination IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.

4) Range of Layer 4 port number, that is, TCP/UDP port number: The smaller the range, the higher the match priority.

5) Number of parameters: The more parameters a rule specifies, the higher the match priority.

If rule A and rule B are still the same after comparison in the above order, the weighting principle is used to decide their priority order. Each parameter is given a fixed weighting value, and this weighting value together with the value of the parameter itself decides the final matching order. The parameters involved, with weighting values from high to low, are icmp-type, established, dscp, tos, precedence and fragment. The comparison rule is:

- Subtract the weighting value of every parameter in the rule from a fixed weighting value; the smaller the weighting value left, the higher the match priority.
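The following is an added example, not code from the H3C manual, that models the depth-first ("auto") ordering described above for both basic and advanced ACL rules as a sort key. Everything the page states is encoded directly (zero bits in the wildcard mask, fragment keyword, protocol specified, address ranges, port range, parameter count, weighting tie-break, configuration order). The numeric weights in PARAM_WEIGHT, the value of FIXED_WEIGHT, the way source and destination port ranges are combined into one span, and the way parameters are counted are assumptions chosen only to preserve the relative order the manual gives; the switch's real constants are not on the page.

```python
# Added example: depth-first ("auto") match order for H3C-style ACL rules.
# Rule data, weights and the port/parameter counting conventions are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "255.255.255.255"  # wildcard mask meaning "any address"


def wildcard_zero_bits(wildcard: str) -> int:
    """Number of 0 bits in a dotted-decimal wildcard mask.

    In a wildcard mask a 0 bit means "this bit must match", so more zero
    bits = a narrower address range = higher depth-first priority.
    """
    octets = [int(o) for o in wildcard.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad wildcard mask: {wildcard}")
    return sum(8 - bin(o).count("1") for o in octets)


@dataclass
class BasicRule:
    rule_id: int              # configuration order; lower = configured earlier
    src_wildcard: str = ANY
    fragment: bool = False


def basic_rule_key(rule: BasicRule):
    """Sort key for the basic-ACL depth-first order:
    1) narrower source range, 2) fragment keyword, 3) earlier configuration."""
    return (-wildcard_zero_bits(rule.src_wildcard),
            0 if rule.fragment else 1,
            rule.rule_id)


# Assumed weighting values (not given on the page). Only their relative order,
# icmp-type > established > dscp > tos > precedence > fragment, comes from the manual.
PARAM_WEIGHT = {"icmp-type": 32, "established": 16, "dscp": 8,
                "tos": 4, "precedence": 2, "fragment": 1}
FIXED_WEIGHT = 64  # assumed "fixed weighting value"


@dataclass
class AdvancedRule:
    rule_id: int
    protocol: Optional[str] = None                 # None = any IP protocol
    src_wildcard: str = ANY
    dst_wildcard: str = ANY
    src_ports: Optional[Tuple[int, int]] = None    # inclusive range; None = any
    dst_ports: Optional[Tuple[int, int]] = None
    params: Tuple[str, ...] = ()                   # weighted keywords, e.g. ("established",)


def _port_range_size(pr: Optional[Tuple[int, int]]) -> int:
    return 65536 if pr is None else pr[1] - pr[0] + 1


def advanced_rule_key(rule: AdvancedRule):
    """Sort key for the advanced-ACL depth-first order (steps 1-5),
    then the weighting tie-break, then configuration order."""
    for p in rule.params:
        if p not in PARAM_WEIGHT:
            raise ValueError(f"unknown weighted parameter: {p}")
    # Assumption: each explicitly specified field counts as one parameter.
    n_params = sum([rule.protocol is not None,
                    rule.src_wildcard != ANY,
                    rule.dst_wildcard != ANY,
                    rule.src_ports is not None,
                    rule.dst_ports is not None]) + len(rule.params)
    # Assumption: the Layer 4 range is compared as source + destination port values.
    port_span = _port_range_size(rule.src_ports) + _port_range_size(rule.dst_ports)
    weight_left = FIXED_WEIGHT - sum(PARAM_WEIGHT[p] for p in rule.params)
    return (0 if rule.protocol is not None else 1,    # 1) protocol specified first
            -wildcard_zero_bits(rule.src_wildcard),  # 2) narrower source range first
            -wildcard_zero_bits(rule.dst_wildcard),  # 3) narrower destination range first
            port_span,                                # 4) smaller port range first
            -n_params,                                # 5) more parameters first
            weight_left,                              # weighting tie-break
            rule.rule_id)                             # finally, configuration order


def depth_first_order(rules: List) -> List[int]:
    """Return rule IDs in the order they would be matched under 'auto'."""
    if not rules:
        return []
    key = basic_rule_key if isinstance(rules[0], BasicRule) else advanced_rule_key
    return [r.rule_id for r in sorted(rules, key=key)]


if __name__ == "__main__":
    # Constructed sample rules: configured order is 0,1,2,3 but auto order differs.
    basic = [BasicRule(0, ANY),
             BasicRule(1, "0.0.0.255"),
             BasicRule(2, "0.0.0.255", fragment=True),
             BasicRule(3, "0.0.0.0")]
    print(depth_first_order(basic))  # [3, 2, 1, 0]
```

The practical point for an operator is that under auto the configured sequence is not the matched sequence: a broad "permit any" entered first still loses to a narrower deny entered later, so reviewing an ACL means reviewing it in depth-first order, not file order.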
