Ways to apply an acl on a switch, Being applied to the hardware directly, Being referenced by upper-level software – H3C Technologies H3C S3600 Series Switches User Manual

- If the types of parameter are the same for multiple rules, then the sum of parameters’ weighting values of a rule determines its priority. The smaller the sum, the higher the match priority.

Ways to Apply an ACL on a Switch

Being applied to the hardware directly

In the switch, an ACL can be directly applied to hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL. For S3600 series Ethernet switches, the later the rule applies, the higher the match priority.

ACLs are directly applied to hardware when they are used for:

- Implementing QoS
- Filtering the packets to be forwarded

Being referenced by upper-level software

ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways:

- config, where rules in an ACL are matched in the order defined by the user.
- auto, where the rules in an ACL are matched in the order determined by the system, namely the “depth-first” order (Layer 2 ACLs, user-defined ACLs and IPv6 ACLs do not support this feature).

When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. Once the match order is determined, it cannot be modified unless you delete all the rules in the ACL and then define the match order again.

An ACL can be referenced by upper-layer software:

- Referenced by routing policies
- Used to control Telnet, SNMP and Web login users

- When an ACL is directly applied to hardware for packet filtering, the switch will permit packets if the packets do not match the ACL.
- When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny packets if the packets do not match the ACL.
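
The following Python sketch is an added example, not part of the H3C manual. It models the two application modes described above using only what this page states: last-applied-wins with default permit for hardware packet filtering, and config order with default deny for login control. The sample rules, the source-address-only match, and the assumption that rules are applied to hardware in list order are constructed for illustration; the auto (depth-first) order is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL (not from the manual): permit one management host,
# then deny the rest of its subnet. Rules are listed in user-defined order.
RULES = [
    ("permit", ip_network("192.0.2.10/32")),
    ("deny",   ip_network("192.0.2.0/24")),
]

def first_match(rules, src):
    """Return the action of the first rule whose source range contains src, or None."""
    addr = ip_address(src)
    for action, net in rules:
        if addr in net:
            return action
    return None

def hardware_filter(rules, src):
    """ACL applied directly to hardware for packet filtering on an S3600.

    Assumption: rules are applied in list order, so per the manual the
    last-applied rule has the highest match priority. No match -> permit.
    """
    return first_match(list(reversed(rules)), src) or "permit"

def login_control(rules, src):
    """ACL referenced by software (Telnet/SNMP/Web login), match order 'config'.

    Rules are tried in the user-defined order. No match -> deny.
    """
    return first_match(rules, src) or "deny"

def compare(rules, sources):
    """Return {src: (hardware verdict, login-control verdict)} for each source."""
    return {s: (hardware_filter(rules, s), login_control(rules, s)) for s in sources}

if __name__ == "__main__":
    samples = ["192.0.2.10", "192.0.2.77", "198.51.100.5"]
    for src, (hw, sw) in compare(RULES, samples).items():
        print(f"{src:15} hardware={hw:6} login-control={sw}")
```

The same rule list gives opposite verdicts for the permitted host and for unmatched sources depending on where the ACL is applied, which is why an ACL written for login control should be reviewed again before it is reused for hardware packet filtering.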

Types of ACLs Supported by S3600 Series Ethernet Switches

The following types of ACLs are supported by S3600 series Ethernet switches:

- Basic ACL
