
Flow templates, Acl application – H3C Technologies H3C SR8800 User Manual


Provides ACL-based firewalls with standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules. For more information, see Security Configuration Guide.

Flow templates

Flow templates are sets of criteria based on header fields such as source IP address, destination IP address, source TCP port, and destination TCP port. Flow templates apply only to hardware-based ACLs.

You use a flow template to limit the match criteria that can be applied to an interface. ACL rules that contain any criterion beyond the flow template on an interface cannot be assigned to hardware.

There are default flow templates and user-defined templates, where a user-defined template can be basic or extended. By default, an interface uses the default flow template.
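
The two behaviours described above (standard versus exact match, and the flow-template limit on hardware assignment) as an added example that is not taken from the H3C manual: a simplified Python model that audits constructed ACL rules against a constructed template and probe packets. The field names and the choice of which fields count as Layer 3 attributes are assumptions.

```python
# Simplified model of the manual's description; not H3C's implementation.
# Field names, rules, template and packets are constructed for illustration.
L3_FIELDS = {"src_ip", "dst_ip", "protocol"}  # assumption: the "Layer 3 attributes"

def rule_matches(rule, packet, mode="standard"):
    """True if the packet satisfies the rule's criteria under the given match mode."""
    criteria = rule["match"]
    if mode == "standard":
        # Standard match considers only Layer 3 attributes; port/ICMP criteria are ignored.
        criteria = {k: v for k, v in criteria.items() if k in L3_FIELDS}
    return all(packet.get(k) == v for k, v in criteria.items())

def hardware_assignable(rule, template_fields):
    """A rule with any criterion beyond the flow template cannot be assigned to hardware."""
    return set(rule["match"]) <= set(template_fields)

def audit(rules, template_fields, probes):
    """Report rules outside the template and rules whose verdict depends on match mode."""
    findings = []
    for rule in rules:
        if not hardware_assignable(rule, template_fields):
            extra = sorted(set(rule["match"]) - set(template_fields))
            findings.append((rule["id"], "not-assignable", extra))
        for p in probes:
            if rule_matches(rule, p, "standard") != rule_matches(rule, p, "exact"):
                findings.append((rule["id"], "mode-dependent", p["name"]))
    return findings

TEMPLATE = {"src_ip", "dst_ip", "protocol", "dst_port"}  # constructed flow template
RULES = [  # constructed ACL rules (match criteria only)
    {"id": 0, "match": {"src_ip": "10.1.1.5", "protocol": "tcp", "dst_port": 23}},
    {"id": 5, "match": {"src_ip": "10.1.1.5"}},
    {"id": 10, "match": {"protocol": "icmp", "icmp_type": 8}},
]
PROBES = [  # constructed probe packets
    {"name": "telnet", "src_ip": "10.1.1.5", "dst_ip": "10.2.2.2", "protocol": "tcp", "dst_port": 23},
    {"name": "https", "src_ip": "10.1.1.5", "dst_ip": "10.2.2.2", "protocol": "tcp", "dst_port": 443},
    {"name": "echo-reply", "src_ip": "10.1.1.9", "dst_ip": "10.2.2.2", "protocol": "icmp", "icmp_type": 0},
]

if __name__ == "__main__":
    for finding in audit(RULES, TEMPLATE, PROBES):
        print(finding)
```

A "mode-dependent" finding marks a rule that matches a probe under one mode but not the other, which is where a deny or permit written with port or ICMP-type criteria behaves more broadly than its author intended under the default standard mode.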

ACL application

You can use ACLs in QoS, packet-filter firewall, routing, and other technologies for identifying traffic. For examples of ACL application, see “ACL configuration examples.”

1. The inbound packet-filter firewall, policy-based routing (PBR), and QoS policy on an interface process an incoming packet as shown in Figure 1.

Figure 1 Incoming packet processing procedure

[Flowchart, labels only: An incoming packet arrives; Packet-filter firewall; Match a deny rule? (Yes / No); Drop; PBR; Match an ACL rule? (Yes / No); QoS policy; Process the packet]

2. The outbound packet-filter firewall and QoS policy on an interface process an outgoing packet as shown in Figure 2.
