Effective period of an acl, Acl step, Meaning of the step – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Table 45-4 Depth-first match for IPv6 ACLs

IPv6 ACL category: Basic IPv6 ACL
Depth-first match procedure:
1) Sort rules by source IPv6 address prefix first and compare packets against the rule configured with a longer prefix for the source IPv6 address.
2) In case of a tie, compare packets against the rule configured first.

IPv6 ACL category: Advanced IPv6 ACL
Depth-first match procedure:
1) Look at the protocol type field in the rules first. A rule with no limit to the protocol type (that is, configured with the ipv6 keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level. Compare packets against the rule with the highest precedence.
2) In case of a tie, look at the source IPv6 address prefixes. Then, compare packets against the rule configured with a longer prefix for the source IPv6 address.
3) If the prefix lengths for the source IPv6 addresses are the same, look at the destination IPv6 address prefixes. Then, compare packets against the rule configured with a longer prefix for the destination IPv6 address.
4) If the prefix lengths for the destination IPv6 addresses are the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges. Then compare packets against the rule configured with the smaller port number range.
5) If the port number ranges are the same, compare packets against the rule configured first.

The comparison of a packet against ACL rules stops immediately after a match is found. The packet is
then processed as per the rule.
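
The advanced IPv6 ACL procedure in Table 45-4, written out as a sort key followed by first-match evaluation. This is an added example, not code from the H3C manual; the Rule fields, the single port range per rule, and the sample rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical model of one advanced IPv6 ACL rule
    seq: int                     # configuration order (0 = configured first)
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" = any protocol, else "tcp", "udp", ...
    src: str                     # source IPv6 prefix
    dst: str                     # destination IPv6 prefix
    ports: tuple = (0, 65535)    # inclusive TCP/UDP port range (assumed: one per rule)

def depth_first_key(r):
    """Sort key following steps 1-5 of the advanced IPv6 ACL procedure."""
    return (
        r.proto == "ipv6",                          # 1) unrestricted protocol sorts last
        -ipaddress.ip_network(r.src).prefixlen,     # 2) longer source prefix first
        -ipaddress.ip_network(r.dst).prefixlen,     # 3) longer destination prefix first
        r.ports[1] - r.ports[0],                    # 4) smaller port range first
        r.seq,                                      # 5) configured first wins the tie
    )

def depth_first_order(rules):
    return sorted(rules, key=depth_first_key)

def first_match(rules, proto, src, dst, port):
    """Return the first rule in depth-first order that matches, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in depth_first_order(rules):
        if (r.proto in ("ipv6", proto)
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.ports[0] <= port <= r.ports[1]):
            return r                                # comparison stops at the first match
    return None

# Constructed sample rules (2001:db8::/32 is the documentation prefix).
RULES = [
    Rule(0, "permit", "ipv6", "2001:db8::/32", "::/0"),
    Rule(1, "deny", "tcp", "2001:db8:1::/48", "::/0"),
    Rule(2, "permit", "tcp", "2001:db8:1::/48", "2001:db8:ff::/64", (443, 443)),
    Rule(3, "deny", "tcp", "2001:db8:1:2::/64", "::/0", (22, 22)),
]

if __name__ == "__main__":
    print([r.seq for r in depth_first_order(RULES)])
    hit = first_match(RULES, "tcp", "2001:db8:1:2::10", "2001:db8:ff::1", 22)
    print(hit.seq, hit.action)
```

In the sample set, the broad permit configured first (seq 0) is evaluated last, so the narrower deny rules take effect even though they were configured later.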
Effective Period of an ACL
You can control when a rule can take effect by referencing a time range in the rule.
A referenced time range can be one that has not been created yet. The rule, however, can take effect
only after the time range is defined and becomes active.
ACL Step
Currently, the Web interface does not support ACL step configuration.
Meaning of the step
The step defines the difference between two neighboring numbers that are automatically assigned to
ACL rules by the device. For example, with a step of 5, rules are automatically numbered 0, 5, 10, 15,
and so on. By default, the step is 5.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if four rules are
numbered 0, 5, 10, and 15 respectively, changing the step from 5 to 2 will cause the rules to be
renumbered 0, 2, 4, and 6.
Benefits of using the step
With the step and rule numbering/renumbering mechanism, you do not need to assign numbers to rules
when defining them. The system will assign a newly defined rule a number that is the smallest multiple
of the step bigger than the current biggest number. For example, with a step of five, if the biggest