Acl configuration, Acl overview, Ipv4 acl classification – H3C Technologies H3C SecPath F1000-E User Manual
ACL Configuration
NOTE:
Currently, the Web interface supports only configuration of IPv4 ACLs. Therefore, this chapter covers
only IPv4 ACLs and the term ACL refers to IPv4 ACL throughout this chapter.
ACL Overview
An access control list (ACL) is a set of rules (that is, a set of permit or deny statements) for identifying
traffic based on matching criteria such as source address, destination address, and port number. The
selected traffic will then be permitted or rejected by predefined security policies.
ACLs are widely used in technologies where traffic identification is desired, such as packet filtering and
QoS.
IPv4 ACL Classification
IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1.
Table 1 IPv4 ACL categories

Category                    ACL number     Matching criteria
Basic IPv4 ACL              2000 to 2999   Source IP address
Advanced IPv4 ACL           3000 to 3999   Source IP address, destination IP address, protocol carried over IP, and other Layer 3 or Layer 4 protocol header information
Ethernet frame header ACL   4000 to 4999   Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type
User-defined ACL            5000 to 5999   Customized information of protocol headers such as IP and MPLS headers
NOTE:
The web interface does not support configuration of user-defined ACLs.
IPv4 ACL Rule Order
An ACL may contain multiple rules, each with its own match criteria. Because the criteria of different
rules may overlap or conflict, and a packet is compared against the rules one by one until the first
match is found (the packet is then processed according to that rule and the remaining rules are not
checked), the rule order determines which rule applies to a packet that matches more than one rule.
Two rule orders are available for IPv4 ACLs:
• config: ACL rules are sorted in ascending order of rule ID. That is, a rule with a smaller ID number
has a higher priority.
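The following Python model, added here as an illustration and not taken from the H3C manual or from the device firmware, shows why rule order matters under the config order: rules are checked in ascending rule ID and the first match ends the comparison, so a broad permit with a smaller ID silently shadows a more specific deny with a larger ID. It also encodes the ACL number ranges from Table 1 and rejects criteria a basic ACL cannot carry. The Packet and Rule classes, the default action for unmatched traffic, and the sample addresses are assumptions made for this example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL number ranges as listed in Table 1 of this chapter.
ACL_CATEGORIES = (
    (2000, 2999, "basic"),
    (3000, 3999, "advanced"),
    (4000, 4999, "ethernet-frame-header"),
    (5000, 5999, "user-defined"),
)


def acl_category(acl_number: int) -> str:
    """Return the Table 1 category for an ACL number, or raise if out of range."""
    for low, high, name in ACL_CATEGORIES:
        if low <= acl_number <= high:
            return name
    raise ValueError(f"ACL number {acl_number} is outside the IPv4 ACL ranges 2000-5999")


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary (assumption): only the fields the rules inspect."""
    src: str
    dst: str
    protocol: str                 # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source
    dst: Optional[ipaddress.IPv4Network] = None   # advanced ACLs only
    protocol: Optional[str] = None                # advanced ACLs only
    dst_port: Optional[int] = None                # advanced ACLs only

    def matches(self, pkt: Packet) -> bool:
        """Every criterion that is set must match; unset criteria match anything."""
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


class IPv4ACL:
    """IPv4 ACL evaluated in config order: ascending rule ID, first match wins."""

    def __init__(self, number: int, default_action: str = "deny") -> None:
        self.number = number
        self.category = acl_category(number)
        # Assumption for this example: traffic matching no rule gets default_action.
        self.default_action = default_action
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        if rule.action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if self.category == "basic" and (
            rule.dst is not None or rule.protocol is not None or rule.dst_port is not None
        ):
            raise ValueError("basic ACLs (2000-2999) match on source IP address only")
        if any(r.rule_id == rule.rule_id for r in self.rules):
            raise ValueError(f"rule {rule.rule_id} already exists in ACL {self.number}")
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule_id); rule_id is None when the default action applied."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(pkt):
                return rule.action, rule.rule_id   # comparison stops at the first match
        return self.default_action, None


def shadowing_demo() -> Tuple[str, str]:
    """Same two overlapping rules in two basic ACLs; only the rule IDs are swapped."""
    host = Packet(src="10.1.1.100", dst="192.0.2.10", protocol="tcp", dst_port=22)
    subnet = ipaddress.IPv4Network("10.1.1.0/24")
    blocked = ipaddress.IPv4Network("10.1.1.100/32")

    acl_a = IPv4ACL(2001)                         # broad permit has the smaller ID ...
    acl_a.add_rule(Rule(0, "permit", src=subnet))
    acl_a.add_rule(Rule(5, "deny", src=blocked))  # ... so this deny is never reached

    acl_b = IPv4ACL(2002)                         # specific deny has the smaller ID
    acl_b.add_rule(Rule(0, "deny", src=blocked))
    acl_b.add_rule(Rule(5, "permit", src=subnet))

    return acl_a.evaluate(host)[0], acl_b.evaluate(host)[0]


def advanced_demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Advanced ACL: permit only HTTPS to one server, deny the rest of the subnet."""
    acl = IPv4ACL(3000)
    acl.add_rule(Rule(0, "permit", src=ipaddress.IPv4Network("10.1.1.0/24"),
                      dst=ipaddress.IPv4Network("192.0.2.10/32"), protocol="tcp", dst_port=443))
    acl.add_rule(Rule(5, "deny", src=ipaddress.IPv4Network("10.1.1.0/24")))
    https = Packet("10.1.1.7", "192.0.2.10", "tcp", 443)
    ssh = Packet("10.1.1.7", "192.0.2.10", "tcp", 22)
    return acl.evaluate(https), acl.evaluate(ssh)
```

In shadowing_demo the two ACLs contain identical rules and differ only in which rule got the smaller ID, yet the same packet is permitted by one and denied by the other. When writing rules in config order, give the most specific rules the smallest IDs and the broad catch-all rules the largest, and review any rule that can never be reached.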