Depth-first for a basic ipv4 acl, Depth-first for an advanced ipv4 acl – H3C Technologies H3C SecPath F1000-E User Manual
Page 480
• auto: ACL rules are sorted in depth-first order. The depth-first order differs with the ACL type.
Depth-first for a basic IPv4 ACL
The following table shows how the device sorts the rules of a basic IPv4 ACL to determine the depth-first order of the rules. If a sorting criterion cannot determine the order of some rules, the next criterion is applied, and sorting ends once the order of all rules has been determined:
| Step | Sort by | Precedence | Remarks |
|------|---------|------------|---------|
| 1 | VPN instance | A rule configured with a VPN instance takes precedence. | — |
| 2 | Source IP address wildcard mask | A rule with more 0s in the source IP address wildcard mask takes precedence. | More 0s means a narrower IP address range. |
| 3 | Rule ID | A rule with a smaller ID number takes precedence. | — |
NOTE:
A wildcard mask is in dotted decimal notation. The 0s of its binary value mean "match" and the 1s mean "do not care", which is the opposite of the meanings of the bits in a subnet mask. For example, a wildcard mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0. In addition, the 0s and 1s in a wildcard mask are not required to be contiguous. For example, 0.255.0.255 is a valid wildcard mask. This gives you flexibility in configuring match criteria.
Depth-first for an advanced IPv4 ACL
The following table shows how the device sorts the rules of an advanced IPv4 ACL to determine the depth-first order of the rules. If a sorting criterion cannot determine the order of some rules, the next criterion is applied, and sorting ends once the order of all rules has been determined:
| Step | Sort by | Precedence | Remarks |
|------|---------|------------|---------|
| 1 | VPN instance | A rule configured with a VPN instance takes precedence. | — |
| 2 | Protocol range | A rule configured with a specific protocol takes precedence over a rule with the protocol type set to IP. | IP means any protocol carried over IP. |
| 3 | Source IP address wildcard mask | A rule with more 0s in the source IP address wildcard mask takes precedence. | More 0s means a narrower IP address range. |
| 4 | Destination IP address wildcard mask | A rule with more 0s in the destination IP address wildcard mask takes precedence. | More 0s means a narrower IP address range. |
| 5 | Layer 4 service port number range | A rule with a narrower port number range takes precedence. | Layer 4 service port number refers to the TCP/UDP port number. |
| 6 | Rule ID | A rule with a smaller ID number takes precedence. | — |
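The two sorting tables above (basic and advanced IPv4 ACL) can be modelled as a tuple sort key in which each step only breaks ties left by the previous one. The following Python is an added illustration, not H3C code; the AdvRule fields, the treatment of a missing port criterion as the whole 0-65535 range, and the sample rules are all constructed assumptions used to check which rule the device would match first under the auto match order.

```python
# Added illustration of the depth-first sort described above (not H3C code).
# The AdvRule fields, ANY_PORTS and SAMPLE_RULES are constructed assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_PORTS = (0, 65535)  # assumed: no port criterion = the whole TCP/UDP range


@dataclass
class AdvRule:
    rule_id: int
    protocol: str                      # "ip" = any protocol carried over IP
    src_wild: str = "255.255.255.255"  # wildcard: 0 bits match, 1 bits "don't care"
    dst_wild: str = "255.255.255.255"
    ports: Tuple[int, int] = ANY_PORTS
    vpn_instance: Optional[str] = None


def zero_bits(wildcard: str) -> int:
    """Count the 0 bits of a dotted-decimal wildcard mask; more 0s = narrower range.
    Non-contiguous masks such as 0.255.0.255 are counted the same way."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def basic_key(r: AdvRule):
    """Steps 1-3 of the basic IPv4 ACL table (ascending key = higher precedence)."""
    return (0 if r.vpn_instance else 1, -zero_bits(r.src_wild), r.rule_id)


def advanced_key(r: AdvRule):
    """Steps 1-6 of the advanced IPv4 ACL table, applied in order as tie-breakers."""
    return (
        0 if r.vpn_instance else 1,              # 1: VPN instance configured
        0 if r.protocol.lower() != "ip" else 1,  # 2: specific protocol before ip
        -zero_bits(r.src_wild),                  # 3: more 0s in source wildcard
        -zero_bits(r.dst_wild),                  # 4: more 0s in destination wildcard
        r.ports[1] - r.ports[0],                 # 5: narrower port number range
        r.rule_id,                               # 6: smaller rule ID
    )


def depth_first_order(rules: List[AdvRule], key=advanced_key) -> List[int]:
    """Return rule IDs in the order the device would match them under 'auto'."""
    return [r.rule_id for r in sorted(rules, key=key)]


# Constructed sample ACL; IDs are in configuration order, not match order.
SAMPLE_RULES = [
    AdvRule(0, "ip"),                                               # permit ip any any
    AdvRule(5, "tcp", src_wild="0.0.0.255", ports=(80, 80)),        # /24 source, port 80
    AdvRule(10, "tcp", src_wild="0.0.0.255", ports=(1024, 65535)),  # same source, wider ports
    AdvRule(15, "ip", src_wild="0.0.0.255"),                        # any protocol, /24 source
    AdvRule(20, "ip", vpn_instance="vpnA"),                         # VPN instance sorts first
    AdvRule(25, "tcp", src_wild="0.0.255.255", ports=(80, 80)),     # fewer 0s than rule 5
]

if __name__ == "__main__":
    print(depth_first_order(SAMPLE_RULES))  # [20, 5, 10, 25, 15, 0]
```

Note that rule 10 sorts before rule 25 even though rule 25 has the narrower port range, because step 3 (source wildcard mask) is decided before step 5 ever applies.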