H3C SecPath F1000-E User Manual, page 481: Depth-first for an Ethernet frame header ACL; Rule numbering step with IPv4 ACLs; Meaning of the rule numbering step; Benefits of using the rule numbering step; Effective time period of an IPv4 ACL
Depth-first for an Ethernet frame header ACL
The following table shows how the device sorts the rules of an Ethernet frame header ACL to determine
the depth-first order of the rules. If a sorting criterion cannot determine the order of some rules, the next
criterion is applied; sorting ends when the order of all rules has been determined:
Step  Sort by                       Precedence                                                                Remarks
1     Source MAC address mask       A rule with more 1s in the source MAC address mask takes precedence.       More 1s means a narrower MAC address range.
2     Destination MAC address mask  A rule with more 1s in the destination MAC address mask takes precedence.  More 1s means a narrower MAC address range.
3     Rule ID                       A rule with a smaller ID number takes precedence.                         —
Rule Numbering Step with IPv4 ACLs
NOTE:
The web interface does not support ACL step configuration. By default, the numbering step is 5.
Meaning of the rule numbering step
The concept of ACL rule numbering step is introduced to allow new rules to be inserted in an ACL that
already contains ACL rules. It defines the increment by which the system numbers rules automatically. By
default, the rule numbering step is 5, and rules are automatically numbered 0, 5, 10, 15, and so on.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five
rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 will cause the rules to be
renumbered 0, 2, 4, 6 and 8.
Likewise, when the default step is restored, ACL rules are renumbered in the default step. Assume that
there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the
rules are renumbered 0, 5, 10, and 15.
Benefits of using the rule numbering step
A bigger step means more numbering flexibility. This is helpful when the config rule order is used, in
which ACL rules are matched in ascending order of rule ID.
If no ID is specified for a rule when the rule is created, the system automatically assigns it the smallest
multiple of the step that is bigger than the current biggest rule ID. For example, with a step of 5, if the
present biggest rule ID is 28, the newly defined rule is numbered 30. If the ACL does not contain any
rule, the first defined rule is numbered 0.
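The following Python model, added here as an illustration and not part of the H3C manual or firmware, reproduces the two behaviours described above: the depth-first ordering of Ethernet frame header ACL rules (source mask 1s, then destination mask 1s, then rule ID) and the numbering-step arithmetic (renumbering after a step change and auto-assignment of the next rule ID). The sample rules and the hyphen-separated MAC mask notation are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class FrameAclRule:
    """One Ethernet frame header ACL rule (constructed model, not the device's data structure)."""
    rule_id: int
    src_mask: str   # MAC mask as hex digits, e.g. "ffff-ff00-0000" (hyphens ignored)
    dst_mask: str


def mask_ones(mac_mask: str) -> int:
    """Number of 1 bits in a 48-bit MAC mask; more 1s means a narrower address range."""
    return bin(int(mac_mask.replace("-", "").replace(":", ""), 16)).count("1")


def depth_first_order(rules):
    """Depth-first sort as the manual describes: more 1s in the source MAC mask first,
    then more 1s in the destination MAC mask, then the smaller rule ID."""
    return sorted(rules, key=lambda r: (-mask_ones(r.src_mask),
                                        -mask_ones(r.dst_mask),
                                        r.rule_id))


def renumber(rule_ids, step):
    """Map each existing rule ID to its new ID after a step change: rules keep their
    relative order and are renumbered 0, step, 2*step, ... ."""
    return {old: index * step for index, old in enumerate(sorted(rule_ids))}


def next_rule_id(rule_ids, step):
    """ID the system assigns to a rule created without an explicit ID: the smallest
    multiple of step that is bigger than the current biggest ID, or 0 for an empty ACL."""
    if not rule_ids:
        return 0
    return (max(rule_ids) // step + 1) * step


# Constructed sample ACL: rule IDs alone would order them 0, 5, 10, but depth-first
# ordering puts the most specific (exact source and destination MAC) rule first.
SAMPLE_RULES = [
    FrameAclRule(0, "ffff-ffff-ffff", "0000-0000-0000"),   # exact source, any destination
    FrameAclRule(5, "ffff-ff00-0000", "ffff-ffff-ffff"),   # OUI-only source, exact destination
    FrameAclRule(10, "ffff-ffff-ffff", "ffff-ffff-ffff"),  # exact source and destination
]


def sample_depth_first_ids():
    return [r.rule_id for r in depth_first_order(SAMPLE_RULES)]   # returns [10, 0, 5]
```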
Effective Time Period of an IPv4 ACL
You can control when an ACL rule takes effect for packet filtering by referencing a time range in the rule.
A referenced time range can be one that has not been created yet. The rule, however, can take effect
only after the time range is defined and becomes active.
For information about time ranges, see Time Range Resource Configuration.