3Com Switch 8800 Advanced Software V5 Configuration Guide
802 CHAPTER 56: ACL OVERVIEW
■ Ethernet frame header ACL, based on Layer 2 protocol header fields such as
source MAC address, destination MAC address, 802.1p priority, and link layer
protocol type. Ethernet frame header ACLs are numbered 4000 through 4999.
■ User-defined ACL, based on customized information of protocol headers such
as IP and MPLS. User-defined ACLs are numbered 5000 through 5999.
IPv4 ACL Naming
When creating an IPv4 ACL, you can specify a unique name for it. Afterwards, you
can identify the ACL by its name.
An IPv4 ACL can have only one name. Whether to specify a name for an ACL is up
to you. After creating an ACL, you cannot specify a name for it, nor can you
change or remove the name of the ACL.
Note: The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL
and an IPv6 ACL can share the same name.
IPv4 ACL Match Order
Each ACL is a sequential collection of rules defined with different matching
criteria. The order in which a packet is matched against the rules may affect how
the packet is handled.
At present, the following two match orders are available:
■ config: where packets are compared against ACL rules in the order in which
they are configured.
■ auto: where depth-first match is performed. The term depth-first match has
different meanings for different types of ACLs.
Depth-first match for a basic IPv4 ACL
The following shows how your device performs depth-first match in a basic IPv4
ACL:
1 Sort rules by source IP address wildcard first and compare packets against the rule
configured with more zeros in the source IP address wildcard prior to other rules.
2 If two rules are present with the same number of zeros in their source IP address
wildcards, compare packets against the rule configured first prior to the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared
prior to the rule with the source IP address wildcard 0.0.255.255.
Depth-first match for an advanced IPv4 ACL
The following shows how your device performs depth-first match in an advanced
IPv4 ACL:
1 Sort rules by source IP address wildcard first and compare packets against the rule
configured with more zeros in the source IP address wildcard prior to other rules.
2 If two rules are present with the same number of zeros in their source IP address
wildcards, look at the destination IP address wildcards in the rules in addition.
Then, compare packets against the rule configured with more zeros in the
destination IP address wildcard prior to the other.
3 If the numbers of zeros in the destination IP address wildcards are the same,
compare packets against the rule configured first prior to the other.
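The two match orders above decide which rule wins when several rules cover the same packet, and that can turn a permit into a deny. The following Python simulation is an added example, not code from the 3Com guide or the switch software: it models the "config" order and the "auto" (depth-first) order for both basic and advanced IPv4 ACLs as described in the steps above, using constructed rules (the rule numbers, addresses and actions are assumptions chosen for illustration). A wildcard bit of 0 means the corresponding address bit must match, so a wildcard with more zeros is a more specific rule.

```python
"""Simulate 3Com-style IPv4 ACL match orders (added example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass
class Rule:
    rule_id: int            # configuration order: lower id = configured first
    action: str             # "permit" or "deny"
    src: str                # "address wildcard", e.g. "10.1.1.0 0.0.0.255"
    dst: Optional[str] = None   # used only by advanced ACLs; None = any


ANY = "0.0.0.0 255.255.255.255"


def _split(spec: str):
    """Return (address, wildcard) as 32-bit integers."""
    addr, wildcard = spec.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def wildcard_zero_bits(spec: str) -> int:
    """Count zero bits in the wildcard; more zeros = more specific rule."""
    _, wc = _split(spec)
    return 32 - bin(wc).count("1")


def matches(spec: str, packet_ip: str) -> bool:
    """A packet matches when every address bit under a 0 wildcard bit is equal."""
    addr, wc = _split(spec)
    care = ~wc & 0xFFFFFFFF          # bits that must match
    return (addr & care) == (int(ipaddress.IPv4Address(packet_ip)) & care)


def order_rules(rules: List[Rule], match_order: str = "config",
                advanced: bool = False) -> List[Rule]:
    """Return rules in the order the device would compare them."""
    if match_order == "config":
        # Compared strictly in configuration order.
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        if advanced:
            # Step 1: more source wildcard zeros first; step 2: more destination
            # wildcard zeros; step 3: the rule configured first.
            key = lambda r: (-wildcard_zero_bits(r.src),
                             -wildcard_zero_bits(r.dst or ANY), r.rule_id)
        else:
            # Step 1: more source wildcard zeros first; step 2: configured first.
            key = lambda r: (-wildcard_zero_bits(r.src), r.rule_id)
        return sorted(rules, key=key)
    raise ValueError(f"unknown match order: {match_order}")


def first_match(rules: List[Rule], src_ip: str, dst_ip: Optional[str] = None,
                match_order: str = "config", advanced: bool = False) -> Optional[Rule]:
    """Return the first rule that matches the packet under the given order."""
    for rule in order_rules(rules, match_order, advanced):
        if matches(rule.src, src_ip) and (
                not advanced or matches(rule.dst or ANY, dst_ip or "0.0.0.0")):
            return rule
    return None        # no rule matched


# Constructed basic ACL: a broad permit configured before a narrower deny.
BASIC_RULES = [
    Rule(0, "permit", "10.1.0.0 0.0.255.255"),
    Rule(1, "deny",   "10.1.1.0 0.0.0.255"),
]

# Constructed advanced ACL: same source on all rules, different destinations.
ADVANCED_RULES = [
    Rule(0, "permit", "10.1.1.0 0.0.0.255", ANY),
    Rule(1, "deny",   "10.1.1.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
    Rule(2, "permit", "10.1.1.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        hit = first_match(BASIC_RULES, "10.1.1.5", match_order=order)
        print(f"basic ACL, {order:6}: 10.1.1.5 -> rule {hit.rule_id} {hit.action}")
        hit = first_match(ADVANCED_RULES, "10.1.1.5", "192.168.0.9",
                          match_order=order, advanced=True)
        print(f"advanced ACL, {order:6}: 10.1.1.5->192.168.0.9 -> rule {hit.rule_id} {hit.action}")
```

Running the block shows the practical point: under "config" order the broad permit configured first wins for 10.1.1.5, while under "auto" the narrower deny is compared first and wins; in the advanced ACL the two rules with the same destination wildcard are separated by configuration order (rule 1 before rule 2). When you audit an ACL, check which match order it uses before reasoning about which rule a given flow hits.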