3Com Switch 8800 Advanced Software V5 Configuration Guide

CHAPTER 56: ACL OVERVIEW
Advanced IPv6 ACL, based on source IPv6 address, destination IPv6 address,
protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields.
Advanced ACLs are numbered 3000 through 3999.
IPv6 ACL Naming

When creating an IPv6 ACL, you can specify a unique name for it. Afterwards, you
can identify the IPv6 ACL by its name.
An IPv6 ACL can have only one name. Naming an ACL is optional. Once an ACL has
been created, you cannot assign a name to it, nor can you change or remove the
name of the ACL.
Note: The name of an IPv6 ACL must be unique among IPv6 ACLs. However, an IPv6 ACL
and an IPv4 ACL can share the same name.
IPv6 ACL Match Order

Similar to IPv4 ACLs, IPv6 ACLs are sequential collections of rules defined with
different matching parameters. The order in which a packet is matched against the
rules in an IPv6 ACL may affect how the packet is handled.
As in IPv4 ACLs, the following two match orders are available in IPv6 ACLs:
- config: rules are compared in the order in which they are configured.
- auto: depth-first match is performed.
With depth-first matching, an IPv6 ACL matches packets against the rule that
specifies the narrower address range first. This is done by comparing prefix
lengths: the larger the prefix length, the narrower the address range.
Consider two IPv6 addresses, 2050:6070::/96 and 2050:6070::/64. In the auto
match approach, packets are matched against the rule with the address of
2050:6070::/96 first, because that address specifies a narrower address range
than 2050:6070::/64. If two rules with the same prefix length are defined in an
IPv6 ACL, the one configured first is compared before the other.
The comparison of a packet against an ACL stops once a match is found. The
packet is then processed as per the rule.
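
The following Python sketch is an added illustration, not code from the guide or from the switch software. It models the two match orders using the guide's 2050:6070::/64 and 2050:6070::/96 prefixes and shows that the same source address can be permitted under config order and denied under auto order. Assumptions: rules are compared on source prefix only, and the Rule class, the rule IDs, the actions and the function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int                    # configuration order (lower = configured first)
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv6Network   # source prefix the rule matches


def ordered(rules, match_order):
    """Return the rules in the order the ACL would compare them."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        # Depth-first: longer prefix (narrower range) first,
        # ties broken by configuration order.
        return sorted(rules, key=lambda r: (-r.source.prefixlen, r.rule_id))
    raise ValueError(f"unknown match order: {match_order!r}")


def evaluate(rules, match_order, src):
    """Return (action, rule_id) of the first matching rule, or None."""
    addr = ipaddress.IPv6Address(src)
    for rule in ordered(rules, match_order):
        if addr in rule.source:
            return rule.action, rule.rule_id   # comparison stops at first match
    return None   # no rule matched; handling of that case is outside this model


# Constructed rule set: a broad permit configured before two narrower rules.
RULES = [
    Rule(0, "permit", ipaddress.IPv6Network("2050:6070::/64")),
    Rule(1, "deny", ipaddress.IPv6Network("2050:6070::/96")),
    Rule(2, "permit", ipaddress.IPv6Network("2050:6070::/96")),  # same length as rule 1
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        sequence = [r.rule_id for r in ordered(RULES, order)]
        print(order, "compare sequence:", sequence,
              "-> 2050:6070::1 gets", evaluate(RULES, order, "2050:6070::1"))
```

When reviewing an ACL, check which match order it uses before reading the rules top to bottom: under auto order a narrow deny takes effect even if a broader permit was configured earlier.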