Acl rule numbering, What is the acl rule numbering step, Automatic rule numbering and re-numbering – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

3

ACL rule numbering

What is the ACL rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The

rule numbering step sets the increment by which the system automatically numbers rules. For example, the

default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between

two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of

inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched
in ascending order of rule ID.

Automatic rule numbering and re-numbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to

the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is

numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules

numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,
4, 6 and 8.

Implementing time-based ACL rules

You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in any time periods specified by the time range.
The following basic types of time range are available:

•

Periodic time range—Recurs periodically on a day or days of the week.

•

Absolute time range—Represents only a period of time and does not recur.

You may apply a time range to ACL rules before or after you create it. However, the rules using the time

range can take effect only after you define the time range.

IPv4 fragments filtering with ACLs

Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent

non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoids the risks, the H3C ACL implementation:

•

Filters all fragments by default, including non-first fragments.

•

Provides ACL-based firewalls with standard and exact match modes for matching ACLs that contain
advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default

mode. It considers only Layer 3 attributes. Exact match considers all header attributes defined in

IPv4 ACL rules. For more information, see Security Configuration Guide.

ACL application

You can use ACLs in QoS, security, routing, and other technologies for identifying traffic.