Ipv4 acl match order, Depth-first match for a basic ipv4 acl, Depth-first match for an advanced ipv4 acl – H3C Technologies H3C WX6000 Series Access Controllers User Manual

40-3

An IPv4 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating
an ACL, you cannot specify a name for it, nor can you change or remove the name of the ACL.

The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL
can share the same name.

IPv4 ACL Match Order

An ACL consists of multiple rules, each of which specifies different matching criteria. These criteria may
have overlapping or conflicting parts. This is where the order in which a packet is matched against the
rules comes to rescue.

Two match orders are available for IPv4 ACLs:

z

config

: where packets are compared against ACL rules in the order in which they are configured.

z

auto

: where depth-first match is performed. The term depth-first match has different meanings for

different types of ACLs.

Depth-first match for a basic IPv4 ACL

The following shows how your switch performs depth-first match in a basic IPv4 ACL:

1) Sort rules by source IP address wildcard first and compare packets against the rule configured with

more zeros in the source IP address wildcard prior to other rules.

2) If two rules are present with the same number of zeros in their source IP address wildcards,

compare packets against the rule configured first prior to the other.

Depth-first match for an advanced IPv4 ACL

The following shows how your switch performs depth-first match in an advanced IPv4 ACL:

1) Sort rules by protocol range and compare packets against the rule with the protocol carried on IP

specified prior to the other.

2) If the protocol ranges are the same, look at source IP address wildcard. Then, compare packets

against the rule configured with more zeros in the source IP address wildcard prior to the other.

3) If the numbers of zeros in the source IP address wildcards are the same, look at the destination IP

address wildcards. Then, compare packets against the rule configured with more zeros in the
destination IP address wildcard prior to the other.

4) If the numbers of zeros in the destination IP address wildcards are the same, look at the Layer 4

port number (TCP/UDP port number). Then compare packets against the rule configured with the
lower port number prior to the other.

5) If the port numbers are the same, compare packets against the rule configured first prior to the

other.

Depth-first match for an Ethernet frame header ACL

The following shows how your switch performs depth-first match in an Ethernet frame header ACL:

1) Sort rules by source MAC address mask first and compare packets against the rule configured with

more ones in the source MAC address mask prior to other rules.