Ipv4 acl step, Meaning of the step, Benefits of using the step – H3C Technologies H3C WX6000 Series Access Controllers User Manual


40-4

2) If two rules have the same number of ones in their source MAC address masks, look at the destination MAC address masks: the rule configured with more ones in its destination MAC address mask is compared against the packet first.

3) If the numbers of ones in the destination MAC address masks are also the same, the rule configured first is compared first.

The comparison of a packet against an ACL stops once a match is found. The packet is then processed
as per the rule.
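The ordering rules above, together with the stop-at-first-match behaviour, as an added example (this is not H3C code). Step 1 of the ordering, more ones in the source MAC address mask first, is not on this page but is implied by the wording of step 2 and is assumed here; the rule set, MAC addresses and function names are constructed for the illustration.

```python
# Added example (not H3C's code): depth-first ordering of Ethernet frame header
# ACL rules next to configuration order, with first-match evaluation.
# Assumption: step 1 orders by ones in the source MAC mask (implied by step 2).
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse an H3C-style MAC ('000f-e200-1234') or colon form into an integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def mask_ones(mask: str) -> int:
    """Count the one bits in a 48-bit MAC mask; more ones means more specific."""
    return bin(mac_to_int(mask)).count("1")


@dataclass
class EthRule:
    order: int      # position in which the rule was configured (0 = first)
    action: str     # 'permit' or 'deny'
    src: str
    src_mask: str   # one bits mark the address bits that must match
    dst: str
    dst_mask: str

    def matches(self, src_mac: str, dst_mac: str) -> bool:
        smask, dmask = mac_to_int(self.src_mask), mac_to_int(self.dst_mask)
        return ((mac_to_int(src_mac) & smask) == (mac_to_int(self.src) & smask)
                and (mac_to_int(dst_mac) & dmask) == (mac_to_int(self.dst) & dmask))


def depth_first(rules: List[EthRule]) -> List[EthRule]:
    """Most ones in the source mask first, then most ones in the destination
    mask, then configuration order (steps 1 to 3 of the text)."""
    return sorted(rules, key=lambda r: (-mask_ones(r.src_mask),
                                        -mask_ones(r.dst_mask), r.order))


def evaluate(rules: List[EthRule], src_mac: str, dst_mac: str,
             use_depth_first: bool = True) -> Optional[str]:
    """Compare the frame against the rules in the chosen order and stop at the
    first match; None means no rule matched."""
    ordered = (depth_first(rules) if use_depth_first
               else sorted(rules, key=lambda r: r.order))
    for rule in ordered:
        if rule.matches(src_mac, dst_mac):
            return rule.action
    return None


ANY = "0000-0000-0000"   # an all-zero mask compares no bits, so it matches any MAC

# Constructed sample rule set, listed in configuration order.
RULES = [
    EthRule(0, "permit", ANY, ANY, ANY, ANY),
    EthRule(1, "deny", "000f-e200-0000", "ffff-ff00-0000", ANY, ANY),
    EthRule(2, "permit", "000f-e200-1234", "ffff-ffff-ffff", ANY, ANY),
    EthRule(3, "deny", "000f-e200-1234", "ffff-ffff-ffff",
            "0011-2233-4455", "ffff-ffff-ffff"),
]

if __name__ == "__main__":
    print("depth-first order:", [r.order for r in depth_first(RULES)])
    for df in (True, False):
        print("depth-first" if df else "config order",
              evaluate(RULES, "000f-e200-1234", "0011-2233-4455", df))
```

The same frame from 000f-e200-1234 to 0011-2233-4455 is denied under depth-first order (the exact-match rule wins) but permitted under configuration order (the catch-all rule configured first wins), which is why the match order setting matters when a specific deny sits below a broad permit.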

IPv4 ACL Step

Meaning of the step

When defining rules in an IPv4 ACL, you do not need to assign numbers to them; the system can do this automatically, and the step defines the increment between two neighboring rule numbers. For example, with a step of 5, rules are automatically numbered 0, 5, 10, 15, and so on. The default step is 5.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if four rules are
numbered 5, 10, 15, and 20 respectively, changing the step from 5 to 2 will cause the rules to be
renumbered 0, 2, 4, and 6.

Benefits of using the step

With the step and the rule numbering/renumbering mechanism, you do not need to assign numbers to rules when defining them. The system assigns a newly defined rule the smallest multiple of the step that is greater than the current largest rule number. For example, with a step of 5, if the largest number is currently 28, the new rule gets the number 30. If the ACL has no rules yet, the first rule gets the number 0.

Another benefit of the step is that the gaps it leaves let you insert new rules between existing ones as needed. For example, after creating four rules numbered 0, 5, 10, and 15 in an ACL with a step of 5, you can insert a rule numbered 1, a number the system would never have assigned automatically.
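A model of the numbering, renumbering and insertion behaviour described in this section, as an added example (not H3C code). The class and method names are this example's own, chosen to mirror the text; the rule texts are placeholders.

```python
# Added example (not H3C's code): the IPv4 ACL step, automatic numbering,
# renumbering on a step change, and manual insertion into a gap.
from typing import Dict, List, Optional


class IPv4Acl:
    """Rules are kept as number -> rule text; the step is the increment
    between automatically assigned numbers (default 5, as in the text)."""

    def __init__(self, step: int = 5):
        if step <= 0:
            raise ValueError("step must be positive")
        self.step = step
        self.rules: Dict[int, str] = {}

    def next_auto_number(self) -> int:
        """Smallest multiple of the step greater than the current largest
        number; 0 when the ACL has no rules yet."""
        if not self.rules:
            return 0
        largest = max(self.rules)
        return (largest // self.step + 1) * self.step

    def add_rule(self, text: str, number: Optional[int] = None) -> int:
        """Add a rule. Without a number the system assigns one; with a number
        the rule can be inserted into a gap between existing rules."""
        if number is None:
            number = self.next_auto_number()
        if number < 0 or number in self.rules:
            raise ValueError(f"rule number {number} is invalid or already in use")
        self.rules[number] = text
        return number

    def set_step(self, step: int) -> None:
        """Change the step: every rule is renumbered from 0 upward in its
        existing order, as the text describes."""
        if step <= 0:
            raise ValueError("step must be positive")
        ordered = [self.rules[n] for n in sorted(self.rules)]
        self.step = step
        self.rules = {i * step: text for i, text in enumerate(ordered)}

    def numbers(self) -> List[int]:
        return sorted(self.rules)


if __name__ == "__main__":
    acl = IPv4Acl(step=5)
    for i in range(4):
        acl.add_rule(f"placeholder rule {i}")
    print("auto numbered:", acl.numbers())          # 0, 5, 10, 15
    acl.add_rule("inserted rule", number=1)
    print("after insert:", acl.numbers())           # 0, 1, 5, 10, 15
    acl.set_step(2)
    print("after step 2:", acl.numbers())           # 0, 2, 4, 6, 8
```

Note that renumbering keeps the relative order of the rules but discards the gap you created by inserting rule 1, so any documentation or scripts that refer to rules by number must be updated after a step change.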

Effective Period of an IPv4 ACL

You can control when a rule takes effect by referencing a time range in the rule.

The referenced time range does not have to exist yet when the rule is created. The rule, however, takes effect only after the time range is defined and becomes active.

IP Fragments Filtering with IPv4 ACL

Traditional packet filtering matches only the first fragment of an IP packet rather than every fragment. All subsequent non-first fragments are then handled the same way as the first fragment. This is a security risk, because attackers can fabricate non-first fragments to attack your network.

When configuring a rule of an IPv4 ACL, the fragment keyword specifies that the rule applies to non-first fragment packets only, and not to non-fragment packets or first fragment packets. ACL rules that do not contain this keyword apply to both non-fragment packets and fragment packets.
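The effect of the fragment keyword, as an added example (not H3C code). It classifies a packet from its IP header fragment fields and shows that a rule with the keyword only applies to non-first fragments, whereas a rule without it applies to every packet kind. The rule set, addresses and names are constructed for the illustration, and rules are assumed to be compared in ascending rule number.

```python
# Added example (not H3C's code): classification of IP fragments and the
# effect of the fragment keyword on which packets a rule applies to.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class IPv4Packet:
    src: str
    dst: str
    more_fragments: bool   # MF flag in the IP header
    frag_offset: int       # fragment offset field, in units of 8 bytes

    def kind(self) -> str:
        """Non-zero offset: non-first fragment (the last fragment also has
        MF clear). Offset 0 with MF set: first fragment. Offset 0, MF clear:
        unfragmented packet."""
        if self.frag_offset > 0:
            return "non-first-fragment"
        if self.more_fragments:
            return "first-fragment"
        return "non-fragment"


@dataclass
class IPv4Rule:
    number: int
    action: str              # 'permit' or 'deny'
    src: str                 # source prefix, e.g. '10.1.1.0/24'
    fragment: bool = False   # the fragment keyword

    def applies_to(self, pkt: IPv4Packet) -> bool:
        # With the keyword, non-fragments and first fragments are never matched.
        if self.fragment and pkt.kind() != "non-first-fragment":
            return False
        return ip_address(pkt.src) in ip_network(self.src)


def evaluate(rules: List[IPv4Rule], pkt: IPv4Packet) -> Optional[str]:
    """First match in ascending rule number (assumed order); None if no match."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.applies_to(pkt):
            return rule.action
    return None


# Constructed sample ACL: drop non-first fragments from 10.1.1.0/24, permit
# everything else from that subnet.
RULES = [
    IPv4Rule(0, "deny", "10.1.1.0/24", fragment=True),
    IPv4Rule(5, "permit", "10.1.1.0/24"),
]

# Constructed sample packets from the same source host.
NON_FRAG = IPv4Packet("10.1.1.5", "10.2.2.2", more_fragments=False, frag_offset=0)
FIRST_FRAG = IPv4Packet("10.1.1.5", "10.2.2.2", more_fragments=True, frag_offset=0)
MIDDLE_FRAG = IPv4Packet("10.1.1.5", "10.2.2.2", more_fragments=True, frag_offset=185)
LAST_FRAG = IPv4Packet("10.1.1.5", "10.2.2.2", more_fragments=False, frag_offset=370)

if __name__ == "__main__":
    for pkt in (NON_FRAG, FIRST_FRAG, MIDDLE_FRAG, LAST_FRAG):
        print(f"{pkt.kind():20s} -> {evaluate(RULES, pkt)}")
```

The last fragment has the MF flag clear but a non-zero offset, so it is still a non-first fragment and still hits the deny rule; classifying on the MF flag alone would let it through.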

Introduction to IPv6 ACL

This section covers these topics:
