Acl rule numbering, What is the acl rule numbering step, Automatic rule numbering and renumbering – H3C Technologies H3C SecPath F1000-E User Manual
Page 13: Implementing time-based acl rules, Fragments filtering with acls, Ipv4 acl acceleration
3
ACL rule numbering
What is the ACL rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The
rule numbering step sets the increment by which the system automatically numbers rules. For example, the
default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between
two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched
in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to
the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is
numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules
numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,
4, 6 and 8.
NOTE:
The default ACL rule numbering step is 5. The ACL step configuration is not available in the web interface.
Implementing time-based ACL rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in any time periods specified by the time range.
For more information about time ranges, see "Configuring time range resources."
Fragments filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first
fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoids the risks, the H3C ACL implementation:
•
Filters all fragments by default, including non-first fragments.
•
Allows for matching criteria modification, for example, filters non-first fragments only.
IPv4 ACL acceleration
ACL acceleration speeds up ACL lookup. The acceleration effect increases with the number of ACL rules.
ACL acceleration uses memory. To achieve the best trade-off between memory and ACL processing
performance, H3C recommends you enable ACL acceleration for large ACLs.