H3C WX6000 Series Access Controllers User Manual


45-4

Table 45-4 Depth-first match for IPv6 ACLs

IPv6 ACL category: Basic IPv6 ACL
Depth-first match procedure:
1) Sort the rules by source IPv6 address prefix length and compare packets against the rule configured with the longer source IPv6 address prefix first.
2) In case of a tie, compare packets against the rule configured first.

IPv6 ACL category: Advanced IPv6 ACL
Depth-first match procedure:
1) Look at the protocol type field in the rules first. A rule with no limit on the protocol type (that is, configured with the ipv6 keyword) has the lowest precedence. Rules that each specify a single protocol type are of the same precedence level. Compare packets against the rule with the highest precedence first.
2) In case of a tie, look at the source IPv6 address prefixes and compare packets against the rule configured with the longer source IPv6 address prefix first.
3) If the source IPv6 address prefix lengths are the same, look at the destination IPv6 address prefixes and compare packets against the rule configured with the longer destination IPv6 address prefix first.
4) If the destination IPv6 address prefix lengths are the same, look at the Layer 4 port number ranges (the TCP/UDP port number ranges) and compare packets against the rule configured with the smaller port number range first.
5) If the port number ranges are the same, compare packets against the rule configured first.

The comparison of a packet against the ACL rules stops immediately after a match is found, and the packet is then processed as the matching rule specifies. With depth-first ordering, the rule that decides a packet's fate is therefore the most specific rule that matches it, which is not necessarily the rule that was configured first; a broad permit configured early does not shadow a narrower deny configured after it, and vice versa.
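The following Python model is an added example, not H3C code, of the ordering in Table 45-4: it sorts constructed IPv6 ACL rules by the basic and advanced depth-first keys, returns the first matching rule, and contrasts the result with plain configuration order for the same packet. The Rule and Packet classes, the field names, and the sample rules and addresses (2001:db8::/32 and friends) are assumptions made for the illustration; the keyword ipv6 is modelled as protocol None.

```python
"""Added model of the depth-first match order in Table 45-4 (not H3C code)."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Tuple

ANY6 = IPv6Network("::/0")
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    order: int                          # position in the configuration (0 = configured first)
    action: str                         # "permit" or "deny"
    protocol: Optional[str] = None      # None models the 'ipv6' keyword: no protocol limit
    src: IPv6Network = ANY6
    dst: IPv6Network = ANY6
    dport: Tuple[int, int] = ANY_PORT   # inclusive TCP/UDP destination port range


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    protocol: str
    dport: Optional[int] = None         # None for protocols without ports


def basic_key(rule: Rule):
    """Basic IPv6 ACL: longer source prefix first, then configuration order."""
    return (-rule.src.prefixlen, rule.order)


def advanced_key(rule: Rule):
    """Advanced IPv6 ACL, steps 1) to 5) of Table 45-4.

    Python sorts ascending, so attributes where 'larger' means 'more specific'
    are negated. The 'ipv6' keyword (no protocol limit) has the lowest
    precedence; every single specified protocol shares the same level.
    """
    return (
        1 if rule.protocol is None else 0,       # 1) single protocol beats 'ipv6'
        -rule.src.prefixlen,                     # 2) longer source prefix
        -rule.dst.prefixlen,                     # 3) longer destination prefix
        rule.dport[1] - rule.dport[0],           # 4) smaller port range
        rule.order,                              # 5) configured first
    )


def config_key(rule: Rule):
    """Plain configuration order, for comparison only."""
    return rule.order


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.dport != ANY_PORT:
        # A port-limited rule only matches packets that actually carry a port.
        if pkt.dport is None:
            return False
        return rule.dport[0] <= pkt.dport <= rule.dport[1]
    return True


def first_match(rules, pkt: Packet, key=advanced_key) -> Optional[Rule]:
    """Compare the packet against the rules in 'key' order; stop at the first hit."""
    for rule in sorted(rules, key=key):
        if matches(rule, pkt):
            return rule
    return None


def verdict(rules, pkt: Packet, key=advanced_key) -> str:
    hit = first_match(rules, pkt, key)
    return hit.action if hit else "no match"


def match_order(rules, key=advanced_key):
    """Configuration positions of the rules in the order the device would try them."""
    return [r.order for r in sorted(rules, key=key)]


# Constructed example: a broad permit configured first, a narrow deny after it.
RULES = [
    Rule(order=0, action="permit", src=IPv6Network("2001:db8::/32")),
    Rule(order=1, action="deny", protocol="tcp",
         src=IPv6Network("2001:db8:1::/48"), dport=(22, 22)),
    Rule(order=2, action="permit", protocol="tcp",
         src=IPv6Network("2001:db8:1::/48"), dport=(1, 1024)),
]

# Constructed packet: SSH from inside the /48 to some destination.
SSH_FROM_SUBNET = Packet(IPv6Address("2001:db8:1::5"),
                         IPv6Address("2001:db8:ffff::1"), "tcp", 22)

if __name__ == "__main__":
    print("configuration order:", verdict(RULES, SSH_FROM_SUBNET, config_key))
    print("depth-first order:  ", verdict(RULES, SSH_FROM_SUBNET))
    print("rules tried in order:", match_order(RULES))
```

Run stand-alone, the same SSH packet is permitted under configuration order (rule 0 is tried first and matches) but denied under the depth-first order of Table 45-4, because rule 1 has a single protocol, a longer source prefix and a one-port range, so it is tried before the catch-all permit. When auditing an ACL on a device that uses depth-first matching, evaluate shadowing against this sort order, not against the order the rules appear in the configuration.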

Effective Period of an ACL

You can control when a rule takes effect by referencing a time range in the rule.

The referenced time range does not have to exist when the rule is configured. Until the time range is defined and becomes active, however, the rule is inactive: a permit or deny that references a missing or not-yet-active time range is not applied, so verify that every referenced time range exists before relying on the rule.

ACL Step

Currently, the Web interface does not support ACL step configuration.

Meaning of the step

The step is the difference between two neighboring numbers that the device automatically assigns to ACL rules. For example, with a step of 5, rules are automatically numbered 0, 5, 10, 15, and so on. The default step is 5.

Whenever the step changes, the rules are renumbered starting from 0. For example, if four rules are numbered 0, 5, 10, and 15, changing the step from 5 to 2 causes them to be renumbered 0, 2, 4, and 6.

Benefits of using the step

With the step and the rule numbering/renumbering mechanism, you do not need to assign numbers to rules when defining them. The system assigns a newly defined rule the smallest multiple of the step that is bigger than the current biggest rule number. For example, with a step of five, if the biggest
