3com 8807 User Guide

21 ACL Configuration
ACL Overview
Introduction to ACL
A series of match rules must be configured to recognize packets before they can be 
filtered. Only once packets are identified can the network take the corresponding 
action, allowing or prohibiting them to pass according to the preset policies. 
Access control lists (ACLs) are designed to achieve these functions.
ACLs classify packets using a series of matching rules, which can be based on source 
addresses, destination addresses and port IDs. ACLs can be applied globally on the 
switch or just at a port; the switch uses them to determine whether to forward 
or drop the packets.
The matching rules defined in ACLs can also be imported to differentiate traffic in 
other situations, for example, when defining traffic classification rules in QoS.
An ACL can include many rules, which may be defined for packets within 
different address ranges. The matching order is therefore involved when matching an ACL.
ACLs activated directly on hardware
ACLs can be delivered to hardware for traffic filtering and classification.
The cases when ACLs are sent directly to hardware include referencing ACLs to 
provide QoS functions, and filtering and forwarding packets with ACLs.
ACLs referenced by upper-level modules
ACLs may also be used to filter and classify packets processed by software. In this 
case you can define the matching order for the rules in an ACL. Two matching modes are 
available: config (user-defined order) and auto (depth-first order determined by the 
system). You cannot modify the matching order once you have defined it for an ACL rule, 
unless you delete the rule and redefine the matching order.
The cases when ACLs are referenced by upper-level modules include referencing 
ACLs to implement routing policies, using ACLs to control registered users, and so 
on.
The depth-first principle means putting the statement with the smaller packet range in 
front. You can determine the packet range by comparing IP address wildcards: the 
smaller the wildcard, the smaller the host range. For example, the address 
129.102.1.1 0.0.0.0 specifies the host 129.102.1.1, and the address 129.102.1.1 
0.0.255.255 specifies the segment 129.102.1.1 to 129.102.255.255. The rule for 
129.102.1.1 is therefore put in front. Specifically, for the statements of basic ACL 
rules, directly compare the wildcards of the source addresses and follow the config order 
if the wildcards are equal; for the ACL rules used in port packet filtering, the rules
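The depth-first ordering of basic ACL rules described above, worked through as an added example (this is illustrative Python, not the switch's own implementation, and the rule strings and addresses are constructed): a wildcard bit of 1 is a "don't care" bit, so a rule with fewer 1 bits covers fewer hosts and is placed first in auto mode, while rules with equal wildcards keep their configured order. The example also shows how the same packet can hit a different rule under config order and under auto order.

```python
from ipaddress import IPv4Address

def parse_rule(rule):
    """Parse 'permit 129.102.1.1 0.0.255.255' into (action, addr_int, wildcard_int)."""
    action, addr, wildcard = rule.split()
    return action, int(IPv4Address(addr)), int(IPv4Address(wildcard))

def host_range(wildcard):
    """Addresses covered by a wildcard: each 1 bit is a 'don't care' bit, so 2**popcount."""
    return 1 << bin(wildcard).count("1")

def depth_first_order(rules):
    """'auto' mode: most specific rule (smallest wildcard) first; equal wildcards keep
    their config order because Python's sort is stable."""
    return sorted(rules, key=lambda r: host_range(parse_rule(r)[2]))

def matches(rule, src_ip):
    """A source address matches when every 'care' bit (wildcard bit 0) equals the rule's."""
    _, addr, wildcard = parse_rule(rule)
    return ((int(IPv4Address(src_ip)) ^ addr) & ~wildcard) == 0

def first_match(rules, src_ip, mode="auto"):
    """Action of the first matching rule under 'config' (as entered) or 'auto' (depth-first)."""
    ordered = depth_first_order(rules) if mode == "auto" else list(rules)
    for rule in ordered:
        if matches(rule, src_ip):
            return parse_rule(rule)[0]
    return None  # no rule matched

# Constructed sample rules, deliberately entered with the widest rule first.
RULES = [
    "permit 129.102.1.1 0.0.255.255",  # 129.102.x.x segment (65536 hosts)
    "deny 129.102.1.1 0.0.0.0",        # the single host 129.102.1.1
    "deny 129.102.2.1 0.0.0.255",      # 129.102.2.x (256 hosts)
    "permit 10.1.1.1 0.0.255.255",     # same wildcard as the first rule: stays behind it
]

if __name__ == "__main__":
    print(depth_first_order(RULES))
    # Under config order the wide permit wins; under auto order the host deny wins.
    print(first_match(RULES, "129.102.1.1", "config"), first_match(RULES, "129.102.1.1", "auto"))
```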