3Com 5500-SI User Manual

CHAPTER 19: ACL CONFIGURATION
The depth-first principle puts the statement that specifies the smallest range of 
packets at the top of the list. This is implemented by comparing the address 
wildcards: the smaller the wildcard, the fewer hosts it can specify. 
For example, 129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 
specifies a network segment, 129.102.0.1 through 129.102.255.255. The former is 
therefore listed first in the access control list. 
The specific rules are as follows. 
For basic access control list statements, compare the source address wildcards directly. 
If the wildcards are the same, follow the configuration sequence. 
For advanced access control list statements, compare the source address wildcards first. 
If they are the same, compare the destination address wildcards. If the destination 
address wildcards are also the same, compare the ranges of port numbers; the statement 
with the smaller range is listed first. If the port numbers are in the same range, follow 
the configuration sequence. 
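The ordering rules above, as an added Python example (not code from the manual or the switch). It assumes a wildcard's size is the count of its "don't care" bits and that the first matching statement decides the action; the Rule fields and sample rules are constructed.

```python
import ipaddress
from typing import NamedTuple, Tuple

class Rule(NamedTuple):
    seq: int                           # configuration sequence (order entered)
    action: str                        # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # any destination
    ports: Tuple[int, int] = (0, 65535)

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wild_bits(wildcard):
    """Count of "don't care" bits; a wildcard with n such bits matches 2**n addresses."""
    return bin(to_int(wildcard)).count("1")

def depth_first(rules, advanced=False):
    """Sort as the manual describes: narrowest first, ties keep configuration order."""
    def key(r):
        if not advanced:               # basic ACL: source wildcard only
            return (wild_bits(r.src_wild), r.seq)
        return (wild_bits(r.src_wild), wild_bits(r.dst_wild),
                r.ports[1] - r.ports[0], r.seq)
    return sorted(rules, key=key)

def first_match(rules, src):
    """Assumed semantics: the first statement whose source matches decides."""
    for r in rules:
        care = ~to_int(r.src_wild) & 0xFFFFFFFF
        if to_int(src) & care == to_int(r.src) & care:
            return r
    return None

# Constructed sample rules (the addresses reuse the manual's example).
BASIC = [Rule(1, "permit", "129.102.1.1", "0.0.255.255"),
         Rule(2, "deny", "129.102.1.1", "0.0.0.0")]
ADVANCED = [
    Rule(1, "permit", "10.0.0.0", "0.0.0.255", "10.1.0.0", "0.0.255.255"),
    Rule(2, "deny", "10.0.0.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", (1, 1023)),
    Rule(3, "deny", "10.0.0.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", (23, 23)),
    Rule(4, "permit", "10.0.0.5", "0.0.0.0", "10.1.0.0", "0.0.255.255"),
]

if __name__ == "__main__":
    print("config order:", first_match(BASIC, "129.102.1.1").action)
    print("depth-first :", first_match(depth_first(BASIC), "129.102.1.1").action)
    print("advanced    :", [r.seq for r in depth_first(ADVANCED, advanced=True)])
```

With the broad permit entered first, configuration order lets the host through, while depth-first order places the host-specific deny ahead of it.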
ACL Supported by the Switch
Table 361 lists the limits to the numbers of different types of ACL on a Switch.
Table 361   Quantitative Limitation to the ACL

Item                          Value range
Numbered basic ACL            2000 to 2999
Numbered advanced ACL         3000 to 3999
Numbered Layer-2 ACL          4000 to 4999
Numbered user-defined ACL     5000 to 5999
The sub items of an ACL       0 to 65534

Configuring ACL
ACL configuration includes:
The above three steps must be done in sequence. Configure the time range first, 
then define the ACL (using the defined time range in the definition), and then 
activate the ACL to validate it. 
Configuring Time-Range
The process of configuring a time range includes configuring the hour-minute range, 
date range and periodic range. The hour-minute range is expressed in units of minute 
and hour. The date range is expressed in units of minute, hour, date, month and year. 
The periodic time range is expressed as the day of the week. 
Use the following command in System View to set the time range. 