Qtech QSW-2900-24T-AC [124/209] Ways to apply acl on a switch

the higher the priority.
4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority.
If rule A and rule B are identical in all four ACEs (access control elements) listed above, and also in the
number of other ACEs that are considered when deciding their priority order, the following weighting principles
are used to decide their priority order.
The weighting principles work as follows:
· Each ACE is given a fixed weighting value. This weighting value and the value of the ACE itself jointly
decide the final matching order. The weighting values of ACEs rank in the following descending order: ToS,
ICMP, established, precedence, fragment.
· The weighting value of each ACE in the rule is deducted from a fixed weighting value. The smaller the
remaining weighting value, the higher the priority.
· If the number and type of ACEs are the same for multiple rules, the sum of the ACE values of a rule
determines its priority. The smaller the sum, the higher the priority.
b) Layer 2 ACL depth-first order
With the depth-first order adopted, the rules of a Layer 2 ACL are matched in the order of the mask length of
the source MAC address and destination MAC address: the longer the mask, the higher the match priority. If two
mask lengths are the same, the rule configured earlier has the higher priority. For example, a rule with source
MAC address mask FFFF-FFFF-0000 has higher priority than a rule with source MAC address mask FFFF-0000-0000.
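The Layer 2 depth-first order above, worked through as an added example (not code from the Qtech manual). It assumes the source MAC mask is compared before the destination mask, and uses constructed rules and frames: a rule with the longer mask wins even though it was configured later, and equal masks fall back to configuration order.

```python
from dataclasses import dataclass

def mac_to_int(mac: str) -> int:
    """Parse a MAC address or mask written as XXXX-XXXX-XXXX (also accepts ':' or '.')."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC value: {mac!r}")
    return int(digits, 16)

def mask_length(mask: str) -> int:
    """Mask length = number of 1 bits; FFFF-FFFF-0000 -> 32, FFFF-0000-0000 -> 16."""
    return bin(mac_to_int(mask)).count("1")

@dataclass
class L2Rule:
    seq: int          # configuration order (lower = configured earlier)
    action: str       # "permit" or "deny"
    src: str
    src_mask: str
    dst: str
    dst_mask: str

def depth_first(rules):
    """Depth-first order: longer source mask first, then longer destination mask,
    then the earlier-configured rule (assumption: source mask is compared first)."""
    return sorted(rules, key=lambda r: (-mask_length(r.src_mask),
                                        -mask_length(r.dst_mask), r.seq))

def matches(rule: L2Rule, src_mac: str, dst_mac: str) -> bool:
    sm, dm = mac_to_int(rule.src_mask), mac_to_int(rule.dst_mask)
    return ((mac_to_int(src_mac) & sm) == (mac_to_int(rule.src) & sm)
            and (mac_to_int(dst_mac) & dm) == (mac_to_int(rule.dst) & dm))

def first_match(rules, src_mac: str, dst_mac: str):
    """Return the first rule hit after depth-first ordering, or None."""
    for r in depth_first(rules):
        if matches(r, src_mac, dst_mac):
            return r
    return None

# Constructed rules: the broad permit was configured first, the narrower deny later.
RULES = [
    L2Rule(1, "permit", "0011-2200-0000", "FFFF-0000-0000", "0000-0000-0000", "0000-0000-0000"),
    L2Rule(2, "deny",   "0011-2233-0000", "FFFF-FFFF-0000", "0000-0000-0000", "0000-0000-0000"),
]

if __name__ == "__main__":
    for r in depth_first(RULES):
        print(r.seq, r.action, r.src, r.src_mask)
    print(first_match(RULES, "0011-2233-4455", "0000-0000-0001").action)  # deny
```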
8.1.2 Ways to Apply ACL on a Switch
a) ACLs activated directly on the hardware
In a switch, an ACL can be directly activated on the switch hardware for packet filtering and traffic
classification in the data forwarding process. You can use the acl order command to specify the match order for the
rules in the ACL. For detailed configuration, refer to Matching Order of ACL Rules.
ACLs are directly activated on the switch hardware in the following situations: the switch references ACLs to
implement the QoS functions, and forwards data through ACLs.
b) ACL referenced by the upper-level modules
The switch also uses ACLs to filter packets processed by software and to implement traffic classification. In
this case, there are two types of match orders for the rules in an ACL: config (user-defined match order) and auto
(the system orders the rules automatically, according to the depth-first order). In this scenario, you can specify
the match order for multiple rules in an ACL. You cannot modify the match order of an ACL once you have
specified it; you can specify a new match order only after all the rules have been deleted from the ACL.
ACLs can also be referenced by route policies or be used to control login users.
8.1.3 ACLs Based on Time Ranges
A time range-based ACL enables you to implement ACL control over packets by differentiating the time