Qtech QSW-2900-24T-AC [125/209] Configuring acl

ranges.
A time range can be specified in each rule in an ACL. If the time range named in a rule has not yet been configured, the system prints a prompt message but still allows the rule to be created. The rule does not take effect immediately, however: it takes effect only once the specified time range is configured and the system time falls within that range. If you remove the time range from an ACL rule, the rule becomes invalid the next time the ACL rule timer refreshes.
8.2 Configuring ACL
8.2.1 Matching order configuration
An ACL rule consists of many permit | deny statements, and each statement specifies a different range of data packets. When a data packet is matched against an ACL rule, the statements must be checked in a defined order. Use the following command to configure the ACL matching order:
access-list access-list-number match-order { config | auto }
Parameter:
access-list-number: the number of the ACL rule, in the range 1 to 399.
config: match this rule in the order the user configured its statements.
auto: match this rule in automatically sequenced order (according to depth-first precedence).
The default is config, that is, user-configured order. Once the user has configured the matching order of an ACL rule, it cannot be changed unless the content of the rule is deleted and its order is configured again.
The depth-first precedence used by auto means locating the statement with the smallest data range at the end, which is realized by comparing address wildcards: the smaller the wildcard value, the smaller the range of hosts. For example, 192.168.3.1 0 specifies a single host, 192.168.3.1, while 192.168.3.1 0.0.255.255 specifies a network segment: 192.168.3.1 to 192.168.255.255. The former is placed before the latter in the ACL. The concrete rules are:
· For a standard ACL statement, compare the source address wildcard; if the wildcards are the same, use config order.
· For a layer 2 ACL, the rule with any is placed in front; the others use config order.
· For an extended ACL, compare the source address wildcard; if they are the same, compare the destination address wildcard; if those are the same, compare the interface number range (the smaller is placed at the back); if the interface number ranges are the same, use config order.
· For a user-defined ACL, compare the length of the mask (the longer is placed at the back); if they are the same, use config order.
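The ordering rules for standard ACLs above, worked through as an added example that is not from the Qtech manual: a small Python model (the names Rule, order_rules and first_match are assumed) sorts constructed rules the way auto does and shows why the order matters, since a broad permit configured before a host-specific deny shadows that deny under config order but not under auto.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    source: str    # dotted source address, e.g. "192.168.3.1"
    wildcard: str  # dotted wildcard; the manual writes a host wildcard as "0"

def _to_int(dotted: str) -> int:
    # Accept the bare "0" shorthand for an exact-host wildcard.
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))

def matches(rule: Rule, addr: str) -> bool:
    # Wildcard semantics: a 1 bit means "don't care", so compare only the 0 bits.
    care = 0xFFFFFFFF ^ _to_int(rule.wildcard)
    return (_to_int(rule.source) & care) == (_to_int(addr) & care)

def order_rules(rules, match_order="config"):
    """Return the rules in evaluation order.
    config: the order the user entered them.
    auto:   smaller wildcard (fewer hosts) first, as in the manual's example;
            Python's stable sort keeps config order for equal wildcards."""
    if match_order == "config":
        return list(rules)
    if match_order == "auto":
        return sorted(rules, key=lambda r: _to_int(r.wildcard))
    raise ValueError("match-order must be 'config' or 'auto'")

def first_match(rules, addr: str, match_order="config"):
    """Action of the first rule that matches addr, or None if none does."""
    for rule in order_rules(rules, match_order):
        if matches(rule, addr):
            return rule.action
    return None

# Constructed sample ACL: a /16-wide permit entered before a host-specific deny.
SAMPLE_ACL = [
    Rule("permit", "192.168.3.1", "0.0.255.255"),
    Rule("deny", "192.168.3.1", "0"),
]

if __name__ == "__main__":
    # In config order the broad permit shadows the deny; auto evaluates the deny first.
    for mode in ("config", "auto"):
        print(mode, first_match(SAMPLE_ACL, "192.168.3.1", mode))
```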
8.2.2 ACL support
An ACL is a command control list applied to the switch. These commands tell the switch which data packets to receive and which to refuse. An ACL consists of a series of judging statements. After an ACL is activated, the switch examines each data packet entering it against the judging conditions given by the ACL, and a packet that satisfies the ACL is permitted or dropped as the ACL specifies. QoS introduces the permit rule configuration.
In the system, ACLs are classified as follows:
· Standard ACL based on number ID
· Standard ACL based on name ID
· Extended ACL based on number ID
· Extended ACL based on name ID
· Layer 2 ACL based on number ID
· Layer 2 ACL based on name ID
· User-defined ACL based on number ID
· User-defined ACL based on name ID
The restrictions on each ACL type and the number of QoS actions are given in the following table:
