Depth-first match order for rules of an advanced ACL

1) Protocol range: A rule that specifies the type of protocol carried by IP takes priority over others.
2) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
3) Range of destination IP address: The smaller the destination IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
4) Range of Layer 4 port number, that is, TCP/UDP port number: The smaller the range, the higher the match priority.
5) Number of parameters: The more parameters, the higher the match priority.

If rule A and rule B are still the same after comparison in the above order, the weighting principles are used to decide their priority order. Each parameter is given a fixed weighting value. This weighting value and the value of the parameter itself jointly decide the final matching order. The parameters involved, with weighting values from high to low, are icmp-type, established, dscp, tos, precedence, fragment. The comparison rules are listed below.

- A fixed weighting value minus the weighting value of every parameter of the rule gives the weighting value left. The smaller the weighting value left, the higher the match priority.
- If the types of parameter are the same for multiple rules, the sum of the parameters' weighting values of a rule determines its priority. The smaller the sum, the higher the match priority.

Ways to Apply an ACL on a Switch

Being applied to the hardware directly

In the switch, an ACL can be directly applied to hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL.
For H3C S5100 series Ethernet switches, the earlier the rule applies, the higher the match priority.

ACLs are directly applied to hardware when they are used for:

- Implementing QoS
- Filtering the packets to be forwarded

Being referenced by upper-level software

ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways:

- config, where the rules in an ACL are matched in the order defined by the user.
- auto, where the rules in an ACL are matched in the order determined by the system, namely the "depth-first" order.

When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and then define the match order.

An ACL can be referenced by upper-layer software in the following ways:

- Referenced by routing policies
- Used to control Telnet, SNMP and Web login users
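
The difference between the config and auto match orders can change which rule a packet hits first. The following Python sketch is an added example, not code from the switch or from H3C: it orders advanced ACL rules by depth-first criteria 1) to 5) and evaluates a packet on first match. The Rule class, its field names, the caller-supplied parameter count and the sample rules are assumptions made for illustration, and the weighting tie-break is left out because the fixed weighting values are not given here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                     # hypothetical model of one advanced ACL rule
    rule_id: int
    action: str                 # "permit" or "deny"
    protocol: str = "ip"        # "ip" = no specific protocol carried by IP
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    ports: tuple = (0, 65535)   # inclusive destination port range (assumption)
    n_params: int = 0           # parameter count supplied by the caller (assumption)

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def zero_bits(wild):
    return 32 - bin(to_int(wild)).count("1")

def depth_first_key(r):
    return (0 if r.protocol != "ip" else 1,   # 1) protocol specified first
            -zero_bits(r.src_wild),           # 2) narrower source range
            -zero_bits(r.dst_wild),           # 3) narrower destination range
            r.ports[1] - r.ports[0],          # 4) narrower port range
            -r.n_params)                      # 5) more parameters

def match_order(rules, mode):
    # sorted() is stable: tied rules keep configured order (assumption, no weighting)
    return list(rules) if mode == "config" else sorted(rules, key=depth_first_key)

def addr_match(addr, base, wild):
    care = ~to_int(wild) & 0xFFFFFFFF         # zero wildcard bits must match
    return (to_int(addr) & care) == (to_int(base) & care)

def first_match(rules, mode, proto, src, dst, port):
    for r in match_order(rules, mode):
        if (r.protocol in ("ip", proto) and r.ports[0] <= port <= r.ports[1]
                and addr_match(src, r.src, r.src_wild)
                and addr_match(dst, r.dst, r.dst_wild)):
            return r.rule_id, r.action
    return None                               # no rule matched

# Constructed sample: broad permit listed first, then a Telnet deny and an exception.
RULES = [
    Rule(0, "permit"),
    Rule(1, "deny", "tcp", "10.1.1.0", "0.0.0.255", ports=(23, 23), n_params=2),
    Rule(2, "permit", "tcp", "10.1.1.5", "0.0.0.0", ports=(23, 23), n_params=2),
]
```

With the sample rules, a Telnet packet from 10.1.1.9 is permitted by rule 0 in config order but denied by rule 1 in auto order, which is why the match order matters when a broad permit is listed ahead of narrower denies.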