3Com Switch 8800 Configuration Guide
Chapter 32 ACL Configuration

32.1 ACL Overview

32.1.1 Introduction to ACL

A series of matching rules must be configured to recognize packets before they are filtered. Only when packets are identified can the network take the corresponding action, allowing or prohibiting them to pass, according to the preset policies. Access control lists (ACLs) provide these functions.

ACLs classify packets using a series of matching rules, which can be source addresses, destination addresses and port IDs. ACLs can be used globally on the switch or just at a port, through which the switch determines whether to forward or drop the packets.

The matching rules defined in ACLs can also be imported to differentiate traffic in other situations, for example, defining traffic classification rules in QoS.

An ACL rule can include many sub-rules, which may be defined for packets within different address ranges. Matching order is involved in matching an ACL.

I. ACLs being activated directly on hardware

ACLs can be delivered to hardware for traffic filtering and classification.

The cases when ACLs are sent directly to hardware include: referencing ACLs to provide for QoS functions, filtering and forwarding packets with ACLs.

II. ACLs being referenced by upper-level modules

ACLs may also be used to filter and classify packets processed by software. In this case you can define the matching order for the sub-rules in an ACL. Two matching modes are available: config (user-defined order) and auto (depth first by the system). You cannot modify the matching order once you define it for an ACL rule, unless you delete the rule and redefine the matching order.

The cases when ACLs are referenced by upper-level modules include referencing ACLs to achieve routing policies, and using ACLs to control register users and so on.
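
The following Python model of the config and auto matching modes is an added example, not taken from the 3Com guide or the switch software. It assumes that the first matching sub-rule decides the result and that auto (depth first) evaluates the sub-rule with the narrowest source range first; the addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sub-rules of one ACL: (action, source range). Sample addresses.
RULES = [
    ("permit", "10.0.0.0/8"),
    ("deny", "10.1.1.0/24"),
    ("permit", "10.1.1.5/32"),
]

def ordered(rules, match_order):
    """Return the sub-rules in the order they are evaluated."""
    parsed = [(action, ipaddress.ip_network(net)) for action, net in rules]
    if match_order == "config":
        return parsed  # user-defined order, exactly as entered
    if match_order == "auto":
        # Assumption: depth first = narrowest source range first.
        # sorted() is stable, so equal ranges keep their configured order.
        return sorted(parsed, key=lambda rule: -rule[1].prefixlen)
    raise ValueError("match_order must be 'config' or 'auto'")

def evaluate(rules, match_order, src):
    """Assumption: the first matching sub-rule decides. None means no match."""
    addr = ipaddress.ip_address(src)
    for action, net in ordered(rules, match_order):
        if addr in net:
            return action, str(net)
    return None

def shadowed(rules):
    """Sub-rules that can never match in config order, with the earlier
    sub-rule whose range already covers them."""
    parsed = ordered(rules, "config")
    hits = []
    for i, (action, net) in enumerate(parsed):
        for _, earlier in parsed[:i]:
            if net.subnet_of(earlier):
                hits.append((action, str(net), str(earlier)))
                break
    return hits

if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.1.9", "10.2.0.1"):
        print(src, evaluate(RULES, "config", src), evaluate(RULES, "auto", src))
    for hit in shadowed(RULES):
        print("never matches in config order:", hit)
```

With these sample sub-rules, the broad permit entered first hides the narrower deny in config order, which is the kind of ordering to review before an ACL is referenced by an upper-level module.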