Operation Manual – ACL
H3C S5600 Series Ethernet Switches
Chapter 1 ACL Configuration

- Layer 2 ACL. Rules are created based on Layer 2 information such as source and destination MAC addresses, VLAN priorities, type of Layer 2 protocol, and so on.
- User-defined ACL. An ACL of this type matches packets by comparing the strings retrieved from the packets with specified strings. It defines, on the basis of packet headers, the byte at which it begins to perform the “and” operation with the mask.

1.1.1 ACL Matching Order

An ACL can contain multiple rules, each of which matches a specific type of packet, so the order in which the rules of an ACL are matched needs to be determined.

The rules in an ACL can be matched in one of the following two ways:
- config: rules in an ACL are matched in the order defined by the user.
- auto: rules in an ACL are matched in the order determined by the system, namely the “depth-first” rule (Layer 2 ACLs and user-defined ACLs do not support this feature).

For the depth-first rule, there are two cases:

I. Depth-first match order for rules of a basic ACL
1) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
2) Fragment keyword: A rule with the fragment keyword takes priority over others.
3) If the above two conditions are identical, the earlier configured rule applies.

II. Depth-first match order for rules of an advanced ACL
1) Protocol range: A rule that specifies the types of the protocols carried by IP takes priority over others.
2) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
3) Range of destination IP address: The smaller the destination IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
4) Range of Layer 4 port number, that is, TCP/UDP port number: The smaller the range, the higher the match priority.
5) Number of parameters: The more parameters, the higher the match priority.

If rule A and rule B are still the same after comparison in the above order, the weighting principles are used to decide their priority order. Each parameter is given a fixed weighting value. This weighting value and the value of the parameter itself jointly decide the final matching order. The parameters involved, with weighting values from high to low, are icmp-type, established, dscp, tos, precedence, and fragment. Comparison rules are listed below.
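The depth-first order for a basic ACL (case I above), worked through as an added Python example that is not part of the H3C manual: a broad deny configured first shadows a host permit under config order but not under auto order. The class, function names and sample rules are constructed for illustration; the sketch assumes first-match evaluation and that a rule with the fragment keyword matches only fragments.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class BasicRule:
    seq: int          # order in which the user configured the rule
    action: str       # "permit" or "deny"
    source: str       # source IP address
    wildcard: str     # wildcard mask: 0 bits must match, 1 bits are ignored
    fragment: bool = False

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_zeros(rule):
    """Zero bits in the wildcard mask (more zeros = smaller source range)."""
    return 32 - bin(_u32(rule.wildcard)).count("1")

def match_order(rules, mode):
    """Return the rules in the order they are compared against a packet."""
    if mode == "config":
        return sorted(rules, key=lambda r: r.seq)
    if mode == "auto":
        # 1) more wildcard zeros, 2) fragment keyword, 3) earlier configured
        return sorted(rules, key=lambda r: (-wildcard_zeros(r), not r.fragment, r.seq))
    raise ValueError(f"unknown match order: {mode}")

def rule_matches(rule, src_ip, is_fragment):
    care = ~_u32(rule.wildcard) & 0xFFFFFFFF   # bits that must be equal
    if (_u32(src_ip) & care) != (_u32(rule.source) & care):
        return False
    # Assumption: a rule with the fragment keyword matches only fragments.
    return is_fragment or not rule.fragment

def evaluate(rules, mode, src_ip, is_fragment=False):
    """Assumed first-match semantics; None means no rule matched."""
    for rule in match_order(rules, mode):
        if rule_matches(rule, src_ip, is_fragment):
            return rule.action, rule.seq
    return None

# Constructed sample ACL: a broad deny configured before narrower permits.
SAMPLE_ACL = [
    BasicRule(0, "deny",   "10.0.0.0", "0.255.255.255"),
    BasicRule(1, "permit", "10.1.1.0", "0.0.0.255"),
    BasicRule(2, "permit", "10.1.1.0", "0.0.0.255", fragment=True),
    BasicRule(3, "permit", "10.1.1.5", "0.0.0.0"),
]
```

Calling `evaluate(SAMPLE_ACL, "config", "10.1.1.5")` and then the same with `"auto"` shows the same rule set producing opposite verdicts for one host, which is the thing to check when reviewing an ACL whose match order has been changed.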