Operation Manual – ACLH3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration1-3z The smaller the weighting value left, which is a fixed weighting value minus theweighting value of every parameter of the rule, the higher the match priority.z If the types of parameter are the same for multiple rules, then the sum ofparameters’ weighting values of a rule determines its priority. The smaller the sum,the higher the match priority.1.1.2 Ways to Apply an ACL on a SwitchI. Being applied to the hardware directlyIn the switch, an ACL can be directly applied to hardware for packet filtering and trafficclassification. In this case, the rules in an ACL are matched in the order determined bythe hardware instead of that defined in the ACL. For S5600 series Ethernet switches,the later the rule applies, the higher the match priority.ACLs are directly applied to hardware when they are used for:z Implementing QoSz Filtering the packets to be forwardedII. Being referenced by upper-level softwareACLs can also be used to filter and classify the packets to be processed by software. Inthis case, the rules in an ACL can be matched in one of the following two ways:z config, where rules in an ACL are matched in the order defined by the user.z auto, where the rules in an ACL are matched in the order determined by thesystem, namely the “depth-first” order (Layer 2 ACLs and user-defined ACLs donot support this feature).When applying an ACL in this way, you can specify the order in which the rules in theACL are matched. The match order cannot be modified once it is determined, unlessyou delete all the rules in the ACL and define the match order.An ACL can be referenced by upper-layer software:z Referenced by routing policiesz Used to control Telnet, SNMP and Web login usersNote:z When an ACL is directly applied to hardware for packet filtering, the switch willpermit packets if the packets do not match the ACL.z When an ACL is referenced by upper-layer software to control Telnet, SNMP andWeb login users, the switch will deny packets if the packets do not match the ACL.