Operation Manual – ACL    H3C S7500 Series Ethernet Switches    Chapter 1 ACL Configuration    1-2

• Advanced ACL: rules are made based on Layer 3 and Layer 4 information such as the source and destination IP addresses of the data packets, the type of protocol over IP, protocol-specific features, and so on.
• Layer 2 ACL: rules are made based on Layer 2 information such as the source and destination MAC addresses, VLAN priority, Layer 2 protocol, and so on.
• User-defined ACL: such rules specify a byte in the packet, by its offset from the packet header, as the starting point, perform a logical AND operation on the bytes extracted there, and compare the result with the user-defined string to find the matching packets for processing.

1.1.1 ACL Match Order

An ACL may contain a number of rules, each specifying a different packet range. This brings about the issue of match order when these rules are used to filter packets. An ACL supports the following two types of match order:

• Configured order: ACL rules are matched in the order in which they were configured.
• Automatic ordering: ACL rules are matched in "depth-first" order.

I. IP ACL depth-first order

With the depth-first rule adopted, the rules of an IP ACL (basic and advanced) are matched in the following order:

1) Protocol range of the ACL rules. The range of the IP protocol is 1 to 255, and the ranges of the other protocols over IP are the same as the corresponding protocol numbers. The smaller the protocol range, the higher the priority.
2) Range of source IP address. The smaller the source IP address range (that is, the longer the mask), the higher the priority.
3) Range of destination IP address. The smaller the destination IP address range (that is, the longer the mask), the higher the priority.
4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority.

If rule A and rule B are the same in all four of the ACEs (access control elements) above, and also in the number of other ACEs to be considered in deciding their priority order, weighting principles are used to decide their priority order. The weighting principles work as follows:

• Each ACE is given a fixed weighting value. This weighting value and the value of the ACE itself jointly decide the final matching order. The weighting values of the ACEs rank in the following descending order: DSCP, ToS, ICMP, established, precedence, fragment.
• The weighting value of each ACE present in the rule is deducted from a fixed weighting value. The smaller the weighting value left, the higher the priority.
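As an added illustration (not from the manual and not H3C code), the following Python sorts a set of constructed rules by the four depth-first criteria above and then by the weighting tie-breaker. The numeric ACE weights and the fixed starting value are assumed for illustration, since the manual states only their relative order; address specs are accepted either as CIDR or in the H3C "address wildcard" form.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Tie-breaking ACE weights in the descending order the manual gives
# (DSCP, ToS, ICMP, established, precedence, fragment). The manual states
# only the ordering; these numeric values are assumed for illustration.
ACE_WEIGHTS = {
    "dscp": 32, "tos": 16, "icmp": 8, "established": 4, "precedence": 2, "fragment": 1,
}
# Assumed fixed starting value from which the weights of present ACEs are deducted.
FIXED_WEIGHT = 64


@dataclass(frozen=True)
class AclRule:
    name: str
    protocol: Optional[int] = None           # None = "ip" (any protocol, range 1..255)
    src: str = "0.0.0.0/0"                   # CIDR or H3C-style "address wildcard"
    dst: str = "0.0.0.0/0"
    ports: Optional[Tuple[int, int]] = None  # inclusive TCP/UDP port range, None = any
    aces: FrozenSet[str] = frozenset()       # extra ACEs present, e.g. {"dscp"}


def protocol_range(rule: AclRule) -> int:
    """Size of the protocol range: 'ip' covers protocols 1..255, while a
    specific protocol number covers exactly one value."""
    return 255 if rule.protocol is None else 1


def prefix_len(spec: str) -> int:
    """Mask length of an address spec, given either as CIDR ("10.1.0.0/16") or
    in the H3C "address wildcard" form ("10.1.0.0 0.0.255.255"); a longer mask
    means a smaller address range. A contiguous wildcard is assumed."""
    if " " in spec:
        _, wildcard = spec.split()
        return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(spec, strict=False).prefixlen


def port_range_size(rule: AclRule) -> int:
    """Number of Layer 4 ports the rule covers; 'any' covers all 65536."""
    if rule.ports is None:
        return 65536
    low, high = rule.ports
    return high - low + 1


def weight_left(rule: AclRule) -> int:
    """Weighting tie-breaker: deduct the weight of every ACE present in the rule
    from the fixed value; a smaller remainder means a higher priority."""
    return FIXED_WEIGHT - sum(ACE_WEIGHTS[ace] for ace in rule.aces)


def depth_first_key(rule: AclRule):
    """Sort key reproducing the four depth-first criteria, then the weighting
    tie-breaker. Python sorts ascending, so 'longer mask wins' is negated."""
    return (
        protocol_range(rule),
        -prefix_len(rule.src),
        -prefix_len(rule.dst),
        port_range_size(rule),
        weight_left(rule),
    )


def depth_first_order(rules: List[AclRule]) -> List[AclRule]:
    """Return the rules in the order the switch would try them under automatic
    ordering, regardless of the order in which they were configured."""
    return sorted(rules, key=depth_first_key)


# Constructed sample rules, deliberately configured from broadest to most specific.
SAMPLE_RULES = [
    AclRule("permit-any"),
    AclRule("permit-icmp", protocol=1, aces=frozenset({"icmp"})),
    AclRule("permit-web-net", protocol=6, src="10.1.0.0 0.0.255.255", ports=(80, 80)),
    AclRule("permit-web-net-dscp", protocol=6, src="10.1.0.0/16", ports=(80, 80),
            aces=frozenset({"dscp"})),
    AclRule("deny-host", protocol=6, src="10.1.1.1/32"),
]


def sample_match_order() -> List[str]:
    """Names of SAMPLE_RULES in depth-first match order."""
    return [r.name for r in depth_first_order(SAMPLE_RULES)]


if __name__ == "__main__":
    for position, name in enumerate(sample_match_order(), 1):
        print(f"{position}: {name}")
```

Run as a script, it lists the constructed rules with the host-specific deny first and the catch-all permit last, even though they were configured in the opposite order. The practical check this supports: under automatic ordering, a broad permit cannot shadow a narrower deny, but under configured order it can, so the ordering mode of an ACL is worth verifying before relying on a deny rule.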