Operation Manual – ACL
H3C S7500 Series Ethernet Switches
Chapter 1 ACL Configuration

• If the number and type of ACEs are the same for multiple rules, then the sum of ACE values of a rule determines its priority. The smaller the sum, the higher the priority.

II. Layer 2 ACL depth-first order

With the depth-first order adopted, the rules of a Layer 2 ACL are matched in the order of the mask length of the source MAC address and destination MAC address, the longer the mask, the higher the match priority. If two mask lengths are the same, the priority of the match rule configured earlier is higher. For example, the priority of the rule with source MAC address mask FFFF-FFFF-0000 is higher than that of the rule with source MAC address mask FFFF-0000-0000.

1.1.2 Ways to Apply ACL on a Switch

I. ACLs activated directly on the hardware

In a switch, an ACL can be directly activated on the switch hardware for packet filtering and traffic classification in the data forwarding process. You can use the acl order command to specify the match order for the rules in the ACL. For detailed configuration, refer to Specifying the Match Order of ACL Rules.

ACLs are directly activated on the switch hardware in the following situations: the switch references ACLs to implement the QoS functions, and forwards data through ACLs.

II. ACL referenced by the upper-level modules

The switch also uses ACLs to filter packets processed by software and implements traffic classification. In this case, there are two types of match orders for the rules in an ACL: config (user-defined match order) and auto (the system performs automatic ordering, namely according to the "depth-first" order). In this scenario, you can specify the match order for multiple rules in an ACL. You cannot modify the match order for an ACL once you have specified it.
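The effect of the config and auto (depth-first) match orders on a Layer 2 ACL, as an added example that is not part of the manual or the switch software. It assumes that auto compares the source mask length first, then the destination mask length, then configuration order, that masks are contiguous, and that the first matching rule decides; the `seq` field and the sample rules are constructed.

```python
# Added illustration: config vs. auto (depth-first) match order for Layer 2 rules.
from dataclasses import dataclass

def parse_mac(text):
    """Convert 'FFFF-FFFF-0000' notation to a 48-bit integer."""
    groups = text.split("-")
    if len(groups) != 3 or any(len(g) != 4 for g in groups):
        raise ValueError(f"bad MAC notation: {text!r}")
    return int("".join(groups), 16)

def mask_length(mask):
    """Number of leading one bits; non-contiguous masks are rejected (assumption)."""
    ones = bin(mask).count("1")
    if mask != ((1 << ones) - 1) << (48 - ones):
        raise ValueError(f"non-contiguous mask: {mask:012X}")
    return ones

@dataclass(frozen=True)
class Rule:
    seq: int        # hypothetical field: position in configuration order
    action: str     # "permit" or "deny"
    src: int
    src_mask: int
    dst: int = 0
    dst_mask: int = 0   # all-zero mask matches any destination

    def matches(self, s, d):
        return ((s ^ self.src) & self.src_mask) == 0 and ((d ^ self.dst) & self.dst_mask) == 0

def ordered(rules, match_order):
    if match_order == "config":   # user-defined order
        return sorted(rules, key=lambda r: r.seq)
    if match_order == "auto":     # depth-first: longer masks first, earlier rule wins ties
        return sorted(rules, key=lambda r: (-mask_length(r.src_mask), -mask_length(r.dst_mask), r.seq))
    raise ValueError(f"unknown match order: {match_order!r}")

def first_match(rules, match_order, src, dst):
    """Return (seq, action) of the first rule matching the frame, or None."""
    s, d = parse_mac(src), parse_mac(dst)
    for r in ordered(rules, match_order):
        if r.matches(s, d):
            return r.seq, r.action
    return None

# Constructed sample: a broad permit configured before a narrower deny.
RULES = [
    Rule(0, "permit", parse_mac("00E0-FC00-0000"), parse_mac("FFFF-0000-0000")),
    Rule(1, "deny", parse_mac("00E0-FC01-0000"), parse_mac("FFFF-FFFF-0000")),
]
```

For a frame with source 00E0-FC01-0203, `first_match(RULES, "config", ...)` returns the broad permit while `"auto"` returns the narrower deny, so the match order is worth checking when a deny rule appears to have no effect.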
You can specify the match order anew only after all the rules are deleted from the ACL.

ACLs can also be referenced by route policies or be used to control login users.

1.1.3 ACLs Based on Time Ranges

A time range-based ACL enables you to implement ACL control over packets by differentiating the time ranges.

A time range can be specified in each rule in an ACL. If the time range specified in a rule is not configured, the system will give a prompt message and allow such a rule to be successfully created. However, the rule does not take effect immediately. It takes effect only when the specified time range is configured and the system time is within the time