3Com Switch 8800 Configuration Guide
Chapter 32 ACL Configuration
32-1
Chapter 32 ACL Configuration
32.1 ACL Overview
32.1.1 Introduction to ACL
A series match rules must be configured to recognize the packets before they are
filtered. Only when packets are identified, can the network take corresponding actions,
allowing or prohibiting them to pass, according to the preset policies. Access control list
(ACL) is targeted to achieve these functions.
ACLs classify packets using a series of matching rules, which can be source addresses,
destination addresses and port IDs. ACLs can be used globally on the switch or just at
a port, through which the switch determines whether to forward or drop the packets.
The matching rules defined in ACLs can also be imported to differentiate traffic in other
situations, for example, defining traffic classification rules in QoS.
An ACL rule can include many sub-rules, which may be defined for packets within
different address ranges. Matching order is involved in matching an ACL.
I. ACLs being activated directly on hardware
ACLs can be delivered to hardware for traffic filtering and classification.
The cases when ACLs are sent directly to hardware include: referencing ACLs to
provide for QoS functions, filtering and forwarding packets with ACLs.
II. ACLs being referenced by upper-level modules
ACLs may also be used to filter and classify packets processed by software. Then you
can define matching order for the sub-rules in an ACL. Two matching modes are
available in this case:
config
(user-defined order) and
auto
(depth first by the system).
You cannot modify the matching order once you define it for an ACL rule, unless you
delete the rule and redefine the matching order.
The cases when ACLs are referenced by upper-level modules include referencing
ACLs to achieve routing policies, and using ACLs to control register users and so on.