CHAPTER 26: ACL CONFIGURATION
ACL Match Order
An ACL may contain a number of rules, and each rule specifies a different packet
range. This raises the question of match order when a packet matches more than
one rule: the first matching rule decides the action, so the same rule set can permit
or deny a given packet depending on the order in which the rules are tried.
An ACL supports the following two types of match orders:
■ Configured order: ACL rules are matched in the order in which they were
configured.
■ Automatic ordering: ACL rules are matched in “depth-first” order.
“Depth-first” order is described as follows:
■ The “depth-first” ordering of rules in IP ACLs (basic and advanced ACLs) is based
on the lengths of the source IP address masks and the destination IP address
masks. The rule with the longest masks is matched first, then the rule with the
next longest masks, and so on. The lengths of the source IP address masks are
compared first; if the source IP address masks have the same length, the lengths
of the destination IP address masks are compared. For example, a rule whose
source IP address mask is 255.255.255.0 precedes a rule whose source IP address
mask is 255.255.0.0 in the match order.
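The following Python model is an added example, not code from the manual or from the switch: it implements the two match orders described above for a pair of constructed IP ACL rules and shows that the same packet is permitted under configured order and denied under automatic (depth-first) order. Rule contents, packet addresses and the tie-breaking choice (configured order is kept for rules with equal mask lengths) are assumptions for illustration; the manual does not state how the switch breaks ties or what happens to a packet that matches no rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One IP ACL rule: action plus source/destination networks.

    Networks may be written as CIDR ("10.1.0.0/16") or with a dotted mask
    ("10.1.1.0/255.255.255.0"); "0.0.0.0/0" means any address.
    """
    action: str   # "permit" or "deny"
    src: str
    dst: str


def mask_len(network):
    """Length of the network mask: 255.255.255.0 -> 24, 255.255.0.0 -> 16."""
    return ipaddress.ip_network(network, strict=False).prefixlen


def depth_first(rules):
    """Depth-first order: longest source mask first, then longest destination mask.

    sorted() is stable, so rules with equal mask lengths keep their configured
    order (an assumption; the manual does not specify tie-breaking).
    """
    return sorted(rules,
                  key=lambda r: (mask_len(r.src), mask_len(r.dst)),
                  reverse=True)


def matches(rule, src_ip, dst_ip):
    """True if the packet's source and destination fall inside the rule's networks."""
    src_net = ipaddress.ip_network(rule.src, strict=False)
    dst_net = ipaddress.ip_network(rule.dst, strict=False)
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)


def evaluate(rules, order, src_ip, dst_ip):
    """Action of the first matching rule under 'config' or 'auto' order, or None.

    None means no rule matched; the switch's default for that case is outside
    the scope of this example.
    """
    ordered = list(rules) if order == "config" else depth_first(rules)
    for rule in ordered:
        if matches(rule, src_ip, dst_ip):
            return rule.action
    return None


# Constructed rule set (not from the manual), in configured order:
# the broad permit is configured before the narrower deny.
ACL_RULES = [
    Rule("permit", "10.1.0.0/255.255.0.0", "0.0.0.0/0"),
    Rule("deny", "10.1.1.0/255.255.255.0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    # Constructed packet: source 10.1.1.5 matches both rules.
    print("config:", evaluate(ACL_RULES, "config", "10.1.1.5", "192.0.2.1"))
    print("auto:  ", evaluate(ACL_RULES, "auto", "10.1.1.5", "192.0.2.1"))
```

The point to take away for an audit: a deny rule that is narrower than an earlier permit is reached only under automatic ordering. Before relying on a specific deny, check which match order the ACL on the switch is actually using.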
ACLs Based on Time Ranges
A time-range-based ACL lets you apply ACL control to packets according to the
time at which they are received.
A time range can be specified in each rule of an ACL. If the time range named in a
rule has not been configured, the system displays a prompt message but still allows
the rule to be created. The rule does not take effect immediately, however: it takes
effect only once the named time range is configured and the system time falls
within that range.
There is no hardware clock on the 4200G. The date and time are reset to 23:55:00
2000/04/01 when the system is rebooted or power cycled, so until the clock is set
again, time-based rules are evaluated against that reset time rather than the real
one. If you are using time-based ACLs, set the clock with the clock command in user
view after a reboot or power cycle. In an environment that requires exact time, use
NTP (Network Time Protocol) to obtain and set the current date and time of the
Ethernet switch.
Types of ACLs Supported by the Ethernet Switch
The following types of ACLs are supported by the Ethernet switch:
■ Basic ACL
■ Advanced ACL
■ Layer 2 ACL
Configuring Time Ranges
A number of time sections can be configured under the same time range name, and
there is an “OR” relationship among these sections: the time range is active whenever
any one of its sections is active.
The time range configuration tasks include configuring periodic time sections and
configuring absolute time sections. A periodic time section is a period of time on
given days of the week, while an absolute time section is given in the form “the start
time to the end time”.
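The following Python model is an added example, not code from the manual or from the switch; it serves both the description of time-range-based ACLs above and this section on periodic and absolute sections. It evaluates whether a named time range is active at a given system time (any periodic or absolute section active makes the range active, the “OR” relationship), and applies the two rule behaviours the manual describes: a rule naming an unconfigured time range is created but not in effect, and a rule is in effect only while its time range is active. The time-range names, sections, dates and the rule list are constructed for illustration; the only value taken from the manual is the post-reboot clock of 23:55:00 2000/04/01.

```python
from datetime import datetime, time

# Constructed configuration (assumption, not from the manual). Under one
# time-range name, all periodic and absolute sections are OR'd together.
TIME_RANGES = {
    "workhours": {
        # periodic sections: (start, end, weekdays) with Monday=0 ... Sunday=6
        "periodic": [(time(8, 0), time(18, 0), {0, 1, 2, 3, 4})],
        # absolute sections: (start datetime, end datetime)
        "absolute": [(datetime(2024, 12, 24, 0, 0),
                      datetime(2024, 12, 26, 23, 59))],
    },
}

# Clock value the 4200G comes up with after a reboot or power cycle (a Saturday).
RESET_CLOCK = datetime(2000, 4, 1, 23, 55, 0)


def periodic_active(now, start, end, days):
    """Periodic section: active on the listed weekdays between start and end."""
    return now.weekday() in days and start <= now.time() <= end


def absolute_active(now, start, end):
    """Absolute section: active from start to end, inclusive."""
    return start <= now <= end


def time_range_active(name, now, time_ranges):
    """A named time range is active if any of its sections is active.

    A name that is not configured is never active.
    """
    tr = time_ranges.get(name)
    if tr is None:
        return False
    return (any(periodic_active(now, s, e, d) for s, e, d in tr.get("periodic", []))
            or any(absolute_active(now, s, e) for s, e in tr.get("absolute", [])))


def rule_effective(rule, now, time_ranges):
    """A rule with no time range is always in effect; a rule with one is in
    effect only while that time range is configured and active at `now`."""
    name = rule.get("time_range")
    if name is None:
        return True
    return time_range_active(name, now, time_ranges)


# Constructed rules (assumption): the second names a time range that has not
# been configured yet, so it is created but does not take effect.
TIMED_RULES = [
    {"action": "permit", "time_range": "workhours"},
    {"action": "deny", "time_range": "maintenance"},
    {"action": "deny", "time_range": None},
]

if __name__ == "__main__":
    for now in (datetime(2024, 6, 12, 10, 0), RESET_CLOCK):
        status = [rule_effective(r, now, TIME_RANGES) for r in TIMED_RULES]
        print(now, status)
```

Running it shows the operational hazard the manual warns about: at the reset clock every time-based rule is out of its range, so only rules without a time range are in effect until the clock is set or NTP has synchronised.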