WS6603 Wireless Access Controller Configuration Guide, 2 Basic Configuration, document version 02. Huawei proprietary and confidential information. Copyright Huawei Technology Co., Ltd.

Description of the ACL categories on the AC (category, value range, features):

- Basic ACL, 2000-2999: rules can be set only on the basis of layer-3 IP addresses, and data packets are analyzed and processed accordingly.
- Advanced ACL, 3000-3999: rules can be set on the basis of the source IP address, destination IP address, and protocol type of the data packet, as well as protocol-specific features (for example, the TCP source port and destination port, or the ICMP message type). An advanced ACL allows more accurate, richer, and more flexible rules than a basic ACL.
- Link layer ACL, 4000-4999: rules can be set on the basis of the source MAC address, VLAN ID, layer-2 protocol type, destination MAC address, and other link layer information.
- User-defined ACL, 5000-5999: rules can match any 32 bytes of the first 80 bytes of the layer-2 data frame, and data packets are processed accordingly.

When a packet arrives, the system matching sequence is as follows:

- Sub-rules in the same ACL, activated at the same time: the rules configured first have a higher execution priority than those configured later.
- Sub-rules in the same ACL, activated separately one by one: the rules activated later have a higher execution priority than those activated first.
- Sub-rules of different ACLs: the sub-rules activated later have a higher execution priority than those activated first.

Note: Because ACLs are flexible in use, we recommend that you define a common rule among the sub-rules of any ACL, for example permit any or deny any, so that the stream rules match every message and packets without a special identifier are forwarded or filtered by default.

Activated ACL rules occupy hardware resources, and they share these resources with protocol module functions (such as DHCP and IPoA). Because these hardware resources are limited, shortages are inevitable. To prevent other service functions from failing to start because ACLs occupy the related hardware resources, we recommend that, when configuring data, you start the protocol module before activating the ACL. When a protocol module fails to start, the solution is as follows:
1. Check whether the startup fails because the ACL occupies too many resources.
2. If the problem is identified as an ACL problem, you can deactivate or delete some unimportant or temporarily unused ACL configurations before configuring and enabling the protocol module.
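
The matching sequence described above, modelled as an added example (not Huawei code and not taken from the configuration guide) to show why the position of a catch-all rule in the activation order decides which packets it shadows. The SubRule class, the packet dictionaries and the ACL 3000 sub-rules are constructed for illustration, and each activation batch is assumed to hold sub-rules of a single ACL.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Number ranges as listed on the page.
ACL_RANGES = [(2000, 2999, "basic"), (3000, 3999, "advanced"),
              (4000, 4999, "link-layer"), (5000, 5999, "user-defined")]

def acl_category(number: int) -> str:
    for low, high, name in ACL_RANGES:
        if low <= number <= high:
            return name
    raise ValueError(f"{number} is outside the ACL ranges on the page")

@dataclass(frozen=True)
class SubRule:
    acl: int                        # ACL number the sub-rule belongs to
    config_index: int               # 0 = configured first within its ACL
    action: str                     # "permit" or "deny"
    match: Callable[[dict], bool]   # predicate over a packet dict (model only)

def effective_order(activations: List[List[SubRule]]) -> List[SubRule]:
    """activations: batches in activation order; one batch = activated together."""
    order = []
    for batch in reversed(activations):      # later activation has higher priority
        # within one simultaneous activation, the rule configured first wins
        order.extend(sorted(batch, key=lambda r: r.config_index))
    return order

def decide(activations: List[List[SubRule]], packet: dict) -> Optional[str]:
    for rule in effective_order(activations):
        if rule.match(packet):
            return rule.action
    return None   # nothing matched; the page recommends a common rule to avoid this

# Constructed sub-rules for a hypothetical advanced ACL 3000.
deny_telnet = SubRule(3000, 0, "deny", lambda p: p["proto"] == "tcp" and p["dport"] == 23)
permit_any = SubRule(3000, 1, "permit", lambda p: True)
telnet = {"proto": "tcp", "dport": 23}   # constructed packets
http = {"proto": "tcp", "dport": 80}

def scenarios() -> dict:
    return {
        "together": decide([[deny_telnet, permit_any]], telnet),
        "catch_all_last": decide([[deny_telnet], [permit_any]], telnet),
        "catch_all_first": decide([[permit_any], [deny_telnet]], telnet),
    }

if __name__ == "__main__":
    print(scenarios())
```

In this model, a permit any activated after the specific deny overrides it, so the common rule has to be activated before the specific sub-rules when they are activated one by one.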