1. Depth-first match for IPv4 ACLs

IPv4 ACL category: Basic IPv4 ACL
Depth-first match procedure:
1. Sort rules by source IP address wildcard mask and compare packets against the rule configured with more zeros in the source IP address wildcard mask.
2. In case of a tie, compare packets against the rule configured first.

IPv4 ACL category: Advanced IPv4 ACL
Depth-first match procedure:
3. Sort rules by the protocol carried over IP. A rule with no limit to the protocol type (that is, configured with the ip keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level.
4. If the protocol types have the same precedence, look at the source IP address wildcard mask. Then, compare packets against the rule configured with more zeros in the source IP address wildcard mask.
5. If the numbers of zeros in the source IP address wildcard masks are the same, look at their destination IP address wildcard masks. Then, compare packets against the rule configured with more zeros in the destination IP address wildcard mask.
6. If the numbers of zeros in the destination IP address wildcard masks are the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges. Then compare packets against the rule configured with the smaller port number range.
7. If the port number ranges are the same, compare packets against the rule configured first.

IPv4 ACL category: Ethernet frame header ACL
Depth-first match procedure:
8. Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask.
9. If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, compare packets against the rule configured with more ones in the destination MAC address mask.
10. If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first.
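The ordering in the table above, implemented as an added example (it is not vendor code). Rules are modelled with only the fields the table ranks on, plus a single inclusive destination port range per rule; the rule and packet layouts, the sample ACL and the sample packets are constructed for this illustration. The point it shows is that the depth-first order can select a different rule than configuration order would: a broad permit configured first loses to a narrower deny configured later.

```python
"""Depth-first ACL rule ordering, modelled on the procedure in the table above.
Added example, not vendor code: one destination port range per rule, and other
rule fields (ToS, ICMP type, VLAN, ...) are omitted for brevity."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    rule_id: int                        # lower id = configured first
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"   # wildcard mask: 0 bits must match exactly
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    proto: str = "ip"                   # "ip" = any protocol (lowest precedence)
    dport: tuple = (0, 65535)           # inclusive destination port range


def wild_zeros(wild: str) -> int:
    """Zero bits in a wildcard mask: more zeros = narrower address range."""
    return 32 - bin(int(ipaddress.IPv4Address(wild))).count("1")


def basic_key(r: Rule):
    # Steps 1-2: most zeros in the source wildcard mask first, then config order.
    return (-wild_zeros(r.src_wild), r.rule_id)


def advanced_key(r: Rule):
    # Step 3: 'ip' (any protocol) has the lowest precedence; every specific
    # protocol ranks equally. Steps 4-7: source zeros, destination zeros,
    # smaller port range, then configuration order.
    proto_rank = 1 if r.proto == "ip" else 0
    port_span = r.dport[1] - r.dport[0] + 1
    return (proto_rank, -wild_zeros(r.src_wild), -wild_zeros(r.dst_wild),
            port_span, r.rule_id)


def mac_ones(mask: str) -> int:
    """One bits in a MAC mask such as 'ffff-ff00-0000': more ones = more specific."""
    return bin(int(mask.replace("-", "").replace(":", ""), 16)).count("1")


def ethernet_key(r: dict):
    # Steps 8-10 for Ethernet frame header ACLs (rules given as dicts here).
    return (-mac_ones(r["smac_mask"]), -mac_ones(r["dmac_mask"]), r["rule_id"])


def depth_first_order(rules, advanced=True):
    return sorted(rules, key=advanced_key if advanced else basic_key)


def addr_matches(ip: str, base: str, wild: str) -> bool:
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # bits that must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def rule_matches(r: Rule, pkt: dict) -> bool:
    if not addr_matches(pkt["src"], r.src, r.src_wild):
        return False
    if not addr_matches(pkt["dst"], r.dst, r.dst_wild):
        return False
    if r.proto != "ip" and r.proto != pkt["proto"]:
        return False
    if r.proto in ("tcp", "udp") and not r.dport[0] <= pkt["dport"] <= r.dport[1]:
        return False
    return True


def first_match(rules, pkt: dict, advanced=True):
    """First rule hit in depth-first order, or None (the ACL's default action applies)."""
    for r in depth_first_order(rules, advanced):
        if rule_matches(r, pkt):
            return r
    return None


# Constructed advanced ACL: a broad permit configured first, narrower rules later.
ACL = [
    Rule(0, "permit", src="10.1.0.0", src_wild="0.0.255.255"),
    Rule(5, "deny", src="10.1.1.0", src_wild="0.0.0.255", proto="tcp", dport=(22, 22)),
    Rule(10, "permit", src="10.1.1.0", src_wild="0.0.0.255", proto="tcp", dport=(0, 1023)),
]
# Constructed packet: TCP/22 from a host covered by all three rules.
SSH_PKT = {"src": "10.1.1.7", "dst": "192.0.2.1", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    print([r.rule_id for r in depth_first_order(ACL)])   # [5, 10, 0]
    print(first_match(ACL, SSH_PKT).action)               # deny (config order would permit)
```

When reviewing an ACL that is applied with depth-first matching, reading the rules top to bottom as written is misleading; sort them with a key like the one above first, then walk the sorted list to see which rule a given packet actually hits.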

Fragments filtering with IPv4 ACLs

Traditional packet filtering matches only the first fragment of a datagram and handles every subsequent non-first fragment the way the first fragment was handled. This creates a security risk, because an attacker can fabricate non-first fragments to get traffic past the filter.

When you configure a rule of an IPv4 ACL, you can specify that the rule applies to non-first fragment packets only, and not to non-fragment packets or first fragment packets. ACL rules that do not carry this keyword apply to both non-fragment packets and fragment packets.

Effective period of an ACL

You can control when a rule can take effect by referencing a time range in the rule.

A referenced time range can be one that has not been created yet. The rule, however, can take effect only after the time range is defined and becomes active.
