| IPv4 ACL category | Step | Sort order |
| --- | --- | --- |
| Basic IPv4 ACL | 1. | Sort rules by source IP address wildcard mask and compare packets against the rule configured with more zeros in the source IP address wildcard mask. |
| Basic IPv4 ACL | 2. | In case of a tie, compare packets against the rule configured first. |
| Advanced IPv4 ACL | 3. | Sort rules by the protocol carried over IP. A rule with no limit to the protocol type (that is, configured with the ip keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level. |
| Advanced IPv4 ACL | 4. | If the protocol types have the same precedence, look at the source IP address wildcard mask. Then, compare packets against the rule configured with more zeros in the source IP address wildcard mask. |
| Advanced IPv4 ACL | 5. | If the numbers of zeros in the source IP address wildcard masks are the same, look at their destination IP address wildcard masks. Then, compare packets against the rule configured with more zeros in the destination IP address wildcard mask. |
| Advanced IPv4 ACL | 6. | If the numbers of zeros in the destination IP address wildcard masks are the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges. Then compare packets against the rule configured with the smaller port number range. |
| Advanced IPv4 ACL | 7. | If the port number ranges are the same, compare packets against the rule configured first. |
| Ethernet frame header ACL | 8. | Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask. |
| Ethernet frame header ACL | 9. | If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, compare packets against the rule configured with more ones in the destination MAC address mask. |
| Ethernet frame header ACL | 10. | If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first. |
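The advanced IPv4 ACL ordering from the table (steps 3 to 7), written out as an added example rather than vendor code; the rule fields, the wildcard-mask representation (0 bits must match, 1 bits are ignored) and the sample rules are this example's own assumptions. Rules that match more precisely sort first, so a basic IPv4 ACL is the same sort restricted to the source wildcard key and the configuration order.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Hypothetical rule representation for this example (not the vendor's data model).
@dataclass
class Ipv4Rule:
    order: int                                   # position in the configuration
    protocol: str = "ip"                         # "ip" = any protocol carried over IPv4
    src_wildcard: str = "255.255.255.255"        # all-ones wildcard = any source
    dst_wildcard: str = "255.255.255.255"        # all-ones wildcard = any destination
    port_range: Optional[Tuple[int, int]] = None  # inclusive TCP/UDP range, None = any

def wildcard_zero_bits(wildcard: str) -> int:
    """Count zero bits in a wildcard mask: the number of address bits that must match."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")

def port_range_size(rule: Ipv4Rule) -> int:
    """Width of the Layer 4 port range; an unrestricted rule spans all 65536 ports."""
    if rule.port_range is None:
        return 65536
    low, high = rule.port_range
    return high - low + 1

def depth_first_key(rule: Ipv4Rule):
    """Sort key reproducing steps 3-7 of the table: smaller keys are matched first."""
    return (
        1 if rule.protocol == "ip" else 0,       # step 3: 'ip' has the lowest precedence
        -wildcard_zero_bits(rule.src_wildcard),  # step 4: more zeros in source wildcard
        -wildcard_zero_bits(rule.dst_wildcard),  # step 5: more zeros in destination wildcard
        port_range_size(rule),                   # step 6: smaller port number range
        rule.order,                              # step 7: configured first
    )

def auto_order(rules: List[Ipv4Rule]) -> List[Ipv4Rule]:
    return sorted(rules, key=depth_first_key)

def auto_order_ids(rules: List[Ipv4Rule]) -> List[int]:
    return [r.order for r in auto_order(rules)]

def example_rules() -> List[Ipv4Rule]:
    # Constructed sample rules in configuration order.
    return [
        Ipv4Rule(1, "ip", "0.0.0.255"),
        Ipv4Rule(2, "tcp", "0.0.0.255", "0.0.0.0", (80, 80)),
        Ipv4Rule(3, "tcp", "0.0.0.0"),
        Ipv4Rule(4, "udp", "0.0.0.255", "0.0.0.0", (1024, 65535)),
        Ipv4Rule(5, "tcp", "0.0.0.255", "0.0.0.0", (80, 80)),  # ties with rule 2
    ]
```

Rule 3 wins on its fully specified source address even though rule 2 names both addresses and a port; rules 2 and 5 tie on every key and fall back to configuration order.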
Fragments filtering with IPv4 ACLs
Traditional packet filtering performs match operations only on the first fragments. All subsequent
When configuring a rule of an IPv4 ACL, you can specify that the rule applies to
Effective period of an ACL
You can control when a rule can take effect by referencing a time range in the rule.
A referenced time range can be one that has not been created yet. The rule, however, can take effect only after the time range is defined and becomes active.