Overview of ACL
An ACL (Access Control List) comprises a series of rules. Each rule is a permit, deny or remark statement that specifies a matching condition and the action to take. An ACL rule filters packets by matching one or more fields in the packet.
An ACL can comprise multiple rules. The matching content specified by each rule is different, and the matching contents of different rules may overlap or conflict. ACL rule matching strictly follows sequence order from small to large: the rule with the smaller sequence takes effect first. The sequence is the order number of the rule within the whole ACL.
A hidden rule that denies all packets follows the last rule of the ACL; its sequence is larger than that of every other rule in the ACL. This hidden rule is invisible and drops any packet that does not match the preceding rules. In other words, when a packet matches none of the preceding rules, it matches the default rule and is dropped.
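The first-match-by-sequence behaviour and the hidden trailing deny rule described above, as an added example that is not part of the manual; the rule fields (a source prefix in CIDR notation, or "any") and the sample ACLs are assumptions constructed for illustration:

```python
# Added example: minimal evaluator for the ACL semantics described above.
# Rule fields (source prefix or "any") are an assumption for illustration.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    sequence: int        # order number within the ACL; smaller matches first
    action: str          # "permit", "deny" or "remark"
    source: str = "any"  # source prefix in CIDR notation, or "any"


class Acl:
    def __init__(self, name):
        self.name = name
        self.rules = {}

    def add_rule(self, rule):
        # A sequence number identifies exactly one rule within the ACL.
        if rule.sequence in self.rules:
            raise ValueError(f"duplicate sequence {rule.sequence}")
        self.rules[rule.sequence] = rule

    def evaluate(self, src_ip):
        """Return (action, matched_sequence). Rules are tried in ascending
        sequence; remark entries are skipped; the hidden trailing rule
        denies anything that no explicit rule matched."""
        ip = ipaddress.ip_address(src_ip)
        for seq in sorted(self.rules):
            rule = self.rules[seq]
            if rule.action == "remark":
                continue
            if rule.source == "any" or ip in ipaddress.ip_network(rule.source, strict=False):
                return rule.action, seq
        return "deny", None  # implicit default rule, larger than any explicit sequence


def build_example_acl():
    """Constructed sample: overlapping rules where sequence order decides."""
    acl = Acl("10")
    acl.add_rule(Rule(5, "remark"))                  # comment only, never matches
    acl.add_rule(Rule(10, "deny", "192.0.2.100/32"))  # host exception first
    acl.add_rule(Rule(20, "permit", "192.0.2.0/24"))  # broader permit afterwards
    return acl


def build_reordered_acl():
    """Same two rules with sequences swapped: the broad permit now wins."""
    acl = Acl("11")
    acl.add_rule(Rule(10, "permit", "192.0.2.0/24"))
    acl.add_rule(Rule(20, "deny", "192.0.2.100/32"))
    return acl
```

Comparing the two ACLs shows why a more specific rule must carry the smaller sequence: in the reordered ACL the host-specific deny is shadowed and never takes effect.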
According to usage, ACLs can be divided into seven kinds: IP standard ACL, IP extended ACL, MAC standard ACL, MAC extended ACL, Hybrid extended ACL, IPv6 standard ACL, and IPv6 extended ACL. An ACL name can be either a number or a user-defined character string. When the ACL name is a number, the corresponding ACL type and number range are as follows:
- IP standard ACL: 1-1000
- IP extended ACL: 1001-2000
- MAC standard ACL: 2001-3000
- MAC extended ACL: 3001-4000
- Hybrid extended ACL: 5001-6000
- IPv6 extended ACL: 7001-8000
- MPLS standard ACL: 8001-9000
When the ACL name is a user-defined character string, all ACLs share one name space: if an IP standard ACL uses a name, no other ACL type can use that same name.
An ACL can also execute a corresponding action group according to the match result. For details, refer to the "QoS Configuration Manual".