1-4
ACL category
Depth-first rule sorting procedures
IPv4 advanced ACL
1)
A rule configured with a VPN instance takes precedence.
2)
A rule configured with a specific protocol is prior to a rule with the protocol type set
to IP. IP represents any protocol over IP.
3)
A rule with more 0s in the source IP address wildcard mask takes precedence.
More 0s means a narrower IP address range.
4) A rule with more 0s in the destination IP address wildcard mask takes
precedence.
5)
A rule with a narrower TCP/UDP service port number range takes precedence.
6)
A rule with a smaller ID takes precedence.
IPv6 basic ACL
1)
A rule configured with a longer prefix for the source IP address takes precedence.
A longer prefix means a narrower IP address range.
2)
A rule with a smaller ID takes precedence.
IPv6 advanced ACL
1)
A rule configured with a specific protocol is prior to a rule with the protocol type set
to IP. IP represents any protocol over IPv6.
2)
A rule configured with a longer prefix for the source IPv6 address has a higher
priority.
3) A rule configured with a longer prefix for the destination IPv6 address takes
precedence.
4)
A rule with a narrower TCP/UDP service port number range takes precedence.
5)
A rule with a smaller ID takes precedence.
Ethernet frame
header ACL
1)
A rule with more 1s in the source MAC address mask takes precedence. More 1s
means a smaller MAC address.
2)
A rule with more 1s in the destination MAC address mask takes precedence.
3)
A rule with a smaller ID takes precedence.
A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent ‘do care’ bits, while the
1 bits represent 'don’t care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits in an
IP address criterion, the IP address matches the criterion. All 'don’t care' bits are ignored. The 0s and
1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask. With
wildcard masks, you can create more granular match criteria than network masks.
ACL Rule Numbering Step
What is the ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system numbers rules automatically. For