FAQ-ACL matching order

Question: How do rules in an ACL take effect?

Answer: An ACL consists of multiple deny | permit clauses, each of which describes a rule. The device supports two matching orders: the configuration order (config) and the automatic order (auto). The default order is config, that is, rules are processed in the order that they are configured. You can use the match-order { auto | config } command to change the matching order.
auto: indicates that ACL rules are processed based on the depth first principle. If the ACL rules are of the same depth first order, they are processed in ascending order of rule IDs. For details about the depth first principle, see Configuration > CLI-based Configuration > Configuration Guide - Security > ACL Configuration > Principle > Matching Order in the product documentation.
config: indicates that the rules are processed based on the configuration order. If rule IDs are specified, packets match ACL rules in ascending order of rule IDs.

Scroll to top