ACL Use Precautions

Latest reply: Jan 14, 2017 10:02:44
  • If an ACL rule that you want to create already exists, the system does not create the rule again.

  • Repeated ACL names can only be used between basic ACL and basic ACL6, and between advanced ACL and advanced ACL6.

  • The match order of an ACL affects packet matching results, so consider the match order when configuring rules. If the match-order parameter is not specified when you create an ACL, the default match order, config, is used.

  • When the first rule of an ACL is created without the rule-id parameter specified, the device uses the step value as the rule ID. If an ACL already has rules with manually configured IDs and a new rule is added without the rule-id parameter specified, the system allocates to the new rule the smallest multiple of the step value that is greater than the largest rule ID in the ACL. A rule ID must be an integer, and the new rule is placed at the bottom of the ACL. For example, an ACL contains rule 5 and rule 12, and the default step is 5. When a new rule is added to the ACL, the system allocates ID 15 to it (15 is greater than 12 and is the smallest multiple of 5 above it).

  • If the rule-id parameter is not specified when you configure an ACL6, the device automatically allocates rule IDs. The allocated rule IDs start from 0 and increase by 1 each time a rule is created. If a rule ID is in use, the next one is allocated. For example, if an ACL6 contains rule 0, rule 1, and rule 3, the system allocates 2 to a new rule when the rule-id is not manually specified.

  • An ACL rule cannot be bound to a nonexistent time range.

  • To associate a time range with an ACL rule, ensure that the system time of the device is the same as that of other devices on the network; otherwise, the rule cannot take effect.

  • When the source source-address source-wildcard or destination destination-address destination-wildcard parameter is specified in a rule, the IP address wildcard mask (source-wildcard or destination-wildcard) is an inverse mask similar to the IP address inverse subnet mask.

  • If the vpn-instance vpn-instance-name parameter is not specified for an ACL rule, the device matches the packets of both public and private networks.

  • Apply an ACL to the correct direction of an interface. If an ACL is applied to the inbound direction of an interface, the device matches the packets received by this interface against the ACL rules; if an ACL is applied to the outbound direction of an interface, the device matches the packets sent by this interface against the ACL rules.

  • If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

  • When you use the undo rule command to delete an ACL rule, the rule ID must exist. If the rule ID is unknown, use the display acl command to view the rule ID.

  • The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Exercise caution when you run the undo rule command.
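The following is an added example, not part of the original post, that models three of the precautions above: rule ID allocation for a basic/advanced ACL (step multiples) and for an ACL6 (first free ID from 0), the inverse wildcard mask, and first-hit matching by ascending rule ID under the config match order. The sample ACL and packet addresses are constructed for illustration.

```python
from ipaddress import IPv4Address


def next_acl_rule_id(existing_ids, step=5):
    """Basic/advanced ACL: the first rule takes the step value as its ID; any
    later rule gets the smallest multiple of step greater than the largest
    existing ID, which places it at the bottom of the ACL."""
    if not existing_ids:
        return step
    return (max(existing_ids) // step + 1) * step


def next_acl6_rule_id(existing_ids):
    """ACL6: IDs start at 0 and grow by 1; the first unused ID is allocated."""
    used = set(existing_ids)
    rule_id = 0
    while rule_id in used:
        rule_id += 1
    return rule_id


def wildcard_match(packet_ip, rule_ip, wildcard):
    """Inverse (wildcard) mask: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(packet_ip)) & care) == (int(IPv4Address(rule_ip)) & care)


def first_match(rules, packet_src):
    """Rules are (rule_id, action, source, source_wildcard) tuples. Under the
    config match order the lowest matching rule ID decides the result, so an
    overlapping rule with a higher ID never gets a chance to apply."""
    for rule_id, action, src, wc in sorted(rules):
        if wildcard_match(packet_src, src, wc):
            return action, rule_id
    return None  # no rule matched


if __name__ == "__main__":
    # Constructed sample ACL mirroring the rule 5 / rule 12 example above.
    acl = [(5, "permit", "10.1.1.0", "0.0.0.255"),
           (12, "deny", "10.1.0.0", "0.0.255.255")]
    print(next_acl_rule_id([r[0] for r in acl]))  # 15
    print(next_acl6_rule_id([0, 1, 3]))           # 2
    print(first_match(acl, "10.1.1.7"))           # ('permit', 5)
    print(first_match(acl, "10.1.2.7"))           # ('deny', 12)
```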


Created Jan 14, 2017 10:02:44
