Can an ACL rule match a time range that does not exist? Does the ACL take effect?


When an ACL rule is configured to match time-range time-name, the configuration takes effect regardless of whether the time-range time-name command has been configured.

If the time-range time-name referenced by the ACL rule does not exist, the device considers the ACL rule invalid and the time-range time-name is in the inactive state.

After the time-range time-name command is configured and the time range is in the active state, the ACL rule automatically updates its status and becomes valid.

Other related questions:
What can I do with excess ACL rules used by a blacklist in local attack defense?
Excess ACL rules used by a blacklist do not take effect.

Can a nonexistent time-range in an ACL be matched, and how does the rule take effect?
When an ACL rule is configured to match time-range time-name, the router does not check whether the time-range time-name has been configured, so the configuration succeeds. For a nonexistent time-range time-name, the router considers the corresponding rule invalid and sets the time-range time-name to the Inactive state. After the time-range time-name is configured, if it is in the Active state, the corresponding ACL rule is updated dynamically and changes from the Invalid state to the Valid state.

Mechanism for ACL rules on S series switches to take effect
ACL rules on S series switches take effect in one of two modes. In the first mode, the ACL is bound to a traffic policy and delivered to the hardware of the LPU. The second mode is software processing, for example an ACL that prevents users from logging in through Telnet: after packets are sent to the CPU, they are processed in the order specified when the ACL was configured. Rules in an ACL can be matched according to the depth-first principle or in configuration order.

Why does an ACL not take effect after a deny action is defined in the ACL?
When an ACL is referenced in a traffic policy and packets match the ACL: if the software version is later than V100R005, the deny action takes effect as long as deny is defined in either the traffic behavior or the ACL. If packets match the ACL but are still not denied on such a version, the packets may have matched a rule with a higher priority whose action is not deny.

Matching rules of ACL
The display order of ACL rules determines the ACL matching principle. During ACL matching, the lookup starts from the first rule displayed in the ACL and stops at the first rule that matches. The earlier a rule is displayed, the more likely it is to be matched. The display order is determined by the rule ID and the matching method. Matching methods include matching in configuration order or in automatic order.

If the configuration order is used, matching is performed in the order in which the ACL rules are configured. Rule IDs can be set by users, or can be automatically generated by the system based on the step, which makes it convenient to maintain rules and insert new ones. For example, the default ACL step is 5. If the user does not set a rule ID, the first rule ID automatically generated by the system is 5. To insert a new rule before rule 5, the user sets a rule ID smaller than 5; the new rule then becomes the first rule.

If the automatic order is used, the system automatically generates rule IDs and ranks the rules with the highest precision at the top of the list. Precision is determined by comparing the length of the address wildcards: the shorter the wildcard, the smaller the range of network elements (addresses) the rule covers, and the higher the rule is ranked.
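The following Python model, added here as an example and not Huawei's own code or CLI output, ties together the three behaviours described on this page: rule IDs generated from the step (default 5) in configuration order, with a user-chosen smaller ID inserted ahead of rule 5; automatic order that re-ranks rules by wildcard length so the most precise rule is consulted first; and a rule that references a missing or inactive time-range being treated as invalid and skipped until the range becomes active. It also shows the "deny does not take effect" case from the previous question, where a higher-priority permit rule matches first. The Rule and Acl classes, the "config"/"auto" order names, the set_time_range() helper (which stands in for the clock-driven active state of a real time-range) and the sample addresses are all constructed for this example; only the source-address wildcard is compared, which is a simplification of the device's depth-first ordering.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    source: str                        # source address, e.g. "10.1.1.0"
    wildcard: str                      # wildcard mask, e.g. "0.0.0.255"; 1 bits are "don't care"
    rule_id: Optional[int] = None      # None: let the ACL assign an ID from its step
    time_range: Optional[str] = None   # name of a time-range the rule depends on, or None

    def matches(self, addr: str) -> bool:
        """Compare only the bits that the wildcard does not mark as don't-care."""
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(IPv4Address(addr)) & care) == (int(IPv4Address(self.source)) & care)

    def wildcard_bits(self) -> int:
        """Number of don't-care bits: fewer bits = smaller address range = higher precision."""
        return bin(int(IPv4Address(self.wildcard))).count("1")


class Acl:
    """Constructed model of one ACL: rule list, display/lookup order and time-range state."""

    def __init__(self, order: str = "config", step: int = 5):
        assert order in ("config", "auto")
        self.order = order
        self.step = step
        self.rules: list[Rule] = []
        self.time_ranges: dict[str, bool] = {}   # name -> currently active? (configured = present)

    def _next_id(self) -> int:
        # First auto ID is the step itself; later IDs are the next multiple of the step
        # above the largest existing ID, so user-chosen IDs (e.g. 2) fit in between.
        if not self.rules:
            return self.step
        return (max(r.rule_id for r in self.rules) // self.step + 1) * self.step

    def add_rule(self, rule: Rule) -> Rule:
        if self.order == "auto":
            # Auto order: the system owns the IDs and re-ranks by precision on every change;
            # a stable sort keeps configuration order among rules of equal precision.
            self.rules.append(rule)
            self.rules.sort(key=Rule.wildcard_bits)
            for n, r in enumerate(self.rules, start=1):
                r.rule_id = n * self.step
        else:
            if rule.rule_id is None:
                rule.rule_id = self._next_id()
            if any(r.rule_id == rule.rule_id for r in self.rules):
                raise ValueError(f"rule {rule.rule_id} already exists")
            self.rules.append(rule)
            self.rules.sort(key=lambda r: r.rule_id)   # display order = ascending rule ID
        return rule

    def set_time_range(self, name: str, active: bool) -> None:
        """Configure a time-range and record whether it is currently active (assumed helper)."""
        self.time_ranges[name] = active

    def is_valid(self, rule: Rule) -> bool:
        # A rule referencing a missing or inactive time-range is invalid and is skipped
        # during lookup; it becomes valid again as soon as the range is configured and active.
        if rule.time_range is None:
            return True
        return self.time_ranges.get(rule.time_range, False)

    def display(self) -> list[str]:
        """Rule list in display order, which is also the lookup order."""
        return [
            f"rule {r.rule_id} {r.action} source {r.source} {r.wildcard}"
            + (f" time-range {r.time_range}" if r.time_range else "")
            + ("" if self.is_valid(r) else "  (invalid: time-range missing or inactive)")
            for r in self.rules
        ]

    def lookup(self, addr: str) -> Optional[tuple[int, str]]:
        """The first displayed valid rule that matches wins; later rules are not consulted."""
        for r in self.rules:
            if self.is_valid(r) and r.matches(addr):
                return (r.rule_id, r.action)
        return None


if __name__ == "__main__":
    acl = Acl("config")
    acl.add_rule(Rule("deny", "10.1.1.0", "0.0.0.255"))       # becomes rule 5
    acl.add_rule(Rule("permit", "10.1.1.1", "0.0.0.0"))       # becomes rule 10, shadowed by 5
    acl.add_rule(Rule("permit", "10.1.1.1", "0.0.0.0", rule_id=2))   # inserted ahead of rule 5
    print("\n".join(acl.display()))
    print("10.1.1.1 ->", acl.lookup("10.1.1.1"))              # (2, 'permit'): deny never reached
```

In configuration order the deny on 10.1.1.0/24 (rule 5) shadows the later host permit (rule 10) until a permit with ID 2 is inserted ahead of it, which is exactly the "higher-priority rule whose action is not deny" situation from the previous question; in automatic order the same host rule is ranked above the /24 rule without the user choosing an ID. A rule bound to a time-range that has not been configured is listed but skipped by lookup until the range exists and is active.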
