What is the status of an ACL which does not contain any rule but is referenced during firewall configuration


The state of the ACL is Deny if the ACL does not contain any rule but is referenced during firewall configuration, indicating that the ACL does not allow packets to be released.

Other related questions:
How to configure and delete a basic ACL on the AR
Configure and delete the basic ACL.
A basic ACL can define rules based on the source IP address of IPv4 packets, VPN instance, fragment flag, and time range. Basic IPv4 ACLs are short for basic ACLs. The number ranges from 2000 to 2999.
Command: rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] | logging | time-range time-name ] *

descriptions of parameters
rule-id: The value is an integer that ranges from 0 to 4294967294. The device automatically generates a rule ID starting from the step value. By default, the step value is 5. That is, the rule ID starts from 5 and subsequent rule IDs are multiples of 5, that is, 5, 10, 15, and so on.
The specified rule-id is valid only when the configuration mode is used. In automatic mode, the device automatically allocates a rule ID based on the depth-first algorithm.
deny: rejects the packets that meet conditions.
permit: permits the packets that meet conditions.
The source address is in dotted decimal notation.
The wildcard of the source IP address is in dotted decimal notation. The wildcard of the source IP address can be 0, which is equivalent to, indicating that the source IP address is a host address.
The wildcard is in dotted decimal notation. When the wildcard is converted to a binary value, the value 0 indicates that the bit is matched and the value 1 indicates that the bit is not matched. The value 0 or l of a binary value can be incontiguous. For example, the IP address is and the wildcard is, representing that the network address is 192.168.1.x0x0xx01. The value of x can be 0 or 1.
#  Add a rule to ACL 2001 to permit the packets with the source address to pass through.
[Huawei] acl 2001
[Huawei-acl-basic-2001] rule permit source 0
#  Delete rule 5 from ACL 2001.
<Huawei> system-view
[Huawei] acl 2001
[Huawei-acl-basic-2001] undo rule 5

An ACL with no rule is configured. What is the status of the ACL that is referenced by the firewall
The ACL status is deny, that is, the ACL rejects packets.

Can the deny parameter be configured in the ACL referenced during the traffic mirroring configuration on an S series switch
For S series switches, during the traffic mirroring configuration, the deny parameter cannot be configured in the ACL referenced by a traffic classifier. To mirror only specified service packets, configure the permit parameter in the ACL. Because the deny action and mirroring action are performed simultaneously, the received data packets that need to be denied on a port are still mirrored to an observing port.

Matching rules of ACL
The display order of ACL rules determines the ACL matching principles. During ACL matching, a look-up is performed from the first rule displayed in the ACL. When one rule matches, the look-up is completed. The earlier a rule is displayed, the easier for it to be matched. The factors that determine the display order are the rule ID and matching methods. Matching methods include matching in configuration order or in automatic order. If the configuration order is used, the matching will be performed according to the order in which the ACL rules are configured. Rule IDs can be set by users, or can be automatically generated by the system based on the step, which is convenient for rule maintenance and insertion of new rules. For example, the default step of ACL is 5. If the user does not set a rule ID, the first rule ID automatically generated by the system is 5. When the user needs to insert a new rule before rule 5, a rule ID smaller than 5 can be set. The new rule now is the first rule. If the automatic order is used, the system automatically generates rule IDs, and ranks the rules with the highest precision to the top of the list. This can be achieved by comparing the length of the wildcard characters of addresses. The shorter the length is, the smaller the assigned NE range is.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top