ACL matching order on S series switches


If rules in an ACL overlap or conflict, the ACL matching order decides which rule a packet hits, because matching stops at the first rule that matches. S series switches (except S1700 switches) support two matching orders: the configuration order (config) and the automatic order (auto).
Configuration order:
The system matches packets against ACL rules in ascending order of rule IDs. That is, the rule with the smallest ID is processed first.
If a smaller rule ID is manually specified for a rule, the rule is placed nearer the front of the ACL and is processed earlier.
If no ID is manually specified for a rule, the system allocates one: the smallest multiple of the step that is greater than the largest rule ID currently in the ACL. Therefore, this rule is processed last.
A practical consequence of config order: a broad rule with a small ID (for example, a deny covering a whole subnet) hides every later, more specific rule for addresses inside that subnet, and those later rules never match.

Automatic order:
The system arranges rules by their precision (the depth first principle) and matches packets against the rules in descending order of precision. The rule with the highest precision defines the strictest conditions, has the highest priority, and is matched first. Rules of equal precision are processed in ascending order of rule IDs, so specifying a smaller rule ID only changes a rule's position among rules of the same precision.

Other related questions:
What is the matching order of an ACL on a WLAN device
If ACL rules repeat or conflict, the matching order decides the packet matching result. WLAN devices support two ACL matching orders: the configuration order (config) and the automatic order (auto).
Configuration order: The system matches packets against ACL rules in ascending order of rule IDs. That is, the rule with the smallest ID is processed first. If a smaller rule ID is manually specified for a rule, the rule is placed nearer the front of the ACL and processed earlier. If no ID is manually specified for a rule, the system allocates one: the smallest multiple of the step that is greater than the largest rule ID in the ACL; therefore, this rule is processed last.
Automatic order: The system arranges rules by their precision (the depth first principle) and matches packets against the rules in descending order of precision. The rule with the highest precision defines the strictest conditions, has the highest priority, and is matched first.

FAQ-ACL matching order
Question: How do rules in an ACL take effect?

Answer: An ACL consists of multiple deny | permit clauses, each of which describes a rule. The device supports two matching orders: the configuration order (config) and the automatic order (auto). The default order is config. You can use the match-order { auto | config } command in the ACL view to change the matching order.
auto: ACL rules are processed based on the depth first principle, that is, the most precise rule is tried first. If rules have the same depth, they are processed in ascending order of rule IDs. For details about the depth first principle, see Configuration > CLI-based Configuration > Configuration Guide - Security > ACL Configuration > Principle > Matching Order in the product documentation.
config: rules are processed in ascending order of rule IDs, which is the order in which they were configured unless rule IDs were specified manually.
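The two matching orders, the step-based rule ID allocation and the tie-break by rule ID described in the S series section above and in this FAQ answer can be reproduced in a small model. The following Python is an added example, not Huawei code or output from a switch. It assumes that precision in auto order is simply the number of fixed (non-wildcard) source-address bits, a simplification of the device's depth first algorithm, and it treats a single address with no wildcard as a host rule. It also reports rules that an earlier rule in the active order shadows, the usual reason a rule's match counter never moves.

```python
"""Added example (not Huawei code): a model of the config and auto ACL matching
orders described above, applied to a basic (source-address) ACL.

Assumptions (not from the page): rule precision for the auto order is the
number of fixed, non-wildcard bits in the source address; ties go to the
smaller rule ID, as the FAQ states. Real hardware weighs more fields, so this
models first-match-wins ordering, not the exact depth-first algorithm.
"""
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    addr: int        # source address as an integer
    wildcard: int    # Huawei wildcard mask: a set bit means "don't care"
    match_counter: int = 0

    @classmethod
    def parse(cls, rule_id, action, source):
        """source is "any", "A.B.C.D" (host) or "A.B.C.D W.X.Y.Z" (wildcard)."""
        if source == "any":
            return cls(rule_id, action, 0, MASK32)
        parts = source.split()
        addr = int(ipaddress.IPv4Address(parts[0]))
        wildcard = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
        return cls(rule_id, action, addr, wildcard)

    def fixed_bits(self):
        """Address bits the rule constrains; more fixed bits = more precise."""
        return 32 - bin(self.wildcard).count("1")

    def matches(self, ip):
        fixed = ~self.wildcard & MASK32
        return ((int(ipaddress.IPv4Address(ip)) ^ self.addr) & fixed) == 0

    def covers(self, other):
        """True if every address `other` can match is also matched by this rule."""
        fixed = ~self.wildcard & MASK32
        return ((fixed & ~other.wildcard & MASK32) == fixed
                and ((self.addr ^ other.addr) & fixed) == 0)


class Acl:
    def __init__(self, step=5, match_order="config"):
        self.step = step
        self.match_order = match_order   # "config" is the device default
        self.rules = {}                  # rule_id -> Rule

    def add_rule(self, action, source, rule_id=None):
        """Like `rule [rule-id] { permit | deny } source ...` in ACL view.

        Without an explicit ID the device allocates the smallest multiple of
        the step greater than the largest existing ID, so the rule lands last
        in config order; an explicit smaller ID moves it earlier.
        """
        if rule_id is None:
            largest = max(self.rules, default=0)
            rule_id = (largest // self.step + 1) * self.step
        self.rules[rule_id] = Rule.parse(rule_id, action, source)
        return rule_id

    def ordered_rules(self):
        if self.match_order == "config":
            return sorted(self.rules.values(), key=lambda r: r.rule_id)
        # auto: strictest rule first; equal precision -> ascending rule ID
        return sorted(self.rules.values(), key=lambda r: (-r.fixed_bits(), r.rule_id))

    def lookup(self, ip):
        """First matching rule wins. Returns (action, rule_id) or ("no-match", None)."""
        for r in self.ordered_rules():
            if r.matches(ip):
                r.match_counter += 1
                return r.action, r.rule_id
        return "no-match", None

    def shadowed_rules(self):
        """IDs of rules that can never match because an earlier rule in the
        active order covers them; their match counter stays at 0."""
        order = self.ordered_rules()
        return [r.rule_id for i, r in enumerate(order)
                if any(e.covers(r) for e in order[:i])]


if __name__ == "__main__":
    acl = Acl(step=5)
    acl.add_rule("deny", "10.1.0.0 0.0.255.255")   # gets ID 5
    acl.add_rule("permit", "10.1.1.1")             # gets ID 10
    print("config:", acl.lookup("10.1.1.1"), "shadowed:", acl.shadowed_rules())
    acl.match_order = "auto"
    print("auto:  ", acl.lookup("10.1.1.1"), "shadowed:", acl.shadowed_rules())
```

With the constructed two-rule ACL, the same packet from 10.1.1.1 is denied under config order (the subnet deny with ID 5 is tried first and the host permit with ID 10 is shadowed) and permitted under auto order (the 32-bit host rule is more precise than the 16-bit subnet rule). Giving the host permit an explicit ID such as 2 fixes the config-order case without switching to auto.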


Check the number of times an ACL rule matches packets on an S series switch
Run the display acl { <acl-number> | name <acl-name> | all } command on an S series switch (except the S1700 switch) to check the configuration of an ACL.
In the command output, the match-counter field shows how many times each rule has matched packets. This counter reflects only software-based matching, that is, ACLs applied by software modules. Matches performed in hardware are not reflected in the display acl output and must be read by other means. For example, when the ACL is referenced by a traffic policy, run the statistic enable command in the traffic behavior view to enable traffic statistics collection for that behavior, and then run the display traffic policy statistics command to see the counts. A rule whose counter stays at zero while the traffic it targets is flowing is usually being shadowed by an earlier rule in the matching order.

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to pick out packets of a certain type, and then forwards or discards them according to the policy of the service module to which the ACL is applied. The S series switch supports basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). For more information about the ACL feature supported by S series switches, except S1700, see the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
