FAQ-ACL matching order

Question: How do rules in an ACL take effect?

Answer: An ACL is a list of deny | permit rules. A packet is compared against the rules in order and the first rule that matches decides the result, so when rules overlap the matching order determines what happens to the packet. The device supports two matching orders: the configuration order (config) and the automatic order (auto). The default is config, that is, rules are processed in ascending order of rule ID. Use the match-order { auto | config } command in the ACL view to change the matching order.
auto: rules are processed according to the depth-first principle, strictest (most precise) rule first. Rules of equal depth are processed in ascending order of rule ID. For details about the depth-first principle, see Configuration > CLI-based Configuration > Configuration Guide - Security > ACL Configuration > Principle > Matching Order in the product documentation.
config: rules are processed in the order they were configured, that is, in ascending order of rule ID, whether the IDs were specified manually or allocated by the system.

Other related questions:
What is the matching order of an ACL on a WLAN device
If ACL rules overlap or conflict, the matching order decides the packet matching result. WLAN devices support two ACL matching orders: the configuration order (config) and the automatic order (auto).
Configuration order: the system matches packets against ACL rules in ascending order of rule ID, so the rule with the smallest ID is checked first. A rule given a manually specified small ID is inserted near the front of the ACL and is checked earlier. A rule configured without an ID is allocated one by the system: the smallest multiple of the step that is greater than the largest existing rule ID. Such a rule therefore comes last.
Automatic order: the system ranks rules by precision (depth first) and matches packets against them in descending order of precision. The rule with the strictest conditions has the highest precision and the highest priority, so packets are matched against it first.

ACL matching order on S series switches
If ACL rules overlap or conflict, the ACL matching order decides the matching result. S series switches (except S1700 switches) support the configuration order (config) and the automatic order (auto).
Configuration order: the system matches packets against ACL rules in ascending order of rule ID, so the rule with the smallest ID is checked first. A rule given a manually specified small ID is inserted near the front of the ACL and is checked earlier. A rule configured without an ID is allocated one by the system: the smallest multiple of the step that is greater than the largest existing rule ID. Such a rule therefore comes last.
Automatic order: the system ranks rules by precision (depth first principle) and matches packets against them in descending order of precision. The rule with the strictest conditions has the highest precision and the highest priority, so packets are matched against it first.

Security policy matching order on the USG6000
On the USG6000, security policies are matched in the order they were configured, and a policy configured earlier takes precedence. Therefore, configure security policies with narrower scopes and more specific matching conditions first, and policies with wider scopes and broader matching conditions after them; otherwise a broad policy placed earlier shadows the specific policies behind it.

Matching rules of ACL
The display order of ACL rules determines how matching proceeds. During a lookup, the rules are checked starting from the first rule displayed in the ACL, and the lookup stops at the first rule that matches. The earlier a rule is displayed, the more likely it is to decide the result. The display order depends on the rule IDs and on the matching method, which is either the configuration order or the automatic order.
With the configuration order, rules are matched in the order they were configured, that is, in ascending order of rule ID. Rule IDs can be set by the user or generated by the system from the step, which keeps gaps between IDs free for inserting rules later. For example, the default step is 5, so if the user sets no rule ID, the first rule generated by the system is rule 5 and the next is rule 10. To insert a new rule in front of rule 5, configure it with a rule ID smaller than 5; it then becomes the first rule.
With the automatic order, the system generates the rule IDs itself and places the most precise rules at the top of the list. Precision is judged from the address wildcards: a wildcard bit of 1 means the corresponding address bit is ignored, so the fewer 1 bits a wildcard has, the smaller the address range the rule covers and the higher the rule is ranked. A rule for a single host (wildcard 0.0.0.0) is therefore placed before a rule for a whole subnet, which in turn is placed before a rule that matches any source.
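The behaviour described above and in the answer at the top of the page (rule-ID allocation from the step under the configuration order, and strictest-rule-first ranking under the automatic order) as an added example in Python. It is not part of this FAQ or of any vendor software: it models a basic ACL that filters on source address only, the class and function names, the two rules and the test address 10.1.1.7 are constructed for the illustration, and the precision ranking simply counts the fixed bits of the wildcard, which is a simplification of a product's full depth-first rules.

```python
"""Simulated basic ACL: rule-ID allocation under the configuration order and
strictest-rule-first ranking under the automatic order. Example code written
for this page, not vendor code; the rules and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def _ip(text: str) -> int:
    return int(IPv4Address(text))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard mask: a 1 bit means "do not care"

    def matches(self, src_ip: str) -> bool:
        care = (~self.wildcard) & 0xFFFFFFFF
        return (_ip(src_ip) & care) == (self.source & care)

    def precision(self) -> int:
        # Number of address bits that must match: more fixed bits, stricter rule.
        return 32 - bin(self.wildcard).count("1")


class BasicAcl:
    def __init__(self, step: int = 5, match_order: str = "config"):
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be 'config' or 'auto'")
        self.step = step
        self.match_order = match_order
        self.rules: List[Rule] = []

    def add_rule(self, action: str, source: str, rule_id: Optional[int] = None) -> Rule:
        """Model 'rule [rule-id] { permit | deny } source { addr wildcard | any }'.
        Without an explicit ID the system allocates the smallest multiple of the
        step greater than the largest existing ID (rule 5 in an empty ACL)."""
        if self.match_order == "auto" and rule_id is not None:
            raise ValueError("auto order: rule IDs are generated by the system")
        if rule_id is None:
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        elif any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists")
        if source == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr_text, wild_text = source.split()
            addr, wild = _ip(addr_text), _ip(wild_text)
        rule = Rule(rule_id, action, addr, wild)
        self.rules.append(rule)
        return rule

    def ordered_rules(self) -> List[Rule]:
        """The order in which the rules are displayed and evaluated."""
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto: most precise rule first, smaller rule ID breaks ties
        return sorted(self.rules, key=lambda r: (-r.precision(), r.rule_id))

    def lookup(self, src_ip: str) -> Optional[Rule]:
        """First match wins. None means no rule matched; what happens then
        depends on where the ACL is applied."""
        for rule in self.ordered_rules():
            if rule.matches(src_ip):
                return rule
        return None


def demo() -> dict:
    """The same two rules give opposite verdicts for 10.1.1.7 under the two orders."""
    results = {}
    for order in ("config", "auto"):
        acl = BasicAcl(step=5, match_order=order)
        acl.add_rule("permit", "10.0.0.0 0.255.255.255")   # becomes rule 5
        acl.add_rule("deny", "10.1.1.0 0.0.0.255")         # becomes rule 10
        hit = acl.lookup("10.1.1.7")
        results[order] = (hit.rule_id, hit.action)
    # Configuration order: a manually numbered rule 3 lands in front of rule 5.
    acl = BasicAcl(step=5, match_order="config")
    acl.add_rule("permit", "10.0.0.0 0.255.255.255")
    acl.add_rule("deny", "10.1.1.7 0.0.0.0", rule_id=3)
    hit = acl.lookup("10.1.1.7")
    results["config+rule3"] = (hit.rule_id, hit.action)
    return results


if __name__ == "__main__":
    for order, (rule_id, action) in demo().items():
        print(f"{order:13s} -> rule {rule_id} {action}")
```

Under the configuration order the broad permit for 10.0.0.0/8 is rule 5 and is checked before the narrower deny for 10.1.1.0/24, so the host is permitted; under the automatic order the /24 deny is ranked first and the host is denied. The last case shows the remedy available in config mode: giving the stricter rule an ID smaller than 5 moves it to the front without changing the matching order.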

What is the matching order of the firewall policy routes?
Policy-based routes on the firewall are matched by node number: the nodes under a policy-based-route policy are checked in ascending order of node number, starting from the smallest.
