Matching rules of ACL


The display order of ACL rules determines the ACL matching principles. During ACL matching, a look-up is performed from the first rule displayed in the ACL. When one rule matches, the look-up is completed. The earlier a rule is displayed, the earlier it is checked and the more likely it is to be the matching rule. The factors that determine the display order are the rule ID and the matching method.
Matching methods include matching in configuration order or in automatic order. If the configuration order is used, the matching is performed according to the order in which the ACL rules are configured. Rule IDs can be set by users, or can be automatically generated by the system based on the step; the gaps left by the step make it convenient to maintain rules and to insert new rules. For example, the default step of an ACL is 5. If the user does not set a rule ID, the first rule ID automatically generated by the system is 5. When the user needs to insert a new rule before rule 5, a rule ID smaller than 5 can be set. The new rule is now the first rule.
If the automatic order is used, the system automatically generates rule IDs and ranks the rules with the highest precision at the top of the list. This is achieved by comparing the wildcard lengths of the addresses in the rules: the shorter the wildcard (the fewer address bits it ignores), the smaller the range of network elements the rule covers, and the more precise the rule.
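The following is an added example, not code from the original page or from Huawei: a small Python simulation of the look-up behaviour described above. It shows first-match look-up, rule IDs generated from the step (5, 10, ...), inserting a rule with a smaller ID before rule 5 in configuration order, and automatic order ranking the rule with the shorter wildcard first. The `Rule` and `Acl` classes and the "address wildcard" source format are assumptions for illustration, not a VRP API.

```python
# Added example, not code from the Huawei page: a simulation of ACL look-up
# order. Rule, Acl and the "address wildcard" source format are assumptions
# for illustration, not a VRP API.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    rule_id: int
    action: str             # "permit" or "deny"
    source: str             # "address wildcard", e.g. "10.1.1.0 0.0.0.255"
    match_counter: int = 0  # analogous to the match-counter field of display acl


def _ints(source: str) -> tuple[int, int]:
    addr, wildcard = source.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def wildcard_bits(source: str) -> int:
    """Count the 1 bits in the wildcard: fewer bits means a smaller address range."""
    _, wildcard = _ints(source)
    return bin(wildcard).count("1")


def matches(rule: Rule, src_ip: str) -> bool:
    """A 1 bit in the wildcard means 'do not care'; compare only the other bits."""
    addr, wildcard = _ints(rule.source)
    care = 0xFFFFFFFF ^ wildcard
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (addr & care)


class Acl:
    def __init__(self, match_order: str = "config", step: int = 5) -> None:
        self.match_order = match_order  # "config" or "auto"
        self.step = step
        self.rules: list[Rule] = []

    def add_rule(self, action: str, source: str, rule_id: Optional[int] = None) -> Rule:
        if rule_id is None:
            # Auto-generated ID: the next multiple of the step above the largest
            # existing ID, so the first rule of a fresh ACL gets ID 5 with step 5.
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists")
        rule = Rule(rule_id, action, source)
        self.rules.append(rule)
        return rule

    def display_order(self) -> list[Rule]:
        """The order in which rules are displayed, and therefore looked up."""
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto: the most precise rule (shortest wildcard) first; ties keep ID order
        return sorted(self.rules, key=lambda r: (wildcard_bits(r.source), r.rule_id))

    def lookup(self, src_ip: str) -> Optional[Rule]:
        """First-match look-up: stop at the first displayed rule that matches."""
        for rule in self.display_order():
            if matches(rule, src_ip):
                rule.match_counter += 1
                return rule
        return None  # no rule matched


def demo() -> tuple[int, int, str]:
    """Constructed scenario: two overlapping rules, then a rule inserted before rule 5."""
    acl = Acl("config")
    acl.add_rule("permit", "10.1.0.0 0.0.255.255")        # gets rule ID 5
    acl.add_rule("deny", "10.1.1.0 0.0.0.255")            # gets rule ID 10
    first = acl.lookup("10.1.1.7")                        # config order: rule 5 wins
    acl.add_rule("deny", "10.1.1.0 0.0.0.255", rule_id=3)  # now displayed first
    second = acl.lookup("10.1.1.7")                       # rule 3 wins

    auto = Acl("auto")
    auto.add_rule("permit", "10.1.0.0 0.0.255.255")
    auto.add_rule("deny", "10.1.1.0 0.0.0.255")
    third = auto.lookup("10.1.1.7")                       # the shorter wildcard wins
    return first.rule_id, second.rule_id, third.action


if __name__ == "__main__":
    print(demo())  # (5, 3, 'deny')
```

The same packet is permitted or denied depending only on which rule is displayed first, which is why a rule added later with a smaller ID, or a more precise rule under automatic order, changes the outcome without any existing rule being edited.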

Other related questions:
Can a nonexistent time-range in an ACL be matched, and how does the rule take effect?
When a time-range time-name in an ACL rule is matched, the router does not check whether the time-range time-name has been configured. Therefore, the configuration succeeds. For a nonexistent time-range time-name, the router considers the corresponding rule invalid and sets the time-range time-name to the Inactive state. After the time-range time-name is configured, if it is in the Active state, the corresponding ACL rule is updated dynamically and changed from the Invalid state to the Valid state.

Can an ACL rule match a time range that does not exist? Does the ACL take effect?
When the ACL rule is configured to match time-range time-name, the configuration takes effect regardless of whether the time-range time-name command has been configured. If the ACL rule references a time-range time-name that does not exist, the device considers the ACL rule invalid and the time-range time-name command to be in the inactive state. After the time-range time-name command is configured and in the active state, the ACL rule automatically updates its status and changes to valid.
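The following is an added example, not code from the original page or from Huawei: a Python simulation of the time-range behaviour described in the two answers above. A rule that references a time-range is accepted at configuration time, stays invalid while the time-range does not exist or is outside its active window, and becomes valid once the time-range is configured and active; invalid rules are skipped during look-up. The `TimeRange`, `Rule` and `Device` classes are assumptions for illustration, not a VRP API.

```python
# Added example, not code from the Huawei page: how an ACL rule that references
# a time-range is accepted at configuration time, stays invalid while the
# time-range is missing or inactive, and becomes valid once the time-range is
# configured and active. Class and method names are assumptions, not a VRP API.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class TimeRange:
    name: str
    start: time
    end: time
    weekdays: set  # 0 = Monday ... 6 = Sunday

    def is_active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() <= self.end


@dataclass
class Rule:
    rule_id: int
    action: str                # "permit" or "deny"
    time_range: Optional[str]  # name of a time-range, or None for always


class Device:
    def __init__(self) -> None:
        self.time_ranges: dict[str, TimeRange] = {}
        self.rules: dict[int, Rule] = {}

    def add_rule(self, rule_id: int, action: str, time_range: Optional[str] = None) -> None:
        # The referenced time-range is not checked here: configuration succeeds
        # even when the name has not been created yet.
        self.rules[rule_id] = Rule(rule_id, action, time_range)

    def configure_time_range(self, tr: TimeRange) -> None:
        self.time_ranges[tr.name] = tr

    def rule_state(self, rule_id: int, now: datetime) -> str:
        """'valid' or 'invalid', re-evaluated on every call (the dynamic update)."""
        rule = self.rules[rule_id]
        if rule.time_range is None:
            return "valid"
        tr = self.time_ranges.get(rule.time_range)
        if tr is None:
            return "invalid"  # nonexistent time-range: the rule stays invalid
        return "valid" if tr.is_active(now) else "invalid"

    def effective_action(self, now: datetime, default: str = "permit") -> str:
        """Action of the first valid rule in rule-ID order; invalid rules are skipped."""
        for rule_id in sorted(self.rules):
            if self.rule_state(rule_id, now) == "valid":
                return self.rules[rule_id].action
        return default


def demo() -> tuple[str, str, str, str, str]:
    """Constructed scenario: a deny rule bound to a time-range that is created later."""
    dev = Device()
    dev.add_rule(5, "deny", time_range="work")  # "work" does not exist yet
    dev.add_rule(10, "permit")
    monday_10 = datetime(2024, 3, 4, 10, 0)     # constructed: Monday 10:00
    before = dev.rule_state(5, monday_10)                 # "invalid"
    action_before = dev.effective_action(monday_10)       # rule 5 skipped: "permit"
    dev.configure_time_range(TimeRange("work", time(8, 0), time(18, 0), {0, 1, 2, 3, 4}))
    during = dev.rule_state(5, monday_10)                 # "valid"
    action_during = dev.effective_action(monday_10)       # "deny"
    evening = dev.rule_state(5, datetime(2024, 3, 4, 20, 0))  # outside window: "invalid"
    return before, action_before, during, action_during, evening


if __name__ == "__main__":
    print(demo())  # ('invalid', 'permit', 'valid', 'deny', 'invalid')
```

The practical consequence is that a deny rule bound to a misspelled or not-yet-created time-range is silently skipped, so the traffic it was meant to block falls through to the later rules; checking the rule state after configuration, rather than trusting that the command was accepted, is what catches this.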

Check the number of times an ACL rule matches packets on an S series switch
Run the display acl { <acl-number> | name <acl-name> | all } command on an S series switch (except the S1700 switch) to check the configuration of an ACL.
In the command output, the match-counter field displays the number of times the ACL matches packets. To view the number of times a software-based ACL rule matches packets, run the display acl command. To view the number of times a hardware-based ACL rule matches packets, use other methods. For example, to view the number of times the ACL rule matches packets after a traffic policy is enforced, run the statistic enable command in the traffic behavior view to enable traffic statistics collection in the traffic behavior, and then run the display traffic-policy statistics command.

Why are the statistics displayed in the display acl command output 0 after a traffic policy defining an ACL rule and traffic statistics is applied and traffic matches the ACL rule?
The display acl command displays statistics on traffic sent to the control plane. The traffic statistics collection function in traffic policies collects statistics on traffic on the forwarding plane; statistics on traffic sent to the control plane are not collected there. Therefore, after a traffic policy defining an ACL rule and traffic statistics is applied and traffic matches the ACL rule, the statistics displayed in the display acl command output are 0. Run the display traffic-policy statistics command to view statistics on traffic matching a traffic policy applied to an interface.
