What is the principle of ACL

Latest reply: May 14, 2018 09:29:58

Hi, everyone! Today I'm going to introduce the principle of ACLs.

ACL Rule Management
An ACL can contain multiple rules. A rule is identified by a rule ID, which can be set by a user or automatically generated based on the ACL step. All rules in an ACL are arranged in ascending order of rule IDs.
There is an ACL step between rule IDs. For example, if an ACL step is set to 5, rules are numbered 5, 10, 15, and so on. If an ACL step is set to 2 and rule IDs are configured to be automatically generated, the system automatically generates rule IDs starting from 2. The step makes it possible to add a new rule between existing


ACL Rule Matching
When a packet reaches a device, the device retrieves information from the packet and matches it against the ACL rules in ascending order of rule ID. Once a matching rule is found, the device stops matching; later rules are not evaluated.
If no rule matches the packet, the ACL does not process the packet.
ACL rules can be classified into permit rules and deny rules.
In summary, the ACL classifies packets into the following types:
- Packets matching permit rules.
- Packets matching deny rules.
- Packets that do not match any rule.
Different features process these three types of packets differently. For details, see the configuration notes in the feature manuals.
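To make the two sections above concrete, here is a small simulator of a basic ACL: rule IDs are either set explicitly or generated as the next multiple of the step, rules are always kept in ascending ID order, and a packet is evaluated first-match, returning permit, deny, or no match. This is an added example written for this post, not code from the original post or from any vendor; the BasicACL class, its methods and the addresses in demo() are all constructed for illustration.

```python
"""Toy model of ACL rule management and first-match evaluation (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(order=True)
class Rule:
    """One ACL rule; ordering (and therefore match order) is by rule_id only."""
    rule_id: int
    action: str = field(compare=False)          # "permit" or "deny"
    source: IPv4Network = field(compare=False)  # basic ACL: source IP only


class BasicACL:
    """Hypothetical basic ACL (numbered 2000-2999), not a vendor API."""

    def __init__(self, number: int, step: int = 5) -> None:
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers range from 2000 to 2999")
        if step < 1:
            raise ValueError("ACL step must be a positive integer")
        self.number = number
        self.step = step
        self.rules: list[Rule] = []

    def add_rule(self, action: str, source: str, rule_id: Optional[int] = None) -> int:
        """Add a rule; without an explicit ID the next multiple of the step is used."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if rule_id is None:
            # Next multiple of the step above the highest existing ID, so a fresh
            # ACL with step 5 numbers its rules 5, 10, 15, ... and step 2 starts at 2.
            highest = self.rules[-1].rule_id if self.rules else 0
            rule_id = (highest // self.step + 1) * self.step
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists in ACL {self.number}")
        self.rules.append(Rule(rule_id, action, IPv4Network(source, strict=False)))
        self.rules.sort()  # rules are always kept in ascending order of rule ID
        return rule_id

    def rule_ids(self) -> list:
        return [r.rule_id for r in self.rules]

    def match(self, src_ip: str) -> Optional[str]:
        """First-match evaluation: walk rules in ID order and stop at the first hit.

        Returns "permit", "deny", or None when the packet matches no rule at all
        (what happens then is decided by the feature that applies the ACL).
        """
        ip = IPv4Address(src_ip)
        for rule in self.rules:
            if ip in rule.source:
                return rule.action
        return None


def demo() -> dict:
    """Constructed scenario: the step leaves room to insert a rule ahead of others."""
    acl = BasicACL(2000, step=5)
    acl.add_rule("permit", "10.1.0.0/16")   # auto-generated ID 5
    acl.add_rule("deny", "192.168.0.0/16")  # auto-generated ID 10
    before = acl.match("10.1.2.3")          # rule 5 hits first -> "permit"

    # A narrower deny must be evaluated before the broad permit. IDs 1-4 are
    # free because of the step, so rule 3 lands ahead of rule 5.
    acl.add_rule("deny", "10.1.2.0/24", rule_id=3)
    after = acl.match("10.1.2.3")           # rule 3 now hits first -> "deny"

    return {
        "rule_ids": acl.rule_ids(),            # [3, 5, 10]
        "before": before,                      # "permit"
        "after": after,                        # "deny"
        "other_host": acl.match("10.1.9.9"),   # "permit" via rule 5
        "denied": acl.match("192.168.1.1"),    # "deny" via rule 10
        "unmatched": acl.match("203.0.113.1"), # None: no rule matches
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three return values of match() correspond to the three packet types listed above; the None case is the one practitioners most often overlook, because the ACL itself takes no decision there and the referencing feature (packet filtering, route policy, and so on) decides what happens.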

ACL Classification
- Basic ACL: A basic ACL matches packets only based on the source IP address, fragment flag, and time range. A basic IPv4 ACL is also called a basic ACL. Basic ACLs are numbered from 2000 to 2999.
- Advanced ACL: An advanced ACL matches packets based on the source IPv4 address, destination IPv4 address, IP precedence, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination port, and User Datagram Protocol (UDP) source/destination port. An advanced IPv4 ACL is also called an advanced ACL. Advanced ACLs are numbered from 3000 to 3999.
- Layer 2 ACL: A Layer 2 ACL matches packets based on Layer 2 information in packets, such as source and destination Media Access Control (MAC) addresses, and Ethernet frame protocol number. The number of a Layer 2 ACL ranges from 4000 to 4999.
- User-defined ACL: A user-defined ACL matches certain contents in the packets according to the offset position and offset value. The number of a user-defined ACL ranges from 5000 to 5999.
- ARP-based ACL: An ARP-based ACL matches the source/destination IP addresses and source/destination MAC addresses in ARP packets. The number of an ARP-based ACL ranges from 23000 to 23999.
- Basic ACL6: A basic ACL6 matches packets based on the source IPv6 address, fragmentation flag, and time range. A basic IPv6 ACL is also called a basic ACL6. Basic ACL6 numbers range from 2000 to 2999.
- Advanced ACL6: An advanced ACL6 matches packets based on the source IPv6 address and destination IPv6 address of data packets, the protocol type supported by IPv6, features of the protocol such as the source port number and destination port number, ICMPv6 protocol, and ICMPv6 code. An advanced IPv6 ACL is also called an advanced ACL6. Advanced ACL6 numbers range from 3000 to 3999.

You can also find the answer in Principles of ACLs.

If you have any problems, please post them in our Community. We are happy to solve them for you!


MVE Created May 14, 2018 09:29:58

useful document, thanks