1-11 ACL ConfigurationACL OverviewAs the network scale and network traffic are increasingly growing, security control and bandwidthassignment play a more and more important role in network management. Filtering data packets canprevent a network from being accessed by unauthorized users efficiently while controlling networktraffic and saving network resources. Access control lists (ACL) are often used to filter packets withconfigured matching rules.Upon receiving a packet, the switch compares the packet with the rules of the ACL applied on thecurrent port to permit or discard the packet.The rules of an ACL can be referenced by other functions that need traffic classification, such as QoS.ACLs classify packets using a series of conditions known as rules. The conditions can be based onsource addresses, destination addresses and port numbers carried in the packets.According to their application purposes, ACLs fall into the following four types.z Basic ACL. Rules are created based on source IP addresses only.z Advanced ACL. Rules are created based on the Layer 3 and Layer 4 information such as thesource and destination IP addresses, type of the protocols carried by IP, protocol-specific features,and so on.z Layer 2 ACL. Rules are created based on the Layer 2 information such as source and destinationMAC addresses, VLAN priorities, type of Layer 2 protocol, and so on.z User-defined ACL. An ACL of this type matches packets by comparing the strings retrieved fromthe packets with specified strings. It defines the byte it begins to perform “and” operation with themask on the basis of packet headers.ACL Matching OrderAn ACL can contain multiple rules, each of which matches specific type of packets. So the order inwhich the rules of an ACL are matched needs to be determined.The rules in an ACL can be matched in one of the following two ways:z config: where rules in an ACL are matched in the order defined by the user.z auto: where rules in an ACL are matched in the order determined by the system, namely the“depth-first” rule.For depth-first rule, there are two cases:Depth-first match order for rules of a basic ACL1) Range of source IP address: The smaller the source IP address range (that is, the more thenumber of zeros in the wildcard mask), the higher the match priority.2) Fragment keyword: A rule with the fragment keyword is prior to others.3) If the above two conditions are identical, the earlier configured rule applies.