1) Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask.
2) If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, compare packets against the rule configured with more ones in the destination MAC address mask.
3) If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first.

The comparison of a packet against ACL rules stops immediately after a match is found. The packet is then processed as per the rule.

IPv4 ACL Step

Meaning of the step

The step defines the difference between two neighboring numbers that are automatically assigned to ACL rules by the device. For example, with a step of 5, rules are automatically numbered 0, 5, 10, 15, and so on. By default, the step is 5.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if four rules are numbered 5, 10, 15, and 20 respectively, changing the step from 5 to 2 will cause the rules to be renumbered 0, 2, 4, and 6.

Benefits of using the step

With the step and rule numbering/renumbering mechanism, you do not need to assign numbers to rules when defining them. The system assigns a newly defined rule the smallest multiple of the step that is greater than the current largest rule number. For example, with a step of five, if the biggest number is currently 28, the newly defined rule will get a number of 30. If the ACL has no rule defined already, the first defined rule will get a number of 0.

Another benefit of using the step is that it allows you to insert new rules between existing ones as needed. For example, after creating four rules numbered 0, 5, 10, and 15 in an ACL with a step of five, you can insert a rule numbered 1.

Effective Period of an IPv4 ACL

You can control when a rule can take effect by referencing a time range in the rule.

A referenced time range can be one that has not been created yet. The rule, however, can take effect only after the time range is defined and becomes active.

IP Fragments Filtering with IPv4 ACL

Traditional packet filtering matches only the first fragment of a packet rather than all IP fragments. All subsequent non-first fragments are handled in the way the first fragments are handled. This creates a security risk, because attackers may fabricate non-first fragments to attack your network.

In the configuration of an IPv4 ACL rule, the fragment keyword specifies that the rule applies to non-first fragment packets only, and does not apply to non-fragment packets or first fragment packets. ACL rules that do not contain this keyword apply to both non-fragment packets and fragment packets.
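
The three sorting steps at the top of this section, together with the stop-at-first-match behavior, as an added Python example that is not taken from the device documentation. The Rule class, rule names and MAC addresses are constructed for illustration, and the code assumes that a 1 bit in a MAC address mask means that bit must match.

```python
from dataclasses import dataclass

def mac(text):
    """Parse a MAC such as '0011-2233-4455' into a 48-bit integer."""
    return int(text.replace("-", "").replace(":", ""), 16)

def ones(mask):
    """Number of 1 bits in a mask."""
    return bin(mask).count("1")

@dataclass
class Rule:              # hypothetical model, not a device API
    name: str
    action: str          # "permit" or "deny"
    src: int
    src_mask: int        # assumption: a 1 bit means "this bit must match"
    dst: int = 0
    dst_mask: int = 0    # all zeros matches any destination

    def matches(self, pkt_src, pkt_dst):
        return ((pkt_src ^ self.src) & self.src_mask) == 0 and \
               ((pkt_dst ^ self.dst) & self.dst_mask) == 0

def match_order(rules):
    """Steps 1-3: more ones in the source mask, then in the destination mask,
    then configuration order (sorted() is stable, so ties keep list order)."""
    return sorted(rules, key=lambda r: (-ones(r.src_mask), -ones(r.dst_mask)))

def evaluate(rules, pkt_src, pkt_dst):
    """Return the first matching rule; comparison stops at that rule."""
    for rule in match_order(rules):
        if rule.matches(pkt_src, pkt_dst):
            return rule
    return None          # no rule matched

# Constructed sample rules, in the order they were configured.
RULES = [
    Rule("permit-vendor", "permit", mac("0011-2200-0000"), mac("ffff-ff00-0000")),
    Rule("deny-host", "deny", mac("0011-2233-4455"), mac("ffff-ffff-ffff")),
    Rule("deny-vendor-to-gw", "deny", mac("0011-2200-0000"), mac("ffff-ff00-0000"),
         mac("00aa-bbcc-ddee"), mac("ffff-ffff-ffff")),
]

if __name__ == "__main__":
    for r in match_order(RULES):
        print(r.name, r.action)
    hit = evaluate(RULES, mac("0011-2233-4455"), mac("00ff-0000-0001"))
    print("0011-2233-4455 ->", hit.name, hit.action)
```

The host 0011-2233-4455 is denied even though the broader permit rule was configured first, because the rule with more ones in its source MAC address mask is compared first.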