Table 1-2 Depth-first match for IPv4 ACLs

IPv4 ACL category | Depth-first match procedure

Basic IPv4 ACL
1) Sort rules by source IP address wildcard mask and compare packets against the rule configured with more zeros in the source IP address wildcard mask.
2) In case of a tie, compare packets against the rule configured first.

Advanced IPv4 ACL
1) Sort rules by the protocol carried over IP. A rule with no limit to the protocol type (that is, configured with the ip keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level.
2) If the protocol types have the same precedence, look at the source IP address wildcard mask. Then, compare packets against the rule configured with more zeros in the source IP address wildcard mask.
3) If the numbers of zeros in the source IP address wildcard masks are the same, look at their destination IP address wildcard masks. Then, compare packets against the rule configured with more zeros in the destination IP address wildcard mask.
4) If the numbers of zeros in the destination IP address wildcard masks are the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges. Then compare packets against the rule configured with the smaller port number range.
5) If the port number ranges are the same, compare packets against the rule configured first.

Ethernet frame header ACL
1) Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask.
2) If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, compare packets against the rule configured with more ones in the destination MAC address mask.
3) If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first.

The comparison of a packet against ACL rules stops immediately after a match is found.
The packet is then processed as per the rule.

Fragments Filtering with IPv4 ACLs

Traditional packet filtering performs the match operation on only the first fragments. All non-first fragments are permitted. This results in security risks, because attackers may exploit this vulnerability by fabricating non-first fragments to attack your network.

When configuring a rule of an IPv4 ACL, you can specify that the rule applies to non-first fragment packets only, and does not apply to non-fragment packets or first fragment packets. ACL rules that do not contain this keyword are applicable to both non-fragment packets and fragment packets.

Effective Period of an ACL

You can control when a rule takes effect by referencing a time range in the rule. A referenced time range can be one that has not been created yet. The rule, however, can take effect only after the time range is defined and becomes active.
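To make the advanced IPv4 ACL procedure in Table 1-2 concrete, the following added Python example (not code from the vendor documentation) sorts a rule set with the five-step depth-first key and returns the first matching rule, so the same packet can be checked in configuration order and in depth-first order. The Rule fields, the sample rules and the packet values are constructed assumptions.

```python
# Added example (not vendor code): depth-first ordering of advanced IPv4 ACL rules per Table 1-2.
# The Rule fields and the sample rule set below are constructed, not vendor data.
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Rule:
    seq: int                   # configuration order; lower means configured first
    action: str                # "permit" or "deny"
    proto: str                 # "ip" = any protocol; otherwise "tcp", "udp", ...
    src: str                   # source address
    src_wild: str              # source wildcard mask (0 bits must match)
    dst: str                   # destination address
    dst_wild: str              # destination wildcard mask
    ports: tuple = (0, 65535)  # inclusive Layer 4 destination port range

def zeros(wild: str) -> int:
    # Zero bits in a wildcard mask; more zeros means a more specific rule.
    return 32 - bin(int(IPv4Address(wild))).count("1")

def depth_first_key(r: Rule):
    # Steps 1-5 of Table 1-2; Python sorts ascending, so "more zeros first" is negated.
    return (1 if r.proto == "ip" else 0,  # 1) 'ip' rules have the lowest precedence
            -zeros(r.src_wild),           # 2) more zeros in the source wildcard mask
            -zeros(r.dst_wild),           # 3) more zeros in the destination wildcard mask
            r.ports[1] - r.ports[0],      # 4) smaller port number range
            r.seq)                        # 5) configured first

def depth_first_order(rules):
    return sorted(rules, key=depth_first_key)

def config_order(rules):
    return sorted(rules, key=lambda r: r.seq)

def addr_matches(rule_addr: str, wild: str, pkt_addr: str) -> bool:
    care = 0xFFFFFFFF ^ int(IPv4Address(wild))  # bits that must be equal
    return int(IPv4Address(rule_addr)) & care == int(IPv4Address(pkt_addr)) & care

def first_match(rules, proto, src, dst, port, order=depth_first_order):
    # Comparison stops at the first matching rule in the chosen order.
    for r in order(rules):
        if (r.proto in ("ip", proto) and addr_matches(r.src, r.src_wild, src)
                and addr_matches(r.dst, r.dst_wild, dst) and r.ports[0] <= port <= r.ports[1]):
            return r
    return None

# Constructed rule set: the subnet deny is configured before the host permit.
RULES = [
    Rule(5, "deny", "tcp", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", (23, 23)),
    Rule(10, "permit", "tcp", "192.168.1.10", "0.0.0.0", "0.0.0.0", "255.255.255.255", (20, 25)),
    Rule(15, "permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
```

With this rule set, a TCP port 23 packet from 192.168.1.10 is denied in configuration order but permitted in depth-first order, because the host rule has more zeros in its source wildcard mask than the subnet rule.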