Configuring ACLs

Overview

An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements.

ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an example. You can use ACLs in QoS, security, routing, and other modules for identifying traffic. The packet drop or forwarding decisions depend on the modules that use ACLs.

ACL types

Type             ACL number    IP version     Match criteria
WLAN client ACL  100 to 199    IPv4 and IPv6  SSID.
WLAN AP ACL      200 to 299    IPv4 and IPv6  AP MAC address and AP serial ID.
Basic ACLs       2000 to 2999  IPv4           Source IPv4 address.
                               IPv6           Source IPv6 address.
Advanced ACLs    3000 to 3999  IPv4           Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
                               IPv6           Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
Layer 2 ACLs     4000 to 4999  IPv4 and IPv6  Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

Numbering and naming ACLs

When creating an ACL, you must assign it a number or name for identification. You can specify an existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.

For an IPv4 basic or advanced ACL, its ACL number or name must be unique in IPv4. For an IPv6 basic or advanced ACL, its ACL number and name must be unique in IPv6. For a Layer 2, WLAN client, or WLAN AP ACL, its number or name must be globally unique.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:

• config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this method, check the rules and their order carefully.
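
The following added example (not from the original guide, and not device code) models config-order matching for a basic ACL in Python and reports rules that can never be reached because a lower-ID rule already covers their source range. The Rule type, the function names, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    rule_id: int
    action: str   # "permit" or "deny"
    source: str   # source IPv4 prefix, the basic-ACL match criterion

def config_order(rules):
    """Sort rules the way the config match order does: ascending rule ID."""
    return sorted(rules, key=lambda r: r.rule_id)

def first_match(rules, src_ip) -> Optional[Rule]:
    """Return the first rule matching src_ip; matching stops at that rule."""
    addr = ipaddress.ip_address(src_ip)
    for rule in config_order(rules):
        if addr in ipaddress.ip_network(rule.source):
            return rule
    return None  # no rule matched; the outcome is up to the module using the ACL

def shadowed_rules(rules):
    """List (shadowed, by) pairs: a rule whose source range lies wholly inside
    a lower-ID rule's range can never be reached in config order."""
    ordered = config_order(rules)
    findings = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.source)
        for earlier in ordered[:i]:
            if later_net.subnet_of(ipaddress.ip_network(earlier.source)):
                findings.append((later, earlier))
                break
    return findings

# Constructed sample ACL: rule 10 was meant to block one host inside 10.1.1.0/24
ACL_BAD = [Rule(5, "permit", "10.1.1.0/24"), Rule(10, "deny", "10.1.1.7/32")]
# Same rules, with the specific deny given the lower ID
ACL_FIXED = [Rule(5, "deny", "10.1.1.7/32"), Rule(10, "permit", "10.1.1.0/24")]

if __name__ == "__main__":
    for name, acl in (("bad", ACL_BAD), ("fixed", ACL_FIXED)):
        hit = first_match(acl, "10.1.1.7")
        print(name, "-> rule", hit.rule_id, hit.action)
        for later, earlier in shadowed_rules(acl):
            print(f"  rule {later.rule_id} is unreachable behind rule {earlier.rule_id}")
```

In the first ACL the host-specific deny never takes effect because the broader permit has the lower rule ID; swapping the IDs gives the intended result.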