
ACL Increment

What Is an Increment

An increment is a value the system allocates automatically that determines the difference between two neighboring rule IDs.

If a rule without a manually specified ID is added to an empty ACL, the system allocates the increment value itself as the ID of this rule. If a rule without a manually specified ID is added to an ACL that already contains rules with manually specified IDs, the system allocates to the new rule the smallest multiple of the increment that is greater than the largest rule ID in the ACL. For example, an ACL (basic ACL, advanced ACL, Layer 2 ACL, user ACL, or user-defined ACL) contains rule 5 and rule 12, and the default increment is 5. When a new rule is added to the ACL, the system allocates ID 15 to this new rule (15 is greater than 12 and is the smallest multiple of 5 that satisfies this condition).

Basic ACL6s and advanced ACL6s do not allow for the increment configuration, and use the fixed increment of 5.

How an Increment Functions

Setting an increment facilitates new rule insertion between existing rules of an ACL.

For example, an ACL contains rule 5, rule 10, and rule 15, with an increment of 5.

rule 5 deny source 10.1.1.1 0  //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 15 permit source 10.1.1.0 0.0.0.255 //Permit the packets from source IP address segment 10.1.1.0/24.

Suppose that packets from the source IP address 10.1.1.3 must also be denied. The system stops matching packets once a match is found. Therefore, you need to define a new rule before rule 15 that denies packets from the source IP address 10.1.1.3; otherwise rule 15, which covers a larger range, permits these packets. The increment of 5 allows you to insert the new rule easily (for example, as rule 11). However, if the increment is set to 1 (that is, rules are automatically arranged as rule 1, 2, 3...), there is no free ID between existing rules, so you may have to first delete existing rules, define the new one, and then re-configure the deleted ones, which is a heavy workload.

rule 5 deny source 10.1.1.1 0  //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 11 deny source 10.1.1.3 0 //Reject the packets from source IP address 10.1.1.3.
rule 15 permit source 10.1.1.0 0.0.0.255 //Permit the packets from source IP address segment 10.1.1.0/24.
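The ID allocation rule and the first-match behaviour described above, modelled as an added Python example (this is not code from the Huawei documentation). The ACL contents are the constructed rules 5, 10 and 15 shown on this page; the wildcard handling accepts the CLI's shorthand "0" for an exact match, and the names Rule, next_rule_id and evaluate are assumptions.

```python
import ipaddress
from dataclasses import dataclass


def _to_int(dotted: str) -> int:
    # The CLI accepts "0" as shorthand for the exact-match wildcard 0.0.0.0.
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))


@dataclass
class Rule:
    rule_id: int
    action: str     # "permit" or "deny"
    source: str     # source address, e.g. "10.1.1.1"
    wildcard: str   # wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, addr: str) -> bool:
        care = ~_to_int(self.wildcard)  # bits that must be equal
        return (_to_int(self.source) & care) == (_to_int(addr) & care)


def next_rule_id(existing_ids, step=5):
    """ID given to a rule added without an explicit ID: the step itself for an
    empty ACL, otherwise the smallest multiple of step strictly greater than
    the largest existing ID (e.g. rules 5 and 12 with step 5 -> 15)."""
    if not existing_ids:
        return step
    return (max(existing_ids) // step + 1) * step


def evaluate(acl, addr):
    """First-match lookup in ascending rule-ID order; matching stops at the
    first hit. Returns (action, rule_id) or ("no-match", None)."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(addr):
            return rule.action, rule.rule_id
    return "no-match", None


# Constructed ACL mirroring the page's example (rules 5, 10 and 15).
ACL = [
    Rule(5, "deny", "10.1.1.1", "0"),
    Rule(10, "deny", "10.1.1.2", "0"),
    Rule(15, "permit", "10.1.1.0", "0.0.0.255"),
]


def demo():
    before = evaluate(ACL, "10.1.1.3")          # falls through to rule 15
    auto_id = next_rule_id([r.rule_id for r in ACL])  # 20: after rule 15, too late
    with_rule_11 = ACL + [Rule(11, "deny", "10.1.1.3", "0")]
    after = evaluate(with_rule_11, "10.1.1.3")  # rule 11 now matches first
    return before, auto_id, after
```

The demo shows why the new rule needs an explicit ID: automatic allocation would place it as rule 20, behind the broader permit in rule 15, so it would never be reached for 10.1.1.3.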
Copyright © Huawei Technologies Co., Ltd.