Basic ACL Concepts

ACL Type

ACL can be classified as ACL4 or ACL6 based on the support for IPv4 or IPv6.

The following table outlines ACL4 classification based on functions.

Table 1 ACL types

| ACL Type | Function | ACL Number |
| --- | --- | --- |
| Interface-based ACL | Defines rules based on packets' inbound interfaces. | 1000 to 1999 |
| Basic ACL | Defines rules based on packets' source addresses. | 2000 to 2999 |
| Advanced ACL | Defines rules based on packets' source or destination addresses, source or destination port numbers, and protocol types. | 3000 to 3999 |
| Layer 2 ACL | Defines rules based on Layer 2 information, such as the source MAC address, destination MAC address, or protocol type of Ethernet frames. | 4000 to 4999 |
| User ACL (UCL) | Defines rules based on the source/destination IP address, source/destination service group, source/destination user group, source/destination port number, and protocol type. | 6000 to 9999 |
| MPLS-based ACL | Defines rules based on MPLS packets' EXP values, labels, or TTL values. | 10000 to 10999 |

The following table outlines ACL6 classification based on functions.

Table 2 ACL6 types

| ACL6 Type | Function | ACL6 Number |
| --- | --- | --- |
| Interface-based ACL6 | Defines rules based on packets' inbound interfaces. | 1000 to 1999 |
| Basic ACL6 | Defines rules based on packets' source addresses. | 2000 to 2999 |
| Advanced ACL6 | Defines rules based on packets' source or destination addresses, source or destination port numbers, and protocol types. | 3000 to 3999 |
| User ACL6 (UCL6) | Defines rules based on the source/destination IP address, source/destination service group, source/destination user group, source/destination port number, and protocol type. | 6000 to 9999 |

For easy memorization, use names instead of numbers to define ACLs, just as domain names are used in place of IP addresses. ACLs of this type are called named ACLs; the ACLs listed in the tables above are numbered ACLs.

The only difference between named and numbered ACLs is that named ACLs are easier to recognize because of their descriptive names.

When naming an ACL, you can specify a number for it. If no number is specified, the system allocates one automatically.

A name identifies exactly one ACL: multiple ACLs cannot share the same name, even if they are of different types.

ACL Increment

An ACL increment is the difference between two adjacent ACL rule numbers that are automatically allocated. For example, if the ACL increment is set to 5, the rule numbers are multiples of 5, such as 5, 10, 15, and 20.
  • If an ACL increment is changed, rules in the ACL are automatically renumbered. For example, if the ACL increment is changed from 5 to 2, the original rule numbers 5, 10, 15, and 20 will be renumbered as 2, 4, and 6.
  • If the default increment 5 is restored for an ACL, the system immediately renumbers the rules in the ACL based on the default increment. For example, if the increment of ACL 3001 is 2, rules in ACL 3001 are numbered 0, 2, 4, and 6. If the default increment 5 is restored, the rules will be renumbered as 5, 10, 15, and 20.

An ACL increment makes ACL rules easier to maintain and leaves room to add new rules between existing ones. If a user has created four rules numbered 0, 5, 10, and 15 in an ACL, the user can add a rule (for example, rule 1) between rules 0 and 5.
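The numbering behaviour described above, as an added example that is not part of the Huawei documentation: a small model of an ACL whose rules are auto-numbered in multiples of a configurable increment, with a manually numbered rule inserted into a gap and the whole ACL renumbered when the increment changes. It assumes that automatically allocated numbers start at the increment (5, 10, 15, 20 for the default) and continue from the next multiple above the highest existing number, and that renumbering preserves match order; the ACL number and rule texts are constructed sample values. The inserted rule shows why the gaps matter from a defender's point of view: a host-specific deny can be placed ahead of a broader permit without rewriting the existing rules.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Acl:
    number: int
    increment: int = 5                                   # default increment from the page
    rules: Dict[int, str] = field(default_factory=dict)  # rule number -> rule text

    def _next_auto_number(self) -> int:
        # Assumed allocation: the smallest multiple of the increment above the
        # highest existing rule number, so the first rule gets the increment itself.
        highest = max(self.rules, default=0)
        return (highest // self.increment + 1) * self.increment

    def add_rule(self, text: str, number: Optional[int] = None) -> int:
        # Giving a number explicitly lets a rule be placed between existing ones;
        # a lower number is matched first.
        if number is None:
            number = self._next_auto_number()
        if number in self.rules:
            raise ValueError(f"rule {number} already exists in ACL {self.number}")
        self.rules[number] = text
        return number

    def set_increment(self, increment: int) -> None:
        # Changing the increment renumbers every rule while keeping match order:
        # the first rule becomes increment, the second 2*increment, and so on.
        ordered = [self.rules[n] for n in sorted(self.rules)]
        self.increment = increment
        self.rules = {increment * (i + 1): text for i, text in enumerate(ordered)}

    def rule_numbers(self) -> List[int]:
        return sorted(self.rules)


def demo() -> dict:
    # Constructed sample: ACL 3001 with four auto-numbered permits, then a
    # host-specific deny placed ahead of them using a spare number.
    acl = Acl(3001)
    for net in ("10.1.1.0", "10.1.2.0", "10.1.3.0", "10.1.4.0"):
        acl.add_rule(f"permit source {net} 0.0.0.255")   # numbered 5, 10, 15, 20
    acl.add_rule("deny source 10.1.1.7 0", number=1)      # matched before rule 5
    before = acl.rule_numbers()
    acl.set_increment(2)                                  # renumbered to 2, 4, 6, 8, 10
    after = acl.rule_numbers()
    return {"before": before, "after": after, "first_rule": acl.rules[after[0]]}
```

Note that the manually inserted rule 1 is renumbered along with the others, so any reference to a rule by number must be checked again after the increment is changed.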

ACL Validity Period

To control a type of traffic in a specified period of time, users can configure the validity period of an ACL rule to determine the time during which that traffic type is allowed to pass through. For example, to ensure reliable transmission of video services during evening prime time, the traffic volume of ordinary online users can be restricted during that period. The validity period can be an absolute or cyclic time range.
  • An absolute time range runs from one date (yyyy-mm-dd) to another (yyyy-mm-dd). This time range takes effect once and does not repeat.
  • A cyclic time range repeats with a one-week cycle. For example, an ACL rule takes effect from 8:00 to 12:00 every Sunday.
Copyright © Huawei Technologies Co., Ltd.