ACL Matching Principles

What is "Matched"

Matched: the ACL exists, and the packet conforms to at least one of its rules, regardless of whether that rule is a permit or a deny rule.

Mismatched: the ACL does not exist, or the ACL contains no rules, or the packet does not conform to any rule in the ACL.

ACL Matching Order

First, the device checks whether the ACL exists.

Then, the device matches the packet against the rules in ascending order of rule ID. As soon as the packet matches a rule, matching is complete and the remaining rules are not checked.

A rule is identified by a rule ID, which is either specified by the user or allocated by the system according to the ACL increment (step). All rules in an ACL are arranged in ascending order of rule IDs.

If rule IDs are allocated automatically, consecutive rule IDs are spaced by the ACL increment. For example, with an increment of 5 the IDs are allocated as 5, 10, 15, and so on; with an increment of 2 they start from 2. The gap between IDs leaves room to insert a rule between two existing rules, or before the first rule, by specifying an unused ID.

In the configuration file, rules are displayed in ascending order of rule IDs, not in the order in which they were configured.

Rules can be arranged in two modes, Configuration mode and Auto mode. The default is Configuration mode.
  • In Configuration mode, users can specify rule IDs or let the device allocate them based on the increment.

    If a rule ID is specified, the rule is inserted at the position given by that ID. For example, if rules 5, 10, and 15 exist and a new rule is configured with ID 3, the rules are displayed as 3, 5, 10, and 15, that is, the new rule is inserted before rule 5. If no rule ID is specified, the device allocates the next ID according to the increment. With the default increment of 5, the first rule becomes rule 5 and the next rule 10. To add a rule before rule 5, the user only needs to specify a rule ID smaller than 5; after the rules are re-sorted, the new rule is the first rule.

    In Configuration mode, the system matches rules in ascending order of rule IDs, so a rule configured later can be matched before one configured earlier if it has the smaller ID.

  • In Auto mode, the system allocates the rule IDs itself and places the most specific rule at the front of the ACL according to the depth-first principle. Specificity is determined by comparing the address wildcards: the fewer 1 bits in the wildcard, the narrower the address range.

    For example, 172.16.1.1 0.0.0.0 specifies the single host 172.16.1.1, whereas 172.16.1.1 0.0.0.255 specifies the network segment 172.16.1.0 to 172.16.1.255 (the last octet is "don't care"). The former specifies the narrower range and is placed before the latter.

    The detailed operations are as follows:

    • For basic ACL rules, the source address wildcards are compared. If the source address wildcards are the same, the rules are matched in the order they are configured.
    • For advanced ACL rules, the protocol ranges are compared first, then the source address wildcards. If both are the same, the destination address wildcards are compared. If those are also the same, the source port number ranges are compared, the smaller range taking precedence, and then the destination port number ranges in the same way. If all of these are the same, the rules are matched in the order they are configured.

    For example, suppose a rule already filters a wide range of packets and it later becomes necessary to let packets with a specific feature inside that range pass. In Auto mode the administrator only needs to add the more specific rule; no re-ordering is required, because the narrower rule is automatically given the higher precedence.

    Table 1 describes the depth-first principle for matching ACL rules.

    Table 1 Depth-first principle for matching ACL rules

    Interface-based ACL
      Rules that specify any are matched last; the other rules are matched in the order they are configured.

    Basic ACL
      1. Rules with VPN instance information are matched before those without VPN instance information.
      2. Among rules with the same VPN instance information, the rule with the smaller source IP address range (a wildcard with fewer 1 bits) is matched first.
      3. If the VPN instance information and the source IP address range are also the same, the rules are matched in the order they are configured.

    Advanced ACL
      1. Rules with VPN instance information are matched before those without VPN instance information.
      2. Among rules with the same VPN instance information, the rule that specifies a protocol type is matched first.
      3. If the VPN instance information and protocol type are the same, the rule with the smaller source IP address range (a wildcard with fewer 1 bits) is matched first.
      4. If the VPN instance information, protocol type, and source IP address range are the same, the rule with the smaller destination IP address range (a wildcard with fewer 1 bits) is matched first.
      5. If the VPN instance information, protocol type, and source and destination IP address ranges are the same, the rule with the smaller Layer 4 port number range (TCP/UDP port numbers) is matched first.
      6. If the VPN instance information, protocol type, source and destination IP address ranges, and port number range are all the same, the rules are matched in the order they are configured.

    Layer 2 ACL
      1. The rule with the smaller Layer 2 protocol type range (more 1 bits in the mask) is matched first.
      2. If the Layer 2 protocol type masks are the same, the rule with the smaller source MAC address range (more 1 bits in the mask) is matched first.
      3. If the Layer 2 protocol type masks and source MAC address ranges are the same, the rule with the smaller destination MAC address range (more 1 bits in the mask) is matched first.
      4. If the Layer 2 protocol type masks and source and destination MAC address ranges are the same, the rule with the smaller VLAN ID of the outer tag is matched first.
      5. If, in addition, the outer-tag VLAN IDs are the same, the rule with the higher 802.1p priority of the outer tag is matched first.
      6. If, in addition, the outer-tag 802.1p priorities are the same, the rule with the smaller VLAN ID of the inner tag is matched first.
      7. If, in addition, the inner-tag VLAN IDs are the same, the rule with the higher 802.1p priority of the inner tag is matched first.
      8. If all of the above are the same, the rules are matched in the order they are configured.

    User ACL (UCL)
      1. The rule that specifies a protocol type is matched first.
      2. Among rules with the same VPN instance information and protocol type, the rule with the smaller source IP address range (a wildcard with fewer 1 bits) is matched first.
      3. If the VPN instance information, protocol type, and source IP address range are the same, the rule with the smaller destination IP address range (a wildcard with fewer 1 bits) is matched first.
      4. If the VPN instance information, protocol type, and source and destination IP address ranges are the same, the rule with the smaller Layer 4 port number range (TCP/UDP port numbers) is matched first.
      5. If the VPN instance information, protocol type, source and destination IP address ranges, and port number range are all the same, the rules are matched in the order they are configured.

    MPLS-based ACL
      Rules can only be arranged in Configuration mode.

Matching Principle Summary

  • The rules of an ACL are matched in ascending order of rule ID.
  • Matching stops at the first rule the packet matches. Two ACLs containing the same rules in a different order can therefore produce different results.
  • Each rule has one of two actions: permit or deny.
  • An ACL has one of two matching results: matched or mismatched.
  • The mismatched result covers three cases:
    • The ACL has rules, but the packet matches none of them.
    • The ACL contains no rules.
    • The ACL does not exist.

    How a mismatch is handled depends on the module that applies the ACL. For details, see Table 2.

    Note the following about Table 2:

    • The default "permit" of a CPU defend policy means that the device continues to match the packet against the remaining clauses. For example, if a packet does not match the blacklist, the device goes on to match it against the user-defined flow instead of applying the blacklist action.
    • The default "permit" of a traffic policy is only the matching result of the if-match acl clause. The behaviour of the policy depends on the matching results of the other if-match acl clauses in the same classifier and on the logical relationship between them. For details, see ACLs Applied to a Traffic Policy.
    • The default "permit" or "deny" of a route-policy is only the matching result of the if-match acl clause. The behaviour of the policy node depends on the matching results of all if-match acl clauses in the node and on the node action (permit or deny). For details, see ACLs Applied to a Route-Policy.
    Table 2 Default result of each application module for the mismatched case

    Application Module              Mismatched All Rules    No Rule in ACL
    Telnet                          deny                    permit
    SNMP                            deny                    permit
    FTP                             deny                    permit
    TFTP                            deny                    permit
    Traffic Policy                  permit                  permit
    CPU Defend Policy
      Whitelist                     permit                  permit
      Blacklist                     permit                  permit
      User-defined Flow             permit                  permit
    Routing Protocol
      Route Policy                  deny                    deny
      Filter Policy                 deny                    deny
    Multicast Policy
      static-rp group-policy        permit                  permit
      c-rp group-policy             permit                  permit
      Multicast boundary policy     deny                    permit
      Other multicast policies      deny                    deny
    NAT                             deny                    deny
    BFD                             deny                    deny
    IPsec                           deny                    IPsec does not support this kind of ACL.
    SSH                             deny                    deny
    VTY                             deny                    deny

Example

The following commands are configured one after another:

rule deny ip dscp 30 destination 1.1.0.0 0.0.255.255 
rule permit ip dscp 30 destination 1.1.1.0 0.0.0.255

If Configuration mode is used, the rules in the ACL are displayed as follows:

acl 3000
  rule 5 deny ip dscp 30 destination 1.1.0.0 0.0.255.255
  rule 10 permit ip dscp 30 destination 1.1.1.0 0.0.0.255

If Auto mode is used, the rules in the ACL are displayed as follows:

acl 3000
  rule 5 permit ip dscp 30 destination 1.1.1.0 0.0.0.255
  rule 10 deny ip dscp 30 destination 1.1.0.0 0.0.255.255

If the device receives a packet with DSCP value 30 and destination IP address 1.1.1.1, the packet matches rule 5 in both cases, so it is dropped in Configuration mode but allowed to pass in Auto mode. The destination 1.1.1.0 0.0.0.255 is the narrower range, so Auto mode moves that rule to the front.
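The matching and ordering behaviour described above, as an added Python simulation that is not part of the Huawei documentation or of any Huawei software. It models rule-ID allocation by increment, explicit insertion of a rule ID in Configuration mode, depth-first re-ordering in Auto mode for an advanced ACL (protocol type, then source wildcard, then destination wildcard, then configuration order; the port-range comparison is omitted), and first-match evaluation including the mismatched result. The Rule and Acl classes, the packet dictionary format, and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the matching principles on this page (assumed, not Huawei code).
# Addresses use wildcard notation: a 0 bit in the wildcard must match, a 1 bit is "don't care".
ANY = ("0.0.0.0", "255.255.255.255")


def wc_bits(wildcard: str) -> int:
    """Number of 1 bits in a wildcard: fewer bits means a narrower address range."""
    return bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def addr_matches(pkt_ip: str, addr: str, wildcard: str) -> bool:
    p = int(ipaddress.IPv4Address(pkt_ip))
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (p & ~w) == (a & ~w)


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" covers any IP protocol; "tcp"/"udp" are narrower
    src: Tuple[str, str] = ANY    # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dscp: Optional[int] = None
    rule_id: int = 0              # assigned by the ACL
    seq: int = 0                  # configuration order, the final tie-breaker in Auto mode

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        if self.dscp is not None and pkt.get("dscp") != self.dscp:
            return False
        return addr_matches(pkt["src"], *self.src) and addr_matches(pkt["dst"], *self.dst)

    def depth_key(self):
        """Depth-first key: specific protocol first, then narrower source, then narrower
        destination, then configuration order (port ranges are not modelled here)."""
        return (self.proto == "ip", wc_bits(self.src[1]), wc_bits(self.dst[1]), self.seq)


class Acl:
    def __init__(self, number: int, mode: str = "config", step: int = 5):
        self.number, self.mode, self.step = number, mode, step
        self.rules: list = []
        self._seq = 0

    def add_rule(self, rule: Rule, rule_id: Optional[int] = None) -> None:
        self._seq += 1
        rule.seq = self._seq
        if self.mode == "auto":
            # Auto mode: re-sort depth-first and re-allocate IDs by the increment.
            self.rules.append(rule)
            self.rules.sort(key=Rule.depth_key)
            for i, r in enumerate(self.rules, start=1):
                r.rule_id = i * self.step
            return
        if rule_id is None:
            # Configuration mode without an ID: next multiple of the increment above the largest ID.
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        elif any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists in acl {self.number}")
        rule.rule_id = rule_id
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)  # displayed and matched in ascending ID order

    def match(self, pkt: dict):
        """First match wins. Returns (result, action, rule_id)."""
        for r in self.rules:  # already in ascending rule-ID order
            if r.matches(pkt):
                return ("matched", r.action, r.rule_id)
        return ("mismatched", None, None)  # no rules at all, or no rule fits the packet

    def display(self) -> list:
        return [f"rule {r.rule_id} {r.action} {r.proto}"
                + (f" dscp {r.dscp}" if r.dscp is not None else "")
                + (f" destination {r.dst[0]} {r.dst[1]}" if r.dst != ANY else "")
                for r in self.rules]


def page_example(mode: str):
    """Reproduce the page's example: the same two rules, entered in the same order, in either mode."""
    acl = Acl(3000, mode=mode)
    acl.add_rule(Rule("deny", dst=("1.1.0.0", "0.0.255.255"), dscp=30))
    acl.add_rule(Rule("permit", dst=("1.1.1.0", "0.0.0.255"), dscp=30))
    pkt = {"src": "10.0.0.1", "dst": "1.1.1.1", "dscp": 30, "proto": "tcp"}  # constructed packet
    return acl.display(), acl.match(pkt)


if __name__ == "__main__":
    for mode in ("config", "auto"):
        lines, result = page_example(mode)
        print(mode, lines, result)
```

Running the block prints the two rule lists from the page and the resulting action for the DSCP 30 packet to 1.1.1.1: ("matched", "deny", 5) in Configuration mode and ("matched", "permit", 5) in Auto mode. Because add_rule accepts an explicit rule_id in Configuration mode, the same classes also show the "insert before rule 5 by choosing an ID smaller than 5" case from the text, and match returns the mismatched result for an empty ACL or a packet no rule covers.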

Copyright © Huawei Technologies Co., Ltd.