The Access Control List (ACL) classifies the data packets with a series of matching
rules, including source address, destination address and port number. The switch
verifies the data packets with the rules in the ACL and decides to forward,
prioritize, or discard them.

A series of matching rules are required for the network devices to identify the
packets. After identifying the packets, the switch can permit or deny them to pass
through according to the defined policy. The ACL is used to implement these
functions.

The data packet matching rules, that are defined by ACL, can also be used in other
cases requiring traffic classification, such as defining traffic classification for QoS.

An access control rule includes several statements. Different statements specify
different ranges of packets. When matching a data packet with the access control
rule, the issue of match-order arises.

ACLs Activated Directly

on Hardware

ACLs can be delivered to hardware for traffic filtering and classification. In this
case, the matching order of many sub-rules in an ACL is determined by hardware,
not by a customized order.

ACLs are sent directly to hardware when referencing ACLs to provide for QoS
functions and when filtering and forwarding packets with ACLs.

ACLs Referenced by

Upper-level Modules

An ACL can be used to filter or classify the data transmitted by the software of the
switch. The user can determine the match order of ACL’s sub-rules. There are two
match-orders: configuration, which follows the user-defined configuration order
when matching the rule, and automatic, which follows the depth-first principle.

The depth-first principle puts the statement specifying the smallest range of
addresses on the top of the list. For example, 129.102.1.1 0.0.0.0 specifies a host,