Access lists are usually configured in the following locations of network devices:
Devices between the internal network and external network (such as the Internet)
Devices at the borders of two parts in a network
Devices on the access control port
ACL statements are executed strictly in the order in which they appear in the table.
Starting from the first statement, once the header of a packet matches a conditional
statement in the table, the remaining statements are ignored.
44.1.4 Input/Output ACL, Filtering Domain Template and Rules
When a device interface receives a packet, the input ACL checks whether the packet
matches an ACE of the input ACL on the interface. When a device interface is ready to
output a packet, the output ACL checks whether the packet matches an ACE of the output
ACL on the interface.
When detailed filtering rules are formulated, all or some of the following eight fields may be
used. As soon as the packet matches one ACE, the ACL processes the packet as that ACE
defines (permit or deny). The ACE of an ACL identifies Ethernet packets according to certain
fields of the Ethernet packet. The fields include the following:
Layer-2 fields:
48-bit source MAC address (all the 48 bits must be declared)
48-bit destination MAC address (all the 48 bits must be declared)
16-bit layer-2 type field
Layer 3 fields:
Source IP address field (you can specify a complete IP address, or specify a subnet to
match a class of flows from that subnet)
Destination IP address field (you can specify a complete IP address, or specify a subnet to
match a class of flows to that subnet)
Protocol type fields
Layer 4 fields:
You can specify one TCP source port, destination port, or both
You can specify one UDP source port, destination port, or both
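The following is an added example, not from this manual, that models the first-match rule from 44.1.3 and the layer-3/layer-4 filtering-domain fields listed above: each ACE declares only the fields it cares about (undeclared fields are wildcards), the ACEs are walked in table order, and the first match decides. The names Packet, ACE and evaluate_acl are hypothetical, and a packet that matches no ACE is assumed to be denied.

```python
# Added illustration of first-match ACL evaluation; not the device's own code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    src: Optional[str] = None        # CIDR such as "10.1.1.0/24"; None matches any
    dst: Optional[str] = None
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # only meaningful for tcp/udp

    def matches(self, pkt: Packet) -> bool:
        # Every declared field must match; undeclared fields are wildcards.
        if self.src and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True

def evaluate_acl(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACEs in table order; the first match decides and later ACEs are ignored.
    Returns (action, index of the deciding ACE). No match: assumed default deny, index None."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None

# Constructed sample: a host-specific deny for TCP/22 and a subnet-wide permit.
BLOCK_HOST = ACE("deny", src="10.1.1.5/32", proto="tcp", dst_port=22)
ALLOW_SUBNET = ACE("permit", src="10.1.1.0/24")
SSH_FROM_BLOCKED_HOST = Packet("10.1.1.5", "192.0.2.10", "tcp", 40000, 22)

# The deny is effective only if it precedes the permit; reversed, the permit shadows it.
CORRECT_ORDER = [BLOCK_HOST, ALLOW_SUBNET]
SHADOWED_ORDER = [ALLOW_SUBNET, BLOCK_HOST]

if __name__ == "__main__":
    print(evaluate_acl(CORRECT_ORDER, SSH_FROM_BLOCKED_HOST))   # ('deny', 0)
    print(evaluate_acl(SHADOWED_ORDER, SSH_FROM_BLOCKED_HOST))  # ('permit', 0)
```

The second result shows why ACE order is part of the policy: the same two statements, reordered, silently permit the traffic the deny was written to stop.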
The filtering domain consists of the packet fields by which packets are identified and
classified when you create an ACE. A filtering domain template is the definition formed by
these fields. For example, when one ACE is generated, you want to identify and
classify packets according to the destination IP field of a packet. When another ACE is
generated, you want to identify and classify packets according to the source IP address field