By default, the system checks packets against ACL rules in ascending order of rule number: the smaller the rule number, the earlier the rule is checked, so lower-numbered rules take precedence.
When a packet is checked against an ACL, there are two possible results: "match" and "mismatch".
Match (hit rule): the ACL exists and a rule in it is found whose conditions the packet satisfies. Whether that rule's action is "permit" or "deny", this is still called a "match"; matching is not limited to permit rules.
Match permit: the packet matches a permit rule.
Match deny: the packet matches a deny rule.
Whatever the matching result ("mismatch", "permit" or "deny"), whether the packet is ultimately permitted or denied is decided by the business module that applies the ACL. Different business modules handle matched and unmatched packets in different ways.
Mismatch (miss rule): the ACL does not exist, or the ACL exists but contains no rules, or all rules in the ACL have been traversed and none of them matches. All three situations are called "mismatch".
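As an added illustration (not part of the original answer), the matching procedure above in Python: rules are tried in ascending rule number, the first hit decides "permit" or "deny", and the three no-hit situations all yield "mismatch", with the final disposition left to the applying module. The ACL, the packets and the deny_on_mismatch policy flag are constructed assumptions, not values from any vendor's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

Packet = Tuple[str, str, int]  # (source IP, destination IP, destination port)

@dataclass(frozen=True)
class Rule:
    number: int                  # rule number; lower numbers are checked first
    action: str                  # "permit" or "deny"
    src: str                     # source prefix, e.g. "10.1.1.0/24"
    dst: str = "0.0.0.0/0"       # destination prefix, default any
    dport: Optional[int] = None  # destination port, None means any

def match_acl(acl: Optional[Sequence[Rule]], pkt: Packet):
    """Return ("permit"|"deny", rule) on a hit, ("mismatch", None) otherwise:
    no ACL, an empty ACL, or no rule whose conditions the packet meets."""
    if not acl:
        return "mismatch", None
    src, dst, port = pkt
    # Rules are evaluated in ascending rule-number order; the first hit wins,
    # regardless of whether its action is permit or deny.
    for rule in sorted(acl, key=lambda r: r.number):
        if (ip_address(src) in ip_network(rule.src, strict=False)
                and ip_address(dst) in ip_network(rule.dst, strict=False)
                and (rule.dport is None or rule.dport == port)):
            return rule.action, rule
    return "mismatch", None

def final_action(result: str, deny_on_mismatch: bool) -> str:
    """The final disposition is up to the module applying the ACL (hypothetical
    policy flag: one module permits unmatched packets, another denies them)."""
    if result == "mismatch":
        return "deny" if deny_on_mismatch else "permit"
    return result

# Constructed sample ACL, deliberately listed out of order.
SAMPLE_ACL = [
    Rule(20, "deny", "0.0.0.0/0"),
    Rule(5, "deny", "10.1.1.0/24", dport=23),   # deny Telnet from this subnet
    Rule(10, "permit", "10.1.1.0/24"),          # permit everything else from it
]

if __name__ == "__main__":
    for pkt in [("10.1.1.7", "192.0.2.1", 23), ("10.1.1.7", "192.0.2.1", 80),
                ("10.9.9.9", "192.0.2.1", 80)]:
        print(pkt, match_acl(SAMPLE_ACL, pkt)[0])
```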
Extended information:
Basic principles of ACL:
ACL is short for Access Control List.
An ACL consists of a series of rules (judgment statements describing the conditions a packet must satisfy). These conditions can be the packet's source address, destination address and port number.
In effect, an ACL is a packet filter, and the ACL rules are the filter's elements. Which filter is installed (that is, which ACL rules are configured according to packet characteristics) determines which packets the ACL can filter out.
Based on the filtered packets, attack traffic can be intercepted, differentiated services can be provided for different types of traffic flows, and Telnet login / FTP file download can be controlled, improving both the security of the network environment and the reliability of network transmission.