Use an access control entry (ACE) to define a pattern (found in a packet) and the desired behavior for packets that carry the pattern.
As a best practice, create access control lists (ACLs) with a default action of permit and an ACE mode of deny. Whether an ACL or ACE is deny or permit, the ACL default action and the ACE mode must be opposite for the ACE (filter) to have meaning.

Note
Some hardware platforms support ACE IDs from the range 1-1000 for both security and QoS rules.
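
The default-action and mode rule above, together with the ID range from the note, can be expressed as a small pre-deployment check. This is an added example, not vendor code: the Ace/Acl model, the field names, lowest-ID-first matching, the 1-1000 limit applied as a default, and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Ace:
    ace_id: int
    mode: str    # "permit" or "deny"
    match: dict  # header field -> required value (the "pattern")

@dataclass
class Acl:
    default_action: str  # "permit" or "deny"
    aces: list = field(default_factory=list)

def decide(acl, packet):
    """Action for a packet: first matching ACE by ID (assumed), else the default."""
    for ace in sorted(acl.aces, key=lambda a: a.ace_id):
        if all(packet.get(k) == v for k, v in ace.match.items()):
            return ace.mode
    return acl.default_action

def lint(acl, max_id=1000):
    """Return {ace_id: [problems]} for ACEs that break the two rules above."""
    findings = {}
    for ace in acl.aces:
        problems = []
        if ace.mode == acl.default_action:
            problems.append("mode equals ACL default action, filter has no meaning")
        if not 1 <= ace.ace_id <= max_id:
            problems.append(f"ID outside supported range 1-{max_id}")
        if problems:
            findings[ace.ace_id] = problems
    return findings

# Constructed sample: default permit, one useful deny, one redundant permit,
# and one deny whose ID exceeds the assumed platform range.
SAMPLE = Acl("permit", [
    Ace(10, "deny", {"proto": "tcp", "dst_port": 23}),
    Ace(20, "permit", {"proto": "tcp", "dst_port": 443}),
    Ace(1500, "deny", {"proto": "udp", "dst_port": 69}),
])
PACKETS = [{"proto": "tcp", "dst_port": 23}, {"proto": "tcp", "dst_port": 443},
           {"proto": "udp", "dst_port": 69}, {"proto": "udp", "dst_port": 53}]

def decisions(acl):
    return [decide(acl, p) for p in PACKETS]

if __name__ == "__main__":
    for ace_id, problems in sorted(lint(SAMPLE).items()):
        print(ace_id, "; ".join(problems))
    print(decisions(SAMPLE))
```

Removing ACE 20 from the sample leaves every decision unchanged, which is what the lint finding for it reports.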