Rule Evaluation

When there are multiple rule entries applied to an interface, evaluation proceeds as follows:
  • A packet is compared against the match conditions of every rule entry at the same time, not against one entry after another.

  • For each rule entry whose match conditions are all satisfied by the packet, the action and any action modifiers in that entry's then statement are taken. Where two matching entries conflict (for example, one says deny and the other permit), only the action or modifier from the entry with the higher precedence is taken.

  • If a packet matches no rule entry in the ACL (Access Control List), it is permitted by default.

Because the default is permit, an ACL without an explicit catch-all entry allows any traffic that its other entries do not deny. For that reason a policy often ends with a lowest-precedence rule entry whose match conditions are empty, so that it matches every packet. That entry catches any packet not otherwise handled and lets the user specify an action (typically deny) that overrides the default permit. This lowest-precedence rule entry is usually the last entry in the ACL policy file applied to the interface.
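The following evaluator is an added illustration of the semantics described above; it is not code from this page or from any vendor's implementation. It compares a packet against every entry at once, merges the then statements of all matching entries so that a higher precedence wins any conflict on the same key, and falls back to the implicit permit when nothing matches. The convention that a larger precedence number wins, the packet field names, and the sample policy are all assumptions made for the example.

```python
"""Toy evaluator for parallel, precedence-resolved ACL rule entries.

Added illustration, not vendor code. Every rule entry is compared to the
packet at once; every matching entry contributes its action and action
modifiers; where two matching entries set the same key differently the one
with the higher precedence wins; no match at all means the default: permit.
"""
import ipaddress
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class RuleEntry:
    name: str
    precedence: int              # assumed convention: larger number wins on conflict
    match: Mapping[str, Any]     # packet field -> required value; src/dst may be prefixes
    then: Mapping[str, Any]      # "action" plus modifiers such as "log" or "count"


def _field_matches(field_name: str, wanted: Any, pkt: Packet) -> bool:
    have = getattr(pkt, field_name)
    if field_name in ("src", "dst"):
        # A bare address becomes a /32 (or /128) network, so exact hosts work too.
        return ipaddress.ip_address(have) in ipaddress.ip_network(wanted, strict=False)
    return have == wanted


def entry_matches(entry: RuleEntry, pkt: Packet) -> bool:
    """All match conditions must hold; an empty condition set matches every packet."""
    return all(_field_matches(f, v, pkt) for f, v in entry.match.items())


DEFAULT_VERDICT = {"action": "permit"}   # what happens when no entry matches


def evaluate(policy, pkt: Packet):
    """Return (verdict, names_of_matching_entries) for one packet.

    All entries are evaluated; the then statements of the matching ones are
    merged in ascending precedence order, so a higher-precedence entry
    overwrites any key (action or modifier) a lower one also set.
    """
    matched = [e for e in policy if entry_matches(e, pkt)]
    if not matched:
        return dict(DEFAULT_VERDICT), []
    verdict: dict = {}
    for e in sorted(matched, key=lambda e: e.precedence):
        verdict.update(e.then)
    return verdict, [e.name for e in matched]


# Constructed sample policy (addresses from RFC 5737 documentation ranges).
POLICY = [
    RuleEntry("allow-web", 30, {"dst": "192.0.2.10", "proto": "tcp", "dport": 443},
              {"action": "permit", "count": True}),
    RuleEntry("block-badnet", 20, {"src": "203.0.113.0/24"},
              {"action": "deny", "log": True}),
    RuleEntry("log-ssh", 10, {"proto": "tcp", "dport": 22},
              {"action": "permit", "log": True}),
    # Lowest precedence, empty match: catches everything else and overrides the
    # default permit. Without it, unmatched traffic would be allowed.
    RuleEntry("catch-all", 0, {}, {"action": "deny"}),
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # allow-web beats block-badnet
        Packet("203.0.113.5", "198.51.100.1", "udp", 53),  # block-badnet beats catch-all
        Packet("10.0.0.1", "198.51.100.1", "tcp", 22),     # log-ssh beats catch-all
        Packet("10.0.0.1", "198.51.100.1", "udp", 53),     # only catch-all matches
    ]
    for p in samples:
        print(p, "->", evaluate(POLICY, p))
    # Same last packet with the catch-all removed: nothing matches, default permit.
    print("no catch-all ->", evaluate(POLICY[:-1], samples[-1]))
```

Note how the first sample packet is both from the blocked network and destined to the web server: both entries match, and the permit from the higher-precedence allow-web entry wins while the log modifier from block-badnet is still applied, because only conflicting keys are resolved by precedence. Running the last packet against the policy with the catch-all stripped shows the fail-open default that the catch-all exists to override.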