Configuring ACL Priority
Management of ACLs is flexible, with configurable priority for dynamic ACLs. This includes ACLs inserted by internal and external applications, as well as those inserted using the CLI. The priority is assigned by a system of zones, and within zones by numeric codes.
Zones are of two types:
- System Space—The System Space zones include the following:
  - SYSTEM_HIGH—This zone always has the highest priority.
  - SYSTEM_LOW—This zone always has the lowest priority.
  The priorities cannot be changed. No configuration is allowed by the user into System Space. Hal is the only application in a System Space zone.
- User Space—The User Space zones include the following:
  - DOS—This is the denial of service zone.
  - SYSTEM—This is the zone for applications that require a CPU-copy or mirror and for redirect ACLs.
  - SECURITY—This is the zone for ACLs installed by security appliances and internal security processes.
User Space zones consist of default zones and created zones. Default zones group like functions and cannot be deleted.
The administrator has the ability to create new zones and configure the priority of both default and created zones. See Configuring User Zones for discussion of created zones and applications. Applications insert ACLs into zones.
To view both System Space and User Space zones, use the show access-list zone command.
The table Default Assignment and Priority of Applications, by Zone shows the priority of the System Space zones and User Space zones, together with the default assignment and priority of applications within each zone.
Zone / Default Application | Default Priority | Platform
---|---|---
SYSTEM SPACE ZONES | |
hal | 1 |
USER SPACE ZONES | |
DOS | 2 |
hal | 1 | All platforms
Dos | 2 | All platforms
SYSTEM | 3 |
Cli | 1 | All platforms
IpSecurity | 2 | All platforms
NetLogin | 6 | All platforms
SECURITY | 4 |
GenericXml (allows configuration of one additional external application) | 4 | All platforms
SYSTEM SPACE ZONES | |
hal | 1 |

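Added example (Python, not part of the ExtremeXOS documentation): a small model of the zone and application priority scheme described above, used to check which dynamic ACL decides a flow when several match it, and whether a deny installed by a security appliance is pre-empted by a higher-priority zone. It assumes that a lower numeric priority is evaluated first (consistent with the table's top-to-bottom order), that the two System Space zones bracket every User Space zone, and that the first matching ACL in that order acts; the DynamicAcl type, the ACL names and the flow labels are constructed for illustration.

```python
from dataclasses import dataclass
# Default zone/application priorities from the table; lower = evaluated first (assumption).
USER_ZONE_PRIORITY = {"DOS": 2, "SYSTEM": 3, "SECURITY": 4}
APP_PRIORITY = {
    "DOS": {"hal": 1, "Dos": 2},
    "SYSTEM": {"Cli": 1, "IpSecurity": 2, "NetLogin": 6},
    "SECURITY": {"GenericXml": 4},
}
@dataclass(frozen=True)
class DynamicAcl:
    name: str
    zone: str          # "SYSTEM_HIGH", "SYSTEM_LOW" or a User Space zone name
    application: str   # hal, Cli, IpSecurity, NetLogin, GenericXml, ...
    action: str        # "permit" or "deny"
    flows: frozenset   # constructed flow labels this ACL matches (hypothetical)

def precedence_key(acl, zone_priority=USER_ZONE_PRIORITY):
    """Sort key; the two System Space zones bracket every User Space zone."""
    if acl.zone == "SYSTEM_HIGH":
        return (0, 0, 0)
    if acl.zone == "SYSTEM_LOW":
        return (2, 0, 0)
    app = APP_PRIORITY.get(acl.zone, {}).get(acl.application, 99)
    return (1, zone_priority[acl.zone], app)

def effective_action(acls, flow, zone_priority=USER_ZONE_PRIORITY):
    """(name, action) of the first ACL in precedence order that matches flow."""
    for acl in sorted(acls, key=lambda a: precedence_key(a, zone_priority)):
        if flow in acl.flows:
            return acl.name, acl.action
    return None

def shadowed_denies(acls, zone_priority=USER_ZONE_PRIORITY):
    """Deny ACLs that never decide any of their own flows (fully pre-empted)."""
    out = []
    for acl in acls:
        decided = {effective_action(acls, f, zone_priority)[0] for f in acl.flows}
        if acl.action == "deny" and acl.flows and acl.name not in decided:
            out.append(acl.name)
    return out
# Constructed sample: a security appliance pushes a deny via GenericXml while a
# CLI-inserted dynamic ACL in the SYSTEM zone permits the same flow.
SAMPLE = [
    DynamicAcl("appliance-block", "SECURITY", "GenericXml", "deny",
               frozenset({"hostA->ssh"})),
    DynamicAcl("cli-allow-mgmt", "SYSTEM", "Cli", "permit",
               frozenset({"hostA->ssh", "hostB->ssh"})),
]
# An administrator re-prioritising SECURITY above SYSTEM changes the outcome.
REORDERED = {"DOS": 2, "SECURITY": 3, "SYSTEM": 4}
```

With the default zone priorities the CLI permit is evaluated before the appliance deny, so shadowed_denies(SAMPLE) reports "appliance-block"; with REORDERED it reports nothing, which is the check worth running before relying on a SECURITY-zone ACL.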
Note
The priority of static ACLs is determined by the order they are configured, with the first rule configured having the highest priority.