An Access Control List (ACL) consists of multiple entries, each called an Access Control Entry (ACE). ACEs are evaluated in ascending order of sequence number (by default starting at 5 and stepping by 5). The first matching entry is applied immediately, and no further entries are evaluated.
Cisco ACLs implicitly deny all traffic at the end. In contrast, Huawei and H3C devices do not have an implicit deny; if no rule matches, the packet is forwarded according to the routing table (if a route exists).
A wildcard mask is the inverse of a subnet mask: a binary 0 means the corresponding bit must match exactly, and a binary 1 means it can be any value. For example:
0.0.0.255 → 0000 0000.0000 0000.0000 0000.1111 1111 → the first three octets must match exactly, the last octet is wild.
- Match a single host: 172.16.1.1 0.0.0.0, or just 172.16.1.1 0.
- Match any network: 0.0.0.0 255.255.255.255, or use the keyword any.
- Match odd hosts in subnet 192.168.1.0/24: 192.168.1.1 0.0.0.254 (only the last bit matters).
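The following Python is an added example, not from the page or from any vendor: it models the semantics described above, namely wildcard-mask matching, first-match evaluation in sequence order with automatic 5/10/15 numbering, and the vendor default applied when no rule matches (Cisco: implicit deny; Huawei/H3C: no implicit deny). The BasicAcl class and its method names are this example's own, and the rules loaded in page_acl_2000 are the ones from the Huawei basic ACL shown later on this page.

```python
# Added example: wildcard-mask matching and first-match ACL evaluation.
import ipaddress
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # what the "any" keyword expands to


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the base; bit 1: don't care."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF          # bits that must match exactly
    return ((ip_int(addr) ^ ip_int(base)) & care) == 0


class BasicAcl:
    """Source-only ACL (IDs 2000-2999 on Huawei/H3C); first match wins.

    vendor is "cisco" (implicit deny at the end) or "huawei"/"h3c" (no implicit
    deny: an unmatched packet is handed to the routing table, modelled as permit).
    """
    STEP = 5

    def __init__(self, vendor: str) -> None:
        self.vendor = vendor
        self.rules: List[Tuple[int, str, str, str]] = []   # (seq, action, base, wildcard)

    def rule(self, action: str, source: str, wildcard: str = "0.0.0.0",
             seq: Optional[int] = None) -> "BasicAcl":
        if source == "any":
            source, wildcard = ANY
        if seq is None:  # auto-numbering: next multiple of STEP above the highest seq
            highest = max((s for s, *_ in self.rules), default=0)
            seq = (highest // self.STEP + 1) * self.STEP
        # re-issuing a sequence number replaces that entry; keep rules sorted by seq
        self.rules = sorted([r for r in self.rules if r[0] != seq] + [(seq, action, source, wildcard)])
        return self

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence number); seq is None for the vendor default."""
        for seq, action, base, wc in self.rules:
            if wildcard_match(src, base, wc):
                return action, seq          # first match applies, evaluation stops
        if self.vendor == "cisco":
            return "deny", None             # implicit deny all
        return "permit", None               # Huawei/H3C: no implicit deny


def page_acl_2000(vendor: str) -> BasicAcl:
    """The basic ACL 2000 from the Huawei example on this page."""
    return (BasicAcl(vendor)
            .rule("permit", "192.168.1.0", "0.0.0.255", seq=10)
            .rule("permit", "1.1.1.1", "0.0.0.0", seq=20)
            .rule("deny", "any", seq=99))


if __name__ == "__main__":
    acl = page_acl_2000("huawei")
    for host in ("192.168.1.50", "1.1.1.1", "8.8.8.8"):
        print(host, acl.evaluate(host))
    # same ACL without the explicit final deny: the vendor default decides
    for vendor in ("huawei", "cisco"):
        partial = BasicAcl(vendor).rule("permit", "192.168.1.0", "0.0.0.255")
        print(vendor, "unmatched 8.8.8.8 ->", partial.evaluate("8.8.8.8"))
```

The odd-host case from the list above is the instructive one: 192.168.1.1 0.0.0.254 keeps only the lowest bit of the last octet as a "must match" bit, so 192.168.1.3 matches and 192.168.1.4 does not. The last loop is the point to remember when porting rule sets between vendors: a Cisco list that relies on the implicit deny becomes a permit-everything list on Huawei/H3C unless a final deny rule is written explicitly.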
Basic ACL
- ACL ID range: 2000–2999.
Huawei
Defining and applying rules:
[R1]acl 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]rule 20 permit source 1.1.1.1 0.0.0.0
[R1-acl-basic-2000]rule 99 deny source any
[R1-acl-basic-2000]qu
Alternative: acl number 2000.
H3C
Defining and applying rules:
[R1]acl basic 2000
[R1-acl-ipv4-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
Also access-list basic 2000 or acl number 2000.
Cisco
Defining and applying rules:
R1(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Advanced ACL
- ACL ID range: 3000–3999.
Huawei
[R1]acl 3000
[R1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 10.211.33.1 0.0.0.0
Or use a named ACL: acl name aaa.
H3C
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 10.211.33.1 0.0.0.0
Also access-list advanced 3000 or acl number 3000.
Cisco
R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 10.211.33.1 0.0.0.0
Applying ACLs to Interfaces
- Inbound: The ACL is checked before routing. All received traffic is subject to the ACL.
- Outbound: The ACL is checked after routing. Only transit traffic (traffic that entered through another interface) is affected; traffic originated by the router itself is not filtered.
Huawei Example
[R2]acl number 2000
[R2-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[R2-acl-basic-2000]rule 20 permit source 1.1.1.1 0.0.0.0
[R2-acl-basic-2000]rule 99 deny source any
[R2-acl-basic-2000]qu
[R2]int g0/0/2
[R2-GigabitEthernet0/0/2]traffic-filter outbound acl 2000
[R2-GigabitEthernet0/0/2]qu
[R2]acl number 3000
[R2-acl-adv-3000]rule 10 permit icmp source 1.1.1.1 0.0.0.0 destination 4.4.4.4 0.0.0.0
[R2-acl-adv-3000]rule 99 deny icmp source any destination 4.4.4.4 0.0.0.0
[R2-acl-adv-3000]qu
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[R2-GigabitEthernet0/0/1]qu
H3C Example
[R2]acl number 2000
[R2-acl-ipv4-basic-2000]rule 10 deny source 1.1.1.1 0.0.0.0
[R2-acl-ipv4-basic-2000]qu
[R2]int g0/2
[R2-GigabitEthernet0/2]packet-filter 2000 inbound
[R2-GigabitEthernet0/2]qu
[R2]acl number 3000
[R2-acl-ipv4-adv-3000]rule 10 permit icmp source 1.1.1.1 0.0.0.0 destination 4.4.4.4 0.0.0.0
[R2-acl-ipv4-adv-3000]rule 99 deny icmp source any destination 4.4.4.4 0.0.0.0
[R2-acl-ipv4-adv-3000]qu
[R2]int g0/1
[R2-GigabitEthernet0/1]packet-filter 3000 outbound
[R2-GigabitEthernet0/1]qu
On H3C, if a basic ACL is applied outbound without explicitly permitting anything, it may block all traffic. It is safer to use advanced ACLs for outbound filtering.
Cisco Example
R2(config)#access-list 10 permit 192.168.1.0 0.0.0.255
R2(config)#access-list 10 permit host 1.1.1.1
R2(config)#interface GigabitEthernet0/1
R2(config-if)#ip access-group 10 out
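The following Python is an added example, not from the page or from any vendor: it models where an interface ACL sits in the forwarding path, using the advanced ACL 3000 and the interface names from the Huawei example above. An inbound filter runs before the route lookup; an outbound filter runs after it and only on transit traffic, so a packet the router originates itself passes an outbound filter untouched. The Router class, the routing table and the packets are constructed for the demonstration, and the no-match default is the Huawei/H3C one (no implicit deny).

```python
# Added example: inbound vs outbound ACL placement in the forwarding path.
import ipaddress
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")
# Advanced-ACL rule: (action, protocol, src_base, src_wildcard, dst_base, dst_wildcard)
Rule = Tuple[str, str, str, str, str, str]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


def acl_verdict(rules: List[Rule], proto: str, src: str, dst: str) -> str:
    """First match wins; with no match the Huawei/H3C default (no implicit deny) applies."""
    for action, p, sb, sw, db, dw in rules:
        if p in (proto, "ip") and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "permit"


class Router:
    def __init__(self) -> None:
        self.routes: Dict[str, str] = {}                      # prefix -> egress interface
        self.filters: Dict[Tuple[str, str], List[Rule]] = {}  # (iface, "inbound"|"outbound") -> rules

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the constructed routing table."""
        addr = ipaddress.IPv4Address(dst)
        hits = [(ipaddress.IPv4Network(p), i) for p, i in self.routes.items()
                if addr in ipaddress.IPv4Network(p)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def forward(self, proto: str, src: str, dst: str, ingress: Optional[str] = None) -> str:
        """ingress=None marks a packet generated by the router itself."""
        inbound = self.filters.get((ingress, "inbound")) if ingress else None
        if inbound and acl_verdict(inbound, proto, src, dst) == "deny":
            return "dropped by inbound ACL on %s (before routing)" % ingress
        egress = self.lookup(dst)
        if egress is None:
            return "dropped: no route"
        outbound = self.filters.get((egress, "outbound"))
        # outbound filters see transit traffic only; locally originated packets skip them
        if ingress and outbound and acl_verdict(outbound, proto, src, dst) == "deny":
            return "dropped by outbound ACL on %s" % egress
        return "forwarded via %s" % egress


# ACL 3000 from the page's Huawei example: only 1.1.1.1 may send ICMP to 4.4.4.4
ACL_3000: List[Rule] = [
    ("permit", "icmp", "1.1.1.1", "0.0.0.0", "4.4.4.4", "0.0.0.0"),
    ("deny",   "icmp", *ANY,                 "4.4.4.4", "0.0.0.0"),
]


def build_router(direction: str = "outbound") -> Router:
    """Apply ACL 3000 outbound on g0/0/1 (as on the page) or inbound on g0/0/0."""
    r = Router()
    r.routes = {"4.4.4.4/32": "g0/0/1", "1.1.1.0/24": "g0/0/0", "2.2.2.0/24": "g0/0/0"}  # constructed
    iface = "g0/0/1" if direction == "outbound" else "g0/0/0"
    r.filters[(iface, direction)] = ACL_3000
    return r


def run_scenarios() -> Dict[str, str]:
    out, inb = build_router("outbound"), build_router("inbound")
    return {
        "permitted host, transit":    out.forward("icmp", "1.1.1.1", "4.4.4.4", ingress="g0/0/0"),
        "other host, transit":        out.forward("icmp", "2.2.2.2", "4.4.4.4", ingress="g0/0/0"),
        "tcp, no rule matches":       out.forward("tcp", "2.2.2.2", "4.4.4.4", ingress="g0/0/0"),
        "router-originated ping":     out.forward("icmp", "10.0.0.1", "4.4.4.4"),
        "other host, inbound filter": inb.forward("icmp", "2.2.2.2", "4.4.4.4", ingress="g0/0/0"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28} {result}")
```

Two of the scenarios carry the practical lesson: the TCP packet is forwarded because ACL 3000 only names ICMP and the Huawei/H3C no-match default is to forward, and the router-originated ping reaches 4.4.4.4 even though the outbound rule denies ICMP from any source, because outbound filters never see locally generated traffic. If the intent is to restrict what the router itself may send, the filter has to be placed where that traffic is actually seen.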