Extreme Networks ExtremeWare XOS Guide Manual page 276

Access Lists (ACLs)
In this example, the only difference between policy1.pol and policy2.pol is that rule entries two and
three are swapped. Policy1.pol consumes three masks since there are no adjacent rules with the same
match criteria. Policy2.pol consumes two masks since rules one and three are adjacent and have
identical match criteria. However, policy1.pol and policy2.pol have different meanings because of
precedence.
That said, take care to avoid wasting masks. For example, consider the following
policy:
policy3.pol:
entry one {
    if {
        source-address 1.1.1.1/32;
    } then {
        count debug;
    }
}
entry two {
    if {
        protocol tcp;
        destination-port 23;
    } then {
        deny;
    }
}
entry three {
    if {
        source-address 2.2.2.2/32;
    } then {
        deny;
    }
}
Policy3.pol consumes three masks. However, since rule entries two and three have the same action, their
relative precedence doesn't matter, and they could be swapped without affecting the results of the
policy. The following policy accomplishes the same actions, but uses two masks:
policy4.pol:
entry one {
    if {
        source-address 1.1.1.1/32;
    } then {
        count debug;
    }
}
entry three {
    if {
        source-address 2.2.2.2/32;
    } then {
        deny;
    }
}
entry two {
    if {
        protocol tcp;
        destination-port 23;
    } then {
        deny;
    }
}
ExtremeWare XOS 11.3 Concepts Guide
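The mask accounting described above can be checked before a policy is applied. The following Python sketch is an added example, not part of the manual or of ExtremeWare XOS: it parses the policy syntax shown on this page, counts one mask per run of adjacent entries with identical match criteria, and reports adjacent entries with the same action whose swap would save a mask. The function names are hypothetical, and the model of a mask (matched fields plus prefix length) is a simplifying assumption.

```python
import re

# policy3.pol from the text above, whitespace compacted.
POLICY3 = """
entry one   { if { source-address 1.1.1.1/32; } then { count debug; } }
entry two   { if { protocol tcp; destination-port 23; } then { deny; } }
entry three { if { source-address 2.2.2.2/32; } then { deny; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def statements(block):
    return [s.strip() for s in block.split(";") if s.strip()]

def parse_policy(text):
    """Return [(name, mask_key, actions)] in file (precedence) order."""
    entries = []
    for name, cond, act in ENTRY_RE.findall(text):
        key = set()
        for stmt in statements(cond):
            field, _, value = stmt.partition(" ")
            # Assumption: the mask depends on which fields are matched and
            # on the prefix length, not on the address or port value.
            key.add((field, value.partition("/")[2]))
        entries.append((name, frozenset(key), tuple(statements(act))))
    return entries

def mask_count(entries):
    """One mask per run of adjacent entries with identical match criteria."""
    count, prev = 0, None
    for _, key, _ in entries:
        count += key != prev
        prev = key
    return count

def saving_swaps(entries):
    """Adjacent same-action pairs whose swap lowers the mask count."""
    base, hits = mask_count(entries), []
    for i in range(len(entries) - 1):
        a, b = entries[i], entries[i + 1]
        if a[2] != b[2]:
            continue  # different actions: a swap may change the policy
        trial = mask_count(entries[:i] + [b, a] + entries[i + 2:])
        if trial < base:
            hits.append((a[0], b[0], trial))
    return hits

if __name__ == "__main__":
    rules = parse_policy(POLICY3)
    print(mask_count(rules), saving_swaps(rules))
```

Only swaps between entries with identical action lists are proposed, which is the condition the text gives for precedence not mattering.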
