Routing and/or switching equipment can be configured to enforce access control policies on data communication sessions between endpoints. For example, a router or switch can maintain and consult an Access Control List (ACL) that dictates whether a given data transmission between endpoints is permitted or denied. Each ACL entry specifies an action (e.g., permit or deny the transmission) keyed on transmission data associated with that transmission. Examples of such transmission data include the source port, destination port, source endpoint group, destination endpoint group, and whether the transmission is an acknowledgement, a reset or a fragment.
To reduce network latency, routing and switching equipment can be equipped with high-speed memory, such as ternary content-addressable memory (TCAM), which compares a lookup key against its entire contents in a single clock cycle. Such memory is expensive to build, consumes considerable power, generates substantial heat, and is therefore typically limited in storage capacity. Network operators must accordingly be economical with their ACL entries. Current practices for minimizing ACL entries often rely on blanket access control rules. For example, rather than create a separate entry for the return traffic of each permitted service, administrators will often restrict initial packet traffic to specified ports but permit all acknowledgement packets on every port. While this reduces the number of ACL entries, it also weakens the policy: the acknowledgement check is stateless, so a malicious server or host can send packets with the acknowledgement flag set that belong to no established session, and those packets are permitted on any port, including ports the policy never opened.
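The trade-off above, as an added illustration that is not part of the original document: a small Python model of an ordered ACL with first-match semantics and an implicit final deny, where a None field in an entry plays the role of a masked (wildcard) TCAM bit. The exposed service ports (22, 443), the remote web ports (80, 443) used for return traffic and the sample packets are all constructed assumptions for the example; the "established" match is modelled as ACK or RST set, which is how the blanket rule in the text behaves. The blanket policy costs fewer entries but permits a forged acknowledgement packet to a port that was never opened, while the per-port policy denies it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the ACL matching described in the text: each entry
# keys on transmission data (ports, ACK/RST flags) and yields permit/deny.
# This is an added illustration, not code from the original document.


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    ack: bool = False   # acknowledgement flag set
    rst: bool = False   # reset flag set


@dataclass(frozen=True)
class AclEntry:
    """One TCAM entry. A None field is a wildcard (masked bits)."""
    action: str                          # "permit" or "deny"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    established: Optional[bool] = None   # True: ACK or RST must be set

    def matches(self, p: Packet) -> bool:
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.established is not None and (p.ack or p.rst) != self.established:
            return False
        return True


class Acl:
    """Ordered list with first-match semantics and an implicit final deny."""

    def __init__(self, entries: List[AclEntry]):
        self.entries = list(entries)

    def decide(self, p: Packet) -> str:
        for e in self.entries:
            if e.matches(p):
                return e.action
        return "deny"  # implicit deny when nothing matches

    def tcam_entries(self) -> int:
        return len(self.entries)


# Hypothetical policy (assumption): the protected segment exposes SSH and
# HTTPS, and its hosts browse external web servers, so legitimate return
# traffic arrives from remote ports 80 and 443 with the ACK flag set.
EXPOSED_SERVICES = (22, 443)
REMOTE_SERVICES = (80, 443)


def blanket_acl() -> Acl:
    """Cheap variant: one wildcard entry admits all 'established' traffic."""
    entries = [AclEntry("permit", dst_port=p) for p in EXPOSED_SERVICES]
    entries.append(AclEntry("permit", established=True))   # any port
    return Acl(entries)


def per_port_acl() -> Acl:
    """Costlier variant: one established entry per expected remote port."""
    entries = [AclEntry("permit", dst_port=p) for p in EXPOSED_SERVICES]
    entries += [AclEntry("permit", src_port=p, established=True)
                for p in REMOTE_SERVICES]
    return Acl(entries)


# Constructed traffic, including the bypass: a host that never completed a
# handshake sends a packet with ACK set to a port the policy never opened.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "syn_to_https":      Packet(src_port=51000, dst_port=443),
    "syn_to_rdp":        Packet(src_port=51001, dst_port=3389),
    "reply_from_web":    Packet(src_port=443, dst_port=51002, ack=True),
    "forged_ack_to_rdp": Packet(src_port=4444, dst_port=3389, ack=True),
}


def evaluate(acl: Acl) -> Dict[str, str]:
    """Run every sample packet through the ACL and return the decisions."""
    return {name: acl.decide(p) for name, p in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("blanket", blanket_acl()), ("per-port", per_port_acl())):
        print(f"{label}: {acl.tcam_entries()} TCAM entries -> {evaluate(acl)}")
```

The per-port list already costs one extra entry for two remote services; with every exposed service, remote service and direction multiplied out, that growth is the TCAM pressure the text describes. Note that the per-port variant still trusts the flag bits: a probe that sets ACK and chooses source port 80 is permitted by the third entry, so narrowing the ports shrinks the exposed surface without removing it. Only per-session state closes the gap, and tracking that state is exactly the cost the blanket rule was introduced to avoid.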