In computer networking, an access control list (ACL) can refer to a strictly ordered list of rules applied to port numbers or IP addresses available on a host or other network. An ACL may be implemented on networking devices, such as routers and switches, to filter traffic and provide network security. For instance, an ACL may include rules that specify certain network hosts or addresses to which a switch should permit or deny network access.
An ACL rule may be divided into a condition and an action. That is, if a certain condition is satisfied, then the networking device performs the corresponding action. For example, a rule may specify, as a condition, receiving an incoming frame from a specific IP address. The rule could specify, as a corresponding action, to discard the frame. Typically, networking devices configured with ACLs execute an action associated with the first matching rule in the list. Therefore, the ordering of the list is of importance.
Further, an ACL may be implemented in a networking device using ternary content addressable memory (TCAM). TCAM is a type of computer memory that allows for high-speed searching of the ACL. However, TCAM capacity is costly, and thus an ACL is generally restricted by space considerations. To make the most of the available TCAM capacity, the TCAM allows rule conditions to be grouped together conjunctively. More specifically, different rule conditions may be tied together using logical AND operations. As a result, numerous conditions may be expressed in one rule for efficiency.
Additionally, a networking device may provide a numeric range table that aids the device in performing numeric comparisons for TCAM-based rules. When the networking device receives an incoming Ethernet frame, the device consults the numeric range table prior to searching for a matching rule condition in the ACL. If the networking device matches a given entry of the numeric range table, the networking device may generate a portion of a search key from values obtained from the entry and use the search key to access the TCAM.
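The following added example (not code from the original text) models the lookup described above in Python: a constructed numeric range table is consulted first to produce the range-bits portion of the search key, each TCAM entry holds (value, mask) fields that are ANDed together, and the first matching entry in the ordered list decides the action. The range table, the ACL contents, and the implicit deny when nothing matches are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed numeric range table: (low, high) destination-port ranges.
# A match on entry i sets bit i of the range-bits portion of the search key.
RANGE_TABLE = [(0, 1023), (1024, 49151), (49152, 65535), (443, 443)]

def range_bits(port: int) -> int:
    """Consult the range table before the TCAM search; one bit per matching entry."""
    return sum(1 << i for i, (lo, hi) in enumerate(RANGE_TABLE) if lo <= port <= hi)

@dataclass(frozen=True)
class TcamRule:
    # Each field is (value, mask); bits where mask is 0 are ternary "don't care".
    src_ip: tuple
    rbits: tuple
    action: str

def ip_field(cidr: str) -> tuple:
    """Source-address condition expressed as a (value, mask) TCAM field."""
    net = IPv4Network(cidr)
    return (int(net.network_address), int(net.netmask))

def rbits_field(*entries: int) -> tuple:
    """Require membership in the given range-table entries (all must match)."""
    bits = sum(1 << i for i in entries)
    return (bits, bits)

ANY = (0, 0)  # fully masked field: matches anything

# Constructed ACL, strictly ordered. Both fields are ANDed within one entry.
ACL = [
    TcamRule(ip_field("10.0.0.0/8"), rbits_field(3), "permit"),  # 10/8 -> port 443
    TcamRule(ip_field("10.0.0.0/8"), rbits_field(0), "deny"),    # 10/8 -> other well-known ports
    TcamRule(ANY, ANY, "permit"),                                # everything else
]

def build_key(src_ip: str, dst_port: int) -> tuple:
    """Search key: source address plus the range bits derived from the range table."""
    return (int(IPv4Address(src_ip)), range_bits(dst_port))

def lookup(acl, src_ip: str, dst_port: int) -> str:
    """First-match semantics: the first rule whose masked fields equal the key wins."""
    key = build_key(src_ip, dst_port)
    for rule in acl:
        fields = (rule.src_ip, rule.rbits)
        if all((k & m) == (v & m) for (v, m), k in zip(fields, key)):
            return rule.action
    return "deny"  # assumption: implicit deny when no rule matches
```

Swapping the first two rules makes a 10.0.0.0/8 host's traffic to port 443 hit the deny entry first, which is the ordering effect the text describes.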