Analyzing Matched Packets on Cisco ACL Rules: Theories and Proof
This paper proposes an applicable theory for matching analysis between packets and Cisco ACL rules, which helps ACL rule designers better understand properties of Cisco ACL rule sets such as rule conflict, excludable rules, and rule combination. The proposed theory states the conditions under which rules must not be repositioned and those under which they can be swapped without any effect on the policy. The theory originates from a simple idea, and the authors' study presents 11 theories that they prove to be applicable. The paper also illustrates the practical implementation of the proposed theories. In addition, the theories can be applied to analyze the complexity of firewall rules.
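As an added illustration that is not part of the paper, the Python sketch below encodes two of the properties the abstract refers to for a constructed subset of Cisco extended-ACL syntax (wildcard masks, `host`, `any`, no ports): two adjacent rules can be swapped without changing the policy only when their match sets are disjoint or their actions agree, and a rule is excludable when a single earlier rule already matches every packet it matches (shadowing by a union of earlier rules is deliberately left out). The syntax subset, helper names and sample ACL are assumptions for this example.

```python
import ipaddress
from collections import namedtuple
M = 0xFFFFFFFF  # keep Python's ~ within IPv4 width
Addr = namedtuple("Addr", "net wild")  # wild = Cisco wildcard mask, 1 bits are "don't care"
Rule = namedtuple("Rule", "action proto src dst")
def addr_overlaps(a, b):
    # some address satisfies both patterns iff they agree on every bit fixed in both
    return ((a.net ^ b.net) & ~(a.wild | b.wild) & M) == 0
def addr_within(a, b):
    # a is a subset of b iff every bit fixed in b is fixed to the same value in a
    return (a.wild & ~b.wild & M) == 0 and ((a.net ^ b.net) & ~b.wild & M) == 0
def _parse_addr(toks):
    t = toks.pop(0)
    if t == "any":
        return Addr(0, M)
    if t == "host":
        return Addr(int(ipaddress.IPv4Address(toks.pop(0))), 0)
    return Addr(int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(toks.pop(0))))

def parse_rule(line):
    """Constructed subset of extended-ACL syntax: [access-list N] permit|deny proto src dst (no ports)."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    return Rule(action, proto, _parse_addr(rest), _parse_addr(rest))

def overlaps(a, b):
    """Some packet matches both rules ('ip' covers every protocol)."""
    proto_ok = a.proto == b.proto or "ip" in (a.proto, b.proto)
    return proto_ok and addr_overlaps(a.src, b.src) and addr_overlaps(a.dst, b.dst)
def subsumed(a, b):
    """Every packet matched by a is also matched by b."""
    return (a.proto == b.proto or b.proto == "ip") and addr_within(a.src, b.src) and addr_within(a.dst, b.dst)
def swappable(a, b):
    """Adjacent rules can be reordered without changing the policy iff their match sets are disjoint or their actions agree."""
    return not overlaps(a, b) or a.action == b.action
def excludable(rules):
    """Indices of rules fully shadowed by one earlier rule (never reached under first-match).
    Shadowing by the union of several earlier rules is not detected; a full check needs set subtraction."""
    return [i for i, r in enumerate(rules) if any(subsumed(r, e) for e in rules[:i])]

ACL = [parse_rule(l) for l in [  # constructed sample ACL
    "access-list 101 deny tcp host 10.0.0.5 any",
    "access-list 101 permit tcp 10.0.0.0 0.0.0.255 any",
    "access-list 101 permit udp 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.10",
    "access-list 101 deny ip any any",
]]
```

On the sample, the first two rules overlap on TCP from 10.0.0.5 with opposite actions, so they cannot be reordered, while the fourth rule is shadowed by the second and is excludable.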