I know that ACLs have to be ordered from the most specific to the less specific rules, from IP addresses to subnets.
When permitting a subnet through and denying a given IP address, it is best to start with the IP address rule and then put in the network rule.
The IP address is permitted, then the network is denied except for the permitted IP address. Rule 1 allows the packet to pass through for both rules.
If the subnet is denied first and then the IP address is permitted, the packets will be blocked by the first rule. This is because the second rule is ignored. The subnet is blocked and then an IP address is permitted; all packets are blocked by rule 1.
Suppose rule 1 and rule 2 are swapped, and the IP address is blocked after the network is permitted through; both rules are still present. Packets pass through the rule for the network. However, the rule for the IP address is still present.
Rule 1: allow Net A through
Rule 2: block a given IP address in the network
Will this work?
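The two orderings discussed in the question can be checked with a small first-match simulator. The following is an added example and not code from the original post; it models how a router walks an ACL (first matching rule decides, later rules are never consulted, implicit deny at the end) and flags rules that an earlier, wider rule has made unreachable. The addresses 10.1.1.0/24 and 10.1.1.7 are constructed sample values.

```python
import ipaddress


def build_acl(rules):
    """Turn ('permit' | 'deny', CIDR) pairs into an ordered list of (action, network)."""
    return [(action, ipaddress.ip_network(cidr, strict=False)) for action, cidr in rules]


def evaluate(acl, src_ip):
    """First-match evaluation: the first rule whose network contains src_ip decides,
    later rules are never consulted, and no match at all means implicit deny.
    Returns (action, 1-based index of the matching rule or None)."""
    ip = ipaddress.ip_address(src_ip)
    for index, (action, net) in enumerate(acl, start=1):
        if ip.version == net.version and ip in net:
            return action, index
    return "deny", None  # implicit deny at the end of every ACL


def shadowed_rules(acl):
    """Return 1-based indexes of rules that can never match because an earlier
    rule's network already covers their whole network (same IP version only)."""
    shadowed = []
    for i, (_, net) in enumerate(acl, start=1):
        for _, earlier in acl[:i - 1]:
            if earlier.version == net.version and net.subnet_of(earlier):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample addresses (not taken from the original question).
BLOCKED_HOST = "10.1.1.7"
OTHER_HOST = "10.1.1.8"

# Ordering the question recommends: the specific host rule before the subnet rule.
HOST_FIRST = build_acl([("deny", "10.1.1.7/32"), ("permit", "10.1.1.0/24")])

# The swapped ordering the question asks about: subnet permitted, then the host denied.
SUBNET_FIRST = build_acl([("permit", "10.1.1.0/24"), ("deny", "10.1.1.7/32")])

if __name__ == "__main__":
    for name, acl in (("host first", HOST_FIRST), ("subnet first", SUBNET_FIRST)):
        print(f"{name}: {BLOCKED_HOST} -> {evaluate(acl, BLOCKED_HOST)}, "
              f"{OTHER_HOST} -> {evaluate(acl, OTHER_HOST)}, "
              f"shadowed rules: {shadowed_rules(acl)}")
```

With the host rule first, 10.1.1.7 is denied by rule 1 and every other host in the /24 is permitted by rule 2. With the subnet rule first, 10.1.1.7 matches the permit in rule 1 and the deny in rule 2 is never reached; `shadowed_rules` reports rule 2 as unreachable, which is the check to run on a real ACL before assuming a late deny still does anything.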