It would be very nice if in the ACL rules could invert at least some parameters.
How this is done, for example, in iptables or some other switch's ACL.
Parameters, who lack this option: IP Src / IP Dst, and maybe MAC Src / MAC Dst.
Example: IP Src "! 10.0.0.0/24" will affect all IP Src except 10.0.0.0/24.