Configuring Dynamic ACLs

The Dynamic Access Control Lists page allows you to create dynamic rules for Access Control Lists (ACLs) and is equivalent to entering the command create access-list dynamic_rule conditions actions {non_permanent} with its different variables.

Note

For more information, refer to the ACL Solutions Guide or the ACLs section of the ExtremeXOS 16.2 User Guide.
  1. Select Configure > Dynamic ACL.
    Any current ACLs on the switch will be listed in a searchable table.
  2. Click the Create Policy button.
    A new screen displays showing the match conditions and actions (defaulted to the Basic tab). Clicking the Advanced tab shows more configuration options.
    [Screenshot: ACL_create-policy.png]
  3. Give the policy a name and provide IP addresses and actions. When complete, click Next.
  4. On the ACL Rule: <policy name> page, complete the If area by entering the ethernet-source and ethernet-destination addresses.
  5. Complete the Then field (deny; is common here).
  6. In the Bindings area, determine where this policy will be used—VLANs, ports, or both, and egress or ingress.
    The following examples show ACLs applied to VLANs and ports using ingress any; and egress any;
    [Screenshot: ACL_bindings1.png]

    To create this ACL in the CLI, you would use the following commands:

    create access-list Test 
        "ethernet-source-address 00:00:00:00:00:01 ; 
        ethernet-destination-address 00:00:00:00:00:02 ;" 
        " deny  ;" application "Cli"
    configure access-list add Test last priority 0 zone SYSTEM any ingress
    [Screenshot: ACL_bindings2.png]

    To create this ACL in the CLI, you would use the following commands:

    create access-list Test 
        "ethernet-source-address 00:00:00:00:00:01 ; 
        ethernet-destination-address 00:00:00:00:00:02 ;" 
        " deny  ;" application "Cli"
    configure access-list add Test last priority 0 zone SYSTEM any egress
    The following ACL examples apply bindings to only ports on ingress and egress. For Summit platforms, use the port number only; for SummitStack and chassis, use the slot:port format.
    [Screenshot: ACL_bindings3.png]

    To create this ACL in the CLI, use the following commands:

    create access-list Test 
        " ethernet-source-address 00:00:00:00:00:01 ; 
        ethernet-destination-address 00:00:00:00:00:02 ;" 
        " deny  ;" application "Cli"
    configure access-list add Test last priority 0 zone SYSTEM ports 1 ingress 
    [Screenshot: ACL_bindings4.png]

    To create this ACL in the CLI, use the following commands:

    create access-list Test 
        " ethernet-source-address 00:00:00:00:00:01 ; 
        ethernet-destination-address 00:00:00:00:00:02 ;" 
        " deny  ;" application "Cli"
    configure access-list add Test last priority 0 zone SYSTEM ports 1 egress
    The following example ACLs apply bindings to ports on a specific VLAN on ingress and egress (assuming the VLAN has been created previously). These examples use the Default VLAN.
    [Screenshot: ACL_bindings5.png]

    To create this ACL in the CLI, use the following commands:

    create access-list Test 
        " ethernet-source-address 00:00:00:00:00:01 ; 
        ethernet-destination-address 00:00:00:00:00:02 ;" 
        " deny  ;" application "Cli"
    configure access-list add Test last priority 0 zone SYSTEM vlan Default ingress
    [Screenshot: ACL_bindings6.png]

    To create this ACL in the CLI, use the following commands:

    create access-list Test 
        " ethernet-source-address 00:00:00:00:00:01 ; 
        ethernet-destination-address 00:00:00:00:00:02 ;" 
        " deny  ;" application "Cli"
    configure access-list add Test last priority 0 zone SYSTEM vlan Default egress
  7. Click Apply to complete the policy setup, or click Delete to start over.
When the ACL is complete, you are returned to the Dynamic Access Control Lists screen, where your new policy will be displayed.
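
The CLI pairs shown in step 6 all follow one pattern, so they can be generated from a script that checks every field before it reaches the switch. This is an added example, not part of the original guide or of ExtremeXOS; the function name `build_acl_commands`, the character whitelist for rule and VLAN names, and the `permit` action are assumptions, while the command syntax is copied from the examples above.

```python
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")  # assumed conservative whitelist
PORT_RE = re.compile(r"\d+(?::\d+)?")                # "1" or slot:port such as "2:1"


def _checked(value, pattern, what):
    """Return value if the whole string matches pattern, else raise ValueError."""
    # fullmatch (not match) so quotes, spaces or a trailing newline cannot
    # ride along and break out of the quoted CLI arguments.
    if value is None or not pattern.fullmatch(str(value)):
        raise ValueError(f"invalid {what}: {value!r}")
    return str(value)


def build_acl_commands(name, src_mac, dst_mac, action="deny",
                       bind="any", target=None, direction="ingress"):
    """Return [create_cmd, bind_cmd] for one dynamic rule and its binding.

    bind is "any", "ports" or "vlan"; target is the port or the VLAN name.
    """
    name = _checked(name, NAME_RE, "rule name")
    src = _checked(src_mac, MAC_RE, "source MAC")
    dst = _checked(dst_mac, MAC_RE, "destination MAC")
    if action not in ("deny", "permit"):
        raise ValueError(f"invalid action: {action!r}")
    if direction not in ("ingress", "egress"):
        raise ValueError(f"invalid direction: {direction!r}")
    if bind == "any":
        where = "any"
    elif bind == "ports":
        where = "ports " + _checked(target, PORT_RE, "port")
    elif bind == "vlan":
        where = "vlan " + _checked(target, NAME_RE, "VLAN name")
    else:
        raise ValueError(f"invalid binding: {bind!r}")
    create = (f'create access-list {name} '
              f'"ethernet-source-address {src} ; '
              f'ethernet-destination-address {dst} ;" '
              f'" {action} ;" application "Cli"')
    binding = (f"configure access-list add {name} last priority 0 "
               f"zone SYSTEM {where} {direction}")
    return [create, binding]


if __name__ == "__main__":
    # Constructed input: the Default-VLAN ingress example from step 6.
    for line in build_acl_commands("Test", "00:00:00:00:00:01",
                                   "00:00:00:00:00:02",
                                   bind="vlan", target="Default"):
        print(line)
```

Each command is emitted on a single line, which is how the CLI expects it; the guide wraps the quoted match string across lines only for display.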