create policy access-list

create policy access-list list_dot_rule {matches [ {app-signature group group name name} {ether ether {mask ether_mask}} {icmp6type icmp6type {mask icmp6_mask}} {icmptype icmptype {mask icmp_mask}} {ipdestsocket ipdestsocket {mask ipdest_mask}} {ipfrag} {ipproto ipproto {mask ipproto_mask}} {ipsourcesocket ipsourcesocket {mask ipsrc_mask}} {iptos iptos {mask iptos_mask}} {ipttl ipttl {mask ipttl_mask}} {tcpdestportIP tcpdestportIP {mask tcpdest_mask}} {tcpsourceportIP tcpsourceportIP {mask tcpsrc_mask}} {udpdestportIP udpdestportIP {mask udpdest_mask}} {udpsourceportIP udpsourceportIP {mask udpsrc_mask}} ] } {actions [ {cos cos} {drop | forward} {mirror-destination control_index} {syslog}]}

Description

Creates policy access-list match criteria.

Syntax Description

access-list Specifies access-list rule model to select multiple match criteria per rule.
list_dot_rule Specifies the access-list name and rule name in the format list_name.rule_name.
matches Selects up to 5 match criteria.
app-signature Associates an application signature to a policy profile.
group Associates an application signature group to a policy profile.
group Defines the application signature group name.
name Associates an application signature name to a policy profile.
name Defines the name assigned to the application signature (range 1–32).
ether Selects the type field in Ethernet II packet.
ether Defines the type field in Ethernet II packet (data: 0–65535 or 0x0–0xFFFF; mask: 1–16).
mask Selects a mask.
ether_mask Selects the number of most significant bits to match data value (range 1–16).
icmp6type Selects ICMPv6 type.code.
icmp6type Defines the ICMPv6 type.code (data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal)).
icmp6_mask Specifies the number of most significant bits to match data value (range 1–16).
icmptype Selects an ICMP type.code.
icmptype Specifies the ICMP type.code (data: a.b; mask: 1–16).
icmp_mask Specifies the number of most significant bits to match data value (range 1–16).
ipdestsocket Specifies a destination IP address with optional post-fixed port or port-range.
ipdestsocket Defines the destination IP address with optional post-fixed port or port-range (data: a.b.c.d [:ab (0–65535) [-cd (0–65535)]]; mask: 1–48, 64).
ipdest_mask Specifies the number of most significant bits to match data value (range 1–64).
ipfrag Selects IP fragmentation flag.
ipproto Specifies protocol field in IP packet.
ipproto Defines the protocol field in IP packet (data: 0–255 or 0x0–0xFF; mask: 1–8). IPv4 only (ICMP).
ipproto_mask Specifies the number of most significant bits to match the data value (range 1–8).
ipsourcesocket Specifies the source IP address with optional post-fixed port or port-range.
ipsourcesocket Defines the source IP address with optional post-fixed port or port-range (data: a.b.c.d [:ab (0–65535) [-cd (0–65535)]]; mask: 1–48, 64).
ipsrc_mask Specifies the number of most significant bits to match data value (range 1–64).
iptos Specifies IPv4 type of service/IPv6 traffic class field.
iptos Defines the IPv4 type of service/IPv6 traffic class field (data: 0–255; mask: 1–8).
iptos_mask Specifies the number of most significant bits to match data value (range 1–8).
ipttl Specifies IP time to live.
ipttl Defines the IP time to live (data: 0–255 or 0x0–0xFF; mask: 1–8).
ipttl_mask Specifies the number of most significant bits to match data value (range 1–8).
tcpdestportIP Specifies TCP port/port-range destination with optional post-fix IPv4 address.
tcpdestportIP Defines the TCP port/port-range destination with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]; mask: 1–64).
tcpdest_mask Specifies the number of most significant bits to match data value (range 1–64).
tcpsourceportIP Specifies TCP port/port-range source with optional post-fix IPv4 address.
tcpsourceportIP Defines the TCP port/port-range source with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]; mask: 1–64).
tcpsrc_mask Specifies the number of most significant bits to match data value (range 1–64).
udpdestportIP Specifies UDP port/port-range destination with optional post-fix IPv4 address.
udpdestportIP Defines the UDP port/port-range destination with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]; mask: 1–64).
udpdest_mask Specifies the number of most significant bits to match data value (range 1–64).
udpsourceportIP Specifies UDP port/port-range source with optional post-fix IPv4 address.
udpsourceportIP Defines the UDP port/port-range source with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]).
udpsrc_mask Specifies the number of most significant bits to match data value (range 1–64).
actions Selects one or more actions to take when a packet matches the rule.
cos Specifies Class of Service (CoS) as an action.
cos Defines the CoS (0–255), or -1 for no CoS, or CoS with no forwarding behavior to remove the existing forwarding settings.
drop Specifies dropping any packets that match this rule.
forward Specifies forwarding any packets that match this rule.
mirror-destination Specifies mirroring any packets that match this rule.
control_index Defines which mirror destination control index (1–4).
syslog Enables, disables, or prohibits Syslog using event Policy.LogRuleHit on first rule use.

Default

N/A.

Usage Guidelines

To use this command, the policy rule model must be set to access-list (use command configure policy rule-model [access-list | hierarchical]).

The following combinations are not allowed:
  • ipfrag with icmp, tcp, udp or ip with port rules
  • tcp/udp source rules with ipSrc rule with port
  • tcp/udp rules dest rule with ipDest rule with port
  • icmp with tcp, udp or ip with port rules

Example

The following example creates the policy access list "ACL1.ace3" with match criteria of IP source address "10.1.1.1" and mask "32" with the action to forward with Class of Service level "2":

# create policy access-list ACL1.ace3 matches ipsource 10.1.1.1 mask 32 actions forward cos 2
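As an added illustration (not ExtremeXOS code or output), the following Python models two points the reference states only in prose: how a "most significant bits" mask applies to an ipsourcesocket/ipdestsocket value, and the four disallowed match combinations from the Usage Guidelines. The bit layout of a socket value (the IPv4 address bits followed by the 16-bit port, giving 48 bits, with a port range requiring the full mask of 64) is an assumption read off the documented mask ranges "1–48, 64", and every function name here is the example's own, not part of the switch CLI.

```python
"""Checks modelled on the create policy access-list reference above.

Added illustration, not ExtremeXOS code. ASSUMPTION: a socket value
a.b.c.d is 32 bits of data, a.b.c.d:port is 32 + 16 = 48 bits, and
a.b.c.d:lo-hi needs the documented mask of 64, which is treated here as
"exact address plus port range" because a range is not a bit prefix.
"""
import ipaddress

L4_SRC = {"tcpsourceportIP", "udpsourceportIP"}
L4_DST = {"tcpdestportIP", "udpdestportIP"}
ICMP = {"icmptype", "icmp6type"}
MAX_MATCHES = 5  # "matches Selects up to 5 match criteria"


def parse_rule_name(list_dot_rule):
    """Split list_name.rule_name; both halves must be non-empty."""
    list_name, dot, rule_name = list_dot_rule.partition(".")
    if not (dot and list_name and rule_name):
        raise ValueError("expected list_name.rule_name, got %r" % list_dot_rule)
    return list_name, rule_name


def parse_socket(value):
    """Return (ipv4_int, low_port, high_port, data_width_bits) for a.b.c.d[:ab[-cd]]."""
    addr, _, ports = value.partition(":")
    ip = int(ipaddress.IPv4Address(addr))
    if not ports:
        return ip, None, None, 32
    lo, _, hi = ports.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    for port in (lo, hi):
        if not 0 <= port <= 65535:
            raise ValueError("port %d outside 0-65535" % port)
    return ip, lo, hi, (64 if "-" in ports else 48)


def socket_matches(value, mask, pkt_ip, pkt_port):
    """Does packet (pkt_ip, pkt_port) hit a socket match value under the given mask?

    The mask counts most-significant bits of address||port (assumption above),
    so a mask shorter than 48 on a value with a port prefix-matches the port
    bits too: 10.1.1.1:80 with mask 47 admits ports 80 and 81.
    """
    ip, lo, hi, width = parse_socket(value)
    pkt = int(ipaddress.IPv4Address(pkt_ip))
    if width == 64:
        if mask != 64:
            raise ValueError("a port range requires mask 64")
        return pkt == ip and lo <= pkt_port <= hi
    # Assumption: a mask wider than the data actually supplied is rejected.
    if not 1 <= mask <= width:
        raise ValueError("mask %d outside 1-%d for %r" % (mask, width, value))
    rule_bits = (ip << 16) | (lo or 0)
    pkt_bits = (pkt << 16) | pkt_port
    shift = 48 - mask
    return (rule_bits >> shift) == (pkt_bits >> shift)


def validate_matches(matches):
    """Return the Usage Guidelines violations for a dict of match keyword -> value."""
    keys = set(matches)
    errors = []
    if len(keys) > MAX_MATCHES:
        errors.append("more than %d match criteria" % MAX_MATCHES)
    src_has_port = ":" in (matches.get("ipsourcesocket") or "")
    dst_has_port = ":" in (matches.get("ipdestsocket") or "")
    ip_with_port = src_has_port or dst_has_port
    l4 = keys & (L4_SRC | L4_DST)
    icmp = keys & ICMP
    if "ipfrag" in keys and (icmp or l4 or ip_with_port):
        errors.append("ipfrag with icmp, tcp, udp or ip with port rules")
    if keys & L4_SRC and src_has_port:
        errors.append("tcp/udp source rules with ipSrc rule with port")
    if keys & L4_DST and dst_has_port:
        errors.append("tcp/udp dest rule with ipDest rule with port")
    if icmp and (l4 or ip_with_port):
        errors.append("icmp with tcp, udp or ip with port rules")
    return errors


if __name__ == "__main__":
    # Modelled on the page's example: source 10.1.1.1 with mask 32.
    print(parse_rule_name("ACL1.ace3"))                       # ('ACL1', 'ace3')
    print(socket_matches("10.1.1.1", 32, "10.1.1.1", 443))    # True
    print(socket_matches("10.1.1.1:80", 47, "10.1.1.1", 81))  # True
    print(validate_matches({"ipfrag": None, "tcpdestportIP": "443"}))
```

The practical point of the mask model is the second print: once the port is part of the data, any mask below 48 widens the match across port values as well as addresses, so a rule meant to pin a single port should carry mask 48 (or use a port range with mask 64).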

History

This command was first available in ExtremeXOS 30.5.

Platform Availability

This command is available on all Universal switches supported in this document.