Creates a dynamic ACL.
Parameter | Description
dynamic_rule | Specifies the dynamic ACL name. The name can be from 1-32 characters long.
conditions | Specifies the match conditions for the dynamic ACL.
actions | Specifies the actions for the dynamic ACL.
non_permanent | Specifies that the ACL is not to be saved.
By default, ACLs are permanent.
This command creates a dynamic ACL rule. Use the configure access-list add command to apply the ACL to an interface.
The conditions parameter is a quoted string of match conditions, and the actions parameter is a quoted string of actions. Multiple match conditions or actions are separated by semicolons. A complete listing of the match conditions and actions is in the ACLs section of the Switch Engine v33.1.1 User Guide.
Dynamic ACL rule names must be unique, but can be the same as a name used in a policy-file based ACL. Any dynamic rule counter names must be unique. For name creation guidelines and a list of reserved names, see Object Names in the Switch Engine v33.1.1 User Guide.
By default, ACL rules are saved when the save command is executed, and persist across system reboots. Configuring the optional keyword non_permanent means the ACL will not be saved.
The following example creates a dynamic ACL that drops all ICMP echo-request packets on the interface:
create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"
The created dynamic ACL will take effect after it has been configured on the interface. The previous example creates a dynamic ACL named icmp-echo that is equivalent to the following ACL policy file entry:
entry icmp-echo { if { protocol icmp; icmp-type echo-request; } then { deny; } }
The following example creates a dynamic ACL that accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1250:
create access-list udpacl "source-address 10.203.134.0/24;destination-address 140.158.18.16/32;protocol udp;source-port 190;destination-port 1200 - 1250;" "permit"
The previous example creates a dynamic ACL entry named udpacl that is equivalent to the following ACL policy file entry:
entry udpacl { if { source-address 10.203.134.0/24; destination-address 140.158.18.16/32; protocol udp; source-port 190; destination-port 1200 - 1250; } then { permit; } }
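The two examples above show that the quoted conditions and actions strings of create access-list map one-to-one onto the if/then clauses of a policy-file entry. The following Python script is an added example, not part of the Switch Engine documentation or any Extreme Networks tool: it splits the semicolon-separated strings into clauses, checks the name length and dynamic-rule uniqueness constraints stated on this page, and renders the equivalent policy-file entry so an operator can review what a dynamic rule will do before applying it. The permitted name character set is an assumption; the keywords in the sample input are only those used in the examples on this page.

```python
"""Render ExtremeXOS dynamic-ACL arguments as a policy-file entry.

Added example, not part of the Switch Engine documentation or any Extreme
Networks tool. It models the equivalence this page describes between the
quoted conditions/actions strings of `create access-list` and the
`entry name { if { ... } then { ... } }` policy-file form.
"""
from __future__ import annotations

import re

# Length limit (1-32) comes from the page; the allowed character set is assumed.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def split_clauses(quoted: str) -> list[str]:
    """Split a semicolon-separated conditions/actions string into clauses.

    Empty clauses (for example from a trailing ';' as in the udpacl example)
    are dropped and surrounding whitespace is normalised.
    """
    return [c.strip() for c in quoted.split(";") if c.strip()]


def validate_name(name: str, existing: set[str]) -> None:
    """Dynamic ACL names are 1-32 characters and unique among dynamic rules.

    A dynamic rule may reuse a name from a policy-file ACL, so `existing`
    should hold only the dynamic rule names already created.
    """
    if not NAME_RE.match(name):
        raise ValueError(f"invalid dynamic ACL name: {name!r}")
    if name in existing:
        raise ValueError(f"dynamic ACL name already in use: {name!r}")


def to_policy_entry(name: str, conditions: str, actions: str,
                    existing: set[str] | None = None) -> str:
    """Return the policy-file entry equivalent to:
    create access-list <name> "<conditions>" "<actions>"
    """
    validate_name(name, existing or set())
    cond = split_clauses(conditions)
    act = split_clauses(actions)
    if not cond:
        raise ValueError("at least one match condition is required")
    if not act:
        raise ValueError("at least one action is required")
    cond_text = " ".join(f"{c};" for c in cond)
    act_text = " ".join(f"{a};" for a in act)
    return f"entry {name} {{ if {{ {cond_text} }} then {{ {act_text} }} }}"


if __name__ == "__main__":
    # Constructed inputs: the two examples from the command reference.
    print(to_policy_entry("icmp-echo",
                          "protocol icmp;icmp-type echo-request", "deny"))
    print(to_policy_entry(
        "udpacl",
        "source-address 10.203.134.0/24;destination-address 140.158.18.16/32;"
        "protocol udp;source-port 190;destination-port 1200 - 1250;",
        "permit"))
```

Running the script prints the two policy-file entries shown on this page. Feeding it the dynamic rules you intend to create, together with the set of dynamic rule names already present, catches over-long or duplicate names before the switch rejects them and gives you the rule in the same form used by policy files for review.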
This command was first available in ExtremeXOS 11.3.
The non_permanent option was added in ExtremeXOS 11.6.
This command is available on all Universal switches supported in this document.