create access-list

create access-list dynamic_rule conditions actions {non_permanent}

Description

Creates a dynamic ACL.

Syntax Description

dynamic_rule Specifies the dynamic ACL name. The name can be from 1-32 characters long.
conditions Specifies the match conditions for the dynamic ACL.
actions Specifies the actions for the dynamic ACLs.
non_permanent Specifies that the ACL is not to be saved.

Default

By default, ACLs are permanent.

Usage Guidelines

This command creates a dynamic ACL rule. Use the configure access-list add command to apply the ACL to an interface.

The conditions parameter is a quoted string of match conditions, and the actions parameter is a quoted string of actions. Multiple match conditions or actions are separated by semi-colons. A complete listing of the match conditions and actions is in the ACLs section of the Switch Engine v33.1.1 User Guide .

Dynamic ACL rule names must be unique, but can be the same as used in a policy-file based ACL. Any dynamic rule counter names must be unique. For name creation guidelines and a list of reserved names, see Object Names in the Switch Engine v33.1.1 User Guide .

By default, ACL rules are saved when the save command is executed, and persist across system reboots. Configuring the optional keyword non-permanent means the ACL will not be saved.

Example

The following example creates a dynamic ACL that drops all ICMP echo-request packets on the interface:

create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"

The created dynamic ACL will take effect after it has been configured on the interface. The previous example creates a dynamic ACL named icmp-echo that is equivalent to the following ACL policy file entry:

entry  icmp-echo {
	if  {
		protocol  icmp;
		icmp-type  echo-request;
	} then {
		deny;
	}

The following example creates a dynamic ACL that accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1250:

create access-list udpacl "source-address 10.203.134.0/24;destination-address 140.158.18.16/32;protocol  udp;source-port 190;destination-port  1200 - 1250;" "permit"

The previous example creates a dynamic ACL entry named udpacl that is equivalent to the following ACL policy file entry:

entry  udpacl {
if  {
		source-address 10.203.134.0/24;
		destination-address 140.158.18.16/32;
		protocol  udp;
		source-port 190;
		destination-port  1200 - 1250;
	} then {
		permit;
	}
}

History

This command was first available in ExtremeXOS 11.3.

The non_permanent option was added in ExtremeXOS 11.6.

Platform Availability

This command is available on all Universal switches supported in this document.