Configuring Dynamic ACLs

The Dynamic Access Control Lists page allows you to create dynamic rules for Access Control Lists (ACLs) and is equivalent to entering the command create access-list dynamic_rule conditions actions {non_permanent} with its different variables.

Note

For more information, refer to the ACL Solutions Guide or the ACLs section of the ExtremeXOS 16.2 User Guide.

Select Configure > Dyanmic ACL.
Any current ACLs on the switch will be listed in a searchable table.
Click the Create Policy button.
A new screen displays showing the match conditions and actions (defaulted to the Basic tab). Clicking the Advanced tab shows more configuration options.
Give the policy a name and provide IP addresses and actions. When complete, click Next.
On the ACL Rule: <policy name> page, complete the If area by entering the enternet-source and ethernet-destination addresses.
Complete the Then field (deny; is common here).

In the Bindings area, determine where this policy will be used—VLANs, ports, or both, and egress or ingress.

The following examples show ACLs applying the to VLANs and Ports using ingress any; and egress any;

To create this ACL in the CLI, you would use the following commands:

create access-list Test 
    "ethernet-source-address 00:00:00:00:00:01 ; 
    ethernet-destination-address 00:00:00:00:00:02 ;" 
    " deny  ;" application "Cli"
configure access-list add Test last priority 0 zone SYSTEM any ingress

To create this ACL in the CLI, you would use the following commands:

create access-list Test 
    "ethernet-source-address 00:00:00:00:00:01 ; 
    ethernet-destination-address 00:00:00:00:00:02 ;" 
    " deny  ;" application "Cli"
configure access-list add Test last priority 0 zone SYSTEM any egress

The following ACL examples apply bindings to only ports on ingress and egress. For Summit platforms, use the port number only; for SummitStack and chassis, use the slot:port format.

To create this ACL in the CLI, use the following commands:

create access-list Test 
    " ethernet-source-address 00:00:00:00:00:01 ; 
    ethernet-destination-address 00:00:00:00:00:02 ;" 
    " deny  ;" application "Cli"
configure access-list add Test last priority 0 zone SYSTEM ports 1 ingress

To create this ACL in the CLI, use the following commands:

create access-list Test 
    " ethernet-source-address 00:00:00:00:00:01 ; 
    ethernet-destination-address 00:00:00:00:00:02 ;" 
    " deny  ;" application "Cli"
configure access-list add Test last priority 0 zone SYSTEM ports 1 egress

The following example ACLs apply bindings to ports on a specific VLAN on ingress and egress (assuming the VLAN has been created previously). These examples use the Default VLAN.

To create this ACL in the CLI, use the following commands:

create access-list Test 
    " ethernet-source-address 00:00:00:00:00:01 ; 
    ethernet-destination-address 00:00:00:00:00:02 ;" 
    " deny  ;" application "Cli"
configure access-list add Test last priority 0 zone SYSTEM vlan Default ingress

To create this ACL in the CLI, use the following commands:

create access-list Test 
    " ethernet-source-address 00:00:00:00:00:01 ; 
    ethernet-destination-address 00:00:00:00:00:02 ;" 
    " deny  ;" application "Cli"
configure access-list add Test last priority 0 zone SYSTEM vlan Default egress

Click Apply to complete the policy setup, or click Delete to start over.

When the ACL is complete, you are returned to the Dynamic Access Control Lists screen, where your new policy will be displayed.

Published December 2016prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback