After a dynamic ACL (Access Control List) rule has been created, it can be applied to a port, VLAN (Virtual LAN), or to the wildcard any interface. When the ACL is applied, you specify the precedence of the rule among the dynamic ACL rules. To configure the dynamic ACL rule on an interface, use the following command:
configure access-list add dynamic_rule [ [[first | last] {priority p_number} {zone zone} ] | [[before | after] rule] | [ priority p_number {zone zone} ]] [ any | vlan vlan_name | ports port_list ] {ingress | egress}
To remove a dynamic ACL from an interface, use the following command:
configure access-list delete ruleName [ any | vlan vlan_name | ports port_list | all] {ingress | egress}
An ACL can be created to be used when an edge port detects a loop. This ACL acts to block looped frames while allowing the port to remain in a forwarding state rather than shutting down. To configure a dynamic ACL for blocking looped STP (Spanning Tree Protocol) BPDUs on port 6, for example, use the following:
create access-list bpdu1 "ethernet-destination-address \ 01:80:C2:00:00:00;" "deny; count bpdu1" conf access-list add "bpdu1" first ports 6 ingress
To configure a dynamic ACL for blocking PVST frames on port 6, use the following:
create access-list bpdu2 "ethernet-destination-address \ 01:00:0c:cc:cc:cd;" "deny; count bpdu2" conf access-list add "bpdu2" first ports 6 ingress
To unconfigure the STP ACL, use the following:
conf access-list del "bpdu1" ports 6 del access-list "bpdu1"