Example ACL Rule Entries

The following entry accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1250:

entry  udpacl {
	if  {
		source-address 10.203.134.0/24;
		destination-address 140.158.18.16/32;
		protocol  udp;
		source-port 190;
		destination-port  1200 - 1250;
	} then {
		permit;
	}
}

The following rule entry accepts TCP packets from the 10.203.134.0/24 subnet with a source port larger than 190 and ACK & SYN bits set and also increments the counter tcpcnt. The packets will be forwarded using QoS (Quality of Service) profile QP3.

entry  tcpacl {
	if  {
		source-address 10.203.134.0/24;
		protocol  TCP;
		source-port > 190;
		tcp-flags  syn_ack;
	} then {
		permit;
		count tcpcnt ;
		qosprofile qp3;
	}
}

The following example denies ICMP (Internet Control Message Protocol) echo request (ping) packets originating from the 10.203.134.0/24 subnet, and increments the counter icmpcnt:

entry  icmp {
	if  {
		source-address 10.203.134.0/24;
		protocol  icmp;
		icmp-type  echo-request;
	} then {
		deny;
		count icmpcnt;
	}
}

The following example prevents TCP connections from being established from the 10.10.20.0/24 subnet, but allows established connections to continue, and allows TCP connections to be established to that subnet. A TCP connection is established by sending a TCP packet with the SYN flag set, so this example blocks TCP SYN packets.

entry  permit-established {
	if  {
		source-address 10.10.20.0/24;
		protocol  TCP;
		tcp-flags  syn;
	} then {
		deny;
	}
}

The following entry denies every packet and increments the counter default:

entry  default {
	if  {
	} then {
		deny;
		count default;
	}
}

The following entry permits only those packets with destination MAC addresses whose first 32 bits match 00:01:02:03:

entry rule1 {
	if {
		ethernet-destination-address 00:01:02:03:01:01 ff:ff:ff:ff:00:00 ;
	} then {
		permit  ;
	}
}

The following entry denies IPv6 packets from source addresses in the 2001:db8:c0a8::/48 subnets and to destination addresses in the 2001:db8:c0a0:1234::/64 subnets:

entry ipv6entry {
	if {
		source-address 2001:DB8:C0A8:: / 48;
		destination-address 2001:DB8:C0A0:1234:: / 64;
	} then {
		deny;
	}
}
            

Access lists have entries to match an Ethernet type, so be careful when configuring access lists to deny all traffic. For example, the following rule entries permit traffic only to destination 10.200.250.2 and block any other packet.

entry test_policy_4 {
	if {
		source-address 0.0.0.0/0;
		destination-address 10.200.250.2/32;
	} then {
		permit;
		count test_policy_permit;
	}
}
# deny everyone else
entry test_policy_99 {
	if {
	} then {
		deny;
		count test_policy_deny;
	}
}

Since the deny section does not specify an Ethernet type, all traffic other than IP packets destined to 10.200.250.2/32 are blocked, including the ARP packets. To allow ARP packets, add an entry for the Ethernet type, 1x0806, as shown below.

entry test_policy_5 {
	if {
		ethernet-type 0x0806;
	} then {
		permit;
		count test_policy_permit;
	}
}

The following entries use vlan-ids to set up meters based on individual VLANs.

myServices.pol
	entry voiceService {
		if {
			vlan-id 100;
		} then {
			meter voiceServiceMeter;
		}
	}
	entry videoService {
		if {
			vlan-id 101;
		} then {
			meter videoServiceMeter;
		}
	}
…and so on.

To bind this ACL to a port with vlan-id match criteria use the following command:

config access-list myServices port <N>

The following entry shows how to take action based on VLAN (Virtual LAN) tag priority information. In this example, the dot1p match keyword is used to allow and count every tagged packet with a VLAN priority tag of 3.

entry count_specific_packets {
	if {
		dot1p 3;
	} then {
		count allowed_pkts;
		permit;
	}
}