ACL Rule Syntax

An ACL (Access Control List) rule entry consists of:
  • A rule entry name, unique within the same ACL policy file or among Dynamic ACLs.
  • Zero or more match conditions.
  • Zero or one action (permit or deny). If no action is specified, the packet is permitted by default.
  • Zero or more action modifiers.

Each rule entry uses the following syntax:

entry <ACLrulename> {
	if {
		<match-conditions>;
	} then {
		<action>;
		<action-modifiers>;
	}
}

The following is an example of a rule entry:

entry udpacl {
	if {
		source-address 10.203.134.0/24;
		destination-address 140.158.18.16/32;
		protocol udp;
		source-port 190;
		destination-port 1200 - 1250;
	} then {
		permit;
	}
}

An ACL rule is evaluated as follows:

  • If the packet matches all the match conditions, the action and any action modifiers in the then statement are taken.

  • For ingress ACLs, if a rule entry does not contain any match condition, the packet is considered to match and the action and any action modifiers in the rule entry's "then" statement are taken. For egress ACLs, if a rule entry does not contain any match condition, no packets will match. See Matching All Egress Packets for more information.

  • If the packet matches all the match conditions, and if there is no action specified in the then statement, the action permit is taken by default.

  • If the packet does not match all the match conditions, the action in the then statement is ignored.
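The following is an added example, not part of this documentation or of any vendor's ACL engine: a small Python parser for the entry/if/then syntax above together with an evaluator that applies the four rules just listed (all conditions must match, a condition-less entry matches everything on ingress and nothing on egress, and a missing action defaults to permit). It assumes entries are evaluated in order with the first matching entry deciding, supports only address, port/port-range and literal (e.g. protocol) conditions, and represents a packet as a dict keyed by the condition names; the policy text is constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample policy in the entry/if/then syntax (not taken from a real device).
POLICY = """entry udpacl {
    if {
        source-address 10.203.134.0/24;
        destination-address 140.158.18.16/32;
        protocol udp;
        source-port 190;
        destination-port 1200 - 1250;
    } then { permit; }
}
entry catchall {
    if { } then { deny; }
}
"""

ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def parse_policy(text):
    """Return [(name, [(key, value), ...], action)]; a missing action defaults to permit."""
    rules = []
    for name, cond_blk, then_blk in ENTRY_RE.findall(text):
        parts = [c.split(None, 1) for c in cond_blk.split(";") if c.strip()]
        conds = [(p[0], p[1].strip() if len(p) > 1 else "") for p in parts]
        stmts = [s.strip() for s in then_blk.split(";") if s.strip()]
        action = next((s for s in stmts if s in ("permit", "deny")), "permit")
        rules.append((name, conds, action))
    return rules

def _match(key, value, pkt):
    """One match condition against one packet field: prefix, port or port range, or literal."""
    if key.endswith("-address"):
        return ip_address(pkt[key]) in ip_network(value, strict=False)
    if key.endswith("-port"):
        lo, _, hi = value.partition("-")          # "1200 - 1250" or a single port "190"
        lo, hi = int(lo), (int(hi) if hi.strip() else int(lo))
        return lo <= pkt[key] <= hi
    return str(pkt.get(key)) == value

def evaluate(rules, pkt, direction="ingress"):
    """Assumed first-match evaluation; returns (entry name, action) or (None, None)."""
    for name, conds, action in rules:
        if not conds:  # no match conditions: ingress matches every packet, egress matches none
            if direction == "ingress":
                return name, action
            continue
        if all(_match(k, v, pkt) for k, v in conds):
            return name, action
    return None, None
```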