ACL Rule Syntax

An ACL rule entry consists of:
  • A rule entry name, unique within the same ACL policy file or among Dynamic ACLs.
  • Zero or more match conditions.
  • Zero or one action (permit or deny). If no action is specified, the packet is permitted by default.
  • Zero or more action modifiers.

Each rule entry uses the following syntax:

entry <ACLrulename> {
	if {
		<match-conditions>;
	} then {
		<action>;
		<action-modifiers>;
	}
}

The following is an example of a rule entry:

entry udpacl {
	if {
		source-address 10.203.134.0/24;
		destination-address 140.158.18.16/32;
		protocol udp;
		source-port 190;
		destination-port 1200 - 1250;
	} then {
		permit;
	}
}
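As an added illustration that is not part of the original documentation, the following Python parses entries written in the syntax above and evaluates a packet against them. The packet dictionary, the first-match evaluation order and the implicit permit when nothing matches are assumptions made for the example; the sample policy text is constructed.

```python
import re
import ipaddress

# Constructed sample policy text in the entry/if/then syntax described above.
POLICY = """entry udpacl {
    if {
        source-address 10.203.134.0/24;
        destination-address 140.158.18.16/32;
        protocol udp;
        source-port 190;
        destination-port 1200 - 1250;
    } then {
        permit;
    }
}
entry icmpcount { if { protocol icmp; } then { count icmps; } }
"""

ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def _stmts(block):
    return [s.strip() for s in block.split(";") if s.strip()]

def parse_policy(text):
    """One dict per entry: name, match conditions, action and action modifiers."""
    rules = []
    for name, cond_blk, then_blk in ENTRY_RE.findall(text):
        conds = dict(s.split(None, 1) for s in _stmts(cond_blk))
        then = _stmts(then_blk)
        action = next((s for s in then if s in ("permit", "deny")), "permit")  # none -> permit
        mods = [s for s in then if s not in ("permit", "deny")]
        rules.append({"name": name, "match": conds, "action": action, "modifiers": mods})
    return rules

def _holds(key, val, actual):
    """Evaluate one match condition against the packet field of the same name."""
    if actual is None:  # packet has no such field (e.g. no ports on ICMP)
        return False
    if key.endswith("-address"):
        return ipaddress.ip_address(actual) in ipaddress.ip_network(val, strict=False)
    if key.endswith("-port"):  # a single port or a 'low - high' range
        lo, _, hi = val.partition("-")
        return int(lo) <= actual <= int(hi or lo)
    return actual == val  # e.g. protocol udp

def evaluate(rules, pkt):
    """First matching entry decides (assumed evaluation order); no match is
    reported as an implicit permit (an assumption, not stated on the page)."""
    for rule in rules:
        if all(_holds(k, v, pkt.get(k)) for k, v in rule["match"].items()):
            return rule["name"], rule["action"]
    return None, "permit"
```

The second entry has no action in its then-block, so the parser records it as permit with only the count modifier, matching the default described above.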

An ACL rule is evaluated as follows:

Note

For the ExtremeSwitching X695 series switches, egress ACL user rules or policies with an OuterVlanId qualifier do not match packets egressing untagged member ports of a given VLAN. Matching occurs as expected if the egress port is a tagged member of that VLAN. The OuterVlanId qualifier may be present explicitly, or implicitly because the rule or policy is applied to a VLAN.

Workaround (using a dynamic ACL rule): to achieve the same functionality on untagged member ports, install an additional ACL with the same actions on those ports, as shown below:

vlan v1 tag 100
 ports 1, 2, 3 are tagged members of VLAN v1
 port 5 is an untagged member of VLAN v1

 original rule (matches only on the tagged ports 1, 2, 3):
 create access-list test "source-address 10.10.10.10/24" "count cnt"
 configure access-list add test first vlan v1 egress

 additional rule (matches on the untagged port(s)):
 create access-list test2 "vlan-format untagged; source-address 10.10.10.10/24" "count cnt2"
 configure access-list add test2 last port 5 egress