ACL Rule Syntax

An ACL rule entry consists of:

A rule entry name, unique within the same ACL policy file or among Dynamic ACLs.
Zero or more match conditions.
Zero or one action (permit or deny). If no action is specified, the packet is permitted by default.
Zero or more action modifiers.

Each rule entry uses the following syntax:

entry <ACLrulename>{
	if  {
		<match-conditions>;
	} then {
		<action>;
		<action-modifiers>;
	}
}

The following is an example of a rule entry:

entry  udpacl {
	if  {
		source-address 10.203.134.0/24;
		destination-address 140.158.18.16/32;
		protocol  udp;
		source-port 190;
		destination-port  1200 - 1250;
	} then {
		permit;
	}
}

An ACL rule is evaluated as follows:

If the packet matches all the match conditions, the action and any action modifiers in the then statement are taken.
For ingress ACLs, if a rule entry does not contain any match condition, the packet is considered to match and the action and any action modifiers in the rule entry‘s "then" statement are taken. For egress ACLs, if a rule entry does not contain any match condition, no packets will match. See Matching All Egress Packets for more information.
If the packet matches all the match conditions, and if there is no action specified in the then statement, the action permit is taken by default.
If the packet does not match all the match conditions, the action in the then statement is ignored.

Note

For the ExtremeSwitching X695 series switches, egress ACL user rules or policy with an OuterVlanId qualifier do not match packets egressing untagged member ports of a given VLAN. Matching does occur as expected if the egress port is a tagged member of the given VLAN. The OuterVlanId qualifier might be explicitly present, or a rule/policy is applied to a VLAN.

Workaround: (Using dynamic ACL rule) To achieve the same functionality for untagged member ports, use the following workaround. It installs an additional ACL on the untagged member ports with the same actions:

vlan v1 tag 100
 ports 1,2,3 are tagged members of vlan v1
 port 5 is untagged members of vlan v1

 original rule (will match only on tagged ports (1,2,3)):
 create access-list test "source-address 10.10.10.10/24" "count cnt"
 configure access-list add test first vlan v1 egress

 additional rule (will match on untagged port(s))
 create access-list test2 "vlan-format untagged; source-address 10.10.10.10/24" "count cnt2"
 configure access-list add test2 last port 5 egress

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

ACL Rule Syntax