ACL Rule Syntax
- A rule entry name, unique within the same ACL policy file or among Dynamic ACLs.
- Zero or more match conditions.
- Zero or one action (permit or deny). If no action is specified, the packet is permitted by default.
- Zero or more action modifiers.
Each rule entry uses the following syntax:
entry <ACLrulename>{ if { <match-conditions>; } then { <action>; <action-modifiers>; } }
The following is an example of a rule entry:
entry udpacl { if { source-address 10.203.134.0/24; destination-address 140.158.18.16/32; protocol udp; source-port 190; destination-port 1200 - 1250; } then { permit; } }
An ACL rule is evaluated as follows:
- If the packet matches all the match conditions, the action and any action modifiers in the then statement are taken.
- For ingress ACLs, if a rule entry does not contain any match condition, the packet is considered to match and the action and any action modifiers in the rule entry‘s "then" statement are taken. For egress ACLs, if a rule entry does not contain any match condition, no packets will match. See Matching All Egress Packets for more information.
- If the packet matches all the match conditions, and if there is no action specified in the then statement, the action permit is taken by default.
- If the packet does not match all the match conditions, the action in the then statement is ignored.

Note
For the ExtremeSwitching X695 series switches, egress ACL user rules or policy with an OuterVlanId qualifier do not match packets egressing untagged member ports of a given VLAN. Matching does occur as expected if the egress port is a tagged member of the given VLAN. The OuterVlanId qualifier might be explicitly present, or a rule/policy is applied to a VLAN.
Workaround: (Using dynamic ACL rule) To achieve the same functionality for untagged member ports, use the following workaround. It installs an additional ACL on the untagged member ports with the same actions:
vlan v1 tag 100 ports 1,2,3 are tagged members of vlan v1 port 5 is untagged members of vlan v1 original rule (will match only on tagged ports (1,2,3)): create access-list test "source-address 10.10.10.10/24" "count cnt" configure access-list add test first vlan v1 egress additional rule (will match on untagged port(s)) create access-list test2 "vlan-format untagged; source-address 10.10.10.10/24" "count cnt2" configure access-list add test2 last port 5 egress