create access-list

create access-list dynamic_rule conditions actions {non_permanent}

Description

Creates a dynamic ACL (Access Control List).

Syntax Description

dynamic_rule Specifies the dynamic ACL name. The name can be from 1-32 characters long.
conditions Specifies the match conditions for the dynamic ACL.
actions Specifies the actions for the dynamic ACLs.
non_permanent Specifies that the ACL is not to be saved.

Default

By default, ACLs are permanent.

Usage Guidelines

This command creates a dynamic ACL rule. Use the configure access-list add command to apply the ACL to an interface.

The conditions parameter is a quoted string of match conditions, and the actions parameter is a quoted string of actions. Multiple match conditions or actions are separated by semi-colons. A complete listing of the match conditions and actions is in the ACLs section of the ExtremeXOS 22.2 User Guide.

Dynamic ACL rule names must be unique, but can be the same as used in a policy-file based ACL. Any dynamic rule counter names must be unique. For name creation guidelines and a list of reserved names, see Object Names in the ExtremeXOS 22.2 User Guide.

By default, ACL rules are saved when the save command is executed, and persist across system reboots. Configuring the optional keyword non-permanent means the ACL will not be saved.

Example

The following example creates a dynamic ACL that drops all ICMP (Internet Control Message Protocol) echo-request packets on the interface:

create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"

The created dynamic ACL will take effect after it has been configured on the interface. The previous example creates a dynamic ACL named icmp-echo that is equivalent to the following ACL policy file entry:

entry  icmp-echo {
	if  {
		protocol  icmp;
		icmp-type  echo-request;
	} then {
		deny;
	}

The following example creates a dynamic ACL that accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1250:

create access-list udpacl "source-address 10.203.134.0/24;destination-address 140.158.18.16/32;protocol  udp;source-port 190;destination-port  1200 - 1250;" "permit"

The previous example creates a dynamic ACL entry named udpacl that is equivalent to the following ACL policy file entry:

entry  udpacl {
if  {
		source-address 10.203.134.0/24;
		destination-address 140.158.18.16/32;
		protocol  udp;
		source-port 190;
		destination-port  1200 - 1250;
	} then {
		permit;
	}
}

History

This command was first available in ExtremeXOS 11.3.

The non_permanent option was added in ExtremeXOS 11.6.

Platform Availability

This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.