Creates a dynamic ACL (Access Control List).
dynamic_rule | Specifies the dynamic ACL name. The name can be from 1-32 characters long. |
conditions | Specifies the match conditions for the dynamic ACL. |
actions | Specifies the actions for the dynamic ACLs. |
non_permanent | Specifies that the ACL is not to be saved. |
By default, ACLs are permanent.
This command creates a dynamic ACL rule. Use the configure access-list add command to apply the ACL to an interface.
The conditions parameter is a quoted string of match conditions, and the actions parameter is a quoted string of actions. Multiple match conditions or actions are separated by semi-colons. A complete listing of the match conditions and actions is in the ACLs section of the ExtremeXOS 22.2 User Guide.
Dynamic ACL rule names must be unique, but can be the same as used in a policy-file based ACL. Any dynamic rule counter names must be unique. For name creation guidelines and a list of reserved names, see Object Names in the ExtremeXOS 22.2 User Guide.
By default, ACL rules are saved when the save command is executed, and persist across system reboots. Configuring the optional keyword non-permanent means the ACL will not be saved.
The following example creates a dynamic ACL that drops all ICMP (Internet Control Message Protocol) echo-request packets on the interface:
create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"
The created dynamic ACL will take effect after it has been configured on the interface. The previous example creates a dynamic ACL named icmp-echo that is equivalent to the following ACL policy file entry:
entry icmp-echo { if { protocol icmp; icmp-type echo-request; } then { deny; }
The following example creates a dynamic ACL that accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1250:
create access-list udpacl "source-address 10.203.134.0/24;destination-address 140.158.18.16/32;protocol udp;source-port 190;destination-port 1200 - 1250;" "permit"
The previous example creates a dynamic ACL entry named udpacl that is equivalent to the following ACL policy file entry:
entry udpacl { if { source-address 10.203.134.0/24; destination-address 140.158.18.16/32; protocol udp; source-port 190; destination-port 1200 - 1250; } then { permit; } }
This command was first available in ExtremeXOS 11.3.
The non_permanent option was added in ExtremeXOS 11.6.
This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.