Applies a dynamic ACL (Access Control List) rule to the specified interface, sets its precedence among the dynamic ACLs already applied there, and optionally sets the priority and zone for the ACL.
| Parameter | Description |
|---|---|
| dynamic_rule | Specifies a dynamic ACL rule. |
| first | Specifies that the new dynamic rule is to be added as the first rule. |
| last | Specifies that the new dynamic rule is to be added as the last rule. |
| priority | Priority of the rule within a zone. |
| p_number | Specifies the priority number of the rule within a zone. The range is from 0 (highest priority) to 7 (lowest priority). |
| zone | Specifies the ACL zone for the rule. |
| before rule | Specifies that the new dynamic rule is to be added before an existing dynamic rule. |
| after rule | Specifies that the new dynamic rule is to be added after an existing dynamic rule. |
| any | Specifies that this ACL is applied to all interfaces. |
| vlan_name | Specifies the VLAN (Virtual LAN) on which this ACL is applied. |
| port_list | Specifies the ports on which this ACL is applied. |
| ingress | Applies the ACL to packets entering the switch on this interface. |
| egress | Applies the ACL to packets leaving the switch from this interface. |
The default direction is ingress.
The dynamic rule must be created before it can be applied to an interface. Use the following command to create a dynamic rule:
create access-list dynamic_rule conditions actions {non-permanent}
When a dynamic ACL rule is applied to an interface, you specify its precedence among any previously applied dynamic ACLs. All dynamic ACLs have a higher precedence than any ACLs applied through ACL policy files.
Specifying the keyword any applies the ACL to all ports; this is referred to as the wildcard ACL. The wildcard ACL is evaluated for ports that have no specific ACL applied to them, and is also applied to packets that do not match the ACL applied to the interface.
The priority keyword can be used to specify a sub-zone within an application's space. For example, to place ACLs into three sub-zones within the CLI application, you can use three priority numbers, such as 2, 4, and 7.
Configuring priority number 1 is the same as configuring first priority. Configuring priority number 8 is the same as configuring last priority.
The following command applies the dynamic ACL icmp-echo as the first (highest precedence) dynamic ACL to port 1:2 at ingress:
configure access-list add icmp-echo first ports 1:2
The following command applies the dynamic ACL udpacl to port 1:2, placing it before icmp-echo so that it has a higher precedence than that rule:
configure access-list add udpacl before icmp-echo ports 1:2
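The precedence rules above (dynamic ACLs before policy-file ACLs, first/last/before/after placement, wildcard ACL as the fallback) and the two example commands, modelled as an added Python example. This is illustration code written for this page, not ExtremeXOS code and not taken from the page itself. The rule contents (ICMP, UDP/53, a catch-all deny), the policy-file rule `policy-permit-icmp`, the packet dictionaries, and the decision to consult the wildcard ACL after the port's policy-file ACLs are all assumptions of the model; the priority and zone keywords are not modelled.

```python
"""Model of how ExtremeXOS orders dynamic ACLs on an interface.

Added illustration, not ExtremeXOS code. It implements only what the page
states: a dynamic rule must exist before it is applied; first/last/before/
after place the rule relative to dynamic rules already on the port; dynamic
rules are evaluated before policy-file rules; an ACL applied with 'any' (the
wildcard ACL) is consulted for ports with no specific ACL and for packets that
match none of the port's own ACLs. Priority/zone are not modelled. Rule
names other than icmp-echo/udpacl, match fields and packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Match = Callable[[Packet], bool]


@dataclass
class Rule:
    name: str
    match: Match
    action: str  # "permit" or "deny"


@dataclass
class Interface:
    dynamic: List[str] = field(default_factory=list)  # highest precedence first
    policy: List[str] = field(default_factory=list)   # policy-file ACLs; always after dynamic


class AclTable:
    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}
        self.ports: Dict[str, Interface] = {}
        self.wildcard = Interface()  # ACLs applied with "any"

    def create_dynamic_rule(self, name: str, match: Match, action: str) -> None:
        """create access-list <name> <conditions> <actions>"""
        self.rules[name] = Rule(name, match, action)

    def add(self, name: str, port: str = "any", position: str = "last",
            anchor: Optional[str] = None) -> None:
        """configure access-list add <name> {first|last|before <r>|after <r>} ports <port>"""
        if name not in self.rules:
            raise KeyError(f"dynamic rule {name!r} must be created before it is applied")
        iface = self.wildcard if port == "any" else self.ports.setdefault(port, Interface())
        if name in iface.dynamic:  # re-adding moves the rule instead of duplicating it
            iface.dynamic.remove(name)
        if position == "first":
            iface.dynamic.insert(0, name)
        elif position == "last":
            iface.dynamic.append(name)
        elif position in ("before", "after"):
            if anchor not in iface.dynamic:
                raise KeyError(f"{anchor!r} is not a dynamic ACL on port {port}")
            idx = iface.dynamic.index(anchor) + (1 if position == "after" else 0)
            iface.dynamic.insert(idx, name)
        else:
            raise ValueError(f"unknown position {position!r}")

    def apply_policy_file(self, name: str, port: str, match: Match, action: str) -> None:
        """A rule from an ACL policy file; evaluated only after the port's dynamic ACLs."""
        self.rules[name] = Rule(name, match, action)
        self.ports.setdefault(port, Interface()).policy.append(name)

    def evaluate(self, port: str, packet: Packet) -> Optional[Tuple[str, str]]:
        """Return (rule_name, action) of the first matching rule, or None.

        Order: the port's dynamic ACLs, then its policy-file ACLs, then the
        wildcard ACL. Putting the wildcard last is this model's assumption.
        """
        iface = self.ports.get(port, Interface())
        for name in iface.dynamic + iface.policy + self.wildcard.dynamic:
            rule = self.rules[name]
            if rule.match(packet):
                return rule.name, rule.action
        return None


def build_example() -> AclTable:
    """The two commands from the page, plus a constructed policy rule and wildcard ACL."""
    t = AclTable()
    # constructed conditions: the page names these rules but not their contents
    t.create_dynamic_rule("icmp-echo", lambda p: p.get("proto") == "icmp", "deny")
    t.create_dynamic_rule("udpacl", lambda p: p.get("proto") == "udp" and p.get("dport") == 53, "permit")
    t.create_dynamic_rule("deny-rest", lambda p: True, "deny")
    t.add("icmp-echo", port="1:2", position="first")                 # ... icmp-echo first ports 1:2
    t.add("udpacl", port="1:2", position="before", anchor="icmp-echo")  # ... udpacl before icmp-echo ports 1:2
    # a policy-file permit for ICMP on the same port never wins against the dynamic deny
    t.apply_policy_file("policy-permit-icmp", "1:2", lambda p: p.get("proto") == "icmp", "permit")
    t.add("deny-rest", port="any")  # wildcard ACL, reached only when the port's own ACLs do not match
    return t


if __name__ == "__main__":
    table = build_example()
    print("dynamic order on 1:2:", table.ports["1:2"].dynamic)
    print(table.evaluate("1:2", {"proto": "udp", "dport": 53}))
    print(table.evaluate("1:2", {"proto": "icmp"}))
    print(table.evaluate("1:3", {"proto": "tcp", "dport": 22}))
```

Running the script shows udpacl ahead of icmp-echo on port 1:2, ICMP denied by the dynamic rule even though a policy-file rule would permit it, and a TCP packet on an unconfigured port falling through to the wildcard ACL.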
This command was first available in ExtremeXOS 11.3.
This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.
The egress option is available on Summit X450-G2, X460-G2, X670-G2, and X770 series switches only.