configure access-list add

configure access-list add dynamic_rule [ [[first | last] {priority p_number} {zone zone} ] | [[before | after] rule] | [ priority p_number {zone zone} ]] [ any | vlan vlan_name | ports port_list ] {ingress | egress}

Description

Configures a dynamic ACL (Access Control List) rule to the specified interface and sets the priority and zone for the ACL.

Syntax Description

dynamic_rule Specifies a dynamic ACL rule.
first Specifies that the new dynamic rule is to be added as the first rule.
last Specifies that the new dynamic rule is to be added as the last rule.
priority Priority of rule within a zone.
p_number Specifies the priority number of the rule within a zone. The range is from 0 (highest priority) to 7 (lowest priority).
zone Specifies the ACL zone for the rule.
before rule Specifies that the new dynamic rule is to be added before an existing dynamic rule.
after rule Specifies that the new dynamic rule is to be added after an existing dynamic rule.
any Specifies that this ACL is applied to all interfaces.
vlan_name Specifies the VLAN (Virtual LAN) on which this ACL is applied.
port_list Specifies the ports on which this ACL is applied.
ingress Apply the ACL to packets entering the switch on this interface.
egress Apply the ACL to packets leaving the switch from this interface.

Default

The default direction is ingress.

Usage Guidelines

The dynamic rule must first be created before it can be applied to an interface. Use the following command to create a dynamic rule:

create access-list dynamic-rule conditions actions {non-permanent}

When a dynamic ACL rule is applied to an interface, you will specify its precedence among any previously applied dynamic ACLs. All dynamic ACLs have a higher precedence than any ACLs applied through ACL policy files.

Specifying the keyword any applies the ACL to all the ports, and is referred to as the wildcard ACL. This ACL is evaluated for ports without a specific ACL applied to them, and is also applied to packets that do not match the ACL applied to the interface.

The priority keyword can be used to specify a sub-zone within an application‘s space. For example, to place ACLs into three sub-zones within the CLI application, you can use three priority numbers, such as 2, 4, and 7.

Configuring priority number 1 is the same as configuring first priority. Configuring priority number 8 is the same as configuring last priority.

Example

The following command applies the dynamic ACL icmp-echo as the first (highest precedence) dynamic ACL to port 1:2 at ingress:

configure access-list add icmp-echo first ports 1:2

The following command applies the dynamic ACL udpdacl to port 1:2, with a higher precedence than rule icmp-echo:

configure access-list add udpacl before icmp-echo ports 1:2

History

This command was first available in ExtremeXOS 11.3.

Platform Availability

The egress option is available on Summit X450-G2, X460-G2, X670-G2, and X770 series switches only.