ACL Rule Syntax
An
ACL rule entry consists of:
- A rule entry name, unique within the same ACL policy file or among
Dynamic ACLs.
- Zero or more match conditions.
- Zero or one action (permit or deny). If no action is specified,
the packet is permitted by default.
- Zero or more action modifiers.
Each rule entry uses the following syntax:
entry <ACLrulename>{
if {
<match-conditions>;
} then {
<action>;
<action-modifiers>;
}
}
The following is an example of a rule entry:
entry udpacl {
if {
source-address 10.203.134.0/24;
destination-address 140.158.18.16/32;
protocol udp;
source-port 190;
destination-port 1200 - 1250;
} then {
permit;
}
}
An ACL rule is evaluated as follows:
- If the packet matches all the match
conditions, the action and any action modifiers in the then statement are taken.
- For ingress ACLs, if a rule entry does
not contain any match condition, the packet is considered to match and the action and any
action modifiers in the rule entry‘s "then" statement are taken. For egress ACLs, if a
rule entry does not contain any match condition, no packets will match. See Matching All Egress Packets for more information.
- If the packet matches all the match
conditions, and if there is no action specified in the then statement, the action permit
is taken by default.
- If the packet does not match all the
match conditions, the action in the then statement is ignored.
