Access Lists (ACLs)
can be applied to an interface, and the precedence of the ACLs is determined as they are being
configured. See
ACL Policy File Syntax
An ACL policy file contains one or more rule entries. Each rule entry consists of:
a rule entry name, unique within the same ACL.
●
zero or more match conditions.
●
zero or one action (permit or deny). If no action is specified, the packet is permitted by default.
●
zero or more action modifiers.
●
Each rule entry in the file uses the following syntax:
entry <ACLrulename>{
if
{
<match-conditions>;
} then {
<action>;
<action-modifiers>;
}
}
Here is an example of a rule entry:
entry
udpacl {
if
{
source-address 10.203.134.0/24;
destination-address 140.158.18.16/32;
protocol
source-port 190;
destination-port
} then {
permit;
}
}
ACL rule entries are evaluated in order, from the beginning of the file to the end, as follows:
If the packet matches all the match conditions, the action in the then statement is taken and the
●
evaluation process terminates.
For ingress ACLs, if a rule entry does not contain any match condition, the packet is considered to
●
match and the action in the rule entry's then statement is taken and the evaluation process
terminates. For egress ACLs, if a rule entry does not contain any match condition, no packets will
match. See the section,
If the packet matches all the match conditions, and if there is no action specified in the then
●
statement, the action permit is taken by default.
If the packet does not match all the match conditions, the next rule entry in the ACL is evaluated.
●
This process continues until either the packet matches all the match conditions in one of the
●
subsequent rule entries or there are no more entries.
If a packet passes through all the rule entries in the ACL without matching any of them, it is
●
permitted.
262
"Dynamic ACLs" on page 268
udp;
1200 - 1250;
"Matching All Egress Packets"
for information about creating dynamic ACLs.
for more information.
ExtremeWare XOS 11.3 Concepts Guide