Often an ACL has a rule entry at the end of the ACL with no match conditions. This entry matches any
ingress packet not matched by an earlier entry, so that the user can specify an action that overrides the
default permit action.
Matching All Egress Packets
Unlike ingress ACLs, egress ACLs require that you specify either a source address or a destination
address; a rule with no match conditions does not work as an egress ACL. To match every egress packet,
use an address with a zero-length mask (for example, source-address 0.0.0.0/0).
For example, an ingress ACL deny all rule could be:
entry DenyAllIngress {
    if {
    } then {
        deny;
    }
}
The previous rule would not work as an egress ACL. The following is an example of an egress ACL
deny all rule:
entry DenyAllEgress {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}
Rule Evaluation—BlackDiamond 8800 Family and Summit X450 Only
On the BlackDiamond 8800 family and Summit X450, the actions of all matching rules in a policy are applied
to a given packet. Conflicting actions (deny vs. permit, etc.) are resolved by the relative order of the
matching rules in the policy file. Because every matching rule is applied, more than one counter can be
incremented for a single packet.
Match Conditions
You can specify multiple, single, or zero match conditions. If no match condition is specified, all packets
match the rule entry. Among the match conditions commonly used are:
● IP source address and mask
● IP destination address and mask
● TCP or UDP source port range
● TCP or UDP destination port range
Table 34 describes all the possible match conditions.
Actions
The actions are:
● permit—the packet is forwarded
● deny—the packet is dropped
The default action is permit, so if no action is specified in a rule entry, the packet is forwarded.
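As an added example (not code from the Concepts Guide), the following Python model parses policy text in the entry { if { ... } then { ... } } form shown above and evaluates packets against it under both evaluation models: the usual one, where the first matching entry decides, and the BlackDiamond 8800 / Summit X450 behaviour described above, where every matching entry is applied and every matching entry's counter increments. It also shows that the egress form (source-address 0.0.0.0/0) matches every packet just as the empty if-block does, and that an entry with no permit or deny falls back to the default permit. Assumed rather than taken from the page: the count <name> action modifier, the "N - M" port-range syntax, the choice that the earlier entry wins when matching entries conflict, and the policy and packets themselves, which are constructed.

```python
"""ExtremeWare XOS-style ACL evaluation model (added example, not code from the
Concepts Guide).  Parses policy text in the page's
entry NAME { if { ... } then { ... } } form and evaluates packets against it."""
import ipaddress
import re

# One entry: name, if-block body, then-block body.  Bodies contain no braces,
# so a non-greedy match up to the next '}' is sufficient.
ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
# One statement in a block: keyword, optional value, terminated by ';'.
STMT_RE = re.compile(r"([\w-]+)\s*([^;]*);")


def parse_policy(text):
    """Return [(name, conditions, actions), ...] in policy-file order."""
    entries = []
    for name, if_body, then_body in ENTRY_RE.findall(text):
        conds = {k: v.strip() for k, v in STMT_RE.findall(if_body)}
        acts = {k: v.strip() for k, v in STMT_RE.findall(then_body)}
        entries.append((name, conds, acts))
    return entries


def _port_matches(spec, port):
    """'80' or an inclusive range '1024 - 65535' (the range syntax is assumed)."""
    bounds = [int(p) for p in spec.split("-")]
    return bounds[0] <= port <= bounds[-1]


def matches(conds, pkt):
    """All listed conditions must hold; an empty condition set matches every packet."""
    for key, val in conds.items():
        if key in ("source-address", "destination-address"):
            addr = pkt["src"] if key == "source-address" else pkt["dst"]
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(val, strict=False):
                return False
        elif key == "protocol":
            if pkt.get("proto") != val:
                return False
        elif key in ("source-port", "destination-port"):
            port = pkt.get("sport" if key == "source-port" else "dport", -1)
            if not _port_matches(val, port):
                return False
        else:
            raise ValueError(f"unsupported match condition: {key}")
    return True


def evaluate(entries, pkt, counters, all_match=False):
    """Return 'permit' or 'deny' for pkt, incrementing counters on the way.

    all_match=False: the first matching entry decides and evaluation stops.
    all_match=True:  every matching entry is applied (BlackDiamond 8800 / Summit
        X450 behaviour), so every matching entry's counter increments; this
        model assumes the entry listed earlier wins when actions conflict.
    No permit/deny in a matching entry, or no matching entry, means permit.
    """
    decision = None
    for _name, conds, acts in entries:
        if not matches(conds, pkt):
            continue
        if "count" in acts:  # 'count <name>' assumed as the counting action modifier
            counters[acts["count"]] = counters.get(acts["count"], 0) + 1
        if decision is None:
            decision = "deny" if "deny" in acts else "permit"
        if not all_match:
            break
    return decision or "permit"


# Constructed ingress policy: a specific permit, a count-only entry (default
# permit), and the closing no-condition deny-all from the page.
INGRESS_POLICY = """
entry AllowWeb { if { destination-address 10.0.0.0/24; protocol tcp;
                      destination-port 80; } then { permit; count web; } }
entry CountTcp { if { protocol tcp; } then { count tcp; } }
entry DenyAllIngress { if { } then { deny; count dropped; } }
"""
# The page's egress deny-all: 0.0.0.0/0 stands in for "no condition".
EGRESS_POLICY = "entry DenyAllEgress { if { source-address 0.0.0.0/0; } then { deny; } }"

# Constructed sample packets.
PACKETS = {
    "web": {"src": "192.0.2.10", "dst": "10.0.0.7", "proto": "tcp", "sport": 40000, "dport": 80},
    "ssh": {"src": "192.0.2.10", "dst": "10.0.0.7", "proto": "tcp", "sport": 40001, "dport": 22},
    "dns": {"src": "192.0.2.10", "dst": "10.0.0.7", "proto": "udp", "sport": 40002, "dport": 53},
}


def run_ingress(all_match):
    """Decisions and counters for PACKETS under the chosen evaluation model."""
    entries, counters = parse_policy(INGRESS_POLICY), {}
    decisions = {n: evaluate(entries, p, counters, all_match) for n, p in PACKETS.items()}
    return decisions, counters


def run_egress():
    """The 0.0.0.0/0 source condition matches every packet, like the empty if-block."""
    entries = parse_policy(EGRESS_POLICY)
    return {n: evaluate(entries, p, {}) for n, p in PACKETS.items()}


if __name__ == "__main__":
    print("first match:", run_ingress(False))
    print("all match:  ", run_ingress(True))
    print("egress:     ", run_egress())
```

With first-match evaluation each packet increments exactly one counter; with all-match evaluation the web packet increments three (web, tcp and dropped) even though it is permitted, which is the multiple-counter effect the rule-evaluation note warns about. The ssh packet is permitted by CountTcp although that entry names no action, illustrating the default permit.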
ExtremeWare XOS 11.3 Concepts Guide
ACLs
263