ACL Evaluation Precedence - Extreme Networks ExtremeWare XOS Guide Manual


conditions, actions, and action-modifiers are the same as those that are available for ACL policy files
(see "ACL Policy File Syntax" on page 262). In contrast to the ACL policy file entries, dynamic ACLs are
created directly in the CLI. Use the following command to create a dynamic ACL:
create access-list <dynamic-rule> <conditions> <actions>
As an example of creating a dynamic ACL rule, let's compare an ACL policy file entry with the CLI
command that creates the equivalent dynamic ACL rule. The following ACL policy file entry will drop
all ICMP echo-requests:
entry icmp-echo {
    if {
        protocol icmp;
        icmp-type echo-request;
    } then {
        deny;
    }
}
To create the equivalent dynamic ACL rule, use the following command:
create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"
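Notice that the conditions parameter is a quoted string that corresponds to the match conditions in the
if { ... } portion of the ACL policy file entry. The individual match conditions are concatenated into
a single string. The actions parameter corresponds to the then { ... } portion of the ACL policy file
entry.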
From the command line, you can get a list of match conditions and actions by using the following
command:
check policy attribute {<attr>}
Limitations. Dynamic ACL rule names must be unique, but can be the same as used in a policy-file
based ACL. Any dynamic rule counter names must be unique. Dynamic ACLs only apply to ACLs and
do not apply to CLEAR-Flow rules.
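The policy-entry-to-CLI mapping described above, as an added Python example (not taken from the ExtremeWare XOS guide): it parses entries of the form shown on this page, emits the equivalent create access-list command, and rejects duplicate rule names per the limitation above. The function names are hypothetical, and joining multiple actions with ";" in the same way as conditions is an assumption.

```python
import re

# Matches one policy-file entry of the form shown on this page:
#   entry <name> { if { <cond>; ... } then { <action>; ... } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[\w-]+)\s*\{\s*"
    r"if\s*\{(?P<conds>[^{}]*)\}\s*"
    r"then\s*\{(?P<acts>[^{}]*)\}\s*\}",
    re.S,
)

def _join(block):
    """Collapse 'a b;\\n c d;' into 'a b;c d' (one ';'-separated string)."""
    parts = [" ".join(p.split()) for p in block.split(";")]
    return ";".join(p for p in parts if p)

def to_dynamic_acl(policy_text):
    """Return one 'create access-list' command per policy-file entry."""
    commands, seen = [], set()
    for m in ENTRY_RE.finditer(policy_text):
        name = m.group("name")
        if name in seen:
            # Page limitation: dynamic ACL rule names must be unique.
            raise ValueError(f"duplicate dynamic ACL rule name: {name}")
        seen.add(name)
        conds, acts = _join(m.group("conds")), _join(m.group("acts"))
        if not acts:
            raise ValueError(f"entry {name} has no action")
        if '"' in conds or '"' in acts:
            # Both parameters are passed as quoted strings on the CLI.
            raise ValueError(f"entry {name}: embedded quote not supported")
        # Assumption: actions are joined with ';' the same way as conditions.
        commands.append(f'create access-list {name} "{conds}" "{acts}"')
    if not commands:
        raise ValueError("no policy entry found")
    return commands

# Constructed sample input: the icmp-echo entry from this page.
SAMPLE = """
entry icmp-echo {
    if {
        protocol icmp;
        icmp-type echo-request;
    } then {
        deny;
    }
}
"""

if __name__ == "__main__":
    print("\n".join(to_dynamic_acl(SAMPLE)))
```
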
Configuring the ACL Rule on the Interface
Once a dynamic ACL rule has been created, it can be applied to a port, VLAN, or to the wildcard any
interface. When the ACL is applied, you will specify the precedence of the rule among the dynamic
ACL rules. Use the following command to configure the dynamic ACL rule on an interface:
configure access-list add <dynamic_rule> [after <rule> | before <rule> | first | last] [any | ports <portlist> | vlan <vlanname>] {ingress | egress}
To remove a dynamic ACL from an interface, use the following command:
configure access-list delete <ruleName> [all | any | ports <portlist> | vlan
<vlanname>] {ingress | egress}

ACL Evaluation Precedence

This section discusses the precedence for evaluation among ACL rules.
