Specifications
IP Access Lists (ACLs)
ExtremeWare XOS 10.1 Concepts Guide 115
        protocol udp;
        source-port 190;
        destination-port 1200-1400;
    } then {
        permit;
    }
}
ACL rule entries are evaluated in order, from the beginning of the file to the end, as follows:
• If the packet matches all the match conditions, the action in the then statement is taken and the evaluation process terminates.
• If a rule entry does not contain any match condition, the packet is considered to match; the action in the rule entry’s then statement is taken and the evaluation process terminates.
• If the packet matches all the match conditions and no action is specified in the then statement, the action permit is taken by default.
• If the packet does not match all the match conditions, the next rule entry in the ACL is evaluated.
• This process continues until either the packet matches all the match conditions in one of the subsequent rule entries or there are no more entries.
• If a packet passes through all the rule entries in the ACL without matching any of them, it is permitted.
Often an ACL will have a rule entry at the end with no match conditions. This entry matches any packet not otherwise processed, so that the user can specify an action to override the default permit action.
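As an added illustration of the evaluation rules above (example code, not from the guide), the following Python parses a small constructed ACL written in the policy-file syntax and applies first-match evaluation: the no-action default permit, the empty-if catch-all entry, and the implicit permit when a packet falls off the end. Entry names and the packet dictionaries are assumptions; only the protocol and port match conditions are implemented.

```python
import re
# Constructed ACL in the policy-file syntax shown above (names are assumed). The last
# entry has an empty "if" block, so it matches everything and replaces the default permit.
ACL_TEXT = """
entry allow_dns     { if { protocol udp; source-port 53; } then { permit; } }
entry web_no_action { if { protocol tcp; destination-port 8000-8080; } then { } }
entry catch_all     { if { } then { deny; } }
"""
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def parse_acl(text):
    """Return [(name, {condition: value}, action or None)] in file order."""
    entries = []
    for name, cond_block, then_block in ENTRY_RE.findall(text):
        # Conditions are case-insensitive (TCP-flags == tcp-flags), so lowercase them.
        conds = dict(c.split(None, 1) for c in map(str.strip, cond_block.lower().split(";")) if c)
        words = [w.strip().lower() for w in then_block.split(";") if w.strip()]
        action = next((w for w in words if w in ("permit", "deny")), None)
        entries.append((name, conds, action))
    return entries

def port_in(spec, port):
    """Match a single port ("190") or an inclusive range ("1200-1400")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Only the three match conditions used in the example above are implemented.
MATCHERS = {
    "protocol": lambda spec, pkt: pkt["protocol"] == spec,
    "source-port": lambda spec, pkt: port_in(spec, pkt["sport"]),
    "destination-port": lambda spec, pkt: port_in(spec, pkt["dport"]),
}

def evaluate(entries, pkt):
    """First-match evaluation. Returns (decision, entry name); the name is None when
    the packet fell through every entry and the implicit permit applied."""
    for name, conds, action in entries:
        # all() over an empty condition set is True: an entry with no match
        # conditions matches every packet.
        if all(MATCHERS[key](spec, pkt) for key, spec in conds.items()):
            return (action or "permit", name)  # no action in "then" -> permit
    return ("permit", None)

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in ({"protocol": "udp", "sport": 53, "dport": 40000},
                {"protocol": "tcp", "sport": 40001, "dport": 8080},
                {"protocol": "tcp", "sport": 40002, "dport": 22}):
        print(pkt, "->", evaluate(acl, pkt))
    # Without the catch-all entry the last packet falls through and is permitted.
    print(evaluate(acl[:-1], {"protocol": "tcp", "sport": 40002, "dport": 22}))
```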
Match Conditions. Multiple, single, or zero match conditions can be specified. If no match condition is specified, all packets match the rule entry. Among the match conditions commonly used are:
• IP source address and mask
• IP destination address and mask
• TCP or UDP source port range
• TCP or UDP destination port range
There are descriptions of all the possible match conditions in Table 21.
Actions. The action is either permit, deny, or no action specified. If no action is specified, the packet is permitted. The deny action drops the packet.
Action Modifier. The action modifier is count. The count action increments the counter named in the action modifier.
Table 21 lists the match conditions that can be used with ACLs. The conditions are case-insensitive; for example, the match condition listed in the table as TCP-flags can also be written as tcp-flags. Within Table 21 are five different data types used in matching packets. Table 22 lists the data types and details on using them.