Specifications
IP Access Control Lists
ExtremeWare XOS 11.0 Concepts Guide 149
When the policy is refreshed, the new policy file is read, processed, and stored in the server database. Any clients that use the policy will also be updated. Use the following command to refresh the policy:
refresh policy <policy-name>
In the case of ACLs, during the time that an ACL policy is refreshed, packets on the interface are blackholed. This is to protect the switch during the short time that the policy is being applied. To control the behavior of the switch during an ACL refresh, use the following commands:
enable access-list refresh blackhole
disable access-list refresh blackhole
ACL File Syntax
The ACL file contains one or more rule entries. Each rule entry consists of:
• a rule entry name, unique within the same ACL.
• zero or more match conditions. If no match condition is specified, all packets are matched.
• zero or one action. If no action is specified, the packet is permitted by default.
• zero or more action modifiers.
Each rule entry in the file uses the following syntax:
entry <entry-name> {
    if {
        <match-conditions>;
    } then {
        <action>;
        <action-modifiers>;
    }
}
Here is an example of a rule entry:
entry udpacl {
    if {
        source-address 10.203.134.0/24;
        destination-address 140.158.18.16/32;
        protocol udp;
        source-port 190;
        destination-port 1200-1400;
    } then {
        permit;
    }
}
ACL rule entries are evaluated in order, from the beginning of the file to the end, as follows:
• If the packet matches all the match conditions, the action in the then statement is taken and the evaluation process terminates.
• If a rule entry does not contain any match condition, the packet is considered to match and the action in the rule entry’s then statement is taken and the evaluation process terminates.
• If the packet matches all the match conditions, and if there is no action specified in the then statement, the action permit is taken by default.
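The following is an added example, not code from the guide or from Extreme Networks: a small Python parser for the rule-entry syntax above, plus a first-match evaluator that applies the three evaluation rules to constructed packets. The policy text, the packet dictionaries and the dict field names (src, dst, proto, sport, dport) are constructed for this illustration; the handling of action modifiers (stored but not interpreted) and the outcome when no entry matches (reported as no decision, since the guide does not state it here) are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample policy (not from the guide). Three entries exercise the
# evaluation rules: a full match, a "then" block with no action (permit by
# default), and an entry with no match conditions (matches everything).
SAMPLE_POLICY = """
entry udpacl {
    if {
        source-address 10.203.134.0/24;
        destination-address 140.158.18.16/32;
        protocol udp;
        source-port 190;
        destination-port 1200-1400;
    } then {
        permit;
    }
}
entry sshnoaction {
    if {
        protocol tcp;
        destination-port 22;
    } then {
    }
}
entry catchall {
    if {
    } then {
        deny;
    }
}
"""

# entry <name> { if { ... } then { ... } }   (braces inside blocks are not expected)
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[^\s{]+)\s*\{\s*if\s*\{(?P<conds>.*?)\}\s*then\s*\{(?P<actions>.*?)\}\s*\}",
    re.DOTALL,
)


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]          # keyword -> raw value, e.g. "destination-port" -> "1200-1400"
    action: Optional[str]               # "permit", "deny", or None (guide: permit by default)
    modifiers: List[str] = field(default_factory=list)  # assumption: kept verbatim, not interpreted


def _statements(block: str) -> List[str]:
    return [s.strip() for s in block.split(";") if s.strip()]


def parse_policy(text: str) -> List[Rule]:
    rules: List[Rule] = []
    seen = set()
    for m in ENTRY_RE.finditer(text):
        name = m.group("name")
        if name in seen:  # entry names must be unique within one ACL
            raise ValueError(f"duplicate entry name: {name}")
        seen.add(name)
        conditions = {}
        for stmt in _statements(m.group("conds")):
            keyword, _, value = stmt.partition(" ")
            conditions[keyword] = value.strip()
        action, modifiers = None, []
        for stmt in _statements(m.group("actions")):
            if stmt in ("permit", "deny"):
                action = stmt
            else:
                modifiers.append(stmt)
        rules.append(Rule(name, conditions, action, modifiers))
    return rules


def _port_matches(spec: str, port: int) -> bool:
    # "190" or "1200-1400"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _condition_matches(keyword: str, value: str, pkt: dict) -> bool:
    if keyword == "source-address":
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(value, strict=False)
    if keyword == "destination-address":
        return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(value, strict=False)
    if keyword == "protocol":
        return pkt["proto"].lower() == value.lower()
    if keyword == "source-port":
        return _port_matches(value, pkt["sport"])
    if keyword == "destination-port":
        return _port_matches(value, pkt["dport"])
    raise ValueError(f"unsupported match condition: {keyword}")


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[Optional[str], Optional[str]]:
    """First-match evaluation in file order; returns (action, entry name).

    An entry with no conditions matches every packet; a matching entry with
    no action yields "permit". (None, None) means no entry matched, which the
    guide does not define here (assumption: report it rather than decide)."""
    for rule in rules:
        if all(_condition_matches(k, v, pkt) for k, v in rule.conditions.items()):
            return (rule.action or "permit", rule.name)
    return (None, None)


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    pkt = {"src": "10.203.134.7", "dst": "140.158.18.16", "proto": "udp", "sport": 190, "dport": 1300}
    print(evaluate(rules, pkt))
```

Running the block prints ('permit', 'udpacl'). Changing the source port to 191 in the same packet makes it fall past udpacl and sshnoaction to the unconditional catchall entry, which denies it; a TCP packet to port 22 hits sshnoaction and is permitted even though that entry names no action.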