302 | Chapter 13. ACLs
NETGEAR 8800 User Manual
Matching All Egress Packets
Unlike an ingress ACL, an egress ACL cannot use a rule with no match conditions: you
must specify either a source address or a destination address. (The exceptions are the
BlackDiamond 20800 series switches.)
For example, an ingress ACL deny all rule could be:
    entry DenyAllIngress{
        if {
        } then {
            deny;
        }
    }
The previous rule would not work as an egress ACL, except with BlackDiamond 20800 series
switches. The following is an example of an egress ACL deny all rule:
    entry DenyAllEgress{
        if {
            source-address 0.0.0.0/0;
        } then {
            deny;
        }
    }
Comments and Descriptions in ACL Policy Files
In ACL policy files, there are two types of textual additions that have no effect on the ACL
actions: comments and descriptions. A comment is ignored by the policy manager and
resides only in the policy file. Comments are not saved in the switch configuration and are not
displayed by the "show policy" command. A description is saved in the policy manager and is
displayed when the ACL is displayed.
You can display the ACL using the following two commands:
    show policy {<policy-name> | detail}
    show access-list {any | ports <portlist> | vlan <vlanname>} {ingress | egress}
For example, the following policy, saved in the file denyping.pol, contains both a comment
and a description:
    # this line is a comment
    @description "This line is a description for the denyping.pol"
    entry ping_deny_echo-request {
        if {
            protocol icmp;
            icmp-type echo-request;
        } then {
            deny;
            count pingcount_deny;
        }
    }
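The following added example (not part of the manual or of the switch software) parses policy files written in the syntax shown above, separating comments from the @description line and splitting each entry into its match conditions and actions. It then applies the check from the egress section: an entry whose "if" block names neither a source-address nor a destination-address will not work as an egress ACL. The sample policies are copied from the examples on this page; the helper names are assumptions.

```python
import re

# Matches one entry: name, the 'if { ... }' block and the 'then { ... }' block.
# Hypothetical helper for the policy-file syntax shown in this chapter.
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+?)\s*\{\s*if\s*\{(?P<match>.*?)\}\s*then\s*\{(?P<then>.*?)\}\s*\}",
    re.S,
)

def _statements(block):
    # Statements are ';'-terminated; whitespace and line breaks are not significant.
    return [s.strip() for s in block.split(";") if s.strip()]

def parse_policy(text):
    comments, description, body = [], None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            comments.append(stripped[1:].strip())   # ignored by the policy manager
        elif stripped.startswith("@description"):
            d = re.match(r'@description\s+"(.*)"', stripped)
            description = d.group(1) if d else stripped
        else:
            body.append(line)
    entries = [
        {"name": m.group("name"),
         "match": _statements(m.group("match")),
         "then": _statements(m.group("then"))}
        for m in ENTRY_RE.finditer("\n".join(body))
    ]
    return {"comments": comments, "description": description, "entries": entries}

def egress_unusable_entries(policy):
    # An egress entry must carry a source-address or destination-address condition;
    # an empty 'if {}' matches everything only for ingress ACLs.
    return [
        e["name"] for e in policy["entries"]
        if not any(c.startswith(("source-address", "destination-address"))
                   for c in e["match"])
    ]

# Constructed inputs taken from the examples on this page.
DENY_ALL_INGRESS = "entry DenyAllIngress{\nif {\n} then {\ndeny;\n}\n}\n"
DENY_ALL_EGRESS = ("entry DenyAllEgress{\nif {\nsource-address 0.0.0.0/0;\n"
                   "} then {\ndeny;\n}\n}\n")
DENYPING = ('# this line is a comment\n'
            '@description "This line is a description for the denyping.pol"\n'
            'entry ping_deny_echo-request {\nif {\nprotocol icmp;\n'
            'icmp-type echo-request;\n} then {\ndeny;\ncount pingcount_deny;\n}\n}\n')
```

Running egress_unusable_entries on a policy before applying it with the egress keyword reports the entries that would silently fail to match.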