Operation Manual

Security ACL Commands
15 – 399
Usage
The MX does not apply security ACLs until you activate them with the commit security acl command and map them to a VLAN, port, or virtual port, or to a user. If the MX is reset or restarted, any ACLs in the edit buffer are lost.
You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.
The order of security ACEs in a security ACL is important. Once an ACL is active, a packet is checked against the ACEs in the order in which they appear in the ACL. The first ACE whose criteria the packet matches determines the action, and any ACEs that follow are ignored.
ACEs are listed in the order in which you create them, unless you move them. To position security ACEs within a security ACL, use the before editbuffer-index and modify editbuffer-index keywords.
Examples
The following command adds an ACE to security ACL acl_123 that permits packets from IP address 192.168.1.11/24 (the wildcard mask 0.0.0.255 matches any host in the 192.168.1.0/24 subnet) and counts the hits:
MX# set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits
The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11:
MX# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0
The following command creates acl_125 by defining an ACE that denies TCP packets from source IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and counts the hits:
MX# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0 established hits
The following command adds an ACE to acl_125 that denies TCP packets from source IP address 192.168.1.1 to destination IP address 192.168.1.2, on destination port 80 only, and counts the hits:
MX# set security acl ip acl_125 deny tcp 192.168.1.1 0.0.0.0 192.168.1.2 0.0.0.0 eq 80 hits
Finally, the following command commits the security ACLs in the edit buffer to the configuration:
MX# commit security acl all
configuration accepted
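The following Python model is an added illustration of the first-match rule and wildcard-mask semantics described under Usage; it is not MX code or output from the manual. It rebuilds acl_123 and acl_125 from the examples above, evaluates constructed sample packets against them, and shows how swapping two overlapping ACEs changes the result. Two points are assumptions rather than statements of the manual: the established keyword is modelled as "TCP ACK bit set", and a packet that matches no ACE is reported as "no match" rather than given a default action, because this page does not state what the MX does with unmatched traffic.

```python
"""Model of first-match security ACL evaluation (added example, not MX code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard-mask bit of 1 means 'do not care'.

    0.0.0.0 therefore requires an exact host match and 0.0.0.255 matches
    every host in the base address's /24.
    """
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class ACE:
    action: str                        # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"               # any destination unless narrowed
    dst_wild: str = "255.255.255.255"
    proto: Optional[str] = None        # None = any IP protocol
    dst_port: Optional[int] = None     # the "eq <port>" qualifier
    established: bool = False          # the "established" qualifier
    hits: int = 0                      # the "hits" counter


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None
    ack: bool = False  # assumption: "established" means the TCP ACK bit is set


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """Every qualifier present on the ACE must match the packet."""
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.proto is not None and pkt.proto != ace.proto:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    if ace.established and not pkt.ack:
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Walk the ACEs in order; the first match decides and is counted."""
    for ace in acl:
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "no match"  # assumption: default handling is not stated on this page


def build_acl_123() -> List[ACE]:
    return [
        ACE("permit", "192.168.1.11", "0.0.0.255"),   # permit ... hits
        ACE("deny", "192.168.2.11", "0.0.0.0"),       # deny 192.168.2.11 0.0.0.0
    ]


def build_acl_125() -> List[ACE]:
    return [
        ACE("deny", "192.168.0.1", "0.0.0.0", "192.168.0.2", "0.0.0.0",
            proto="tcp", established=True),
        ACE("deny", "192.168.1.1", "0.0.0.0", "192.168.1.2", "0.0.0.0",
            proto="tcp", dst_port=80),
    ]


def order_demo() -> Tuple[str, str]:
    """Same two ACEs, two orders: a host deny placed after a /24 permit is
    shadowed and never reached, so the host is permitted."""
    pkt = Packet(src="192.168.1.11", dst="10.0.0.1")
    permit_net = lambda: ACE("permit", "192.168.1.0", "0.0.0.255")
    deny_host = lambda: ACE("deny", "192.168.1.11", "0.0.0.0")
    return (evaluate([permit_net(), deny_host()], pkt),
            evaluate([deny_host(), permit_net()], pkt))


if __name__ == "__main__":
    acl = build_acl_125()
    print(evaluate(acl, Packet("192.168.1.1", "192.168.1.2", "tcp", 80)))
    print("hits on second ACE:", acl[1].hits)
    print("permit-then-deny vs deny-then-permit:", order_demo())
```

The order_demo result is the practical lesson of the Usage section: when a narrow deny overlaps a broader permit, it must be positioned before it (with before editbuffer-index or modify editbuffer-index) or it is never evaluated.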
See Also
clear security acl on page 15-391
commit security acl on page 15-394
show security acl on page 15-402