Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User's Manual

Chapter 13. ACLs | 313 | NETGEAR 8800 User Manual
Dynamic ACLs
Dynamic ACLs are created using the CLI. They use a similar syntax and can accomplish the 
same actions as single rule entries used in ACL policy files. More than one dynamic ACL can 
be applied to an interface, and the precedence among the dynamic ACLs can be configured. 
By default, the priority among dynamic ACLs is established by the order in which they are 
configured. 
Note: Dynamic ACLs have a higher precedence than ACLs applied using a policy file.
The steps involved in using a dynamic ACL on an interface are:
Creating the Dynamic ACL Rule
Creating a dynamic ACL rule is similar to creating an ACL policy file rule entry. You specify 
the name of the dynamic ACL rule, the match conditions, and the actions and 
action-modifiers. You can configure a dynamic ACL to be persistent or non-persistent across 
system reboots. The match conditions, actions, and action-modifiers are the same as those 
that are available for ACL policy files (see 
on page 300). In contrast to the 
ACL policy file entries, dynamic ACLs are created directly in the CLI. Use the following 
command to create a dynamic ACL:
create access-list <dynamic-rule> <conditions> <actions> {non-permanent}
As an example of creating a dynamic ACL rule, compare an ACL policy file entry with the CLI 
command that creates the equivalent dynamic ACL rule. The following ACL policy file entry 
will drop all ICMP echo-requests:
entry icmp-echo {
   if {
      protocol icmp;
      icmp-type echo-request;
   } then {
      deny;
   }
}
To create the equivalent dynamic ACL rule, use the following command:
create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"
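The policy-file-to-CLI mapping above can be applied mechanically. The following Python converter is an added example, not part of the NETGEAR manual: it turns policy-file entries into the equivalent create access-list commands and refuses input it cannot fully parse, so no rule is lost in translation. It assumes only the entry form shown on this page (one if block, one then block); the function names are hypothetical.

```python
import re

# Entry form shown on this page:
#   entry <name> { if { <cond>; ... } then { <action>; ... } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[\w.-]+)\s*\{\s*"
    r"if\s*\{(?P<conds>[^{}]*)\}\s*"
    r"then\s*\{(?P<acts>[^{}]*)\}\s*\}",
    re.S,
)

def _clauses(block):
    """Split a ';'-separated block into whitespace-normalised clauses."""
    return [" ".join(c.split()) for c in block.split(";") if c.strip()]

def policy_to_dynamic_acl(policy_text, non_permanent=False):
    """Return one 'create access-list' command per policy entry.

    Raises ValueError if any text is not a recognised entry, so a rule
    is never silently dropped during conversion.
    """
    commands = []
    leftover = ENTRY_RE.sub("", policy_text)
    if leftover.strip():
        raise ValueError(f"unparsed policy text: {leftover.strip()[:40]!r}")
    for m in ENTRY_RE.finditer(policy_text):
        cmd = 'create access-list {} "{}" "{}"'.format(
            m["name"],
            ";".join(_clauses(m["conds"])),
            ";".join(_clauses(m["acts"])),
        )
        if non_permanent:  # the {non-permanent} option from the syntax line
            cmd += " non-permanent"
        commands.append(cmd)
    return commands

# Constructed sample: the icmp-echo entry from this page.
SAMPLE = """
entry icmp-echo {
   if {
      protocol icmp;
      icmp-type echo-request;
   } then {
      deny;
   }
}
"""

if __name__ == "__main__":
    print("\n".join(policy_to_dynamic_acl(SAMPLE)))
```

Because dynamic ACLs take precedence over ACLs applied from a policy file, review the generated commands against the existing policy before applying them to an interface.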