Abbreviation | Condition |
---|---|
Ingress |
|
DIP |
destination address <prefix> (IPv4 addresses only) |
DIPv6/128 |
destination address <prefix> (IPv6 address with a prefix length longer than 64) |
DIPv6/64 |
destination address <prefix> (IPv6 address with a prefix length up to 64) |
DSCP |
dscp <number> |
Etype |
ethernet-type <number> |
First Fragment |
first ip fragment |
FL |
IPv6 Flow Label |
Fragments |
fragments |
IP-Proto |
protocol <number> |
L4DP |
destination-port <number> (a single port) |
L4-Range |
A Layer 4 port range. For example, if you specify “protocol UDP” and “port 200 - 1200” in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges. Also, you can have a source port range, or a destination port range, but not both kinds of ranges together in the same entry. |
L4SP |
source-port <number> (a single port) |
MACDA |
ethernet-destination-address <mac-address> <mask> |
MACSA |
ethernet-source-address <mac-address> |
NH |
IPv6 Next Header field. Use protocol <number> to match. See IP-Proto |
OVID |
This is not a match condition used in ACLs, but is used when an ACL is applied to VLANs. An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. VLAN IDs are outer VLAN IDs unless specified as inner VLAN IDs. |
packet-type |
This selector is used internally and not accessible by users through explicit ACLs. |
Port-list |
This is not a match condition used in ACLs, but is used when an ACL is applied to ports, or to all ports (the wildcard ACL). An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. |
SIP |
source address <prefix> (IPv4 addresses only) |
SIPv6/128 |
source address <prefix> (IPv6 address with a prefix length longer than 64) |
SIPv6/64 |
source address <prefix> (IPv6 address with a prefix length up to 64) |
TC |
IPv6 Traffic Class field. Use dscp <number> |
TCP-Flags |
TCP-flags <bitfield> |
TPID |
802.1Q Tag Protocol Identifier |
TTL |
Time-to-live |
UDF |
User-defined field. This selector is used internally and not accessible by users through explicit ACLs. |
VID-inner |
Inner VLAN ID |
VRF |
Virtual router and forwarding instance |
Egress |
|
DestIPv6 |
destination-address <ipv6> |
DIP |
destination-address |
Etype |
ethernet-type |
IP-Proto |
protocol |
L4DP |
destination-port. Support only single L4 ports and not port ranges. |
L4SP |
source-port. Support only single L4 ports and not port ranges. |
MACDA |
ethernet-destination-address |
MACSA |
ethernet-source-address |
NH |
IPv6 Next Header field. |
SIP |
source-address |
SIPv6 |
source-address <ipv6> |
TC |
IPv6 Traffic Class field. |
Tcp-Flags |
tcp-flags |
TOS |
ip-tos or diffserv-codepoint |
VlanId |
vlan-id |
The following table lists all the combinations of match conditions that are available. Any number of match conditions in a single row for a particular field may be matched. For example if Field 1 has row 1 (Port-list) selected, Field 2 has row 8 (MACDA, MACSA, Etype, OVID) selected, and Field 3 has row 7 (Dst-Port) selected, any combination of Port-list, MACDA, MACSA, Etype, OVID, and Dst-Port may be used as match conditions.
If an ACL requires the use of field selectors from two different rows, it must be implemented on two different slices.
Fixed Field | Field 1 | Field 2 | Field 3 |
---|---|---|---|
Port-list |
OVID, VID-inner |
DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IPFlag, TCP-Flag |
OVID |
Etype, OVID |
DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IpInfo(First-Fragment, Fragments) TCP-Flag |
OVID, IpInfo(First-Fragment, Fragments) |
|
VID-inner |
DIPv6/128 |
OVID, VID-inner |
|
IpInfo(First-Fragment, Fragments), OVID |
SIPv6/128 |
OVID, Etype |
|
OVID |
DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag |
VID-Inner |
|
IP-Proto, DSCP |
MACDA, MACSA, OVID, Etype |
L4-Range |
|
"User Defined Field” 1 |
MACSA, OVID, Etype, SIP |
FL |
|
MACDA, OVID, Etype, DIP, IP-Proto |
UDF1[95..64] |
||
"User Defined Field” 1 |
|||
"User Defined Field” 2 |
|||
DIPv6/64, SIPv6/64 |