| Abbreviation | Condition |
|---|---|
| Ingress | |
| DIP | destination address <prefix> (IPv4 addresses only) |
| DIPv6/128 | destination address <prefix> (IPv6 address with a prefix length longer than 64) |
| DIPv6/64 | destination address <prefix> (IPv6 address with a prefix length up to 64) |
| DSCP | dscp <number> |
| Etype | ethernet-type <number> |
| First Fragment | first ip fragment |
| FL | IPv6 Flow Label |
| Fragments | fragments |
| IP-Proto | protocol <number> |
| L4DP | destination-port <number> (a single port) |
| L4-Range | A Layer 4 port range. For example, if you specify "protocol UDP" and "port 200 - 1200" in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges. Also, you can have a source port range, or a destination port range, but not both kinds of ranges together in the same entry. |
| L4SP | source-port <number> (a single port) |
| MACDA | ethernet-destination-address <mac-address> <mask> |
| MACSA | ethernet-source-address <mac-address> |
| NH | IPv6 Next Header field. Use protocol <number> to match. See IP-Proto. |
| OVID | This is not a match condition used in ACLs, but is used when an ACL is applied to VLANs. An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. VLAN IDs are outer VLAN IDs unless specified as inner VLAN IDs. |
| packet-type | This selector is used internally and not accessible by users through explicit ACLs. |
| Port-list | This is not a match condition used in ACLs, but is used when an ACL is applied to ports, or to all ports (the wildcard ACL). An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. |
| SIP | source address <prefix> (IPv4 addresses only) |
| SIPv6/128 | source address <prefix> (IPv6 address with a prefix length longer than 64) |
| SIPv6/64 | source address <prefix> (IPv6 address with a prefix length up to 64) |
| TC | IPv6 Traffic Class field. Use dscp <number>. |
| TCP-Flags | TCP-flags <bitfield> |
| TPID | 802.1Q Tag Protocol Identifier |
| TTL | Time-to-live |
| UDF | User-defined field. This selector is used internally and not accessible by users through explicit ACLs. |
| VID-inner | Inner VLAN ID |
| VRF | Virtual router and forwarding instance |
| Egress | |
| DestIPv6 | destination-address <ipv6> |
| DIP | destination-address |
| Etype | ethernet-type |
| IP-Proto | protocol |
| L4DP | destination-port. Supports only single L4 ports, not port ranges. |
| L4SP | source-port. Supports only single L4 ports, not port ranges. |
| MACDA | ethernet-destination-address |
| MACSA | ethernet-source-address |
| NH | IPv6 Next Header field. |
| SIP | source-address |
| SIPv6 | source-address <ipv6> |
| TC | IPv6 Traffic Class field. |
| Tcp-Flags | tcp-flags |
| TOS | ip-tos or diffserv-codepoint |
| VlanId | vlan-id |

The following table lists all the combinations of match conditions that are available. Any number of match conditions in a single row for a particular field may be matched. For example, if Field 1 has row 1 (Port-list) selected, Field 2 has row 8 (MACDA, MACSA, Etype, OVID) selected, and Field 3 has row 7 (Dst-Port) selected, any combination of Port-list, MACDA, MACSA, Etype, OVID, and Dst-Port may be used as match conditions.

If an ACL requires the use of field selectors from two different rows, it must be implemented on two different slices.


| Fixed Field | Field 1 | Field 2 | Field 3 |
|---|---|---|---|
| Port-list | OVID, VID-inner | DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IPFlag, TCP-Flag | OVID |
| | Etype, OVID | DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IpInfo(First-Fragment, Fragments), TCP-Flag | OVID, IpInfo(First-Fragment, Fragments) |
| | VID-inner | DIPv6/128 | OVID, VID-inner |
| | IpInfo(First-Fragment, Fragments), OVID | SIPv6/128 | OVID, Etype |
| | OVID | DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag | VID-Inner |
| | IP-Proto, DSCP | MACDA, MACSA, OVID, Etype | L4-Range |
| | "User Defined Field" 1 | MACSA, OVID, Etype, SIP | FL |
| | | MACDA, OVID, Etype, DIP, IP-Proto | UDF1[95..64] |
| | | "User Defined Field" 1 | |
| | | "User Defined Field" 2 | |
| | | DIPv6/64, SIPv6/64 | |
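
The single-slice rule above can be checked mechanically when planning ACLs. The following Python code is an added example, not part of the vendor documentation: it transcribes the Field 1/2/3 rows of the table and reports whether a set of match conditions fits in one row per field. The function names are illustrative, and it assumes that the rows with fewer cells belong to Field 2, with UDF1[95..64] in Field 3.

```python
from itertools import product

# Rows transcribed from the Field 1/2/3 table above. "IpInfo" stands for
# IpInfo(First-Fragment, Fragments); UDF1/UDF2 for "User Defined Field" 1/2.
# Assumption: rows with fewer cells belong to Field 2 (UDF1[95..64] to Field 3).
FIXED = {"Port-list"}
FIELD1 = [
    {"OVID", "VID-inner"},
    {"Etype", "OVID"},
    {"VID-inner"},
    {"IpInfo", "OVID"},
    {"OVID"},
    {"IP-Proto", "DSCP"},
    {"UDF1"},
]
FIELD2 = [
    {"DIP", "SIP", "IP-Proto", "L4DP", "L4SP", "DSCP", "IPFlag", "TCP-Flag"},
    {"DIP", "SIP", "IP-Proto", "L4DP", "L4SP", "DSCP", "IpInfo", "TCP-Flag"},
    {"DIPv6/128"},
    {"SIPv6/128"},
    {"DIPv6/64", "IP-Proto", "DSCP", "FL", "TCP-Flag"},
    {"MACDA", "MACSA", "OVID", "Etype"},
    {"MACSA", "OVID", "Etype", "SIP"},
    {"MACDA", "OVID", "Etype", "DIP", "IP-Proto"},
    {"UDF1"},
    {"UDF2"},
    {"DIPv6/64", "SIPv6/64"},
]
FIELD3 = [
    {"OVID"}, {"OVID", "IpInfo"}, {"OVID", "VID-inner"}, {"OVID", "Etype"},
    {"VID-inner"}, {"L4-Range"}, {"FL"}, {"UDF1[95..64]"},
]

def slice_selection(needed):
    """Return 1-based (field1_row, field2_row, field3_row) covering `needed`,
    or None if no single row per field does (the ACL then needs two slices)."""
    needed = set(needed) - FIXED  # the fixed field is always available
    fields = (FIELD1, FIELD2, FIELD3)
    for (i, r1), (j, r2), (k, r3) in product(*(enumerate(f, 1) for f in fields)):
        if needed <= r1 | r2 | r3:
            return (i, j, k)
    return None

def rules_share_slice(*rules):
    """Rules fit one slice only if a single row choice covers all of them."""
    return slice_selection(set().union(*rules)) is not None
```

With this transcription, an entry matching both SIPv6/128 and DIPv6/128 returns `None`, because the two selectors sit in different Field 2 rows.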