You can specify multiple, single, or zero match conditions. If you do not specify a match condition, all packets match the rule entry. Commonly used match conditions are:
ethernet-destination-address [mac-address | pre-defined-mac] mask—Ethernet destination address and mask
ethernet-type value {mask value}—Ethernet type, accepts an optional mask.
source-address prefix—IP source address and mask
destination-address prefix—IP destination address and mask
destination-physical-port—supported in ingress
destination-port value {mask value}—IP destination port, accepts optional mask
source-port [value {mask value} | range]—TCP or UDP source port with optional mask or TCP or UDP source port range
destination-port [port {mask value} | range]—TCP or UDP destination port with optional mask or TCP or UDP destination port range
ttl value {mask value}—condition with optional mask that matches IPv4 Time-To-Live and IPv6 Hop Limit.
ip-tos value {mask value}—this condition accepts optional masks
vlan-format—matches packets based on their VLAN format. Can be one of the following values:
untagged—all untagged packets
single-tagged—all packets with only a single tag
double-tagged—all packets with a double tag
outer-tagged—all packets with at least one tag; for example, single tag or double tag
Note
ACL rules using the vlan-format match condition can only be applied to a physical port binding point. Applying such a rule to the any or vlan binding point returns the following error:
To apply a vlan-format rule to the any or vlan binding point, add a source-physical-port qualifier to the same policy entry:
entry one {
    if {
        vlan-format outer-tagged;
        source-physical-port 2;
    } then {
        count c1;
    }
}
fragments—matches any fragment of a fragmented packet, including the first fragment
first-fragments—matches only the first fragment of a fragmented packet.
l4-match value offset offset mask mask value—generic bit-matching pattern that starts at the Layer 4 header and matches chunks of 32 bits, each fully bit-maskable with a unique offset. Unlike other match conditions, this criterion can appear up to four times in a single rule, combined as a logical AND, to match up to four separate 32-bit chunks. The matching data must be within the first 128 bytes of the packet. This match criterion is intended for advanced users only.
value—32-bit value
offset—number of bytes from the start of the Layer 4 header (for example, TCP header)
mask—32-bit mask value applied to value for matching. Mask is optional. The default is 0xffffffff.
Note
On ExtremeSwitching X440-G2 series switches, l4-match cannot be combined with other Layer 3 match criteria, such as source-address.
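A model of the l4-match semantics described above, added here as a Python example (it is not ExtremeXOS code or policy syntax). It assumes each chunk is read as a big-endian 32-bit word and compared as (word & mask) == (value & mask); the function names, the sample packet and the sample chunks are constructed for illustration.

```python
import struct

MAX_DEPTH = 128           # matching data must lie in the first 128 bytes of the packet
MAX_CHUNKS = 4            # l4-match may appear up to four times in one rule
DEFAULT_MASK = 0xFFFFFFFF  # mask is optional and defaults to all ones

def l4_match(packet, l4_start, chunks):
    """Return True if every (value, offset[, mask]) chunk matches (logical AND).

    Assumed model, not vendor code: each chunk is a big-endian 32-bit word read
    `offset` bytes after the Layer 4 header starts, compared under the mask.
    """
    if not 1 <= len(chunks) <= MAX_CHUNKS:
        raise ValueError("a rule takes one to four l4-match chunks")
    for chunk in chunks:
        value, offset = chunk[0], chunk[1]
        mask = chunk[2] if len(chunk) > 2 else DEFAULT_MASK
        start = l4_start + offset
        end = start + 4
        if end > MAX_DEPTH or end > len(packet):
            return False  # data outside the matchable window never matches
        (word,) = struct.unpack_from("!I", packet, start)
        if (word & mask) != (value & mask):
            return False
    return True

def build_tcp_packet(sport, dport, flags):
    """Constructed sample: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP header."""
    eth = bytes(12) + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0])
    ip += bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

L4_START = 34  # Ethernet (14) + IPv4 header without options (20)

# Offset 0 holds source port | destination port; the mask keeps the low 16 bits.
DPORT_443 = (0x000001BB, 0, 0x0000FFFF)
# Offset 12 holds data offset, flags, window; the flags byte is bits 16-23.
# The mask covers SYN (0x02) and ACK (0x10); the value wants SYN set, ACK clear.
SYN_ONLY = (0x00020000, 12, 0x00120000)

SYN_TO_443 = [DPORT_443, SYN_ONLY]
```

Because the mask selects individual bits inside the 32-bit word, one chunk can test a flag combination while ignoring the data offset and window fields that share the same word.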