Compatible and Conflicting Rules

The slices can support a variety of different ACL match conditions, but there are some limitations on how you combine the match conditions in a single slice. A slice is divided up into fields, and each field uses a single selector. A selector is a combination of match conditions or packet conditions that are used together. To show all the possible combinations, the conditions in the following table are abbreviated.

Abbreviations Used in Field Selector Table

Ingress

| Abbreviation | Condition |
| --- | --- |
| DIP | destination address <prefix> (IPv4 addresses only) |
| DIPv6/128 | destination address <prefix> (IPv6 address with a prefix length longer than 64) |
| DIPv6/64 | destination address <prefix> (IPv6 address with a prefix length up to 64) |
| DSCP | dscp <number> |
| Etype | ethernet-type <number> |
| First Fragment | first ip fragment |
| FL | IPv6 Flow Label |
| Fragments | fragments |
| IP-Proto | protocol <number> |
| L4DP | destination-port <number> (a single port) |
| L4-Range | A Layer 4 port range. For example, if you specify “protocol UDP” and “port 200 - 1200” in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges. Also, you can have a source port range, or a destination port range, but not both kinds of ranges together in the same entry. |
| L4SP | source-port <number> (a single port) |
| MACDA | ethernet-destination-address <mac-address> <mask> |
| MACSA | ethernet-source-address <mac-address> |
| NH | IPv6 Next Header field. Use protocol <number> to match. See IP-Proto. |
| OVID | This is not a match condition used in ACLs, but is used when an ACL is applied to VLANs. An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. VLAN IDs are outer VLAN IDs unless specified as inner VLAN IDs. |
| packet-type | This selector is used internally and not accessible by users through explicit ACLs. |
| Port-list | This is not a match condition used in ACLs, but is used when an ACL is applied to ports, or to all ports (the wildcard ACL). An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. |
| SIP | source address <prefix> (IPv4 addresses only) |
| SIPv6/128 | source address <prefix> (IPv6 address with a prefix length longer than 64) |
| SIPv6/64 | source address <prefix> (IPv6 address with a prefix length up to 64) |
| TC | IPv6 Traffic Class field. Use dscp <number>. |
| TCP-Flags | TCP-flags <bitfield> |
| TPID | 802.1Q Tag Protocol Identifier |
| TTL | Time-to-live |
| UDF | User-defined field. This selector is used internally and not accessible by users through explicit ACLs. |
| VID-inner | Inner VLAN ID |
| VRF | Virtual router and forwarding instance |

Egress

| Abbreviation | Condition |
| --- | --- |
| DestIPv6 | destination-address <ipv6> |
| DIP | destination-address |
| Etype | ethernet-type |
| IP-Proto | protocol |
| L4DP | destination-port. Support only single L4 ports and not port ranges. |
| L4SP | source-port. Support only single L4 ports and not port ranges. |
| MACDA | ethernet-destination-address |
| MACSA | ethernet-source-address |
| NH | IPv6 Next Header field. |
| SIP | source-address |
| SIPv6 | source-address <ipv6> |
| TC | IPv6 Traffic Class field. |
| Tcp-Flags | tcp-flags |
| TOS | ip-tos or diffserv-codepoint |
| VlanId | vlan-id |

The following ingress conditions are not supported on egress:
  • fragments
  • first-fragment
  • IGMP-msg-type
  • ICMP-type
  • ICMP-code

The tables that follow list all the combinations of match conditions that are available. The possible choices for different collections of switches and modules are listed in the tables as follows:

  • BlackDiamond 8800 a-series and G48Te2 Modules

  • BlackDiamond 8000 e-Series Modules (Continued)

  • BlackDiamond 8800 c-Series Modules

  • BlackDiamond 8900 10G24X-c Module

  • BlackDiamond 8900 xl-Series and G96Tc Modules and Summit X480 Series Switches

  • BlackDiamond 8900 40G6X-xm Module, BlackDiamond X8 series switches and Summit X460, X460-G20-G2, X460-G2, X670, and X770 Switches

Note

The BlackDiamond X8 and Summit X670 series switches cannot match ICMP/IGMP code and type fields on egress. Matching ICMP/IGMP type requires user-defined fields (UDF). The ingress pipeline has UDF, but the egress pipeline hardware does not, so ICMP/IGMP types cannot be matched on the egress pipeline.

Any number of match conditions in a single row for a particular field may be matched. For example, if Field 1 has row 1 (Port-list) selected, Field 2 has row 8 (MACDA, MACSA, Etype, OVID) selected, and Field 3 has row 7 (Dst-Port) selected, any combination of Port-list, MACDA, MACSA, Etype, OVID, and Dst-Port may be used as match conditions.

If an ACL requires the use of field selectors from two different rows, it must be implemented on two different slices.
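The one-row-per-field rule can be checked mechanically before a policy is applied. The following is an added example, not code from the vendor documentation: `TABLE` is a constructed, partial selector table in which row 0 of each field is the row named in the worked example above, while the second row of each field (and its field placement) is an assumption; the rule names in `RULES` are hypothetical.

```python
from itertools import product

# Constructed, partial selector table. Row 0 of each field is the row named in
# the page's worked example; row 1 and its field placement are assumptions.
TABLE = {
    "Field 1": [{"Port-list"}, {"Etype", "OVID"}],
    "Field 2": [{"MACDA", "MACSA", "Etype", "OVID"},
                {"MACDA", "DIP", "Etype", "OVID"}],
    "Field 3": [{"Dst-Port"}, {"DSCP", "TCP-Flag"}],
}

# Constructed rules: hypothetical name -> match conditions (page abbreviations).
RULES = {
    "l2_filter": {"Port-list", "MACDA", "Etype", "Dst-Port"},
    "src_mac": {"MACSA", "OVID"},
    "dst_ip": {"Port-list", "DIP"},
    "mixed": {"MACSA", "DIP"},  # MACSA and DIP sit in different Field 2 rows
}

def selections(table=TABLE):
    """Yield every slice configuration: exactly one row chosen per field."""
    fields = sorted(table)
    for rows in product(*(range(len(table[f])) for f in fields)):
        yield dict(zip(fields, rows))

def covered(selection, table=TABLE):
    """Union of the match conditions offered by the chosen rows."""
    return set().union(*(table[f][r] for f, r in selection.items()))

def fitting(conditions, table=TABLE):
    """Selections under which all of one rule's conditions fit in one slice."""
    return [s for s in selections(table) if set(conditions) <= covered(s, table)]

def plan_slices(rules, table=TABLE):
    """Greedy grouping: a rule joins the first slice whose selectors cover it,
    otherwise it opens a new slice. Returns (slices, unplaced)."""
    slices, unplaced = [], []
    for name, conds in rules.items():
        for sel, members in slices:
            if set(conds) <= covered(sel, table):
                members.append(name)
                break
        else:
            options = fitting(conds, table)
            if options:
                slices.append((options[0], [name]))
            else:
                unplaced.append(name)  # no single selection covers the rule
    return slices, unplaced

if __name__ == "__main__":
    for sel, members in plan_slices(RULES)[0]:
        print(sel, members)
```

With the constructed input, `l2_filter` and `src_mac` share one slice, `dst_ip` needs a second slice because DIP is only offered by a different Field 2 row, and `mixed` is reported as unplaced because no single selection covers both of its conditions.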

Field Selectors, G48Te2 Series Modules

Field 1 Field 2 Field 3

Port-list

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Flag, IP-Fl

IpInfo(First-Fragment, Fragments)

L4DP, L4SP

DIP, SIP, IP-Proto, L4DP, L4-range, DSCP, TCP-Flag, IP-flag

Port

OVID, VID-inner

DIP, SIP, IP-Proto, L4-range, L4SP, DSCP, TCP-Flag, IP-flag

DSCP, TCP-Flag

Etype, OVID

DIPv6/128

OVID

IpInfo(First-Fragment, Fragments), OVID

SIPv6/128

IP-Proto, DSCP

Port, Dst-Port

DIPv6/64, SIPv6/64

L4-Range

Etype, IP-Proto

DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag

Dst-Port

MACDA, MACSA, Etype, OVID

MACDA, DIP, Etype, OVID

MACSA, SIP, Etype, OVID

“User Defined Field” 1

“User Defined Field” 2

Field Selectors, BlackDiamond 8800 G48Te and G48Pe Modules

Field 1 Field 2 Field 3

Port-list

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Flag, IP-Flag

IpInfo(First-Fragment, Fragments)

L4DP, L4SP

DIP, SIP, IP-Proto, L4DP, L4-range, DSCP, TCP-Flag, IP-flag

Port

OVID, VID-inner

DIP, SIP, IP-Proto, L4-range, L4SP, DSCP, TCP-Flag, IP-flag

DSCP, TCP-Flag

Etype, OVID

DIPv6/128

OVID

Port, Dst-Port

SIPv6/128

Dst-Port

Etype, IP-Proto

DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag

MACDA, MACSA, Etype, OVID

MACDA, DIP, Etype, OVID

MACSA, SIP, Etype, OVID

“User Defined Field” 1

“User Defined Field” 2

Field Selectors, BlackDiamond 8800 c-Series Modules

Field 1 Field 2 Field 3

Port-list

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Flag, IP-Flag

IpInfo(First-Fragment, Fragments)

L4DP, L4SP

DIP, SIP, IP-Proto, L4DP, L4-range, DSCP, TCP-Flag, IP-flag

Port

OVID, VID-inner

DIP, SIP, IP-Proto, L4-range, L4SP, DSCP, TCP-Flag, IP-flag

DSCP, TCP-Flag

Etype, OVID

DIPv6/128

OVID

IpInfo(First-Fragment, Fragments), OVID

SIPv6/128

IP-Proto, DSCP

Port, Dst-Port

DIPv6/64, SIPv6/64

L4-Range

Etype, IP-Proto

DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag

Dst-Port

VRF, OVID

MACDA, MACSA, Etype, OVID

DSCP, VRF, IP-Proto

MACDA, DIP, Etype, OVID

MACSA, SIP, Etype, OVID

“User Defined Field” 1

“User Defined Field” 2

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Flag, IpInfo(First-Fragment, Fragments)

DIP, SIP, IP-Proto, L4DP, L4-range, DSCP, TCP-Flag, IpInfo(First-Fragment, Fragments)

DIP, SIP, IP-Proto, L4-range, L4SP, DSCP, TCP-Flag, IpInfo(First-Fragment, Fragments)

Field Selectors, BlackDiamond 8900 10G24X-c Module

Fixed Field Field 1 Field 2 Field 3

Port-list

L4DP, L4SP

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Flag, IP-Flag

IpInfo(First-Fragment, Fragments)

OVID, VID-inner

DIPv6/128

Port

Etype, OVID

SIPv6/128

DSCP, TCP-Flag

IpInfo(First-Fragment, Fragments), OVID

DIPv6/64, SIPv6/64

OVID

Port, Dst-Port

DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag

IP-Proto, DSCP

Etype, IP-Proto

MACDA, MACSA, Etype, OVID

L4-Range

VRF, OVID

MACDA, DIP, Etype, OVID

Dst-Port

DSCP, VRF, IP-Proto

MACSA, SIP, Etype, OVID

“User Defined Field” 1

“User Defined Field” 2

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Flag, IpInfo(First-Fragment, Fragments)

Field Selectors, BlackDiamond 8900 xl-series and G96Tc Modules and Summit X480 Series Switches

Fixed Field Field 1 Field 2 Field 3

Port-list

DstPort

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Flag, IP-Flag

OVID(12bit)

TPID, OVID, VID-inner

DIP, SIP, IP-Proto, L4SP, L4DP, DSCP, IpInfo(First-Fragment, Fragments), TCP-Flag

DstPort

Etype, OVID

SIPv6/128

OVID

InnerTPID, VID-inner

DIPv6/128

OVID, VID-inner

OVID

DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag

Etype, OVID

DSCP, IP-Proto

MACDA, MACSA, Etype, OVID

VID-inner

MACSA, SIP, Etype, OVID

InnerTPID, OuterTPID

MACDA, DIP, Etype, OVID

“User Defined Field”

SIPV6/64, DIPV6/64

DIPV6/64

Field Selectors, BlackDiamond 8900 40G6X-xm Module, BlackDiamond X8 Series Switches and Summit X460, X670, and X770 Series Switches

Fixed Field Field 1 Field 2 Field 3

Port-list

OVID, VID-inner

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IPFlag, TCP-Flag

OVID

Etype, OVID

DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IpInfo(First-Fragment, Fragments), TCP-Flag

OVID, IpInfo(First-Fragment, Fragments)

VID-inner

DIPv6/128

OVID, VID-inner

IpInfo(First-Fragment, Fragments), OVID

SIPv6/128

OVID, Etype

OVID

DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag

VID-Inner

IP-Proto, DSCP

MACDA, MACSA, OVID, Etype

L4-Range

“User Defined Field” 1

MACSA, OVID, Etype, SIP

FL

MACDA, OVID, Etype, DIP, IP-Proto

UDF1[95..64]

“User Defined Field” 1

“User Defined Field” 2

DIPv6/64, SIPv6/64

Field Selectors, Summit X440

Fixed Field Field 1 Field 2 Field 3

Ingress Port List

Vlan, EtherType

TTL, TcpControl, IpFlags, TOS, l4DstPort, L4SrcPort, IpProtocol, DstIp, SrcIp

Vlan, EtherType

DstPort, DstMod, DstTrunk, SrcPort, SrcMod, SrcTrunk

TTL, TcpControl, IpFrag, TOS, l4DstPort, L4SrcPort, IpProtocol, DstIp, SrcIp

RangeCheck(l4 ports or vlans)

IpProtocol, TOS, VlanId

SrcIp6

4-byte UDF

DstIp6

TTL, TcpControl, IP6FlowLabel, TOS, IpProtocol, Ip6High

Vlan, EtherType, SrcMac, DstMac

Vlan, EtherType, SrcMac, SrcIp

Vlan, EtherType, TTL, IpProtocol, DstIp, DstMac

16-byte UDF

SrcIp6High, DstIp6High