Match Conditions
You can specify multiple, single, or zero match conditions. If you do not
specify a match condition, all packets match the rule entry. Commonly used match
conditions are:
- ethernet-source-address mac-address mask—Ethernet source address
- ethernet-destination-address mac-address mask—Ethernet destination address and mask
- ethernet-type value {mask value}—Ethernet type, accepts an optional mask.
- source-address prefix—IP source address and mask
- destination-address prefix—IP destination address and mask
- destination-port value {mask value}—IP destination port, accepts optional mask
- source-port [value {mask value}|range]—TCP or UDP source port with optional mask or TCP or UDP source port range
- destination-port [port {mask value}|range]—TCP or UDP destination port with optional mask or TCP or UDP destination port range
- ttl value {mask value}—condition with optional mask that matches IPv4 Time-To-Live and IPv6 Hop Limit.
- ip-tos value {mask value}—this condition accepts optional masks
- vlan-format—matches packets based on their VLAN format. Can be one of the following values:
  - untagged—all untagged packets
  - single-tagged—all packets with only a single tag
  - double-tagged—all packets with a double tag
  - outer-tagged—all packets with at least one tag; for example, single tag or double tag
- fragments—matches any fragment of a fragmented packet, including the first fragment
- first-fragments—matches only the first fragment of a fragmented packet.
ACL Match Conditions describes all the possible match
conditions.
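The matching behaviour listed above, modelled as an added example (not vendor code), so a rule can be checked against sample packets before it is deployed. It assumes that all conditions in one entry must hold and that a mask selects the bits to compare; the packet field names, function names and sample packets are constructed for illustration.

```python
import ipaddress

def masked_eq(actual, value, mask=None):
    # "value {mask value}": with a mask, compare only the bits set in it (assumed).
    return actual == value if mask is None else (actual & mask) == (value & mask)

def port_ok(actual, spec):
    # spec is a range (port range) or a (value[, mask]) tuple.
    return actual in spec if isinstance(spec, range) else masked_eq(actual, *spec)

def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def vlan_ok(tags, fmt):
    # outer-tagged covers both single- and double-tagged packets.
    return {"untagged": tags == 0, "single-tagged": tags == 1,
            "double-tagged": tags == 2, "outer-tagged": tags >= 1}[fmt]

# Hypothetical packet fields: src, dst, sport, dport, ttl, tags, mf, frag_off.
CHECKS = {
    "source-address":      lambda p, v: in_prefix(p["src"], v),
    "destination-address": lambda p, v: in_prefix(p["dst"], v),
    "source-port":         lambda p, v: port_ok(p["sport"], v),
    "destination-port":    lambda p, v: port_ok(p["dport"], v),
    "ttl":                 lambda p, v: masked_eq(p["ttl"], *v),
    "vlan-format":         lambda p, v: vlan_ok(p["tags"], v),
    # fragments: any fragment, first one included.
    "fragments":           lambda p, v: p["mf"] or p["frag_off"] > 0,
    # first-fragments: offset 0 with more fragments to follow.
    "first-fragments":     lambda p, v: p["mf"] and p["frag_off"] == 0,
}

def entry_matches(conditions, pkt):
    # Assumed: every listed condition must hold. An empty set matches all packets.
    return all(CHECKS[name](pkt, arg) for name, arg in conditions.items())

# Constructed sample packets.
FIRST = dict(src="10.1.2.3", dst="192.0.2.10", sport=40000, dport=443,
             ttl=64, tags=1, mf=True, frag_off=0)
LATER = dict(FIRST, frag_off=185)           # later fragment of the same datagram
WHOLE = dict(FIRST, mf=False, tags=0)       # unfragmented, untagged

RULE = {"source-address": "10.1.0.0/16", "destination-port": range(400, 501),
        "vlan-format": "outer-tagged", "first-fragments": None}

if __name__ == "__main__":
    for name, pkt in (("FIRST", FIRST), ("LATER", LATER), ("WHOLE", WHOLE)):
        print(name, entry_matches(RULE, pkt), entry_matches({}, pkt))
```

An entry that uses first-fragments does not match later fragments of the same datagram, so a policy that must also cover those needs an entry with the fragments condition.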