ACL Rule Syntax Details

The following table lists the match conditions that can be used with ACLs, and whether the condition can be used for ingress ACLs only, or with both ingress and egress. The conditions are not case-sensitive; for example, the match condition listed in the table as TCP-flags can also be written as tcp-flags. Within the following table are five different data types used in matching packets. The first table below lists general match conditions that apply to all traffic, unless otherwise noted. The second table lists the data types and details on using them.

Click to expand in new window

ACL Match Conditions

Match Conditions Description Applicable IP Protocols/ Direction
ethernet-type number

Ethernet packet type. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ETHER-P-IP (0x0800), ETHER-P-8021Q (0x8100), ETHER-P-IPV6 (0x86DD)1.

Ethernet/Ingress and Egress

ethernet-source-address mac-address

Ethernet source MAC address

Ethernet/Ingress and Egress

ethernet-source-address mac-address mask mask

or

ethernet-source-address mac-address/mask

Ethernet source MAC address and mask. The mask is optional, and is in the same format as the MAC address, for example:

ethernet-source-address 00:01:02:03:01:01 mask ff:ff:ff:ff:00:00

or

ethernet-source-address 00:01:02:03:01:01 / ff:ff:ff:ff:00:00

Only those bits of the MAC address whose corresponding bit in the mask is set to 1 will be used as match criteria. So, the example above will match 00:01:02:03:xx:xx.

If the mask is not supplied then it will be assumed to be ff:ff:ff:ff:ff:ff. In other words, all bits of the MAC address will be used for matching.

Ethernet/Ingress and Egress

ethernet-destination-address mac-address

Ethernet destination MAC address

Ethernet/Ingress and Egress

ethernet-destination-address mac-address mask mask

or

ethernet-source-address mac-address/mask

Ethernet destination MAC address and mask. The mask is optional, and is in the same format as the MAC address, for example:

ethernet-destination-address 00:01:02:03:01:01 mask ff:ff:ff:ff:00:00

or

ethernet-destination-address 00:01:02:03:01:01 / ff:ff:ff:ff:00:00

Only those bits of the MAC address whose corresponding bit in the mask is set to 1 will be used as match criteria. So, the example above will match 00:01:02:03:xx:xx.

If the mask is not supplied then it will be assumed to be ff:ff:ff:ff:ff:ff. In other words, all bits of the MAC address will be used for matching.

Ethernet/Ingress and Egress

source-address prefix

IP source address and mask. Use either all IPv4 or all IPv6 addresses in an ACL.

On BD8K, BDX8 and Summit series switches, using arbitrary mask arguments is supported. Masks are not restricted to be of a subnet type. Examples of arbitrary IPv4 and IPv6 masks include 10.22.3.4 and 1:0:0:ffff:2:4. The 1s in the mask indicate the corresponding bits of the source-address that should be used as part of the match criteria.

All IP/Ingress and Egress

destination-address prefix

IP destination address and mask.

On BD8K, BDX8 and Summit series switches, using arbitrary mask arguments is supported. Masks are not restricted to be of a subnet type. Examples of arbitrary IPv4 and IPv6 masks include 10.22.3.4 and 1:0:0:ffff:2:4. The 1s in the mask indicate the corresponding bits of the destination-address that should be used as part of the match criteria.

All IP/Ingress and Egress

source-port {number|range}

TCP or UDP source port. You must also specify the protocol match condition to determine which protocol is being used on the port, any time you use the this match condition. In place of the numeric value, you can specify one of the text synonyms listed under destination port. If no source-port is specified, the default source-port is “any.”

TCP, UDP/Ingress and Egress

source-port number { mask value } TCP or UDP port and mask. The mask is optional, and it can be decimal value or a hexadecimal value. TCP,UDP/Ingress and Egress

destination-port {number|range}

TCP or UDP destination port. You must also specify the protocol match condition to determine which protocol is being used on the port, any time you use the this match condition. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): afs(1483), bgp(179), biff(512), bootpc(68), bootps(67), cmd(514), cvspserver(2401), DHCP(67), domain(53), eklogin(2105), ekshell(2106), exec(512), finger(79), ftp(21), ftp-data(20), http(80), https(443), ident(113), imap(143), kerberos-sec(88), klogin(543), kpasswd(761), krb-prop(754), krbupdate(760), kshell(544), ldap(389), login(513), mobileip-agent(434), mobileip-mn(435), msdp(639), netbios-dgm(138), netbios-ns(137), netbios-ssn(139), nfsd(2049), nntp(119), ntalk(518), ntp(123), pop3(110), pptp(1723), printer(515), radacct(1813), radius(1812), rip(520), rkinit(2108), smtp(25), snmp(161), snmptrap(162), snpp(444), socks(1080), ssh(22), sunrpc(111), syslog(514), tacacs-ds(65), talk(517), telnet(23), tftp(69), timed(525), who(513), xdmcp(177), zephyr-clt(2103), or zephyr-hm(2104).

TCP, UDP/Ingress and Egress

destination-port number {mask value} TCP or UDP port and mask. The mask is optional, and it can be decimal value or a hexadecimal value. Only those bits of the destination-port whose corresponding bit in the mask is set to 1 will be used as match criteria. TCP,UDP/Ingress and Egress

TCP-flags bitfield

TCP flags. Normally, you specify this match in conjunction with the protocol match statement. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ACK(0x10), FIN(0x01), PUSH(0x08), RST(0x04), SYN(0x02), URG(0x20), SYN_ACK(0x12).

TCP/Ingress and Egress

IGMP-msg-type number

IGMP message type. Possible values and text synonyms: v1-report(0x12), v2-report(0x16), v3-report(0x22), V2-leave (0x17), or query(0x11).

IGMP/Ingress only

ICMP-Type number

ICMP type field. Normally, you specify this match in conjunction with the protocol match statement. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply(0), echo-request(8), info-reply(16), info-request(15), mask-request(17), mask-reply(18), parameter-problem(12), redirect(5), router-advertisement(9), router-solicit(10), source-quench(4), time-exceeded(11), timestamp(13), timestamp-reply(14), or unreachable(3), v6-echo-request(128), v6-echo-reply(129), v6-mld-query(130), v6-mld-report(131), v6-mld-reduction(132), v6-router-soliciation(133), v6-router-advertisement(134), v6-neighbor-solicitation(135), v6-neighbor-advertisement(136), v6-redirect(137), v6-node-info-query(139), v6-node-info-reply(140), v6-unreachable(1), v6-packet-too-big(2), v6-time-exceeded(3), v6-parameter-problem(4), v6-echo-request(128), v6-echo-reply(129), v6-mld-query(130), v6-mld-report(131), v6-mld-reduction(132), v6-router-soliciation(133), v6-router-advertisement(134), v6-neighbor-solicitation(135), v6-neighbor-advertisement(136), v6-redirect(137), v6-node-info-query(139), v6-node-info-reply(140) v6-unreachable(1), v6-packet-too-big(2), v6-time-exceeded(3), v6-parameter-problem(4), v6-echo-request(128), v6-echo-reply(129), v6-mld-query(130), v6-mld-report(131), v6-mld-reduction(132), v6-router-soliciation(133), v6-router-advertisement(134), v6-neighbor-solicitation(135), v6-neighbor-advertisement(136), v6-redirect(137), v6-node-info-query(139), v6-node-info-reply(140).

ICMP/Ingress only

ICMP-Code number

ICMP code field. This value or keyword provides more specific information than the icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify the icmp-type along with the icmp-code (only available in IPv4). In place of the numeric value, you can specify one of the following text synonyms (the field values also listed); the keywords are grouped by the ICMP type with which they are associated:

Parameter-problem:

ip-header-bad(0), required-option-missing(1)

Redirect:

redirect-for-host (1), redirect-for-network (2), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

Time-exceeded:

ttl-eq-zero-during-reassembly(1), ttl-eq-zero-during-transit(0)

Unreachable:

communication-prohibited-by-filtering(13), destination-host-prohibited(10), destination-host-unknown(7), destination-network-prohibited(9), destination-network-unknown(6), fragmentation-needed(4), host-precedence-violation(14), host-unreachable(1), host-unreachable-for-TOS(12), network-unreachable(0), network-unreachable-for-TOS(11), port-unreachable(3), precedence-cutoff-in-effect(15), protocol-unreachable(2), source-host-isolated(8), source-route-failed(5)

IPv4 only/ICMP/Ingress only

source-sap

SSAP is a 1 byte field with possible values 0-255 decimal. The value can be specified in decimal or hexadecimal. The SSAP field can be found at byte offset 15 in 802.3 SNAP and LLC formatted packets. (Available on Summit family switches, SummitStack, and BlackDiamond 8000 c-, e-, xl-, and xm-series modules only.)

Ethernet/Ingress Only

destination-sap

DSAP is a 1 byte field with possible values 0-255 decimal. The value can be specified in decimal or hexadecimal. The DSAP field can be found at byte offset 14 in 802.3 SNAP and LLC formatted packets. (Available on Summit family switches, SummitStack, and BlackDiamond 8000 c-, e-, xl-, and xm-series modules only.)

Ethernet/Ingress Only

snap-type

SNAP type is a 2 byte field with possible values 0-65535 decimal. The value can be specified in decimal or hexadecimal. The SNAP type field can be found a byte offset 20 in 802.3 SNAP formatted packets. (Available on Summit family switches, SummitStack, and BlackDiamond 8000 c-, e-, xl-, and xm-series modules only.)

Ethernet/Ingress Only

ttl number {mask value} Time To Live with mask.The mask is optional, and it can be decimal value or a hexadecimal value.Only those bits of the ttl whose corresponding bit in the mask is set to 1 will be used as match criteria.This can be used to match IPv4 Time-To-Live and IPv6 Hop Limit. All IP/Ingress and Egress.

IP-TOS number

IP TOS field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): minimize-delay 16 (0x10), maximize-reliability 4(0x04), minimize-cost2 (0x02), and normal-service 0(0x00).

All IP/Ingress and Egress

IP-TOS number {mask value} IP-TOS and mask.The mask is optional, and it can be decimal value or a hexadecimal value.Only those bits of the IP-TOS whose corresponding bit in the mask is set to 1 will be used as match criteria. All IP/Ingress and Egress

dscp value

DSCP field. In place of the value, you can specify one of the DSCP numeric values (for example, 8, 16, or 24).

All IP/Ingress and Egress

fragments

BlackDiamond X8 series switches, BlackDiamond 8000 c-, e-, xl-, and xm-series modules, and Summit family switches only—IP fragmented packet including first fragment. FO = 0 (FO = Fragment Offset in IP header)2

All IP, no L4 rules/Ingress only

first-fragment

Matches only first fragmented packet. FO==0.

All IP/Ingress only

protocol number

IP protocol field. For IPv63, this matches the Next Header field in the packet. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): egp(8), gre(47), icmp(1), igmp(2), ipip(4), Ipv6 over ipv4(41), ospf(89), pim(103), rsvp(46), st(5), tcp(6), or udp(17).

All IP/Ingress and Egress

vlan-format format VLAN-format matches packets based on its vlan format. Can be one of the 4 values: untagged - will match all untagged packets single-tagged - will match all packets with only single tag. double-tagged - will match all packets with double tag outer-tagged - will match all packets with at least one tag ex. single tag or double tag. Ethernet/Ingress and Egress

vlan-id number

Matches the VLAN tag number or the VLAN ID which is given to a VLAN when created. The ACL rule can only be applied to ports or any, and not VLANs.

The following restriction applies to all platforms:

The vlan-id match condition matches on the “outer” tag of a VMAN.The vlan-id ACL keyword can be used in egress ACL.

Ethernet/Ingress and Egress

vlan-id number {mask value} VLAN-id and mask.The mask is optional, and it can be decimal value or a hexadecimal value.Only those bits of the Vlan tag Number or vlan id whose corresponding bit in the mask is set to 1 will be used as match criteria. Ethernet/Ingress and Egress

dot1p priority tag

Creates an ACL with 802.1p match conditions, allowing the ACL to take action based on the VLAN tag priority. (Available on all platforms.)

All IP/Ingress

arp-sender-address prefix

and

arp-target-address prefix

Matches the ARP sender protocol address and target protocol address respectively.

prefix => IPv4 address / mask length.

They cannot be combined with an Ethernet-source-address or Ethernet-destination-address in the same rule.

They can be used only when the ACL hardware database is configured to be internal for those platforms that support “external-table” ACL databases. (for example, Summit X480 switches and BlackDiamond 8900 and X8 xl-series modules).

(Available on BlackDiamond X8 series switches, BlackDiamond 8800 switches and Summit family switches only.)

ARP packets/Ingress

cvid Use this match criteria in the following scenarios:

Tagged VMAN ports: installing an ACL matching “cvid” on ingress or egress will match the inner vlan-id of a double tagged packet on a tagged VMAN port.

Untagged VMAN ports: installing an ACL matching “cvid” on ingress or egress will match the single VLAN tag on an untagged VMAN port.

CEP VMAN ports (with or without VPLS): installing an ACL matching “cvid” on ingress or egress will match the single VLAN tag on a CEP VMAN port (without translation).

CEP VMAN ports with cvid translation (with or without translation): installing an ACL matching “cvid” on ingress will match the post-translation cvid. Installing an ACL matching “cvid” on egress will match the post-translation cvid.

Ethernet/Ingress and Egress

class-id

This match condition can be specified on any rule within a policy file or within a list of dynamic access-lists. A rule cannot both match a class-id and specify a class-id as an action. When a “class-id” match criteria is specified, the associated rule will be programmed into the normal “INGRESS stage” access-list hardware resource. The range of valid class-id values varies per platform.

Ingress only.
unknown-l2-unicast Matches the unknown L2 unicast packets Ingress only
unknown-l2-multicast Matches the unknown L2 multicast packets Ingress only
unknown-l3-multicast Matches the unknown L3 multicast packets Ingress only
l2-da-hit Matches the known L2 unicast packets Ingress only
Note

Note

When you use a configured ACL that contains a match condition with any mac-address, IGMP snooping stops working and IGMP joins are flooded to all ports in a VLAN. When you unconfigure the ACL, IGMP joins stop flooding.
Note

Note

An ACL that matches the EAPS ethernet-destination-address (00:e0:2b:00:00:04) or ethernet-source-address (00:e0:2b:00:00:01) match condition with the permit action should not be applied to an EAPS master node on EAPS ring ports. Doing so causes an EAPS PDU loop. For the EAPS master node, you should use the copy-cpu-and-drop action with either of these match conditions. For an EAPS transit node, use the permit action with either of these match conditions. This applies only to BlackDiamond 8000 series modules and Summit switches.
Note

Note

Directed ARP response packets cannot be blocked with ACLs from reaching the CPU and being learned on BlackDiamond X8 series switches, BlackDiamond 8000 c-, e-, xl-, and xm-series modules and the Summit family switches.

Along with the data types described in the following table, you can use the operators <, <=, >, and >= to specify match conditions. For example, the match condition, source-port 190, will match packets with a source port greater than 190. Be sure to use a space before and after an operator.

Click to expand in new window

ACL Match Condition Data Types

Condition Data Type Description
prefix IP source and destination address prefixes. To specify the address prefix, use the notation prefix/prefix-length. For a host address, prefix-length should be set to 32.
number Numeric value, such as TCP or UDP source and destination port number, IP protocol number.
range A range of numeric values. To specify the numeric range, use the notation: number - number
bit-field Used to match specific bits in an IP packet, such as TCP flags and the fragment flag.
mac-address 6-byte hardware address.

1 However, packets using the Ethernet type for VMANs, 0x88a8 by default, are handled by VMAN ACLs.
2 See the section Fragmented packet handlingfor details,
3 See the section IPv6 Traffic with L4 Match Conditionsfor details about specifying a protocol/port match with IPv6.