The slices can support a variety of different ACL (Access Control List) match conditions, but there are some limitations on how you combine the match conditions in a single slice. A slice is divided up into fields, and each field uses a single selector. A selector is a combination of match conditions or packet conditions that are used together. To show all the possible combinations, the conditions in Abbreviations Used in Field Selector Table are abbreviated.
Abbreviations Used in Field Selector Table
| Abbreviation | Condition |
|---|---|
| Ingress | |
| DIP | destination address <prefix> (IPv4 addresses only) |
| DIPv6/128 | destination address <prefix> (IPv6 address with a prefix length longer than 64) |
| DIPv6/64 | destination address <prefix> (IPv6 address with a prefix length up to 64) |
| DSCP | dscp <number> |
| Etype | ethernet-type <number> |
| First Fragment | first ip fragment |
| FL | IPv6 Flow Label |
| Fragments | fragments |
| IP-Proto | protocol <number> |
| L4DP | destination-port <number> (a single port) |
| L4-Range | A Layer 4 port range. For example, if you specify “protocol UDP” and “port 200 - 1200” in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges. Also, you can have a source port range, or a destination port range, but not both kinds of ranges together in the same entry. |
| L4SP | source-port <number> (a single port) |
| MACDA | ethernet-destination-address <mac-address> <mask> |
| MACSA | ethernet-source-address <mac-address> |
| NH | IPv6 Next Header field. Use protocol <number> to match. See IP-Proto |
| OVID | This is not a match condition used in ACLs, but is used when an ACL is applied to VLANs. An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. VLAN IDs are outer VLAN IDs unless specified as inner VLAN IDs. |
| packet-type | This selector is used internally and not accessible by users through explicit ACLs. |
| Port-list | This is not a match condition used in ACLs, but is used when an ACL is applied to ports, or to all ports (the wildcard ACL). An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. |
| SIP | source address <prefix> (IPv4 addresses only) |
| SIPv6/128 | source address <prefix> (IPv6 address with a prefix length longer than 64) |
| SIPv6/64 | source address <prefix> (IPv6 address with a prefix length up to 64) |
| TC | IPv6 Traffic Class field. Use dscp <number> |
| TCP-Flags | TCP-flags <bitfield> |
| TPID | 802.1Q Tag Protocol Identifier |
| TTL | Time-to-live |
| UDF | User-defined field. This selector is used internally and not accessible by users through explicit ACLs. |
| VID-inner | Inner VLAN ID |
| VRF | virtual router and forwarding instance |
| Egress | |
| DestIPv6 | destination-address <ipv6> |
| DIP | destination-address |
| Etype | ethernet-type |
| IP-Proto | protocol |
| L4DP | destination-port. Support only single L4 ports and not port ranges. |
| L4SP | source-port. Support only single L4 ports and not port ranges. |
| MACDA | ethernet-destination-address |
| MACSA | ethernet-source-address |
| NH | IPv6 Next Header field. |
| SIP | source-address |
| SIPv6 | source-address <ipv6> |
| TC | IPv6 Traffic Class field. |
| Tcp-Flags | tcp-flags |
| TOS | ip-tos or diffserv-codepoint |
| VlanId | vlan-id |
Field Selectors for ExtremeSwitching and Summit Series Switches lists all the combinations of match conditions that are available. Any number of match conditions in a single row for a particular field may be matched. For example if Field 1 has row 1 (Port-list) selected, Field 2 has row 8 (MACDA, MACSA, Etype, OVID) selected, and Field 3 has row 7 (Dst-Port) selected, any combination of Port-list, MACDA, MACSA, Etype, OVID, and Dst-Port may be used as match conditions.
If an ACL requires the use of field selectors from two different rows, it must be implemented on two different slices.
Field Selectors for ExtremeSwitching and Summit Series Switches
| Fixed Field | Field 1 | Field 2 | Field 3 |
|---|---|---|---|
| Port-list | OVID, VID-inner | DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IPFlag, TCP-Flag | OVID |
| Etype, OVID | DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IpInfo(First-Fragment, Fragments) TCP-Flag | OVID, IpInfo(First-Fragment, Fragments) | |
| VID-inner | DIPv6/128 | OVID, VID-inner | |
| IpInfo(First-Fragment, Fragments), OVID | SIPv6/128 | OVID, Etype | |
| OVID | DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag | VID-Inner | |
| IP-Proto, DSCP | MACDA, MACSA, OVID, Etype | L4-Range | |
| "User Defined Field” 1b | MACSA, OVID, Etype, SIP | FL | |
| MACDA, OVID, Etype, DIP, IP-Proto | UDF1[95..64] | ||
| "User Defined Field” 1 | |||
| "User Defined Field” 2 | |||
| DIPv6/64, SIPv6/64 |
Print
this page
Email this topic
Feedback
View PDF
Download EPUB