Compatible and Conflicting Rules

The slices can support a variety of different ACL (Access Control List) match conditions, but there are some limitations on how you combine the match conditions in a single slice. A slice is divided up into fields, and each field uses a single selector. A selector is a combination of match conditions or packet conditions that are used together. To show all the possible combinations, the conditions in Abbreviations Used in Field Selector Table are abbreviated.

Click to expand in new window

Abbreviations Used in Field Selector Table

Abbreviation Condition
Ingress  
DIP destination address <prefix> (IPv4 addresses only)
DIPv6/128 destination address <prefix> (IPv6 address with a prefix length longer than 64)
DIPv6/64 destination address <prefix> (IPv6 address with a prefix length up to 64)
DSCP dscp <number>
Etype ethernet-type <number>
First Fragment first ip fragment
FL IPv6 Flow Label
Fragments fragments
IP-Proto protocol <number>
L4DP destination-port <number> (a single port)
L4-Range A Layer 4 port range. For example, if you specify “protocol UDP” and “port 200 - 1200” in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges. Also, you can have a source port range, or a destination port range, but not both kinds of ranges together in the same entry.
L4SP source-port <number> (a single port)
MACDA ethernet-destination-address <mac-address> <mask>
MACSA ethernet-source-address <mac-address>
NH IPv6 Next Header field. Use protocol <number> to match. See IP-Proto
OVID This is not a match condition used in ACLs, but is used when an ACL is applied to VLANs. An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. VLAN IDs are outer VLAN IDs unless specified as inner VLAN IDs.
packet-type This selector is used internally and not accessible by users through explicit ACLs.
Port-list This is not a match condition used in ACLs, but is used when an ACL is applied to ports, or to all ports (the wildcard ACL). An ACL applied to a port uses a different field selector than an ACL applied to a VLAN.
SIP source address <prefix> (IPv4 addresses only)
SIPv6/128 source address <prefix> (IPv6 address with a prefix length longer than 64)
SIPv6/64 source address <prefix> (IPv6 address with a prefix length up to 64)
TC IPv6 Traffic Class field. Use dscp <number>
TCP-Flags TCP-flags <bitfield>
TPID 802.1Q Tag Protocol Identifier
TTL Time-to-live
UDF User-defined field. This selector is used internally and not accessible by users through explicit ACLs.
VID-inner Inner VLAN ID
VRF virtual router and forwarding instance
Egress  
DestIPv6 destination-address <ipv6>
DIP destination-address
Etype ethernet-type
IP-Proto protocol
L4DP destination-port. Support only single L4 ports and not port ranges.
L4SP source-port. Support only single L4 ports and not port ranges.
MACDA ethernet-destination-address
MACSA ethernet-source-address
NH IPv6 Next Header field.
SIP source-address
SIPv6 source-address <ipv6>
TC IPv6 Traffic Class field.
Tcp-Flags tcp-flags
TOS ip-tos or diffserv-codepoint
VlanId vlan-id
The following ingress conditions are not supported on egress:
  • fragments
  • first-fragment
  • IGMP-msg-type
  • ICMP-type
  • ICMP-code

Field Selectors for ExtremeSwitching and Summit Series Switches lists all the combinations of match conditions that are available. Any number of match conditions in a single row for a particular field may be matched. For example if Field 1 has row 1 (Port-list) selected, Field 2 has row 8 (MACDA, MACSA, Etype, OVID) selected, and Field 3 has row 7 (Dst-Port) selected, any combination of Port-list, MACDA, MACSA, Etype, OVID, and Dst-Port may be used as match conditions.

If an ACL requires the use of field selectors from two different rows, it must be implemented on two different slices.

Click to expand in new window

Field Selectors for ExtremeSwitching and Summit Series Switches

Fixed Field Field 1 Field 2 Field 3
Port-list OVID, VID-inner DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IPFlag, TCP-Flag OVID
Etype, OVID DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IpInfo(First-Fragment, Fragments) TCP-Flag OVID, IpInfo(First-Fragment, Fragments)
VID-inner DIPv6/128 OVID, VID-inner
IpInfo(First-Fragment, Fragments), OVID SIPv6/128 OVID, Etype
OVID DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag VID-Inner
IP-Proto, DSCP MACDA, MACSA, OVID, Etype L4-Range
"User Defined Field” 1b MACSA, OVID, Etype, SIP FL
MACDA, OVID, Etype, DIP, IP-Proto UDF1[95..64]
"User Defined Field” 1
"User Defined Field” 2
DIPv6/64, SIPv6/64