Access Control List (ACL) Library Enhancements
To implement ONEPolicy requires enhancements to certain existing Access Control List (ACL) conditions and actions, plus the addition of some new ones:
- ttl—New condition with optional mask. Matches IPv4 Time-To-Live and IPv6 Hop Limit.
Syntax: ttl value {mask value}
- add-vlan-id—New action that adds a new outer VLAN ID. If the packet is untagged, it
adds a VLAN tag to the packet. If the packet is already tagged, it adds an additional (outer) VLAN tag. Only
supported in the VLAN lookup stage (VFP).
Syntax: add-vlan-id value
- ip-tos—Existing condition that now accepts an optional mask.
Syntax: ip-tos value {mask value}
- vlan-format—New condition that matches packets based on their VLAN format. Takes one of
four values:
- untagged—all untagged packets
- single-tagged—all packets with exactly one tag
- double-tagged—all packets with two tags
- outer-tagged—all packets with at least one tag (single-tagged or double-tagged)
Syntax: vlan-format untagged | single-tagged | double-tagged | outer-tagged
- replace-dscp-value—New action that replaces the existing Differentiated Services Code
Point (DSCP) value of the packet.
Syntax: replace-dscp-value value
- ethernet-type—Existing condition that can now accept an optional mask.
Syntax: ethernet-type value {mask value}
- destination-port—Existing condition that can now accept an optional mask.
Syntax: destination-port value {mask value}
- source-port—Existing condition that can now accept an optional mask.
Syntax: source-port value {mask value}
- fragments—Existing condition that matches any fragment of a fragmented packet,
including the first fragment. Previously, this condition didn't include the first fragment.
Syntax: fragments
- first-fragments—Existing condition that matches only the first fragment of a
fragmented packet. Previously, this condition also matched non-fragmented packets.
Syntax: first-fragments
- do-ipfix—New action that records the matching packet. Can be used on both ingress and
egress.
Syntax: do-ipfix
- do-not-ipfix—New action that cancels recording for the matching packet. Can be used to
reduce demand on egress IPFIX capacity (and to reduce recording loss) during packet flooding
situations. For example, egress ACLs that recognize broadcast and/or IP multicast packets could
prevent egress IPFIX recording. Can be used on both ingress and egress.
Syntax: do-not-ipfix
- redirect-port-copy-cpu-allowed—The existing "redirect-port" action in ACL includes
three hardware actions: RedirectPort, CopyToCpuCancel and GpDropCancel. Because of this, the
"redirect-port" action cannot be combined with other actions that try to copy a packet to the CPU,
such as "copy-cpu-sdn". This new action redirects a packet out of an output port, but does not
require that Copy to CPU be canceled.
Syntax: redirect-port-copy-cpu-allowed value
- redirect-port-list-copy-cpu-allowed—Same as redirect-port-copy-cpu-allowed, but allows
redirect to a list of ports.
Syntax: redirect-port-list-copy-cpu-allowed value {,value}
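The following is an added illustration, not code from the release note or from the switch software: a small Python model of how the match conditions listed above classify a packet. It shows the "value {mask value}" comparison used by ttl, ip-tos, ethernet-type, source-port and destination-port, the four vlan-format keywords, and the current fragments / first-fragments semantics beside the previous first-fragments behaviour the note describes. The Packet summary, the field names and the sample entry (TTL 64..127, IPv4, destination port 8000..8015, single-tagged) are assumptions constructed for this example; an IPv4 fragment is modelled by its MF flag and fragment offset.

```python
"""Added example (not part of the release note): a model of the ACL
conditions described above. Packet fields and helper names are assumptions
made for this illustration, not the switch's own data structures."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    # Constructed packet summary: only the fields the conditions examine.
    ttl: int                # IPv4 Time-To-Live or IPv6 Hop Limit
    ip_tos: int             # IPv4 TOS byte (DSCP occupies the top 6 bits)
    ethertype: int          # EtherType after any VLAN tags
    src_port: int
    dst_port: int
    vlan_tags: int          # number of 802.1Q tags present: 0, 1 or 2
    frag_offset: int        # IPv4 fragment offset (8-byte units)
    more_fragments: bool    # IPv4 MF flag


def masked_match(field: int, value: int, mask: Optional[int] = None) -> bool:
    """'value {mask value}' semantics: compare only the bits set in mask.
    Without a mask the field must equal value exactly."""
    if mask is None:
        return field == value
    return (field & mask) == (value & mask)


def vlan_format(pkt: Packet) -> List[str]:
    """Every vlan-format keyword that matches the packet; outer-tagged
    covers both single-tagged and double-tagged packets."""
    if pkt.vlan_tags == 0:
        return ["untagged"]
    if pkt.vlan_tags == 1:
        return ["single-tagged", "outer-tagged"]
    return ["double-tagged", "outer-tagged"]


def fragments(pkt: Packet) -> bool:
    """Current 'fragments' semantics: any fragment of a fragmented packet,
    the first fragment included (MF set, or a non-zero offset)."""
    return pkt.more_fragments or pkt.frag_offset != 0


def first_fragments(pkt: Packet) -> bool:
    """Current 'first-fragments' semantics: only the first fragment of a
    fragmented packet, so an unfragmented packet does not match."""
    return pkt.more_fragments and pkt.frag_offset == 0


def first_fragments_previous(pkt: Packet) -> bool:
    """Previous behaviour described in the note: offset zero alone matched,
    so unfragmented packets were also caught (kept here for comparison)."""
    return pkt.frag_offset == 0


def matches_sample_entry(pkt: Packet) -> bool:
    """Constructed entry modelled on the syntax above:
        ethernet-type 0x0800
        ttl 64 mask 0xC0                 -> TTL in 64..127
        destination-port 8000 mask 0xFFF0 -> ports 8000..8015
        vlan-format single-tagged
    All conditions of an entry must hold for it to match."""
    return (masked_match(pkt.ethertype, 0x0800)
            and masked_match(pkt.ttl, 64, 0xC0)
            and masked_match(pkt.dst_port, 8000, 0xFFF0)
            and "single-tagged" in vlan_format(pkt))


if __name__ == "__main__":
    sample = Packet(ttl=100, ip_tos=0x20, ethertype=0x0800, src_port=40000,
                    dst_port=8007, vlan_tags=1, frag_offset=0,
                    more_fragments=False)
    print("sample entry matches:", matches_sample_entry(sample))
    print("vlan-format keywords:", vlan_format(sample))
```

The mask comparison is the same idea the hardware applies in the lookup stages: a condition with a mask covers a range of values in one entry rather than one value per entry. The two first-fragments functions make the documented change concrete: a rule intended to catch only the leading fragment of a fragmented datagram previously also matched every unfragmented packet.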
Supported Platforms
- BlackDiamond X8 and BlackDiamond 8800 series switches
- Summit X770, X670, X670-G2, X480, X460, X460-G2, X450-G2, X440, and X430 series switches
- E4G-200 and E4G-400 cell site routers
Limitations
- vlan-format mistakenly identifies untagged packets as tagged in the IFP stage for the following switches: Summit X480, Summit X650, BlackDiamond 8900-G96T-c, BlackDiamond 8900-10G24X-c, BlackDiamond 8900-G48T-xl, BlackDiamond 8900-G48X-xl, and BlackDiamond 8900-10G8X-xl.
- fragments is partially supported on the BlackDiamond G48Te2 I/O modules. On these modules, this condition matches only the subsequent fragments of a fragmented packet (including the last fragment) and does not match the first fragment.
- add-vlan-id is only available on switches with VFP stages.
- IPFIX actions are only supported on Summit X460, X460-G2, and X480 series switches, BlackDiamond 8900-xl and -96T modules, and BlackDiamond X8-100G4X and BDX X8 xl-series modules.