Compatible and Conflicting Rules

Slices support a variety of ACL match conditions, but there are limitations on how you can combine match conditions in a single slice. A slice is divided into fields, and each field uses a single selector. A selector is a combination of match conditions or packet conditions that are used together. To show all the possible combinations, the conditions are abbreviated as listed in Table 1 (Abbreviations Used in Field Selector Table).

Table 1. Abbreviations Used in Field Selector Table
Abbreviation    Condition

Ingress
DIP             destination address <prefix> (IPv4 addresses only)
DIPv6/128       destination address <prefix> (IPv6 address with a prefix length longer than 64)
DIPv6/64        destination address <prefix> (IPv6 address with a prefix length up to 64)
DSCP            dscp <number>
Etype           ethernet-type <number>
First Fragment  first ip fragment
FL              IPv6 Flow Label
Fragments       fragments
IP-Proto        protocol <number>
L4DP            destination-port <number> (a single port)
L4-Range        A Layer 4 port range. For example, if you specify “protocol UDP” and “port 200 - 1200” in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges. Also, you can have a source port range, or a destination port range, but not both kinds of ranges together in the same entry.
L4SP            source-port <number> (a single port)
MACDA           ethernet-destination-address <mac-address> <mask>
MACSA           ethernet-source-address <mac-address>
NH              IPv6 Next Header field. Use protocol <number> to match. See IP-Proto.
OVID            This is not a match condition used in ACLs, but is used when an ACL is applied to VLANs. An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. VLAN IDs are outer VLAN IDs unless specified as inner VLAN IDs.
packet-type     This selector is used internally and not accessible by users through explicit ACLs.
Port-list       This is not a match condition used in ACLs, but is used when an ACL is applied to ports, or to all ports (the wildcard ACL). An ACL applied to a port uses a different field selector than an ACL applied to a VLAN.
SIP             source address <prefix> (IPv4 addresses only)
SIPv6/128       source address <prefix> (IPv6 address with a prefix length longer than 64)
SIPv6/64        source address <prefix> (IPv6 address with a prefix length up to 64)
TC              IPv6 Traffic Class field. Use dscp <number>.
TCP-Flags       TCP-flags <bitfield>
TPID            802.1Q Tag Protocol Identifier
TTL             Time-to-live
UDF             User-defined field. This selector is used internally and not accessible by users through explicit ACLs.
VID-inner       Inner VLAN ID
VRF             virtual router and forwarding instance

Egress
DestIPv6        destination-address <ipv6>
DIP             destination-address
Etype           ethernet-type
IP-Proto