The slices can support a variety of different ACL match conditions, but there are some limitations on how you combine the match conditions in a single slice. A slice is divided up into fields, and each field uses a single selector. A selector is a combination of match conditions or packet conditions that are used together. To show all the possible combinations, the conditions in Abbreviations Used in Field Selector Table are abbreviated.
| Abbreviation | Condition |
|---|---|
| Ingress | |
| DIP | destination address <prefix> (IPv4 addresses only) |
| DIPv6/128 | destination address <prefix> (IPv6 address with a prefix length longer than 64) |
| DIPv6/64 | destination address <prefix> (IPv6 address with a prefix length up to 64) |
| DSCP | dscp <number> |
| Etype | ethernet-type <number> |
| First Fragment | first ip fragment |
| FL | IPv6 Flow Label |
| Fragments | fragments |
| IP-Proto | protocol <number> |
| L4DP | destination-port <number> (a single port) |
| L4-Range | A Layer 4 port range. For example, if you specify “protocol UDP” and “port 200 - 1200” in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges. Also, you can have a source port range, or a destination port range, but not both kinds of ranges together in the same entry. |
| L4SP | source-port <number> (a single port) |
| MACDA | ethernet-destination-address <mac-address> <mask> |
| MACSA | ethernet-source-address <mac-address> |
| NH | IPv6 Next Header field. Use protocol <number> to match. See IP-Proto |
| OVID | This is not a match condition used in ACLs, but is used when an ACL is applied to VLANs. An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. VLAN IDs are outer VLAN IDs unless specified as inner VLAN IDs. |
| packet-type | This selector is used internally and not accessible by users through explicit ACLs. |
| Port-list | This is not a match condition used in ACLs, but is used when an ACL is applied to ports, or to all ports (the wildcard ACL). An ACL applied to a port uses a different field selector than an ACL applied to a VLAN. |
| SIP | source address <prefix> (IPv4 addresses only) |
| SIPv6/128 | source address <prefix> (IPv6 address with a prefix length longer than 64) |
| SIPv6/64 | source address <prefix> (IPv6 address with a prefix length up to 64) |
| TC | IPv6 Traffic Class field. Use dscp <number> |
| TCP-Flags | TCP-flags <bitfield> |
| TPID | 802.1Q Tag Protocol Identifier |
| TTL | Time-to-live |
| UDF | User-defined field. This selector is used internally and not accessible by users through explicit ACLs. |
| VID-inner | Inner VLAN ID |
| VRF | virtual router and forwarding instance |
| Egress | |
| DestIPv6 | destination-address <ipv6> |
| DIP | destination-address |
| Etype | ethernet-type |
| IP-Proto | protocol |
| L4DP | destination-port. Support only single L4 ports and not port ranges. |
| L4SP | source-port. Support only single L4 ports and not port ranges. |
| MACDA | ethernet-destination-address |
| MACSA | ethernet-source-address |
| NH | IPv6 Next Header field. |
| SIP | source-address |
| SIPv6 | source-address <ipv6> |
| TC | IPv6 Traffic Class field. |
| Tcp-Flags | tcp-flags |
| TOS | ip-tos or diffserv-codepoint |
| VlanId | vlan-id |
Field Selectors for ExtremeSwitching Series Switches lists all the combinations of match conditions that are available. Any number of match conditions in a single row for a particular field may be matched. For example if Field 1 has row 1 (Port-list) selected, Field 2 has row 8 (MACDA, MACSA, Etype, OVID) selected, and Field 3 has row 7 (Dst-Port) selected, any combination of Port-list, MACDA, MACSA, Etype, OVID, and Dst-Port may be used as match conditions.
If an ACL requires the use of field selectors from two different rows, it must be implemented on two different slices.
| Fixed Field | Field 1 | Field 2 | Field 3 |
|---|---|---|---|
| Port-list | OVID, VID-inner | DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IPFlag, TCP-Flag | OVID |
| Etype, OVID | DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, IpInfo(First-Fragment, Fragments) TCP-Flag | OVID, IpInfo(First-Fragment, Fragments) | |
| VID-inner | DIPv6/128 | OVID, VID-inner | |
| IpInfo(First-Fragment, Fragments), OVID | SIPv6/128 | OVID, Etype | |
| OVID | DIPv6/64, IP-Proto, DSCP, FL, TCP-Flag | VID-Inner | |
| IP-Proto, DSCP | MACDA, MACSA, OVID, Etype | L4-Range | |
| "User Defined Field” 1b | MACSA, OVID, Etype, SIP | FL | |
| MACDA, OVID, Etype, DIP, IP-Proto | UDF1[95..64] | ||
| "User Defined Field” 1 | |||
| "User Defined Field” 2 | |||
| DIPv6/64, SIPv6/64 |