Match Conditions

You can specify multiple, single, or zero match conditions. If you do not specify a match condition, all packets match the rule entry. Commonly used match conditions are:

• ethernet-source-address [mac-address | pre-defined-mac ] mask—Ethernet source address
• ethernet-destination-address [mac-address | pre-defined-mac ] mask—Ethernet destination address and mask
• ethernet-type value {mask value}—Ethernet type, accepts an optional mask.
• source-address prefix—IP source address and mask
• destination-address prefix—IP destination address and mask
• destination-port value {mask value}—IP destination port, accepts optional mask
• source-port [value {mask value}|range]—TCP or UDP source port with optional mask or TCP or UDP source port range
• destination-port [port {mask value} |range]—TCP or UDP destination port with optional mask or TCP or UDP destination port range
• ttl value {mask value}—condition with optional mask that matches IPv4 Time-To-Live and IPv6 Hop Limit.
• ip-tos value {mask value}—this condition accepts optional masks
• vlan-format—matches packets based on their VLAN format. Can be one of the following values:
  • untagged—all untagged packets
  • single-tagged—all packets with only a single tag
  • double-tagged—all packets with a double tag
  • outer-tagged—all packets with at least one tag; for example, single tag or double tag
• fragments—matches any fragment of fragmented packet, including the first fragment
• first-fragments—matches only the first fragment of a fragmented packet.
• l4-match value offset offset mask mask value—generic bit-matching pattern starting at the Layer 4 header of four separate chunks of 32-bits, each fully bit-maskable with a unique offset. Unlike others, this match criteria can appear up to four times in a single rule, each specified as a logical AND, to match up to four separate chunks of 32-bits. Each chunk is fully bit-maskable with a unique offset. The matching data must be within the first 128 bytes of the packet. This match criteria is intended for advanced users only.
  • value—32-bit value
  • offset—number of bytes from the start of the Layer 4 header (for example, TCP header)
  • mask—32-bit mask value applied to value for matching. Mask is optional. The default is 0xffffffff.

ACL Match Conditions describes all the possible match conditions.