Match Conditions

You can specify multiple, single, or zero match conditions. If you do not specify a match condition, all packets match the rule entry. Commonly used match conditions are:

ethernet-source-address [mac-address | pre-defined-mac ] mask—Ethernet source address
ethernet-destination-address [mac-address | pre-defined-mac ] mask—Ethernet destination address and mask
ethernet-type value {mask value}—Ethernet type, accepts an optional mask.
source-address prefix—IP source address and mask
destination-address prefix—IP destination address and mask
destination-port value {mask value}—IP destination port, accepts optional mask
source-port [value {mask value}|range]—TCP or UDP source port with optional mask or TCP or UDP source port range
destination-port [port {mask value} |range]—TCP or UDP destination port with optional mask or TCP or UDP destination port range
ttl value {mask value}—condition with optional mask that matches IPv4 Time-To-Live and IPv6 Hop Limit.
ip-tos value {mask value}—this condition accepts optional masks
vlan-format—matches packets based on their VLAN format. Can be one of the following values:
- untagged—all untagged packets
- single-tagged—all packets with only a single tag
- double-tagged—all packets with a double tag
- outer-tagged—all packets with at least one tag; for example, single tag or double tag
fragments—matches any fragment of fragmented packet, including the first fragment
first-fragments—matches only the first fragment of a fragmented packet.
l4-match value offset offset mask mask value—generic bit-matching pattern starting at the Layer 4 header of four separate chunks of 32-bits, each fully bit-maskable with a unique offset. Unlike others, this match criteria can appear up to four times in a single rule, each specified as a logical AND, to match up to four separate chunks of 32-bits. Each chunk is fully bit-maskable with a unique offset. The matching data must be within the first 128 bytes of the packet. This match criteria is intended for advanced users only.
- value—32-bit value
- offset—number of bytes from the start of the Layer 4 header (for example, TCP header)
- mask—32-bit mask value applied to value for matching. Mask is optional. The default is 0xffffffff.

ACL Match Conditions describes all the possible match conditions.

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

Match Conditions