ACL Rule Syntax Details

Match Ethernet source MAC address or Ethernet destination MAC address.

The mask is optional, and is in the same format as the MAC address for example: ethernet-source-address 00:01:02:03:01:01 mask ff:ff:ff:ff:00:00 or ethernet-source-address 00:01:02:03:01:01 / ff:ff:ff:ff:00:00

Pre-defined-mac can be any one of the following: cdp-mac, csp-mac (Port Extender Control and Status Protocol), eaps-flush-fdb-mac, eaps-mac, eaps-ver1-mac, eaps-ver2-mac, edp-mac, elrp-dst-mac, elrpsrc-mac, elsm-mac, erps-mac, esrp-mac, lacp-mac, lldp-mac, msrp-mac, pvstp-mac, stp-mac, system-lla-mac and system-mac

Example with pre-defined-mac:

ethernet-source-address edp-mac mask ff:ff:ff:ff:00:00 or ethernet-source-address edp-mac / ff:ff:ff:ff:00:00

Only those bits of the MAC address whose corresponding bit in the mask is set to 1 will be used as match criteria. Therefore, the preceding example matches 00:01:02:03:xx:xx. If the mask is not supplied, it is assumed to be ff:ff:ff:ff:ff:ff. In other words, all bits of the MAC address are used for matching.

IP source address and mask. Use either all IPv4 or all IPv6 addresses in an ACL.

On ExtremeSwitching series switches, using arbitrary mask arguments is supported. Masks are not restricted to be of a subnet type. Examples of arbitrary IPv4 and IPv6 masks include 10.22.3.4 and 1:0:0:ffff:2:4. The 1s in the mask indicate the corresponding bits of the source-address that should be used as part of the match criteria.

IP destination address and mask.

On ExtremeSwitching series switches, using arbitrary mask arguments is supported. Masks are not restricted to be of a subnet type. Examples of arbitrary IPv4 and IPv6 masks include 10.22.3.4 and 1:0:0:ffff:2:4. The 1s in the mask indicate the corresponding bits of the destination-address that should be used as part of the match criteria.

TCP or UDP source port. You must also specify the protocol match condition to determine which protocol is being used on the port, any time you use the this match condition. In place of the numeric value, you can specify one of the text synonyms listed under destination port. If no source-port is specified, the default source-port is “any.”

ICMP type field. Normally, you specify this match in conjunction with the protocol match statement. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply(0), echo-request(8), info-reply(16), info-request(15), mask-request(17), mask-reply(18), parameter-problem(12), redirect(5), router-advertisement(9), router-solicit(10), source-quench(4), time-exceeded(11), timestamp(13), timestamp-reply(14), or unreachable(3), v6-echo-request(128), v6-echo-reply(129), v6-mld-query(130), v6-mld-report(131), v6-mld-reduction(132), v6-router-soliciation(133), v6-router-advertisement(134), v6-neighbor-solicitation(135), v6-neighbor-advertisement(136), v6-redirect(137), v6-node-info-query(139), v6-node-info-reply(140), v6-unreachable(1), v6-packet-too-big(2), v6-time-exceeded(3), v6-parameter-problem(4), v6-echo-request(128), v6-echo-reply(129), v6-mld-query(130), v6-mld-report(131), v6-mld-reduction(132), v6-router-soliciation(133), v6-router-advertisement(134), v6-neighbor-solicitation(135), v6-neighbor-advertisement(136), v6-redirect(137), v6-node-info-query(139), v6-node-info-reply(140) v6-unreachable(1), v6-packet-too-big(2), v6-time-exceeded(3), v6-parameter-problem(4), v6-echo-request(128), v6-echo-reply(129), v6-mld-query(130), v6-mld-report(131), v6-mld-reduction(132), v6-router-soliciation(133), v6-router-advertisement(134), v6-neighbor-solicitation(135), v6-neighbor-advertisement(136), v6-redirect(137), v6-node-info-query(139), v6-node-info-reply(140).

ICMP code field. This value or keyword provides more specific information than the icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify the icmp-type along with the icmp-code (only available in IPv4). In place of the numeric value, you can specify one of the following text synonyms (the field values also listed); the keywords are grouped by the ICMP type with which they are associated:

Parameter-problem:

ip-header-bad(0), required-option-missing(1)

Redirect:

redirect-for-host (1), redirect-for-network (2), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

Time-exceeded:

ttl-eq-zero-during-reassembly(1), ttl-eq-zero-during-transit(0)

Unreachable:

communication-prohibited-by-filtering(13), destination-host-prohibited(10), destination-host-unknown(7), destination-network-prohibited(9), destination-network-unknown(6), fragmentation-needed(4), host-precedence-violation(14), host-unreachable(1), host-unreachable-for-TOS(12), network-unreachable(0), network-unreachable-for-TOS(11), port-unreachable(3), precedence-cutoff-in-effect(15), protocol-unreachable(2), source-host-isolated(8), source-route-failed(5)

Matches the VLAN tag number or the VLAN ID which is given to a VLAN when created. The ACL rule can only be applied to ports or any, and not VLANs.

The following restriction applies to all platforms:

The vlan-id match condition matches on the “outer” tag of a VMAN.The vlan-id ACL keyword can be used in egress ACL.

VNI on an egress-terminated VXLAN packet (egress VTEP scenario) or on a transit switch.

Available for both static and dynamic ingress ACLs.

arp-sender-address prefix

and

arp-target-address prefix

Matches the ARP sender protocol address and target protocol address respectively.

prefix => IPv4 address / mask length.

They cannot be combined with an Ethernet-source-address or Ethernet-destination-address in the same rule.

They can be used only when the ACL hardware database is configured to be internal for those platforms that support “external-table” ACL databases.

ccos <ccos value>

Tagged VMAN ports: installing an ACL matching “cvid” on ingress or egress will match the inner vlan-id of a double tagged packet on a tagged VMAN port.

Untagged VMAN ports: installing an ACL matching “cvid” on ingress or egress will match the single VLAN tag on an untagged VMAN port.

CEP VMAN ports (with or without VPLS): installing an ACL matching “cvid” on ingress or egress will match the single VLAN tag on a CEP VMAN port (without translation).

CEP VMAN ports with cvid translation (with or without translation): installing an ACL matching “cvid” on ingress will match the post-translation cvid. Installing an ACL matching “cvid” on egress will match the post-translation cvid.

This match condition can be specified on any rule within a policy file or within a list of dynamic access-lists. A rule cannot both match a class-id and specify a class-id as an action. When a “class-id” match criteria is specified, the associated rule will be programmed into the normal “INGRESS stage” access-list hardware resource. The range of valid class-id values varies per platform.

Matches OSPF messages types and optionally OSPF version. If version is not specified, the rule matches both OSPFv2 and OSPFv3 packets. Valid OSPF message types are:

hello

db-desc

ls-request

ls-update

ls-ack

Valid OSPF version keywords are:

v2

v3

Matches PIM message types. Valid PIM message types are:

hello

register

register-stop

join-prune

boot-strap

assert

graft

graft-ack

crp-advt

state-refresh

df-election

ecmp-redirect

pim-flooding

Valid packet types are:

l2-broadcast

known-l2-unicast

unknown-l2-unicast

known-l2-multicast

unknown-l2-multicast

known-l3-unicast

unknown-l3-unicast

known-l3-multicast

unknown-l3-multicast

packet-lookup-status destination-mac-hit

packet-lookup-status destination-mac-miss, source-mac-hit

packet-lookup-status source-mac-move, source-mac-static