The following table lists the match conditions that can be used with ACLs, and whether each condition can be used for ingress ACLs only or for both ingress and egress ACLs. The conditions are not case-sensitive; for example, the match condition listed in the table as TCP-flags can also be written as tcp-flags. Five different data types are used in ACL match conditions when matching packets.
ACL Match Conditions lists the general match conditions that apply to all traffic, unless otherwise noted. ACL Match Condition Data Types lists the data types and gives details on using them.
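As an added worked example (not code from the ExtremeXOS documentation or from Extreme Networks), the following Python models the mask semantics that run through the table below: a bit of the packet field takes part in the comparison only where the corresponding mask bit is 1, whether the field is a MAC address, an IP address with an arbitrary non-subnet mask, a TCP/UDP port, or the TTL. It also enforces the table's rule that port and tcp-flags conditions must sit beside a protocol condition. The Packet class, the sample entries and packets, the first-match evaluation order, the implicit permit when no entry matches, and the "named flag bits are set" reading of tcp-flags are assumptions of this example, not statements about how the switch hardware evaluates a policy.

```python
# Added example, not from the ExtremeXOS documentation: a model of the masked-match
# semantics shared by the ACL match conditions in the table. Entry keys use the
# table's condition names; Packet, SAMPLE_ACL, SAMPLE_PACKETS, first-match order,
# the implicit permit and the tcp-flags interpretation are assumptions of this model.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Text synonyms copied from the table (only a subset of the destination-port names).
TCP_FLAGS = {"ACK": 0x10, "FIN": 0x01, "PUSH": 0x08, "RST": 0x04,
             "SYN": 0x02, "URG": 0x20, "SYN_ACK": 0x12}
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443, "snmp": 161}


@dataclass
class Packet:
    """Constructed, minimal view of the header fields the conditions inspect."""
    eth_src: str
    eth_dst: str
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    ttl: int = 64


def masked_eq(value: int, target: int, mask: int) -> bool:
    """Only bits whose mask bit is 1 take part in the comparison."""
    return (value & mask) == (target & mask)


def mac_match(pkt_mac: str, cond_mac: str, mask: str = "ff:ff:ff:ff:ff:ff") -> bool:
    """ethernet-source/destination-address with an optional MAC-format mask."""
    def to_int(m: str) -> int:
        return int(m.replace(":", ""), 16)
    return masked_eq(to_int(pkt_mac), to_int(cond_mac), to_int(mask))


def ip_match(pkt_ip: str, cond_ip: str, mask: Optional[str] = None) -> bool:
    """source/destination-address with an arbitrary (non-contiguous) mask."""
    p, c = ipaddress.ip_address(pkt_ip), ipaddress.ip_address(cond_ip)
    if p.version != c.version:          # an ACL is all-IPv4 or all-IPv6
        return False
    m = int(ipaddress.ip_address(mask)) if mask else (1 << p.max_prefixlen) - 1
    return masked_eq(int(p), int(c), m)


def port_match(pkt_port: int, cond_port, mask: int = 0xFFFF) -> bool:
    """source/destination-port given as a number or text synonym, plus mask."""
    target = PORT_NAMES[cond_port] if isinstance(cond_port, str) else cond_port
    return masked_eq(pkt_port, target, mask)


def flags_match(pkt_flags: int, cond: str) -> bool:
    """tcp-flags, modelled as 'every named flag bit is set' (an assumption)."""
    want = TCP_FLAGS[cond.upper()]
    return pkt_flags & want == want


def entry_matches(entry: dict, pkt: Packet) -> bool:
    """True when every condition in the entry holds for pkt. Port and tcp-flags
    conditions are rejected unless a protocol condition accompanies them."""
    if entry.keys() & {"source-port", "destination-port", "tcp-flags"} \
            and "protocol" not in entry:
        raise ValueError("port/tcp-flags conditions require a protocol condition")
    for cond, arg in entry.items():
        if cond == "action":
            continue
        if cond == "protocol":
            ok = pkt.proto == arg
        elif cond == "ethernet-source-address":
            ok = mac_match(pkt.eth_src, *arg)
        elif cond == "ethernet-destination-address":
            ok = mac_match(pkt.eth_dst, *arg)
        elif cond == "source-address":
            ok = ip_match(pkt.src, *arg)
        elif cond == "destination-address":
            ok = ip_match(pkt.dst, *arg)
        elif cond == "source-port":
            ok = pkt.proto in ("tcp", "udp") and port_match(pkt.sport, *arg)
        elif cond == "destination-port":
            ok = pkt.proto in ("tcp", "udp") and port_match(pkt.dport, *arg)
        elif cond == "tcp-flags":
            ok = pkt.proto == "tcp" and flags_match(pkt.tcp_flags, arg)
        elif cond == "ttl":                      # arg is (value, mask)
            ok = masked_eq(pkt.ttl, *arg)
        else:
            raise ValueError(f"unsupported match condition: {cond}")
        if not ok:
            return False
    return True


def evaluate(acl: list, pkt: Packet, default: str = "permit") -> str:
    """Action of the first entry whose conditions all match (assumed order)."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return default


# Constructed ACL written with the table's condition names.
SAMPLE_ACL = [
    # New telnet sessions: protocol + destination-port synonym + tcp-flags.
    {"protocol": "tcp", "destination-port": ("telnet",), "tcp-flags": "SYN",
     "action": "deny"},
    # Hosts x.x.x.4 anywhere in 10.22/16: an arbitrary, non-subnet IPv4 mask.
    {"protocol": "udp", "source-address": ("10.22.0.4", "255.255.0.255"),
     "destination-port": ("snmp",), "action": "permit"},
    # destination-port 8080 mask 0xfff8 covers 8080-8087 in one entry.
    {"protocol": "tcp", "destination-port": (8080, 0xFFF8), "action": "permit"},
    # The table's own MAC example: matches 00:01:02:03:xx:xx.
    {"ethernet-source-address": ("00:01:02:03:01:01", "ff:ff:ff:ff:00:00"),
     "action": "permit"},
    # ttl 1 mask 0xff: traceroute-style probes.
    {"ttl": (1, 0xFF), "action": "deny"},
]

# Constructed packets; 192.0.2.0/24 is a documentation range.
SAMPLE_PACKETS = {
    "telnet_syn": Packet("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:ff", "10.22.5.4",
                         "192.0.2.10", "tcp", 40000, 23, TCP_FLAGS["SYN"]),
    "telnet_ack_known_mac": Packet("00:01:02:03:99:99", "00:aa:bb:cc:dd:ff",
                                   "10.22.5.4", "192.0.2.10", "tcp", 40000, 23,
                                   TCP_FLAGS["ACK"]),
    "snmp_from_mgmt": Packet("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:ff",
                             "10.22.7.4", "192.0.2.10", "udp", 5000, 161),
    "alt_http_8085": Packet("00:aa:bb:cc:dd:03", "00:aa:bb:cc:dd:ff",
                            "10.22.7.9", "192.0.2.10", "tcp", 5000, 8085,
                            TCP_FLAGS["SYN"]),
    "ttl1_probe": Packet("00:aa:bb:cc:dd:04", "00:aa:bb:cc:dd:ff",
                         "10.22.7.9", "192.0.2.10", "udp", 5000, 33434, ttl=1),
}


def run_demo() -> dict:
    """Evaluate every sample packet against the sample ACL."""
    return {name: evaluate(SAMPLE_ACL, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:22s} -> {action}")
```

Two points the model makes visible: the "named bits are set" reading of tcp-flags means a SYN_ACK (0x12) also satisfies tcp-flags SYN, so if the platform compares the whole flag field the flags_match function should become an equality test; and a port mask such as 0xfff8 only covers an aligned block (8080 through 8087 here), so an arbitrary range still needs the range form of the condition, which the table marks as ingress only.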
Match Conditions | Description | Applicable IP Protocols/ Direction |
---|---|---|
ethernet-type number | Ethernet packet type. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ETHER-P-IP (0x0800), ETHER-P-8021Q (0x8100), ETHER-P-IPV6 (0x86DD). | Ethernet/Ingress and Egress |
[ethernet-source-address \| ethernet-destination-address] [ mac-address \| pre-defined-mac ] { [ mask \| / ] mask } | Match the Ethernet source MAC address or the Ethernet destination MAC address. The mask is optional and is in the same format as the MAC address, for example: ethernet-source-address 00:01:02:03:01:01 mask ff:ff:ff:ff:00:00 or ethernet-source-address 00:01:02:03:01:01 / ff:ff:ff:ff:00:00. Pre-defined-mac can be any one of the following: cdp-mac, csp-mac (Port Extender Control and Status Protocol), eaps-flush-fdb-mac, eaps-mac, eaps-ver1-mac, eaps-ver2-mac, edp-mac, elrp-dst-mac, elrpsrc-mac, elsm-mac, erps-mac, esrp-mac, lacp-mac, lldp-mac, msrp-mac, pvstp-mac, stp-mac, system-lla-mac, and system-mac. Example with pre-defined-mac: ethernet-source-address edp-mac mask ff:ff:ff:ff:00:00 or ethernet-source-address edp-mac / ff:ff:ff:ff:00:00. Only those bits of the MAC address whose corresponding bit in the mask is set to 1 are used as match criteria; the first example above therefore matches 00:01:02:03:xx:xx. If the mask is not supplied, it is assumed to be ff:ff:ff:ff:ff:ff, that is, all bits of the MAC address are used for matching. | Ethernet/Ingress and Egress |
source-address prefix | IP source address and mask. Use either all IPv4 or all IPv6 addresses in an ACL. On ExtremeSwitching series switches, arbitrary mask arguments are supported; masks are not restricted to subnet (contiguous) masks. Examples of arbitrary IPv4 and IPv6 masks include 10.22.3.4 and 1:0:0:ffff:2:4. The 1 bits in the mask indicate the corresponding bits of the source-address that are used as part of the match criteria. | All IP/Ingress and Egress |
destination-address prefix | IP destination address and mask. On ExtremeSwitching series switches, arbitrary mask arguments are supported; masks are not restricted to subnet (contiguous) masks. Examples of arbitrary IPv4 and IPv6 masks include 10.22.3.4 and 1:0:0:ffff:2:4. The 1 bits in the mask indicate the corresponding bits of the destination-address that are used as part of the match criteria. | All IP/Ingress and Egress |
source-port number | TCP or UDP source port. Whenever you use this match condition, you must also specify the protocol match condition to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the text synonyms listed under destination-port. If no source-port is specified, the default source-port is "any." | TCP, UDP/Ingress and Egress |
source-port range | TCP or UDP source port range. Whenever you use this match condition, you must also specify the protocol match condition to determine which protocol is being used on the port. In place of the numeric values, you can specify the text synonyms listed under destination-port. If no source-port is specified, the default source-port is "any." | TCP, UDP/Ingress only |
source-port number { mask value } | TCP or UDP source port and mask. The mask is optional, and it can be a decimal value or a hexadecimal value. Only those bits of the source-port whose corresponding bit in the mask is set to 1 are used as match criteria. | TCP, UDP/Ingress and Egress |
destination-port number | TCP or UDP destination port. Whenever you use this match condition, you must also specify the protocol match condition to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): afs(1483), bgp(179), biff(512), bootpc(68), bootps(67), cmd(514), cvspserver(2401), dhcp(67), domain(53), eklogin(2105), ekshell(2106), exec(512), finger(79), ftp(21), ftp-data(20), http(80), https(443), ident(113), imap(143), kerberos-sec(88), klogin(543), kpasswd(761), krbprop(754), krbupdate(760), kshell(544), ldap(389), login(513), mobileip-agent(434), mobileip-mn(435), msdp(639), netbios-dgm(138), netbios-ns(137), netbios-ssn(139), nfsd(2049), nntp(119), ntalk(518), ntp(123), pop3(110), pptp(1723), printer(515), radacct(1813), radius(1812), rip(520), rkinit(2108), smtp(25), snmp(161), snmptrap(162), snpp(444), socks(1080), ssh(22), sunrpc(111), syslog(514), tacacs-ds(65), talk(517), telnet(23), tftp(69), timed(525), who(513), xdmcp(177), zephyrclt(2103), or zephyr-hm(2104). | TCP, UDP/Ingress and Egress |
destination-port range | TCP or UDP destination port range. Whenever you use this match condition, you must also specify the protocol match condition to determine which protocol is being used on the port. In place of the numeric values, you can specify the text synonyms listed under destination-port number. | TCP, UDP/Ingress only |
destination-port number { mask value } | TCP or UDP destination port and mask. The mask is optional, and it can be a decimal value or a hexadecimal value. Only those bits of the destination-port whose corresponding bit in the mask is set to 1 are used as match criteria. | TCP, UDP/Ingress and Egress |
TCP-flags bitfield | TCP flags. Normally, you specify this match in conjunction with the protocol match statement. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ACK(0x10), FIN(0x01), PUSH(0x08), RST(0x04), SYN(0x02), URG(0x20), SYN_ACK(0x12). | TCP/Ingress and Egress |
IGMP-msg-type number | IGMP message type. Possible values and text synonyms: v1-report(0x12), v2-report(0x16), v3-report(0x22), v2-leave(0x17), or query(0x11). | IGMP/Ingress only |
ICMP-Type number | ICMP type field. Normally, you specify this match in conjunction with the protocol match statement. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). IPv4: echo-reply(0), echo-request(8), info-reply(16), info-request(15), mask-request(17), mask-reply(18), parameter-problem(12), redirect(5), router-advertisement(9), router-solicit(10), source-quench(4), time-exceeded(11), timestamp(13), timestamp-reply(14), or unreachable(3). IPv6: v6-unreachable(1), v6-packet-too-big(2), v6-time-exceeded(3), v6-parameter-problem(4), v6-echo-request(128), v6-echo-reply(129), v6-mld-query(130), v6-mld-report(131), v6-mld-reduction(132), v6-router-solicitation(133), v6-router-advertisement(134), v6-neighbor-solicitation(135), v6-neighbor-advertisement(136), v6-redirect(137), v6-node-info-query(139), or v6-node-info-reply(140). | ICMP/Ingress only |
ICMP-Code number | ICMP code field. This value or keyword provides more specific information than the icmp-type. Because the value's meaning depends on the associated icmp-type, you must specify the icmp-type along with the icmp-code (IPv4 only). In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed); the keywords are grouped by the ICMP type with which they are associated. Parameter-problem: ip-header-bad(0), required-option-missing(1). Redirect: redirect-for-network(0), redirect-for-host(1), redirect-for-tos-and-net(2), redirect-for-tos-and-host(3). Time-exceeded: ttl-eq-zero-during-transit(0), ttl-eq-zero-during-reassembly(1). Unreachable: network-unreachable(0), host-unreachable(1), protocol-unreachable(2), port-unreachable(3), fragmentation-needed(4), source-route-failed(5), destination-network-unknown(6), destination-host-unknown(7), source-host-isolated(8), destination-network-prohibited(9), destination-host-prohibited(10), network-unreachable-for-TOS(11), host-unreachable-for-TOS(12), communication-prohibited-by-filtering(13), host-precedence-violation(14), precedence-cutoff-in-effect(15). | IPv4 only/ICMP/Ingress only |
source-sap | SSAP is a 1-byte field with possible values 0-255 decimal. The value can be specified in decimal or hexadecimal. The SSAP field is found at byte offset 15 in 802.3 SNAP and LLC formatted packets. | Ethernet/Ingress only |
destination-sap | DSAP is a 1-byte field with possible values 0-255 decimal. The value can be specified in decimal or hexadecimal. The DSAP field is found at byte offset 14 in 802.3 SNAP and LLC formatted packets. (Available on ExtremeSwitching series switches and SummitStack.) | Ethernet/Ingress only |
snap-type | SNAP type is a 2-byte field with possible values 0-65535 decimal. The value can be specified in decimal or hexadecimal. The SNAP type field is found at byte offset 20 in 802.3 SNAP formatted packets. | Ethernet/Ingress only |
ttl number {mask value} | Time To Live with mask. The mask is optional, and it can be a decimal value or a hexadecimal value. Only those bits of the ttl whose corresponding bit in the mask is set to 1 are used as match criteria. This condition matches the IPv4 Time-To-Live and the IPv6 Hop Limit. | All IP/Ingress and Egress |
IP-TOS number | IP TOS field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): minimize-delay(16, 0x10), maximize-reliability(4, 0x04), minimize-cost(2, 0x02), and normal-service(0, 0x00). | All IP/Ingress and Egress |
IP-TOS number {mask value} | IP-TOS and mask. The mask is optional, and it can be a decimal value or a hexadecimal value. Only those bits of the IP-TOS whose corresponding bit in the mask is set to 1 are used as match criteria. | All IP/Ingress and Egress |
dscp value | DSCP field. In place of the value, you can specify one of the DSCP numeric values (for example, 8, 16, or 24). | All IP/Ingress and Egress |
fragments | IP fragmented packet, including the first fragment (FO = 0, where FO is the Fragment Offset field in the IP header). |