ACL Filter Policy Overview
472 Router Configuration Guide
• multiple-option — Match for the presence of multiple IP options in the IPv4 packet.
• src-route-option — Match for the presence of IP Option 3 or 9 (Loose or Strict
Source Route) in the first 3 IP Options of the IPv4 packet. A packet will also match
this rule if the packet has more than 3 IP Options.
IPv6 next-header match criteria (see also Upper-layer protocol match next-header
description below):
• ah-ext-header — Match for presence/absence of the Authentication Header
extension header in the IPv6 packet. This match criterion is supported on ingress only
and requires minimum FP-2-based line cards. Up to 6 extension headers are matched
against.
• esp-ext-header — Match for presence/absence of the Encapsulating Security
Payload extension header in the IPv6 packet. This match criterion is supported on
ingress only and requires minimum FP-2-based line cards. Up to 6 extension headers
are matched against.
• hop-by-hop-opt — Match for the presence/absence of Hop-by-hop options
extension header in the IPv6 packet. This match criterion is supported on ingress only
and requires minimum FP-2-based line cards. Up to 6 extension headers are matched
against.
• routing-type0 — Match for the presence/absence of Routing extension header type
0 in the IPv6 packet. This match criterion is supported on ingress only and requires
minimum FP-2-based line cards. Up to 6 extension headers are matched against.
Upper-layer protocol match:
• next-header — Match for the specified upper layer protocol (for example, TCP,
UDP, IGMPv6) against the Next Header field of the IPv6 packet header. “*” can be
used to specify TCP or UDP upper-layer protocol match (Logical OR). Next-header
matching allows also matching on presence of a subset of IPv6 extension headers.
See CLI section for details on which extension header match is supported.
• protocol — Match for the specified protocol against the Protocol field in the IPv4
packet header (for example, TCP, UDP, IGMP) of the outer IPv4. “*” can be used to
specify TCP or UDP upper-layer protocol match (Logical OR).
• icmp-code — Match for the specified value against the Code field of the ICMP/
ICMPv6 header of the packet. This match is supported only for entries that also
define protocol/next-header match for “ICMP”/”ICMPv6” protocol.
• icmp-type — Match for the specified value against the Type field of the ICMP/
ICMPv6 header of the packet. This match is supported only for entries that also
define protocol/next-header match for “ICMP”/”ICMPv6” protocol.
To Next Page
Loading...
