ACLs
ExtremeWare XOS 11.3 Concepts Guide
NOTE
On the BlackDiamond 8800 family and Summit X450 switches, ACLs cannot block directed ARP response packets from reaching the CPU and being learned.
Along with the data types described in Table 35, you can use the operators <, <=, >, and >= to specify match conditions. For example, the match condition source-port > 190 will match packets with a source port greater than 190. Be sure to use a space before and after an operator.
Table 34: ACL match conditions (Continued)

Match Conditions: ICMP-code <number>
Applicable IP Protocols/Direction: ICMP / Ingress and Egress
Description: ICMP code field. This value or keyword provides more specific information than the icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify the icmp-type along with the icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed); the keywords are grouped by the ICMP type with which they are associated:
  Parameter-problem: ip-header-bad(0), required-option-missing(1)
  Redirect: redirect-for-host(1), redirect-for-network(2), redirect-for-tos-and-host(3), redirect-for-tos-and-net(2)
  Time-exceeded: ttl-eq-zero-during-reassembly(1), ttl-eq-zero-during-transit(0)
  Unreachable: communication-prohibited-by-filtering(13), destination-host-prohibited(10), destination-host-unknown(7), destination-network-prohibited(9), destination-network-unknown(6), fragmentation-needed(4), host-precedence-violation(14), host-unreachable(1), host-unreachable-for-TOS(12), network-unreachable(0), network-unreachable-for-TOS(11), port-unreachable(3), precedence-cutoff-in-effect(15), protocol-unreachable(2), source-host-isolated(8), source-route-failed(5)

Match Conditions: IP-TOS <number> (BlackDiamond 10K Only)
Applicable IP Protocols/Direction: All IP / Ingress and Egress
Description: IP TOS field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): minimize-delay 16 (0x10), maximize-reliability 4 (0x04), minimize-cost 2 (0x02), and normal-service 0 (0x00)

Match Conditions: DSCP <number> (BlackDiamond 10K Only)
Applicable IP Protocols/Direction: All IP / Ingress only
Description: Differentiated Service Code Point. The DiffServ protocol uses the type of service (TOS) byte in the IP header, and the most significant six bits of this byte form the DSCP. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
  The Expedited Forwarding RFC defines one code point: ef(46)
  The Assured Forwarding RFC defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points: af11(10), af12(12), af13(14), af21(18), af22(20), af23(22), af31(26), af32(28), af33(30), af41(34), af42(36), af43(38)

1. You cannot specify an IPv6 address with a 128-bit mask (host entry) for the Summit X450.
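
A small lint for two rules stated on this page: a comparison operator needs a space on each side, and icmp-code is only meaningful together with icmp-type. This is an added Python example, not part of the ExtremeWare XOS guide; the function name and the list-of-strings input are assumptions, and the sample conditions are constructed.

```python
import re

# The four comparison operators the page lists; two-character forms first
# so ">=" is matched whole rather than as ">" followed by "=".
OPERATOR = re.compile(r"<=|>=|<|>")
KEYWORD = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def lint_match_conditions(conditions):
    """Check one ACL entry's match conditions; return (condition, problem) pairs.

    `conditions` is a list of match-condition strings (assumed input shape).
    """
    problems = []
    seen = {}  # lower-cased keyword -> original condition text
    for cond in conditions:
        text = cond.strip()
        kw = KEYWORD.match(text)
        if kw:
            seen.setdefault(kw.group(0).lower(), cond)
        for op in OPERATOR.finditer(text):
            before = text[op.start() - 1:op.start()]
            after = text[op.end():op.end() + 1]
            if before != " " or after != " ":
                problems.append(
                    (cond, f"operator '{op.group(0)}' needs a space on both sides"))
    # An icmp-code value only has meaning relative to an icmp-type.
    if "icmp-code" in seen and "icmp-type" not in seen:
        problems.append((seen["icmp-code"], "icmp-code given without icmp-type"))
    return problems


# Constructed sample entries (not taken from a real switch configuration).
GOOD = ["icmp-type 3", "icmp-code port-unreachable", "source-port > 190"]
BAD = ["icmp-code port-unreachable", "source-port >190"]

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_match_conditions(entry))
```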