Users Guide

NOTE: Apply control-plane ACLs on ingress traffic only.
Control-plane ACL qualifiers
This section lists the supported control-plane ACL rule qualifiers.
NOTE: OS10 supports only the qualifiers listed below. Ensure that you use only these qualifiers in ACL rules.
IPv4 qualifiers:
DST_IP—Destination IP address
SRC_IP—Source IP address
IP_TYPE—IP type
IP_PROTOCOL—Protocols such as TCP, UDP, and so on
L4_DST_PORT—Destination port number
IPv6 qualiers:
DST_IPv6—Destination address
SRC_IPv6—Source address
IP_TYPE—IP Type; for example, IPv4 or IPv6
IP_PROTOCOL—Protocols such as TCP, UDP, and so on
L4_DST_PORT—Destination port
MAC qualiers:
OUT_PORT—Egress CPU port
SRC_MAC—Source MAC address
DST_MAC—Destination MAC address
ETHER_TYPE—Ethertype
OUTER_VLAN_ID—VLAN ID
IP_TYPE—IP type
OUTER_VLAN_PRI—DOT1P value
IP fragment handling
OS10 supports a configurable option to explicitly deny IP-fragmented packets, specifically the second and subsequent fragments. This
option extends the existing ACL command syntax with the fragments keyword for all L3 rules:
Second and subsequent fragments are allowed by default because an L3 rule cannot be applied to them; they carry no L4 header. If the
packet is to be denied, the first fragment is denied and the packet as a whole cannot be reassembled.
The system applies an implicit permit for the second and subsequent fragments before the implicit deny.
If you configure an explicit deny with the fragments keyword, the second and subsequent fragments do not hit the implicit permit rule for fragments.
IP fragments ACL
When a packet exceeds the maximum packet size, the packet is fragmented into a number of smaller packets that contain portions of the
contents of the original packet. This packet flow begins with an initial packet that contains all of the L3 and Layer 4 (L4) header information
contained in the original packet, and is followed by a number of packets that contain only the L3 header information.
This packet flow contains all of the information from the original packet distributed through packets that are small enough to avoid the
maximum packet size limit. This presents a particular problem for ACL processing.
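The following Python model is an added illustration of the evaluation order described in the two sections above (explicit rules, then the implicit permit for second and subsequent fragments, then the implicit deny); it is not OS10 code and does not reproduce the OS10 CLI. It assumes that a rule carrying the fragments keyword matches only non-initial fragments, that a rule with an L4_DST_PORT qualifier can never match a fragment without an L4 header, and it uses constructed addresses, rules and packets (MGMT, ACL_PLAIN, ACL_FRAG_DENY and the SSH_*/TELNET_* packets are all hypothetical).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """One IP packet or fragment as the control-plane ACL sees it (constructed model)."""
    src_ip: str
    dst_ip: str
    ip_protocol: str                   # IP_PROTOCOL qualifier: "tcp", "udp", ...
    frag_offset: int = 0               # 0 = unfragmented or first fragment; >0 = subsequent fragment
    l4_dst_port: Optional[int] = None  # L4_DST_PORT; None on subsequent fragments (no L4 header present)

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Rule:
    """One ACL entry built from the IPv4 qualifiers listed in this guide."""
    action: str                        # "permit" or "deny"
    src_ip: str = "0.0.0.0/0"          # SRC_IP (any by default)
    dst_ip: str = "0.0.0.0/0"          # DST_IP (any by default)
    ip_protocol: Optional[str] = None  # IP_PROTOCOL (None = any)
    l4_dst_port: Optional[int] = None  # L4_DST_PORT (None = any)
    fragments: bool = False            # fragments keyword: assumed to match non-initial fragments only

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src_ip) not in ip_network(self.src_ip):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dst_ip):
            return False
        if self.ip_protocol is not None and pkt.ip_protocol != self.ip_protocol:
            return False
        if self.fragments and not pkt.non_initial_fragment:
            return False
        if self.l4_dst_port is not None:
            # An L4 qualifier can only be evaluated on the initial fragment;
            # subsequent fragments carry no L4 header, so they never match it.
            if pkt.l4_dst_port is None or pkt.l4_dst_port != self.l4_dst_port:
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason): explicit rules first, then the implicit permit
    for second and subsequent fragments, then the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, f"explicit {rule.action} (rule {i})"
    if pkt.non_initial_fragment:
        return "permit", "implicit permit for non-initial fragment"
    return "deny", "implicit deny"


# Constructed sample ACL: only SSH to the (hypothetical) management address should pass.
MGMT = "10.0.0.1"
ACL_PLAIN = [Rule("permit", dst_ip=MGMT + "/32", ip_protocol="tcp", l4_dst_port=22)]
# Same intent, plus an explicit deny for all remaining fragments.
ACL_FRAG_DENY = ACL_PLAIN + [Rule("deny", fragments=True)]

# Constructed packets: an allowed SSH flow and a disallowed telnet flow, each fragmented.
SSH_FIRST = Packet("192.0.2.10", MGMT, "tcp", frag_offset=0, l4_dst_port=22)
SSH_REST = Packet("192.0.2.10", MGMT, "tcp", frag_offset=185)
TELNET_FIRST = Packet("192.0.2.10", MGMT, "tcp", frag_offset=0, l4_dst_port=23)
TELNET_REST = Packet("192.0.2.10", MGMT, "tcp", frag_offset=185)


def demo() -> None:
    for name, acl in (("without fragments deny", ACL_PLAIN), ("with fragments deny", ACL_FRAG_DENY)):
        print(f"--- {name} ---")
        for label, pkt in (("ssh first", SSH_FIRST), ("ssh rest", SSH_REST),
                           ("telnet first", TELNET_FIRST), ("telnet rest", TELNET_REST)):
            action, reason = evaluate(acl, pkt)
            print(f"{label:13s} -> {action:6s} {reason}")


if __name__ == "__main__":
    demo()
```

Running demo() shows the problem the text describes: with ACL_PLAIN, the first telnet fragment is dropped by the implicit deny, but its remaining fragments reach the CPU through the implicit fragment permit because no L3-only rule can tell them apart from the SSH flow. With ACL_FRAG_DENY the explicit deny catches every non-initial fragment, including those of the permitted SSH flow, so an explicit deny of fragments is a trade-off between blocking fragment leakage and accepting fragmented traffic to the control plane at all.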
Access Control Lists