Specifications
150 ExtremeWare XOS 11.0 Concepts Guide
Security
• If the packet does not match all the match conditions, the next rule entry in the ACL is evaluated.
• This process continues until either the packet matches all the match conditions in one of the subsequent rule entries or there are no more entries.
• If a packet passes through all the rule entries in the ACL without matching any of them, it is permitted.
Often an ACL will have a rule entry at the end of the ACL with no match conditions. This entry matches any packet not otherwise processed, so that the user can specify an action that overrides the default permit action.
Match Conditions. You can specify multiple, single, or zero match conditions. If no match condition is specified, all packets match the rule entry. Among the match conditions commonly used are:
• IP source address and mask
• IP destination address and mask
• TCP or UDP source port range
• TCP or UDP destination port range
Table 28 describes all the possible match conditions.
Actions. The action is either permit or deny; an entry may also specify no action at all. An entry with no action specified permits the packet. The deny action drops the packet.
Action Modifiers. The action modifiers are count and qosprofile. The count action increments the counter named in the condition. The QoS profile action forwards the packet to the specified QoS profile.
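The evaluation order described above, as an added Python simulator that is not code from the guide or from ExtremeWare XOS: entry names, packet fields and the sample policy are constructed, and only first-match evaluation, the implicit permit, deny, entries with no action and the count modifier are modelled.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Entry:  # one ACL rule entry: match conditions, action, action modifier
    name: str
    source: Optional[str] = None        # source-address <prefix>
    destination: Optional[str] = None   # destination-address <prefix>
    protocol: Optional[int] = None      # protocol <number>, e.g. 6 = tcp
    dport: Optional[tuple] = None       # destination port range, inclusive
    action: Optional[str] = None        # "permit", "deny" or None (= permit)
    count: Optional[str] = None         # counter incremented on match

    def matches(self, pkt: dict) -> bool:
        # Every specified condition must hold; an entry with none matches all packets.
        if self.source and ip_address(pkt["src"]) not in ip_network(self.source):
            return False
        if self.destination and ip_address(pkt["dst"]) not in ip_network(self.destination):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dport and not self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]:
            return False
        return True

def evaluate(acl, pkt, counters):
    # First entry whose conditions all match decides; no match at all means permit.
    for entry in acl:
        if entry.matches(pkt):
            if entry.count:                 # 'count' action modifier
                counters[entry.count] += 1
            return ("deny" if entry.action == "deny" else "permit"), entry.name
    return "permit", None
# Constructed sample ACL: permit SSH to one server from the management prefix, drop other
# traffic to it, then a condition-less counted deny that overrides the implicit permit.
SAMPLE_ACL = [
    Entry("ssh-from-mgmt", source="10.1.0.0/16", destination="192.0.2.10/32", protocol=6, dport=(22, 22)),
    Entry("deny-to-server", destination="192.0.2.10/32", action="deny", count="blocked"),
    Entry("catch-all", action="deny", count="default"),
]
SAMPLE_PKTS = [  # constructed packets
    {"src": "10.1.5.5", "dst": "192.0.2.10", "proto": 6, "dport": 22},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 22},
    {"src": "10.1.5.5", "dst": "192.0.2.11", "proto": 17, "dport": 53},
]
def run_sample():
    counters = Counter()
    return [evaluate(SAMPLE_ACL, p, counters) for p in SAMPLE_PKTS], counters
```

Removing the catch-all entry lets the third packet fall off the end of the list and be permitted, which is the default behaviour the text describes.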
Table 28 lists the match conditions that can be used with ACLs. The conditions are case-insensitive; for example, the match condition listed in the table as TCP-flags can also be written as tcp-flags. Within Table 28 are five different data types used in matching packets. Table 29 lists the data types and details on using them.
Table 28: ACL match conditions

| Match Conditions | Description | Applicable IP Protocols |
|---|---|---|
| ethernet-type <number> | Ethernet packet type. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ETHER-P-IP (0x0800), ETHER-P-8021Q (0x8100), ETHER-P-IPV6 (0x86DD) | Ethernet |
| ethernet-source-address <mac-address> | Ethernet source MAC address | Ethernet |
| ethernet-destination-address <mac-address> | Ethernet destination MAC address | Ethernet |
| source-address <prefix> | IP source address and mask. | All IP |
| destination-address <prefix> | IP destination address and mask. | All IP |
| protocol <number> | IP protocol field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): egp(8), esp(5), gre(47), icmp(1), igmp(2), ipip(4), ipv6(41), ospf(89), pim(102), rsvp(46), tcp(6), or udp(17) | All IP |
| fragments | IP fragmented packet. FO > 0 (FO = Fragment Offset in IP header) | All IP, no L4 rules |