Owner's Manual

310 | Chapter 13. ACLs
NETGEAR 8800 User Manual
Table 31. ACL Match Conditions (Continued)

Match Condition: snap-type
Description: SNAP type is a 2-byte field with possible values 0-65535 decimal. The value can be specified in decimal or hexadecimal. The SNAP type field can be found at byte offset 20 in 802.3 SNAP formatted packets.
Applicable IP Protocols/Direction: Ethernet/Ingress only

Match Condition: IP-TOS <number>
Description: IP TOS field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): minimize-delay 16 (0x10), maximize-reliability 4 (0x04), minimize-cost 2 (0x02), and normal-service 0 (0x00).
Applicable IP Protocols/Direction: All IP/Ingress and Egress

Match Condition: fragments
Description: IP fragmented packet. FO > 0 (FO = Fragment Offset in IP header). (a)
Applicable IP Protocols/Direction: All IP, no L4 rules/Ingress only

Match Condition: first-fragments
Description: Non-fragmented IP packet or first fragment of a fragmented packet. FO == 0.
Applicable IP Protocols/Direction: All IP/Ingress only

Match Condition: protocol <number>
Description: IP protocol field. For IPv6 (b), this matches the Next Header field in the packet. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): egp(8), esp(5), gre(47), icmp(1), igmp(2), ipip(4), ipv6(41), ospf(89), pim(102), rsvp(46), tcp(6), or udp(17).
Applicable IP Protocols/Direction: All IP/Ingress and Egress

Match Condition: vlan-id <number>
Description: Matches the VLAN tag number, that is, the VLAN ID given to a VLAN when it is created. An ACL rule using this condition can only be applied to ports or to any, not to VLANs.
Applicable IP Protocols/Direction: All IP/Ingress

a. See the section Fragmented packet handling on page 311 for details.
b. See the section IPv6 Traffic with L4 Match Conditions on page 311 for details about specifying a protocol/port match with IPv6.

Note: Directed ARP response packets cannot be blocked with ACLs from reaching the CPU and being learned.

Table 32. ACL Match Condition Data Types

Condition Data Type: prefix
Description: IP source and destination address prefixes. To specify the address prefix, use the notation prefix/prefix-length. For a host address, prefix-length should be set to 32.

Condition Data Type: number
Description: Numeric value, such as a TCP or UDP source or destination port number, or an IP protocol number.

Along with the data types described in Table 32, you can use the operators <, <=, >, and >= to specify match conditions. For example, the match condition source-port > 190 will match packets with a source port greater than 190. Be sure to use a space before and after an operator.
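The following Python evaluator is an added example, not code from the manual or from NETGEAR. It models the matching semantics described in Tables 31 and 32 (numeric comparison operators that must be surrounded by spaces, the protocol and IP-TOS text synonyms, prefix/prefix-length addresses, and the fragments / first-fragments distinction based on the Fragment Offset) so that a rule can be checked against a sample packet before it is deployed. The packet is represented as a plain dictionary whose keys, and the field names source-address and destination-address, are assumptions made here for illustration; a bare "field value" condition is treated as equality, and a port condition evaluated against a non-first fragment (no L4 header) is treated as no match, as the "no L4 rules" column entry implies.

```python
"""Evaluator for ACL match conditions of the kind listed in Tables 31 and 32.

Constructed example: it models the semantics the tables describe and is not
the switch's own policy parser. The packet dictionary layout is an assumption.
"""
import ipaddress
import operator

# Text synonyms listed in Table 31 (numeric values given there in parentheses).
PROTOCOL_SYNONYMS = {"egp": 8, "esp": 5, "gre": 47, "icmp": 1, "igmp": 2,
                     "ipip": 4, "ipv6": 41, "ospf": 89, "pim": 102,
                     "rsvp": 46, "tcp": 6, "udp": 17}
TOS_SYNONYMS = {"minimize-delay": 0x10, "maximize-reliability": 0x04,
                "minimize-cost": 0x02, "normal-service": 0x00}

# Operators allowed on numeric fields; "field value" with no operator is equality.
OPERATORS = {"==": operator.eq, "<": operator.lt, "<=": operator.le,
             ">": operator.gt, ">=": operator.ge}

PREFIX_FIELDS = {"source-address", "destination-address"}   # assumed field names
FLAG_FIELDS = {"fragments", "first-fragments"}              # take no value
NUMERIC_FIELDS = {"source-port", "destination-port", "protocol", "ip-tos",
                  "vlan-id", "snap-type"}


def parse_value(field, raw):
    """Turn the textual value of a condition into a number or a network."""
    if field == "protocol" and raw in PROTOCOL_SYNONYMS:
        return PROTOCOL_SYNONYMS[raw]
    if field == "ip-tos" and raw in TOS_SYNONYMS:
        return TOS_SYNONYMS[raw]
    if field in PREFIX_FIELDS:
        # prefix/prefix-length; a host address uses prefix-length 32
        return ipaddress.ip_network(raw, strict=False)
    return int(raw, 0)  # base 0 accepts decimal ("47") and hexadecimal ("0x2f")


def parse_condition(text):
    """Parse 'field', 'field value' or 'field OP value' into (field, op, value)."""
    tokens = text.split()
    if len(tokens) == 1 and tokens[0].lower() in FLAG_FIELDS:
        return tokens[0].lower(), None, None
    if len(tokens) == 2:
        field, raw = tokens[0].lower(), tokens[1]
        op = None if field in PREFIX_FIELDS else "=="
    elif len(tokens) == 3 and tokens[1] in OPERATORS:
        field, op, raw = tokens[0].lower(), tokens[1], tokens[2]
        if field not in NUMERIC_FIELDS:
            raise ValueError(f"operator {op} is only valid on numeric fields: {text!r}")
    else:
        # "source-port>190" lands here: the operator needs a space on each side
        raise ValueError(f"cannot parse match condition: {text!r}")
    if field not in NUMERIC_FIELDS | PREFIX_FIELDS:
        raise ValueError(f"unknown match condition field: {field!r}")
    return field, op, parse_value(field, raw)


def condition_matches(text, packet):
    """Evaluate one match condition against a packet dictionary."""
    field, op, value = parse_condition(text)
    offset = packet.get("fragment-offset", 0)
    if field == "fragments":          # FO > 0
        return offset > 0
    if field == "first-fragments":    # FO == 0: unfragmented or first fragment
        return offset == 0
    if field in PREFIX_FIELDS:
        addr = packet.get(field)
        return addr is not None and ipaddress.ip_address(addr) in value
    if field not in packet:
        # e.g. a port rule against a non-first fragment, which has no L4 header
        return False
    return OPERATORS[op](packet[field], value)


def rule_matches(conditions, packet):
    """A rule matches when every one of its conditions matches."""
    return all(condition_matches(c, packet) for c in conditions)


if __name__ == "__main__":
    # Constructed sample packet: UDP/53 from 10.1.2.77, unfragmented.
    pkt = {"source-address": "10.1.2.77", "protocol": 17,
           "source-port": 4242, "destination-port": 53, "fragment-offset": 0}
    rule = ["source-address 10.1.2.0/24", "protocol udp",
            "source-port > 190", "first-fragments"]
    print("rule matches:", rule_matches(rule, pkt))
    try:
        parse_condition("source-port>190")
    except ValueError as exc:
        print("rejected:", exc)
```

The evaluator is deliberately strict about the operator spacing called out in the text: "source-port>190" is rejected rather than silently parsed, so a typo in a rule surfaces during review rather than as a rule that never matches.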