Owner's Manual

312 | Chapter 13. ACLs
NETGEAR 8800 User Manual
Policy file syntax checker
The following rules are used to evaluate fragmented packets, and rules that use the fragments or first-fragments keywords.
With no keyword specified, processing proceeds as follows:
An L3-only rule that does not contain the first-fragments keyword matches any IP packet, fragmented or not.
An L4 rule that does not contain the first-fragments keyword matches only non-fragmented packets or initial fragments (fragment offset zero), because only those carry the Layer-4 header the rule needs to inspect.
With the first-fragments keyword specified:
An L3-only rule with the first-fragments keyword matches non-fragmented packets or initial fragments.
An L4 rule with the first-fragments keyword matches non-fragmented packets or initial fragments.
The consequence for a deny policy is worth checking explicitly: an L4 deny entry never sees non-initial fragments, so they fall through to whatever entries follow. To block every piece of a fragmented flow, pair the L4 entry with an L3-only entry that uses the fragments keyword.
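The following model of the four evaluation rules above is an added illustration, not NETGEAR or switch code. It assumes first-match evaluation, an implicit permit when no entry matches, and that the fragments keyword selects non-initial fragments (non-zero fragment offset); the page names that keyword without defining it. The SSH packets and both policies are constructed for the example. It shows the evasion case from the last paragraph and the L3 fragments entry that closes it.

```python
"""Fragment-aware ACL matching, modelled on the manual's four evaluation rules.

Added example, not switch firmware. Assumptions not stated on the page:
first-match evaluation, implicit permit, and `fragments` == non-initial fragment.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the IPv4 fields needed for fragment classification and L4 matching."""
    protocol: int                    # 6 = TCP, 17 = UDP
    frag_offset: int                 # IPv4 Fragment Offset field (8-byte units)
    more_fragments: bool             # IPv4 MF flag
    dst_port: Optional[int] = None   # None when the packet carries no L4 header

    @property
    def offset_zero(self) -> bool:
        # Non-fragmented packet or initial fragment: the L4 header is present.
        return self.frag_offset == 0

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset != 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    protocol: Optional[int] = None    # L3 condition
    dst_port: Optional[int] = None    # L4 condition; its presence makes this an L4 rule
    first_fragments: bool = False     # the first-fragments keyword
    fragments: bool = False           # the fragments keyword (assumed semantics, see above)

    @property
    def is_l4(self) -> bool:
        return self.dst_port is not None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Apply the manual's fragment gate first, then the ordinary field comparisons."""
    if rule.fragments:
        # Assumption: `fragments` selects only non-initial fragments.
        if not pkt.non_initial_fragment:
            return False
    elif rule.first_fragments or rule.is_l4:
        # first-fragments keyword, or any L4 rule: non-fragmented or initial fragment only.
        if not pkt.offset_zero:
            return False
    # else: an L3-only rule with no keyword matches any IP packet, fragments included.

    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.is_l4 and pkt.dst_port != rule.dst_port:
        return False
    return True


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to permit (assumed default)."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit"


# Constructed sample traffic: one SSH (TCP/22) datagram, whole and split into fragments.
SSH_WHOLE = Packet(protocol=6, frag_offset=0, more_fragments=False, dst_port=22)
SSH_FIRST_FRAG = Packet(protocol=6, frag_offset=0, more_fragments=True, dst_port=22)
SSH_LATER_FRAG = Packet(protocol=6, frag_offset=185, more_fragments=False)  # no L4 header
SAMPLES = (SSH_WHOLE, SSH_FIRST_FRAG, SSH_LATER_FRAG)

# Constructed policies: the L4-only deny, and the same deny backed by an L3 fragments entry.
L4_ONLY = [Rule("block_ssh", "deny", protocol=6, dst_port=22)]
WITH_FRAGMENT_RULE = [
    Rule("block_ssh", "deny", protocol=6, dst_port=22),
    # L3-only entry with `fragments`: catches the pieces the L4 entry can never see.
    Rule("block_tcp_frags", "deny", protocol=6, fragments=True),
]


def evasion_demo() -> dict:
    """Verdicts for each sample under both policies, in the order of SAMPLES."""
    return {
        "l4_only": [evaluate(L4_ONLY, p) for p in SAMPLES],
        "with_fragment_rule": [evaluate(WITH_FRAGMENT_RULE, p) for p in SAMPLES],
    }


if __name__ == "__main__":
    for name, verdicts in evasion_demo().items():
        print(name, verdicts)
```

Under the L4-only policy the non-initial fragment is permitted even though the flow is supposed to be denied; adding the L3 fragments entry denies it. The cost of that second entry is that it also drops non-initial fragments of every other TCP flow to the same target, which is usually the intended trade-off for a deny list.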
Layer-2 Protocol Tunneling ACLs
Three ACL match conditions and one ACL action interoperate with vendor-proprietary Layer-2 protocol tunneling.
The following fields can be matched within 802.3 LLC-formatted packets and within Subnetwork Access Protocol (SNAP) formatted packets:
Destination service access point (DSAP)
Source service access point (SSAP)
The following field can be matched within SNAP packets only:
SNAP type
The following ACL action is available on the supported platforms:
Replacement of the Ethernet MAC destination address
This action replaces the destination MAC address of any matching Layer-2 forwarded packet. It can be used to tunnel protocol packets, such as STP BPDUs, across a network: at tunnel ingress the well-known protocol MAC address is replaced with a different proprietary or otherwise unique MAC address, so intermediate switches forward the frames as ordinary data instead of consuming them. At tunnel egress, a second rule matching the substitute address restores the well-known MAC destination address.
Note: The “replace-ethernet-destination-address” action applies only to Layer-2 forwarded packets. Packets that the switch routes, or that it terminates itself, are not rewritten.
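An added example of the ingress and egress rewrite described above, written as a small frame parser rather than switch code: it extracts the DSAP, SSAP and SNAP type fields the ACL can match on, applies a rule with the replace action, and shows that a rule applied to a non-Layer-2-forwarded packet leaves it untouched. The STP bridge group address and the LLC/SNAP layout are standard; the tunnel MAC, the rule class and the frames are constructed for the example.

```python
"""802.3 LLC/SNAP field extraction and destination-MAC replacement for L2 tunneling.

Added example, not NETGEAR code. TUNNEL_MAC is an assumed placeholder for the
"proprietary or otherwise unique" address the manual mentions.
"""
from dataclasses import dataclass
from typing import Optional

STP_MAC = bytes.fromhex("0180c2000000")     # well-known IEEE 802.1D bridge group address
TUNNEL_MAC = bytes.fromhex("0300000000ab")  # assumed placeholder tunnel address
SNAP_SAP = 0xAA                             # DSAP/SSAP value that announces a SNAP header


@dataclass(frozen=True)
class L2Fields:
    dst: bytes
    src: bytes
    dsap: int
    ssap: int
    snap_type: Optional[int]  # only present for SNAP-encapsulated frames


def parse_8023(frame: bytes) -> L2Fields:
    """Extract the matchable fields from an untagged 802.3 frame with an LLC header."""
    if len(frame) < 17:
        raise ValueError("frame too short for 802.3 + LLC header")
    length = int.from_bytes(frame[12:14], "big")
    if length > 1500:
        raise ValueError("EtherType frame (Ethernet II), not 802.3/LLC")
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    snap_type = None
    if dsap == SNAP_SAP and ssap == SNAP_SAP and ctrl == 0x03:
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        snap_type = int.from_bytes(frame[20:22], "big")  # 3-byte OUI at 17:20, then 2-byte type
    return L2Fields(frame[0:6], frame[6:12], dsap, ssap, snap_type)


@dataclass(frozen=True)
class L2Rule:
    """Constructed rule shape: any field left as None is a wildcard."""
    ethernet_destination: Optional[bytes] = None
    dsap: Optional[int] = None
    ssap: Optional[int] = None
    snap_type: Optional[int] = None
    replace_ethernet_destination_address: Optional[bytes] = None

    def matches(self, f: L2Fields) -> bool:
        return all(want is None or want == have for want, have in (
            (self.ethernet_destination, f.dst), (self.dsap, f.dsap),
            (self.ssap, f.ssap), (self.snap_type, f.snap_type)))


def apply_l2_rule(rule: L2Rule, frame: bytes, l2_forwarded: bool = True) -> bytes:
    """Return the frame as it leaves the switch. Per the manual's note, the replace
    action only takes effect on Layer-2 forwarded packets."""
    if not l2_forwarded or rule.replace_ethernet_destination_address is None:
        return frame
    if not rule.matches(parse_8023(frame)):
        return frame
    return rule.replace_ethernet_destination_address + frame[6:]


# Constructed STP configuration BPDU: LLC 42/42/03 followed by a 35-byte all-zero BPDU body.
_BPDU_BODY = bytes(35)
_LLC_STP = bytes.fromhex("424203")
STP_FRAME = STP_MAC + bytes.fromhex("020000000001") + len(_LLC_STP + _BPDU_BODY).to_bytes(2, "big") \
    + _LLC_STP + _BPDU_BODY

# Constructed SNAP frame: LLC AA/AA/03, OUI 00:00:0c, type 0x2000, short payload.
_SNAP_HDR = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + (0x2000).to_bytes(2, "big")
SNAP_FRAME = bytes.fromhex("0100000000cc") + bytes.fromhex("020000000002") \
    + len(_SNAP_HDR + bytes(40)).to_bytes(2, "big") + _SNAP_HDR + bytes(40)

# Ingress: hide the BPDU from intermediate switches. Egress: restore it.
INGRESS = L2Rule(ethernet_destination=STP_MAC, dsap=0x42, ssap=0x42,
                 replace_ethernet_destination_address=TUNNEL_MAC)
EGRESS = L2Rule(ethernet_destination=TUNNEL_MAC, dsap=0x42, ssap=0x42,
                replace_ethernet_destination_address=STP_MAC)


def tunnel_round_trip(frame: bytes = STP_FRAME) -> tuple:
    """(frame after ingress rewrite, frame after egress rewrite)."""
    inside = apply_l2_rule(INGRESS, frame)
    return inside, apply_l2_rule(EGRESS, inside)


if __name__ == "__main__":
    inside, restored = tunnel_round_trip()
    print("in tunnel dst:", inside[:6].hex(":"), " restored dst:", restored[:6].hex(":"))
    print("SNAP type:", hex(parse_8023(SNAP_FRAME).snap_type))
```

Only the first six bytes change on each hop; the LLC header and BPDU body cross the tunnel untouched, which is what lets the egress rule still match on DSAP/SSAP 0x42 to identify the frame as STP before restoring the address.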