Users Guide

Table Of Contents
Control-plane ACL qualifiers
This section lists the supported control-plane ACL rule qualifiers.
NOTE: OS10 supports only the qualifiers listed below. Ensure that you use only these qualifiers in ACL rules.
IPv4 qualifiers:
DST_IPDestination IP address
SRC_IPSource IP address
IP_TYPEIP type
IP_PROTOCOLProtocols such as TCP, UDP, and so on
L4_DST_PORTDestination port number
IPv6 qualifiers:
DST_IPv6Destination address
SRC_IPv6Source address
IP_TYPEIP Type; for example, IPv4 or IPv6
IP_PROTOCOLTCP, UDP, and so on
L4_DST_PORTDestination port
MAC qualifiers:
OUT_PORTEgress CPU port
SRC_MACSource MAC address
DST_MACDestination MAC address
ETHER_TYPEEthertype
OUTER_VLAN_IDVLAN ID
IP_TYPEIP type
OUTER_VLAN_PRIDOT1P value
IP fragment handling
OS10 supports a configurable option to explicitly deny IP-fragmented packets, particularly for the second and subsequent
packets. This option extends the existing ACL command syntax with the fragments keyword for all L3 rules:
Second and subsequent fragments are allowed because you cannot apply a L3 rule to these fragments. If the packet is
denied eventually, the first fragment must be denied and the packet as a whole cannot be reassembled.
The system applies implicit permit for the second and subsequent fragment before the implicit deny.
If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.
IP fragments ACL
When a packet exceeds the maximum packet size, the packet is fragmented into a number of smaller packets that contain
portions of the contents of the original packet. This packet flow begins with an initial packet that contains all of the L3 and
Layer 4 (L4) header information contained in the original packet, and is followed by a number of packets that contain only the L3
header information.
This packet flow contains all of the information from the original packet distributed through packets that are small enough to
avoid the maximum packet size limit. This provides a particular problem for ACL processing.
If the ACL filters based on L4 information, the non-initial packets within the fragmented packet flow will not match the L4
information, even if the original packet would have matched the filter. Because of this filtering, packets are not processed by
the ACL.
The examples show denying second and subsequent fragments, and permitting all packets on an interface. These ACLs deny all
second and subsequent fragments with destination IP 10.1.1.1, but permit the first fragment and non-fragmented packets with
destination IP 10.1.1.1. The second example shows ACLs which permits all packets both fragmented and non-fragmented
with destination IP 10.1.1.1.
Access Control Lists
1441