...
| Note |
|---|
ACL rules are checked for each received packet until a match has been found. If there are multiple rules that can match, then only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet. |
| Note |
|---|
It is not required to set |
| Note |
|---|
When switch ACL rules are modified (e.g. added, removed, disabled, enabled, or moved), the existing switch rules will be inactive for a short time. This can cause some packet leakage during the ACL rule modifications. |
...
| Property | Description |
|---|---|
| copy-to-cpu (no | yes; Default: no) | Clones the matching packet and sends it to the CPU. |
| disabled (yes | no; Default: no) | Enables or disables ACL entry. |
| dscp (0..63) | Matching the DSCP field of the packet (only applies to IPv4 packets). |
| dst-address (IP address/Mask) | Matching destination IP IPv4 address and mask, also matches the destination IP in ARP packets. |
| dst-address6 (IPv6 address/Mask) | Matching destination IPv6 address and mask, also matches source IP in ARP packets. |
| dst-mac-address (MAC address/Mask) | Matching destination MAC address and mask. |
| dst-port (0..65535) | Matching destination protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified). |
| flow-label (0..1048575) | Matching IPv6 flow label. |
| mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) | Matching particular MAC protocol specified by protocol name or number |
| mirror (no | yes) | Clones the matching packet and sends it to the mirror-target port. |
| new-dst-ports (ports) | Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported. |
| new-vlan-id (0..4095) | Changes the VLAN ID to the specified value. Requires vlan-filtering=yes. |
| new-vlan-priority (0..7) | Changes the VLAN priority (priority code point). Requires vlan-filtering=yes. |
| ports (ports) | Matching ports on which will the rule apply on received traffic. |
| protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) | Matching particular IP protocol specified by protocol name or number. Only applies to IPv4 packets if mac-protocol is not specified. To match certain IPv6 protocols, use the mac-protocol=ipv6 setting. |
| rate (0..4294967295) | Sets ingress traffic limitation (bits per second) for matched traffic. |
| redirect-to-cpu (no | yes) | Changes the destination port of a matching packet to the CPU. |
| src-address (IP address/Mask) | Matching source IP IPv4 address and mask, also matches the source IP in ARP packets. |
| src-address6 (IPv6 address/Mask) | Matching source IPv6 address and mask. |
| src-mac-address (MAC address/Mask) | Matching source MAC address and mask. |
| src-port (0..65535) | Matching source protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified). |
| switch (switch group) | Matching switch group on which will the rule apply. |
| traffic-class (0..255) | Matching IPv6 traffic class. |
| vlan-id (0..4095) | Matching VLAN ID. Requires vlan-filtering=yes. |
| vlan-header (not-present | present) | Matching VLAN header, whether the VLAN header is present or not. Requires vlan-filtering=yes. |
| vlan-priority (0..7) | Matching VLAN priority (priority code point). |
...