...
Note |
---|
ACL rules are checked for each received packet until a match has been found. If there are multiple rules that can match, then only the first rule will be triggered. A rule without any action parameters is a rule to accept the packet. |
Note |
---|
It is not required to set |
Note |
---|
When switch ACL rules are modified (e.g. added, removed, disabled, enabled, or moved), the existing switch rules will be inactive for a short time. This can cause some packet leakage during the ACL rule modifications. |
...
Property | Description |
---|---|
copy-to-cpu (no | yes; Default: no) | Clones the matching packet and sends it to the CPU. |
disabled (yes | no; Default: no) | Enables or disables ACL entry. |
dscp (0..63) | Matching the DSCP field of the packet (only applies to IPv4 packets). |
dst-address (IP address/Mask) | Matching destination IP IPv4 address and mask, also matches the destination IP in ARP packets. |
dst-address6 (IPv6 address/Mask) | Matching destination IPv6 address and mask, also matches source IP in ARP packets. |
dst-mac-address (MAC address/Mask) | Matching destination MAC address and mask. |
dst-port (0..65535) | Matching destination protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified). |
flow-label (0..1048575) | Matching IPv6 flow label. |
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff) | Matching particular MAC protocol specified by protocol name or number |
mirror (no | yes) | Clones the matching packet and sends it to the mirror-target port. |
new-dst-ports (ports) | Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple "new-dst-ports" are not supported. |
new-vlan-id (0..4095) | Changes the VLAN ID to the specified value. Requires vlan-filtering=yes . |
new-vlan-priority (0..7) | Changes the VLAN priority (priority code point). Requires vlan-filtering=yes . |
ports (ports) | Matching ports on which will the rule apply on received traffic. |
protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255) | Matching particular IP protocol specified by protocol name or number. Only applies to IPv4 packets if mac-protocol is not specified. To match certain IPv6 protocols, use the mac-protocol=ipv6 setting. |
rate (0..4294967295) | Sets ingress traffic limitation (bits per second) for matched traffic. |
redirect-to-cpu (no | yes) | Changes the destination port of a matching packet to the CPU. |
src-address (IP address/Mask) | Matching source IP IPv4 address and mask, also matches the source IP in ARP packets. |
src-address6 (IPv6 address/Mask) | Matching source IPv6 address and mask. |
src-mac-address (MAC address/Mask) | Matching source MAC address and mask. |
src-port (0..65535) | Matching source protocol port number (applies to IPv4 and IPv6 packets if mac-protocol is not specified). |
switch (switch group) | Matching switch group on which will the rule apply. |
traffic-class (0..255) | Matching IPv6 traffic class. |
vlan-id (0..4095) | Matching VLAN ID. Requires vlan-filtering=yes . |
vlan-header (not-present | present) | Matching VLAN header, whether the VLAN header is present or not. Requires vlan-filtering=yes . |
vlan-priority (0..7) | Matching VLAN priority (priority code point). |
...