Connectivity Guide
To configure control-plane ACLs, use the existing ACL template and create the appropriate rules to permit or deny traffic as needed, similar
to creating an access list for VTY ACLs. However, when you apply this control-plane ACL, you must apply it in CONTROL-PLANE mode
instead of VTY mode. For example:
OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
where acl_name is the name of the control-plane ACL, a maximum of 140 characters.
NOTE: Apply control-plane ACLs on ingress traffic only.
Control-plane ACL qualifiers
This section lists the supported control-plane ACL rule qualifiers.
NOTE: OS10 supports only the qualifiers listed below. Ensure that you use only these qualifiers in ACL rules.
• IPv4 qualifiers:
– DST_IP—Destination IP address
– SRC_IP—Source IP address
– IP_TYPE—IP type
– IP_PROTOCOL—Protocols such as TCP, UDP, and so on
– L4_DST_PORT—Destination port number
• IPv6 qualifiers:
– DST_IPv6—Destination address
– SRC_IPv6—Source address
– IP_TYPE—IP Type; for example, IPv4 or IPv6
– IP_PROTOCOL—TCP, UDP, and so on
– L4_DST_PORT—Destination port
• MAC qualifiers:
– OUT_PORT—Egress CPU port
– SRC_MAC—Source MAC address
– DST_MAC—Destination MAC address
– ETHER_TYPE—Ethertype
– OUTER_VLAN_ID—VLAN ID
– IP_TYPE—IP type
– OUTER_VLAN_PRI—DOT1P value
IP fragment handling
OS10 supports a configurable option to explicitly deny IP-fragmented packets, particularly the second and subsequent fragments. This
option extends the existing ACL command syntax with the fragments keyword for all L3 rules:
• Second and subsequent fragments are allowed because you cannot apply an L3 rule to these fragments. If the packet is denied
eventually, the first fragment must be denied and the packet as a whole cannot be reassembled.
• The system applies an implicit permit for the second and subsequent fragments before the implicit deny.
• If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.
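The following is an added example, not a configuration from this guide: it combines the control-plane ACL application above with the fragments keyword, permitting SSH to the switch only from one management subnet and explicitly denying non-initial fragments so they do not fall through to the implicit permit for fragments. The ACL name, subnet, sequence numbers and ACL-mode prompt are constructed values following OS10 conventions.

```text
! Constructed example (not from the OS10 guide): ACL name, subnet and
! sequence numbers are assumed values.
OS10# configure terminal
! Create the ACL using the existing IPv4 ACL template. Only control-plane
! qualifiers are used here: SRC_IP, DST_IP, IP_PROTOCOL and L4_DST_PORT.
OS10(config)# ip access-list cp-mgmt-in
OS10(config-ipv4-acl)# seq 10 permit tcp 10.10.0.0/24 any eq 22
! Explicit deny with the fragments keyword: second and subsequent fragments
! now hit this rule instead of the implicit permit for fragments.
OS10(config-ipv4-acl)# seq 20 deny ip any any fragments
OS10(config-ipv4-acl)# exit
! Apply the ACL in CONTROL-PLANE mode (not VTY mode), ingress only.
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group cp-mgmt-in in
```

Without seq 20, non-initial fragments sent to the control plane would be allowed by the implicit permit for fragments that precedes the implicit deny; verify the applied ACL with the show commands for access lists and control-plane in your OS10 release.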