Reference Guide
To configure control-plane ACLs, use the existing ACL template and create the appropriate rules to permit or deny traffic as needed, similar
to creating an access list for VTY ACLs. However, when you apply this control-plane ACL, you must apply it in CONTROL-PLANE mode
instead of VTY mode. For example:
OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
where acl_name is the name of the control-plane ACL (a maximum of 140 characters).
NOTE: Apply control-plane ACLs on ingress traffic only.
Control-plane ACL qualifiers
This section lists the control-plane ACL rule qualifiers.
• IPv4 qualifiers:
– DST_IP—Destination IP address
– SRC_IP—Source IP address
– IP_TYPE—IP type
– IP_PROTOCOL—Protocols such as TCP, UDP, and so on
– L4_DST_PORT—Destination port number
NOTE: The destination port number qualifier supports only the eq option. Port range is not supported.
• IPv6 qualifiers:
– DST_IPv6—Destination address
– SRC_IPv6—Source address
– IP_TYPE—IP Type; for example, IPv4 or IPv6
– IP_PROTOCOL—TCP, UDP, and so on
– L4_DST_PORT—Destination port
NOTE: The destination port number qualifier supports only the eq option. Port range is not supported.
• MAC qualifiers:
– OUT_PORT—Egress CPU port
– SRC_MAC—Source MAC address
– DST_MAC—Destination MAC address
– ETHER_TYPE—Ethertype
– OUTER_VLAN_ID—VLAN ID
– IP_TYPE—IP type
– OUTER_VLAN_PRI—DOT1P value
IP fragment handling
OS10 supports a configurable option to explicitly deny IP fragmented packets, particularly for the second and subsequent packets. This
option extends the existing ACL command syntax with the fragments keyword for all Layer 3 (L3) rules:
• Second and subsequent fragments are allowed because you cannot apply an L3 rule to these fragments (they carry no L4 header). If the packet is to be denied
eventually, the first fragment must be denied, and then the packet as a whole cannot be reassembled.
• The system applies an implicit permit for the second and subsequent fragments prior to the implicit deny.
• If you configure an explicit deny with the fragments keyword, the second and subsequent fragments do not hit the implicit permit rule for fragments.
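The following CLI session, added here as an illustration rather than taken from the guide, ties the two procedures above together: an IPv4 control-plane ACL that permits only SSH to the switch, explicitly denies non-initial fragments so they do not fall through to the implicit fragment permit, and is then applied in CONTROL-PLANE mode. The ACL name cp-mgmt, the ACL sub-mode prompt and the sequence numbers are assumed for the example; only the eq port match is used because port ranges are not supported on the destination-port qualifier.

```text
OS10# configure terminal
OS10(config)# ip access-list cp-mgmt
! Only SSH from the management subnet may reach the CPU (example subnet, constructed)
OS10(config-ipv4-acl)# seq 10 permit tcp 192.0.2.0/24 any eq 22
! Explicit deny with the fragments keyword: second and subsequent fragments
! now match this rule instead of the implicit fragment permit
OS10(config-ipv4-acl)# seq 20 deny ip any any fragments
! Everything else falls to the implicit deny at the end of the ACL
OS10(config-ipv4-acl)# exit
! Apply in CONTROL-PLANE mode, ingress only, not under line vty
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group cp-mgmt in
OS10(config-control-plane)# end
```

Without seq 20, a non-initial fragment addressed to the switch would be permitted by the implicit fragment rule even though seq 10 never matches it, which is the behaviour the bullets above describe.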
Access Control Lists