API Guide

IP_TYPE: IP type; for example, IPv4 or IPv6
IP_PROTOCOL: TCP, UDP, and so on
L4_DST_PORT: Destination port
MAC qualifiers:
OUT_PORT: Egress CPU port
SRC_MAC: Source MAC address
DST_MAC: Destination MAC address
ETHER_TYPE: Ethertype
OUTER_VLAN_ID: VLAN ID
IP_TYPE: IP type
OUTER_VLAN_PRI: DOT1P value
IP fragment handling
OS10 supports a configurable option to explicitly deny IP-fragmented packets, particularly the second and subsequent
fragments. This option extends the existing ACL command syntax with the fragments keyword for all L3 rules:
Second and subsequent fragments are allowed because you cannot apply an L3 rule to these fragments. If the packet is
eventually denied, the first fragment must be denied and the packet as a whole cannot be reassembled.
The system applies an implicit permit for second and subsequent fragments before the implicit deny.
If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.
IP fragments ACL
When a packet exceeds the maximum packet size, the packet is fragmented into a number of smaller packets that contain
portions of the contents of the original packet. This packet flow begins with an initial packet that contains all of the L3 and
Layer 4 (L4) header information contained in the original packet, and is followed by a number of packets that contain only the L3
header information.
This packet flow contains all of the information from the original packet, distributed across packets that are small enough to
stay under the maximum packet size. This poses a particular problem for ACL processing.
If the ACL filters based on L4 information, the non-initial packets within the fragmented packet flow do not match the L4
information, even if the original packet would have matched the filter. Because of this, the non-initial fragments are not
processed by the ACL rule.
The examples show denying second and subsequent fragments, and permitting all packets on an interface. The first ACL denies all
second and subsequent fragments with destination IP 10.1.1.1, but permits the first fragment and non-fragmented packets with
destination IP 10.1.1.1. The second example shows an ACL that permits all packets, both fragmented and non-fragmented,
with destination IP 10.1.1.1.
Deny second and subsequent fragments
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
Permit all packets on interface
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
L3 ACL rules
Use ACL commands for L3 packet filtering. TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are
permitted, and all others are denied.
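The following is an added example, not part of the OS10 guide, that models how the fragment rules described above are evaluated: a rule with the fragments keyword matches only second and subsequent fragments, a rule with an L4 qualifier cannot match a non-initial fragment because it carries no L4 header, and unmatched non-initial fragments hit the implicit permit before the implicit deny. The "eq <port>" qualifier syntax and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    frag_offset: int             # 0 for the initial fragment or an unfragmented packet
    dport: Optional[int] = None  # L4 header is present only when frag_offset == 0
@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # "any" or a prefix such as 10.1.1.1/32
    dst: str
    fragments: bool              # rule line ends with the fragments keyword
    dport: Optional[int] = None  # set by an "eq <port>" qualifier (syntax assumed here)

def parse_rule(line: str) -> Rule:
    toks = line.split()          # e.g. "deny ip any 10.1.1.1/32 fragments"
    fragments = toks[-1] == "fragments"
    if fragments:
        toks = toks[:-1]
    action, _proto, src, dst = toks[:4]
    dport = int(toks[5]) if len(toks) >= 6 and toks[4] == "eq" else None
    return Rule(action, src, dst, fragments, dport)

def in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix)

def matches(rule: Rule, pkt: Packet) -> bool:
    if not (in_prefix(pkt.src, rule.src) and in_prefix(pkt.dst, rule.dst)):
        return False
    if rule.fragments:           # matches only second and subsequent fragments
        return pkt.frag_offset > 0
    if rule.dport is not None:   # L4 qualifier: a non-initial fragment carries no L4 header
        return pkt.frag_offset == 0 and pkt.dport == rule.dport
    return True                  # a pure L3 rule matches every fragment

def evaluate(acl: list, pkt: Packet) -> str:
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    # implicit permit for second and subsequent fragments precedes the implicit deny
    return "permit" if pkt.frag_offset > 0 else "deny"

# Constructed sample: unfragmented packet, initial fragment with L4 header, non-initial fragment
SAMPLE = [Packet("192.0.2.7", "10.1.1.1", 0, 24), Packet("192.0.2.7", "10.1.1.1", 0, 80),
          Packet("192.0.2.7", "10.1.1.1", 185)]
DENY_FRAGS = ["deny ip any 10.1.1.1/32 fragments", "permit ip any 10.1.1.1/32"]
PERMIT_ALL = ["permit ip any 10.1.1.1/32", "deny ip any 10.1.1.1/32 fragments"]
```

Running the two ACLs from the guide over SAMPLE gives permit, permit, deny for DENY_FRAGS and permit for all three packets under PERMIT_ALL, because the first rule of PERMIT_ALL is a pure L3 rule that already matches every fragment.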
Access Control Lists