1.1.6 Access list
To perform flow detection for the filter, set access lists in the configuration. The access list you need to set depends on the flow detection condition. The type of detectable frames also depends on the flow detection condition. The following table describes the relationship between the access lists for flow detection conditions and detectable frame types.
Configurable flow detection conditions | Access lists | Receiving-side flow detection mode | Sender flow detection mode | Detectable frame type: Non-IP | Detectable frame type: IPv4 | Detectable frame type: IPv6 |
---|---|---|---|---|---|---|
MAC conditions | mac access-list | layer3-1, layer3-mirror-1, layer3-mirror-3, layer3-mirror-5, layer3-suppress-1, layer3-suppress-mirror-1, custom | layer3-2-out | OK | OK | OK |
IPv4 conditions | access-list, ip access-list | layer3-1, layer3-2, layer3-6, layer3-dhcp-1, layer3-mirror-1, layer3-mirror-2, layer3-mirror-3, layer3-mirror-4, layer3-mirror-5, layer3-suppress-1, layer3-suppress-2, layer3-suppress-dhcp-1, layer3-suppress-mirror-1, layer3-suppress-mirror-2, custom | layer3-1-out, layer3-2-out | - | OK | - |
IPv6 conditions | ipv6 access-list | layer3-6, layer3-mirror-3, layer3-mirror-4, layer3-mirror-5, layer3-suppress-2, layer3-suppress-mirror-2, custom | layer3-2-out | - | - | OK |

(Legend) OK: Can be detected; -: Cannot be detected
The order in which filter entries are applied is determined by the sequence number specified as a parameter of an access list.
(1) Operation When Multiple Flow Detection Conditions are Set Simultaneously
If multiple flow detection conditions are set and filtering is performed for the incoming and outgoing frames of an interface, frames are detected in the order shown in the table below. A frame is not matched against multiple filter entries.
Flow detection order | Access lists | Interface |
---|---|---|
1 | mac access-list | Ethernet |
2 | mac access-list | VLAN |
3 | access-list, ip access-list | Ethernet |
4 | access-list, ip access-list | VLAN |
5 | ipv6 access-list | Ethernet |
6 | ipv6 access-list | VLAN |
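
The detection order above, combined with sequence-number ordering and the detectable frame types from the first table, can be modeled as follows. This is an added example, not code from the switch or its documentation: the frame dictionaries, the entry tuples and the `first_match` helper are hypothetical, and it assumes a flow detection mode in which all of the access list types shown are configured. This section does not say what happens to a frame that matches no entry, so the model returns `None` for that case.

```python
# Added example: a model of the documented order, not the switch's own code.
# Flow detection order from the table: (access list type, interface type).
DETECTION_ORDER = [
    ("mac", "ethernet"), ("mac", "vlan"),
    ("ipv4", "ethernet"), ("ipv4", "vlan"),
    ("ipv6", "ethernet"), ("ipv6", "vlan"),
]
# Frame types each access list type can detect (first table of this section).
DETECTABLE = {
    "mac": {"non-ip", "ipv4", "ipv6"},
    "ipv4": {"ipv4"},
    "ipv6": {"ipv6"},
}

def first_match(frame, access_lists):
    """Return (list type, interface, sequence number, action) of the single
    entry that detects the frame, or None when no entry matches.

    access_lists maps (list type, interface type) to a list of
    (sequence number, action, predicate) entries (hypothetical layout).
    """
    for acl_type, iface in DETECTION_ORDER:
        if frame["type"] not in DETECTABLE[acl_type]:
            continue  # e.g. an IPv4 condition never sees a non-IP frame
        entries = access_lists.get((acl_type, iface), [])
        # Entries apply in sequence-number order, not in the order entered.
        for seq, action, matches in sorted(entries, key=lambda e: e[0]):
            if matches(frame):
                return (acl_type, iface, seq, action)  # no further matching
    return None

# Constructed sample configuration (MAC addresses from the documentation range).
ACLS = {
    ("mac", "ethernet"): [
        (10, "permit", lambda f: f["src_mac"] == "00:00:5e:00:53:01"),
    ],
    ("ipv4", "vlan"): [
        (20, "permit", lambda f: True),
        (10, "deny", lambda f: f.get("dst_port") == 23),
    ],
}
# Constructed sample frames.
TELNET_TRUSTED = {"type": "ipv4", "src_mac": "00:00:5e:00:53:01", "dst_port": 23}
TELNET_OTHER = {"type": "ipv4", "src_mac": "00:00:5e:00:53:02", "dst_port": 23}
ARP_OTHER = {"type": "non-ip", "src_mac": "00:00:5e:00:53:02"}

if __name__ == "__main__":
    for name, frame in [("telnet/trusted", TELNET_TRUSTED),
                        ("telnet/other", TELNET_OTHER), ("arp/other", ARP_OTHER)]:
        print(name, "->", first_match(frame, ACLS))
```

The first sample frame shows the consequence for rule design: the permit in the MAC access list on the Ethernet interface is detected first, so the IPv4 deny entry on the VLAN interface is never evaluated for that frame.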
(2) Frames that cannot be discarded
The following frames on the receiving-side interface cannot be discarded regardless of whether filtering is enabled.
- The following frames received by the Switch:
  - Incoming frames for which the learned source MAC addresses are determined to have been moved
- Of the frames received by the Switch by Layer 3 forwarding, the following packets and frames:
  - IPv4 and IPv6 packets exceeding the MTU
  - Frames whose TTL is set to 1
  - Frames whose hop limit is set to 1
  - Frames with an IP option
  - Frames with an IPv6 extension header
  - IPv4 or IPv6 packets with an unknown receiver address