Ubiquiti EdgeSwitch ES-24-250W Administration Manual page 235

User interface for poe switches

EdgeSwitch
Administration Guide
Ubiquiti Networks, Inc.
Configuring Quality of Service

Access Control List Configuration Fields (Continued)

Field / Description

Service Type*
The service type to match in the IP header. The available options are alternate ways to specify a match condition for the same Service Type field in the IP header, but each service type uses a different user notation. After you select the service type, specify the value for the service type in the appropriate field. Only the field associated with the selected service type can be configured. The service types are:
    IP DSCP: Matches the packet IP DiffServ Code Point (DSCP) value to the rule. The DSCP value is defined as the high-order six bits of the Service Type octet in the IP header.
    IP Precedence: Matches the IP Precedence value to the rule. The IP Precedence field in a packet is defined as the high-order three bits of the Service Type octet in the IP header.
    IP TOS Bits: Matches on the Type of Service (TOS) bits in the IP header. The IP TOS field in a packet is defined as all eight bits of the Service Type octet in the IP header. For example, to check for an IP TOS value having bits 7 and 5 set and bit 1 clear, where bit 7 is most significant, use a TOS Bits value of 0xA0 and a TOS Mask of 0xFF.
        TOS Bits: Requires the bits in a packet's TOS field to match the two-digit hexadecimal number entered in this field.
        TOS Mask: The bit positions that are used for comparison against the IP TOS field in a packet.

Time Range Name
The name of the time range that will impose a time limit on the ACL rule. If a time range with the specified name does not exist, and the ACL containing this rule is associated with an interface, the ACL rule is applied immediately. If a time range with the specified name exists, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied when the time range with the specified name becomes active. The ACL rule is removed when the time range with the specified name becomes inactive.

Committed Rate / Burst Size
The allowed transmission rate for packets on the interface (Committed Rate), and the number of bytes allowed in a temporary traffic burst (Burst Rate).

Match Criteria (IPv6 ACLs): The fields in this section specify the criteria to use to determine whether an IP packet matches the rule. The fields described below apply to IPv6 ACLs.

Every
When this option is selected, all packets will match the rule and will be either permitted or denied. This option is exclusive of all other match criteria: if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be cleared.

Protocol
The IANA-assigned protocol number to match within the IP packet. You can also specify one of the following keywords: ICMP, IGMP, TCP, UDP, ICMPv6, or IP.

Fragments
IPv6 ACL rule to match on fragmented IP packets.

Source Prefix / Prefix Length
The IPv6 prefix combined with IPv6 prefix length of the network or host sending the packet.

Source L4 Port
The TCP/UDP source port to match in the packet header. Select one of the following options: Equal, Not Equal, Less Than, Greater Than, or Range, and specify the port number or keyword.
    TCP port keywords include BGP, Domain, Echo, FTP, FTP Data, HTTP, SMTP, Telnet, WWW, POP2, and POP3.
    UDP port keywords include Domain, Echo, NTP, RIP, SNMP, TFTP, TIME, and WHO.

Destination Prefix / Prefix Length
The IPv6 prefix combined with the IPv6 prefix length to be compared to a packet's destination IPv6 address as a match criterion for the IPv6 ACL rule. To indicate a destination host, specify an IPv6 prefix length of 128.

Destination L4 Port
The TCP/UDP destination port to match in the packet header. Select one of the following options: Equal, Not Equal, Less Than, Greater Than, or Range, and specify the port number or keyword.
    TCP port keywords include BGP, Domain, Echo, FTP, FTP Data, HTTP, SMTP, Telnet, WWW, POP2, and POP3.
    UDP port keywords include Domain, Echo, NTP, RIP, SNMP, TFTP, TIME, and WHO.

ICMP Type
IPv6 ACL rule to match on the specified ICMP message type. This option is available only if the protocol is ICMPv6.

ICMP Code
IPv6 ACL rule to match on the specified ICMP message code. This option is available only if the protocol is ICMPv6.

ICMP Message
IPv6 ACL rule to match on the ICMP message type and code. Specify one of the following supported ICMPv6 messages: Destination-Unreachable, Echo-Request, Echo-Reply, Header, Hop-Limit, MLD-Query, MLD-Reduction, MLD-Report, ND-NA, ND-NS, Next-Header, No-Admin, No-Route, Packet-Too-Big, Port-Unreachable, Router-Solicitation, Router-Advertisement, Router-Renumbering, Time-Exceeded, and Unreachable. This option is available only if the protocol is ICMPv6.

TCP Flags
IPv6 ACL rule to match on the TCP flags. When a + flag is specified, a match occurs if the flag is set in the TCP header. When a - flag is specified, a match occurs if the flag is not set in the TCP header. When Established is specified, a match occurs if either RST or ACK bits are set in the TCP header. This option is available only if the protocol is TCP.

Flow Label
A 20-bit number that is unique to an IPv6 packet, used by end stations to signify quality-of-service handling in routers.
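The three Service Type notations described above all read the same octet. The following is an added example, not code from the manual or from Ubiquiti; it assumes that a 1 bit in the TOS Mask marks a position to compare, and the function names are hypothetical.

```python
# Added example: the Service Type octet under each notation from the table.
# Assumption (not stated in the manual): a 1 bit in the TOS Mask means
# "compare this bit position"; positions with a 0 bit are ignored.

def dscp(octet):
    """IP DSCP: high-order six bits of the Service Type octet."""
    return (octet & 0xFF) >> 2

def ip_precedence(octet):
    """IP Precedence: high-order three bits of the Service Type octet."""
    return (octet & 0xFF) >> 5

def tos_rule(set_bits, clear_bits):
    """Return (TOS Bits, TOS Mask) that test only the listed bit positions.

    Bit 7 is the most significant bit, as in the manual's example.
    """
    if set(set_bits) & set(clear_bits):
        raise ValueError("a bit cannot be required both set and clear")
    for b in (*set_bits, *clear_bits):
        if not 0 <= b <= 7:
            raise ValueError(f"bit position out of range: {b}")
    bits = sum(1 << b for b in set(set_bits))
    mask = bits | sum(1 << b for b in set(clear_bits))
    return bits, mask

def matches_service_type(octet, kind, value, mask=0xFF):
    """Evaluate one Service Type criterion against a packet's octet."""
    if kind == "dscp":
        return dscp(octet) == value
    if kind == "precedence":
        return ip_precedence(octet) == value
    if kind == "tos":
        # Only positions selected by the mask take part in the comparison.
        return (octet & mask) == (value & mask)
    raise ValueError(f"unknown service type: {kind}")

if __name__ == "__main__":
    bits, mask = tos_rule(set_bits=[7, 5], clear_bits=[1])
    print(f"TOS Bits=0x{bits:02X} TOS Mask=0x{mask:02X}")
    # Constructed sample octets: 0xA0 and 0xB0 differ only in bit 4.
    for octet in (0xA0, 0xB0, 0xA2):
        print(f"0x{octet:02X}",
              "mask 0xFF:", matches_service_type(octet, "tos", 0xA0, 0xFF),
              f"mask 0x{mask:02X}:", matches_service_type(octet, "tos", bits, mask))
```

With a mask of 0xFF every bit is compared, so only an octet of exactly 0xA0 matches; a narrower mask leaves the unlisted bits unconstrained.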
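The IPv6 match criteria above (prefix and prefix length, L4 port operators, and the +/- and Established TCP flag forms) can be modelled as a per-packet evaluator. This is an added example, not the switch's implementation or code from the manual; the rule and packet dictionaries, the lowercase flag names, and the inclusive Range are assumptions, and the sample packets are constructed.

```python
import ipaddress

# Flag names are this example's notation; bit values are those of the TCP header.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

def prefix_match(addr, prefix):
    """True if addr lies inside prefix/length; a length of 128 names one host."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def port_match(port, op, lo, hi=None):
    """Equal, Not Equal, Less Than, Greater Than, Range (assumed inclusive)."""
    return {"eq": port == lo, "ne": port != lo, "lt": port < lo, "gt": port > lo,
            "range": hi is not None and lo <= port <= hi}[op]

def flags_match(flags, spec):
    """spec holds items such as "+syn", "-ack" or "established"."""
    for item in spec:
        if item == "established":
            # Per the manual: either RST or ACK set. No connection state is kept.
            ok = bool(flags & (TCP_FLAGS["rst"] | TCP_FLAGS["ack"]))
        elif item[0] in "+-":
            is_set = bool(flags & TCP_FLAGS[item[1:]])
            ok = is_set if item[0] == "+" else not is_set
        else:
            raise ValueError(f"bad flag spec: {item}")
        if not ok:
            return False
    return True

def rule_matches(rule, pkt):
    """All configured criteria must match; Every overrides the rest."""
    if rule.get("every"):
        return True
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "src" in rule and not prefix_match(pkt["src"], rule["src"]):
        return False
    if "dst" in rule and not prefix_match(pkt["dst"], rule["dst"]):
        return False
    if "dport" in rule and not port_match(pkt["dport"], *rule["dport"]):
        return False
    if "flags" in rule:  # TCP Flags is available only when the protocol is TCP
        return pkt["protocol"] == "tcp" and flags_match(pkt["flags"], rule["flags"])
    return True

# Constructed samples (documentation prefix 2001:db8::/32).
NEW_HTTPS = {"protocol": "tcp", "src": "2001:db8:1::/48", "dst": "2001:db8:2::10/128",
             "dport": ("eq", 443), "flags": ["+syn", "-ack"]}
ESTABLISHED = {"protocol": "tcp", "flags": ["established"]}
SYN = {"protocol": "tcp", "src": "2001:db8:1::5", "dst": "2001:db8:2::10",
       "dport": 443, "flags": 0x02}
ACK_ONLY = dict(SYN, flags=0x10)
```

Because Established is decided from the flags of each packet alone, `ACK_ONLY` matches the `ESTABLISHED` rule whether or not a handshake preceded it, which is worth keeping in mind when such a rule is the only filter on return traffic.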