The description command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of the command removes any description string from the context.
The no form of the command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all objects where it is applied.
no ipv6-filter ipv6-filter-id
The no form of the command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all objects where it is applied.
The no form of the command deletes the mac-filter policy. A filter policy cannot be deleted until it is removed from all objects where it is applied.
[no
] redirect-policy
redirect-policy-name
The no form of the command removes the redirect policy from the filter configuration only if the policy is not referenced in a filter and the filter is not in use (applied to a service or network interface).
The no form of the command deletes the filter log ID. The log cannot be deleted if there are filter entries configured to write to the log. All filter entry logging associations need to be removed before the log can be deleted.
The no form of the command reverts to the default wherein the host creation proceeds as normal
option dhcp-option-number {present
| absent
}
option dhcp-option-number match
hex
hex-string [exact
] [invert-match
]
option dhcp-option-number match
string
ascii-string [exact
] [invert-match
]
The no form of the command reverts to the default.
Filter logs can be sent to either memory (memory) or to an existing Syslog server definition (
syslog).
If the filter log destination is memory, the maximum number of entries in the log must be specified.
The no form of the command deletes the filter log association.
The shutdown command administratively downs an entity. Administratively downing an entity changes the operational state of the entity to down.
The no form of the command puts an entity into the administratively enabled state.
The no form of the command reverts to the default parameter.
Specifying wrap-around configures the memory filter log to store the most recent filter log entries (circular buffer). When the log is full, the oldest filter log entries are overwritten with new entries.
The no form of the command configures the memory filter log to accept filter log entries until full. When the memory filter log is full, filter logging for the log filter ID ceases.
drop – default action is to drop a packet.
forward – default action is to forward a packet.
The no form of the command detaches this filter from the system filter.
The no form of the command deactivates the system filter policy.
The no form of the command deactivates the system filter policy.
embed-filter filter-id [offset
offset] [{active
| inactive
}]
embed-filter open-flow ofs-name [{system | service {service-id | service-name} | sap sap-id}] [offset
offset] [{active | inactive}]
The embed-filter open-flow ofs-name form of this command enables OpenFlow (OF) in GRT either by embedding the specified OpenFlow switch (OFS) instance with
switch-defined-cookie disabled, or by embedding rules with sros-cookie:type “grt-cookie”, value 0 from the specified OFS instance with
switch-defined-cookie enabled. The embedding filter can only be deployed in GRT context or be unassigned.
The embed-filter open-flow ofs-name system form of this command enables OF in system filters by embedding rules with sros-cookie:type “system-cookie”, value 0 from the specified OFS instance with
switch-defined-cookie enabled. The embedding filter can only be of scope system.
The embed-filter open-flow ofs-name service {
service-id |
service-name} form of this command enables OF in VPRN/VPLS filters by embedding rules with sros-cookie:type “service-cookie”, value
service-id from the specified OFS instance with
switch-defined-cookie enabled – per service rules. The embedding filter can only be deployed in the specified VPRN/VPLS service. Note that a single VPLS service can only support OF rules per SAP or per service.
The embed-filter open-flow ofs-name sap sap-id form of this command enables OF in VPLS SAP filters by embedding rules with sros-cookie:type “service-cookie”, value
service-id and flow match conditions specifying the sap-id from the specified OFS instance with
switch-defined-cookie enabled – per SAP OF rules. The embedding filter must be of type exclusive and can only be deployed on the specified SAP in the context of the specified VPLS service. Note that a single VPLS service can only support OF rules per SAP or per service.
The no embed-filter filter-id form of this command removes the embedding from this filter policy.
The no embed-filter open-flow ofs-name form of this command removes the OF embedding for the GRT context.
Not including the system,
service or
sap parameters will specify OF in a GRT instance context by default. This allows embedding of OF rules into filters deployed in GRT instances from OFS with
switch-defined-cookie disabled, or embedding rules from OFS with
switch-defined-cookie enabled, when the FlowTable cookie encodes sros-cookie:type “grt-cookie”.
service {service-id
| service-name
}
scope {exclusive
| template
| embedded
| system
}
the scope is template and the policy is applied to one or more services or network interfaces
the scope is embedded and the policy is embedded by another policy
The no form of the command sets the scope of the policy to the default of
template.
The no form of the command reverts to the default.
The no form of the command reverts to the default.
The no form of the command reverts to the default.
Values
|
normal — Regular match criteria are allowed; ISID or VID filter match criteria not allowed. isid — Only ISID match criteria are allowed. vid — On.y VID match criteria are allowed on ethernet_II frame types.
|
entry entry-id [time-range
time-range-name] [create
]
This command creates or edits an IP (v4), IPv6, or MAC filter entry. Multiple entries can be created using unique entry-id numbers within the filter. Entries must be sequenced from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the
action keyword will be considered incomplete and hence will be rendered inactive.
The no form of the command removes the specified entry from the filter. Entries removed from the filter are immidately removed from all services or network ports where that filter is applied.
The no form of this command removes the specific action configured in the context of action command.
The no form of the command disables logging for the filter entry.
The no form of the command preserves default behavior when PBR/PBF target is down.
drop packet-length {{lt | eq | gt
} packet-length-value | range
packet-length-value packet-length-value}
drop ttl {{lt | eq | gt
} ttl-value | range
ttl-value ttl-value}
forward esi esi sf-ip
ip-address vas-interface
interface-name router
{router-instance | service-name
service-name}
forward next-hop [indirect
] ip-address router
{router-instance | service-name
service-name}
nat [nat-policy
nat-policy-name]
The action command (under the config>filter>ip-filter context) sets the context for specific action commands to be performed (under the config>filter>ip-filter>action context) on packets matching this filter entry.
drop – A packet matching the entry will be dropped.
drop packet-length – A packet matching the entry will be dropped only if “Total Length” field in the packet’s IPv4 header meets the configured condition.
drop ttl – A packet matching the entry will be dropped only if “Time-to-live” field in the packet’s IPv4 header meets the configured condition.
forward – A packet matching the entry will be forwarded using regular routing.
forward esi service-id - A packet matching the entry will be forwarded to ESI identified first appliance in Nuage service chain using EVPN-resolved VXLAN tunnel in the specified VPLS service.
forward esi sf-ip vas-interface router - A packet matching the entry will be forwarded to ESI/SF-IP identified first appliance in Nuage service chain using EVPN-resolved VXLAN tunnel over the configured VAS interface in the specified VPRN service.
forward lsp – A packet matching the entry will be forwarded using the specified lsp.
forward next-hop – A packet matching the entry will be forwarded in the routing context of the incoming interface using direct or indirect IP address in the routing lookup.
forward next-hop router – A packet matching the entry will be forwarded in the configured routing context using direct or indirect IP address in the routing lookup.
forward next-hop interface – A packet matching the entry will be forwarded using the configured local interface.
forward redirect-policy – A packet matching the entry will be forwarded using
forward next-hop or
forward next-hop router and the IP address of destination selected by the configured redirect policy. If no destination is selected, packets are subject to
action forward.
forward router – A packet matching the entry will be routed in the configured routing instance and not in the incoming interface routing instance.
forward sap – A packet matching the entry will be forwarded using the configured sap.
forward sdp – A packet matching the entry will be forwarded using the configured SDP.
gtp-local-breakout – A packet matching the entry will be forwarded to NAT instead of being GTP tunneled to mobile operator’s PGW or GGSN.
http-redirect – An HTTP GET packet matching an entry is forwarded to CPM for HTTP captive portal processing
nat – A packet matching the entry will be forwarded to NAT
reassemble – A packets matching the entry will be forwarded to the reassembly function
drop packet-length
{{lt
| eq
| gt
} packet-length-value | range
packet-length-value packet-length-value}
forward next-hop [indirect
] ipv6-address router
{router-instance | service-name service-name}
nat [nat-policy
nat-policy-name] nat-type
nat-type
drop – A packet matching the entry will be dropped.
drop packet-length – A packet matching the entry will be dropped only if “Total Length” field in the packet’s IPv4 header meets the configured condition.
forward – A packet matching the entry will be forwarded using regular routing.
forward lsp – A packet matching the entry will be forwarded using the specified lsp.
forward next-hop – A packet matching the entry will be forwarded in the routing context of the incoming interface using direct or indirect IP address in the routing lookup.
forward next-hop router – A packet matching the entry will be forwarded in the configured routing context using direct or indirect IP address in the routing lookup.
forward redirect-policy – A packet matching the entry will be forwarded using
forward next-hop or
forward next-hop router and the IP address of destination selected by the configured redirect policy. If no destination is selected, packets are subject to
action forward.
forward router – A packet matching the entry will be routed in the configured routing instance and not in the incoming interface routing instance.
forward sap – A packet matching the entry will be forwarded using the configured sap.
forward sdp – A packet matching the entry will be forwarded using the configured SDP.
gtp-local-breakout – A packet matching the entry will be forwarded to NAT instead of being GTP tunneled to mobile operator’s PGW or GGSN.
http-redirect – An HTTP GET packet matching an entry is forwarded to CPM for HTTP captive portal processing
nat – A packet matching the entry will be forwarded to NAT
reassemble – A packets matching the entry will be forwarded to the reassembly function.
egress-pbr {default-load-balancing
| l4-load-balancing
}
The no form of this command removes the
egress-pbr designation of the filter entry's action.
This command enabled cflowd sampling for packets matching this filter entry.
If the cflowd is either not enabled or set to cflowd interface mode, this command is ignored.
The no form disables the cflowd sampling using this filter entry.
[no] interface-disable-sample
This command disables cflowd sampling for packets matching this filter entry for the IP interface is set to cflowd interface mode. This allows the option to not sample specific types of traffic when interface sampling is enabled.
The no form of this command enables sampling.
match [protocol
protocol-id]
A match context may consist of multiple match criteria, but multiple
match statements cannot be entered per entry.
The no form of the command removes the match criteria for the
entry-id.
The protocol keyword configures an IP protocol to be used as an IP filter match criterion. The protocol type such as TCP or UDP is identified by its respective protocol number.
Values
|
0 — 255 (values can be expressed in decimal, hexidecimal, or binary - DHB) keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp * — udp/tcp wildcard
|
match [next-header next-header]
IA match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
Values
|
[0 — 42 | 45 — 49 | 52 — 59 | 61— 255] — protocol numbers accepted in decimal, hexidecimal, or binary - DHB keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp * — udp/tcp wildcard
|
The no form of the command removes the DSCP match criterion.
Values
|
be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23
|
dst-ip {
ip-address/mask |
ip-address ipv4-address-mask |
ip-prefix-list prefix-list-name]}
dst-ip {
ipv6-address/prefix-length |
ipv6-address ipv6-address-mask }
The no form of this command removes the destination IPv4 or IPv6 address match criterion.
The no form of the command removes the destination port match criterion.
lt specifies all port numbers less than
dst-port-number match.
gt specifies all port numbers greater than
dst-port-number match.
eq specifies that
dst-port-number must be an exact match.
range dst-port-number dst-port-number
The no form of the command reverts to the default.
fragment {true
|false|first-only|non-first-only
}
The no form of the command removes the match criterion.
The no form of this command ignores AH Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
The no form of this command ignores ESP Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
The no form of this command ignores Hop-by-Hop Options Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
Configures matching on ICMP/ICMPv6 code field in the ICMP/ICMPv6 header of an IP
or IPv6 packet as a filter match criterion. Note that an entry containing Layer 4 non-zero match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
The no form of the command removes the criterion from the match entry.
The ICMP/ICMPv6 code values that must be present to match.
This command configures matching on the ICMP/ICMPv6 type field in the ICMP/ICMPv6 header of an IP or
IPv6 packet as a filter match criterion. Note that an entry containing Layer 4 non-zero match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
The no form of the command removes the criterion from the match entry.
The ICMP/ICMPv6 type values that must be present to match.
The no form of the command removes the match criterion.
The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
The no form of the command removes the checking of the option field in the IP header as a match criterion.
port {lt
|gt
|eq
} port-number
range port-number port-number
The no form of this command ignores Routing Type Extension Header type 0 presence/absence in a packet when evaluating match criteria of a given filter policy entry.
src-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list
prefix-list-name}
src-ip {ipv6-address/prefix-length | ipv6-address ipv6-address-mask | ipv6-prefix-list
prefix-list-name}
The no form of the command removes the source IP address match criterion.
This command configures a source TCP, UDP, or SCTP port number,
port range, or port match list for an IP filter match criterion. Note that an entry containing Layer 4 non-zero match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
The no form of the command removes the source port match criterion.
lt specifies all port numbers less than src-port-number match.
gt specifies all port numbers greater than src-port-number match.
eq specifies that src-port-number must be an exact match.
range src-port-number src-port-number
The no form of the command removes the criterion from the match entry.
The no form of the command removes the criterion from the match entry.
The no form of this command deletes the specified list.
An ip-prefix-list must contain only IPv4 address prefixes.
The no form of this command deletes the specified list.
An ipv6-prefix-list must contain only IPv6 address prefixes.
The no form of this command removes all auto-generation configuration under the apply-path context.
bgp-peers index group
reg-exp neighbor
reg-exp
The no form of this command removes the bgp-peers configuration for auto-generation of address prefixes for the specified index value.
The no form of this command deletes the specified list.
The no form of this command deletes the specified port match criterion.
prefix ipv6-prefix/prefix-length
The no form of this command deletes the specified prefix from the list.
prefix ip-prefix/prefix-length
The no form of this command deletes the specified prefix from the list.
drop – A packet matching the entry will be dropped.
forward – A packet matching the entry will be forwarded using regular routing.
forward esi service-id– A packet matching the entry will be forwarded to an ESI identified first appliance in Nuage service chain using EVPN-resolved VXLAN tunnel in the specified VPLS service.
forward sap – A packet matching the entry will be forwarded using the configured sap.
forward sdp – A packet matching the entry will be forwarded using the configured SDP.
http-redirect – Unsupported
match [frame-type 802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II]
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
The frame-type keyword configures an Ethernet frame type to be used for the MAC filter match criteria.
The no form of the command removes the criterion from the match entry.
Egress dot1p value matching will only match if the customer payload contains the 802.1p bits. For example, if a packet ingresses on a null encapsulated SAP and the customer packet is IEEE 802.1Q or 802.1p tagged, the 802.1p bits will be present for a match evaluation. On the other hand, if a customer tagged frame is received on a dot1p encapsulated SAP, the tag will be stripped on ingress and there will be no 802.1p bits for a MAC filter match evaluation; in this case, any filter entry with a dot1p match criterion specified will fail.
Use the no form of the command to remove the dsap value as the match criterion.
The no form of the command removes the destination mac address as the match criterion.
The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field. For IEEE 802.3 frames, use the dsap, ssap or snap-pid fields as match criteria.
The no form of the command removes the previously entered etype field as the match criteria.
isid value [to
higher-value]
The no form of this command removes the ISID match criterion.
The optional vid_mask is defaulted to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value & vid-mask) = = (tag & vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.
The no form of the command removes the criterion from the match criteria.
The no form of the command removes the snap-pid value as the match criteria.
src-mac ieee-address [ieee-address-mask]
The no form of the command removes the source mac as the match criteria.
ssap ssap-value [ssap-mask]
The no form of the command removes the ssap match criterion.
copy ip-filter
src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite]
copy ipv6-filter src-filter-id [src-entry
src-entry-id] to
dst-filter-id [dst-entry dst-entry-id] [overwrite
]
copy mac-filter src-filter-id [src-entry
src-entry-id] to
dst-filter-id [dst-entry dst-entry-id] [overwrite
]
This command copies existing filter list entries for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new filters using existing filters. It also allows bulk modifications to an existing policy with the use of the
overwrite keyword.
If
overwrite is not specified, an error will occur if the destination policy ID exists.
This keyword indicates that the source-filter-id and the
dest-filter-id are IPv6 filter IDs.
The source-filter-id identifies the source filter policy from which the copy command will attempt to copy. The filter policy must exist within the context of the preceding keyword (
ip-filter, ipv6-filter or
mac-filter).
The dest-filter-id identifies the destination filter policy to which the copy command will attempt to copy. If the
overwrite keyword does not follow, the filter policy ID cannot already exist within the system for the filter type the copy command is issued for. If the
overwrite keyword is present, the destination policy ID may or may not exist.
The overwrite keyword specifies that the destination filter ID may exist. If it does, everything in the existing destination filter ID will be completely overwritten with the contents of the source filter ID. If the destination filter ID exists, either
overwrite must be specified or an error message will be returned. If
overwrite is specified, the function of copying from source to destination occurs in a ‘break before make’ manner and therefore should be handled with care.
renum old-entry-id new-entry-id
This command renumbers existing MAC or IP filter entries to properly sequence filter entries.
This may be required in some cases since the OS exits when the first match is found and executes the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.
•
the PBR action is executed in the specified router instance.
Note – If no destination is active or if the hardware does not support the PBR action
next-hop router, action
forward will be executed (i.e. routing will be performed in the context of the incoming interface routing instance).
The no form of the command preserves backward-compatibility. Any test is always run in the "Base" routing instance context. The PBR action is executed in the routing context of the ingress interface the filter using this redirect policy is deployed on.
An optional hold-time-up allows the operator to delay programming of the PBR to the most-preferred destination for a specified amount of time when the first destination comes up (action forward remains in place). When the first destination comes up, the timer is started and upon the expiry, the current most-preferred destination is selected (which may differ from the one that triggered the timer to start) and programmed as a sticky PBR destination. Changing the value of the timer, while the timer is running takes immediate effect.
The no form of the command disables sticky destination behavior.
drop-count consecutive-failures [hold-down
seconds]
oid oid-string community
community-string
return-value return-value type
return-type [disable
| lower-priority
priority | raise-priority
priority]
The test cannot be configured if no router is configured for this redirect policy.
The no form of the command disables the test.
return-code return-code-1 [return-code-2] [disable
| lower-priority
priority | raise-priority
priority]
url url-string [http-version
version-string]
The no form of the command preserves backward-compatibility. Tests always run in the “Base” routing instance context, and the PBR action executes in the routing context of the ingress interface that the filter using this redirect policy is deployed on.
Values
|
router-name — “Base” service-id — an existing Layer 3 service [1..2147483647]
|
The shutdown command administratively downs an entity. Administratively downing an entity changes the operational state of the entity to down.
The no form of the command puts an entity into the administratively enabled state.