Filter policies
This chapter provides information about filter policies and management.
Filter policy configuration overview
Filter policies, also referred to as Access Control Lists (ACLs), are templates applied to services or access uplink ports to control network traffic into (ingress) or out of (egress) a service access port (SAP) or access uplink based on IP and MAC matching criteria. Filters are applied to services to look at packets entering or leaving a SAP. Filters can be used on several interfaces. The same filter can be applied to ingress traffic, egress traffic, or both. Ingress filters affect only inbound traffic destined for the routing complex, and egress filters affect only outbound traffic sent from the routing complex.
Configuring an entity with a filter policy is optional. If an entity such as a service is not configured with filter policies, then all traffic is allowed on the ingress and egress interfaces. By default, there are no filters associated with services or interfaces. They must be explicitly created and associated. When you create a new filter, default values are provided although you must specify a unique filter ID value to each new filter policy as well as each new filter entry and associated actions. The filter entries specify the filter matching criteria and also an action to be taken upon a match.
In 7210 SAS platforms, the available ingress and egress (egress CAM resources allocation is supported only on 7210 SAS-D and 7210 SAS-Dxp) CAM hardware resources can be allocated as per user needs for use with different filter criteria. By default on the 7210 SAS-D, the system allocates resources to maintain backward compatibility with release 4.0.
Users can modify the resource allocation based on their need to scale the number of entries or number of associations (that is, number of SAP/IP interfaces using a filter policy that defines particular match criteria). If no CAM resources are allocated to particular match criteria defined in a filter policy, then the association of that filter policy to a SAP will fail. This is true for both ingress and egress filter policy. Please read the following configuration notes section for more information.
Only one ingress IP or MAC filter policy and one egress IP or MAC filter policy can be applied to a Layer 2 SAP. For the 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C, both IPv4 and IPv6 ingress and egress filter policy can be used simultaneously with a Layer 2 SAP. For the 7210 SAS-D and 7210 SAS-Dxp, both IPv4 and IPv6 filter policies can be used simultaneously on ingress only; either IPv4 or IPv6 filter policies can be used on egress.
Only one ingress IP filter policy and one egress IP filter policy can be applied to a network IP interface. Both IPv4 and IPv6 ingress and egress filter policy can be used simultaneously with an IP interface (For example: IES IP interface in access-uplink mode on the 7210 SAS-D) for which IPv6 addressing is supported. Network filter policies control the forwarding and dropping of packets based on IP match criteria.
Non-IP packets are not hitting the IP filter policy, so the default action in the filter policy will not apply to these packets.
Service-based filtering
IP and MAC filter policies specify either a forward or a drop action for packets based on information specified in the match criteria.
Filter entry matching criteria can be as general or specific as you require, but all conditions in the entry must be met in order for the packet to be considered a match and the specified entry action performed. The process stops when the first complete match is found and executes the action defined in the entry, either to drop or forward packets that match the criteria.
Filter policy entities
A filter policy compares the match criteria specified within a filter entry to packets coming through the system, in the order the entries are numbered in the policy. When a packet matches all the parameters specified in the entry, the system takes the specified action to either drop or forward the packet. If a packet does not match the entry parameters, the packet continues through the filter process and is compared to the next filter entry, and so on. If the packet does not match any of the entries, then system executes the default action specified in the filter policy. Each filter policy is assigned a unique filter ID. Each filter policy is defined with the following:
scope
default action
description
Each filter entry contains the following:
match criteria
an action
Applying filter policies
Filter policies can be applied to specific service types:
Epipe
Both MAC and IP filters are supported on an Epipe SAP.
IES
Only IP filters are supported on IES SAP
VPLS
Both MAC and IP filters are supported on a VPLS SAP.
VPRN
Only IP filters are supported on VPRN SAP.
The following tables describe the support of filter policies on 7210 SAS platforms.
Service |
IPv4 filter |
IPv6 filter |
MAC filter |
---|---|---|---|
Epipe |
Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
VPLS |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
RVPLS (VPLS SAPs) |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
Not supported |
Not supported |
RVPLS (RVPLS IES IP Interface) |
Ingress Override filters (ingress) |
Not supported |
Not supported |
IES |
IES access SAP (ingress and egress), IES access-uplink SAP (ingress and egress) |
IES access-uplink SAP (ingress and egress) |
Not supported |
Service |
IPv4 filter |
IPv6 filter |
MAC filter |
---|---|---|---|
Epipe |
Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
VPLS |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
RVPLS (VPLS SAPs) |
VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
Not supported |
Not supported |
RVPLS (RVPLS IES IP Interface) |
Ingress Override filters (ingress) |
Not supported |
Not supported |
IES |
IES access SAP (ingress and egress), IES access-uplink SAP (ingress and egress) |
Not supported |
Not supported |
VPRN |
VPRN interface SAP (ingress and egress) |
Not supported |
Not supported |
Network port IP interface |
Network port IP interface (ingress and egress) |
Not supported |
Not supported |
ACL on range SAPs
The ACLs on VLAN range SAPs are supported only on ingress (for Epipe and VPLS services). The following table lists ACL support on Epipe and VPLAS services.
Types of filters |
Epipe |
VPLS |
---|---|---|
Ingress IP or IPv6 |
Yes |
Yes |
Ingress MAC |
Yes |
Yes |
Egress IP |
Yes |
Yes |
Egress MAC |
Yes |
Yes |
Filter policies are applied to the following service entities:
SAP ingress
IP and MAC filter policies applied on the SAP ingress define the Service Level Agreement (SLA) enforcement of service packets as they ingress a SAP according to the filter policy match criteria. SAP ingress policies can be applied on SAP created on access ports or access uplink ports.
SAP egress
Filter policies applied on SAP egress define the Service Level Agreement (SLA) enforcement for service packets as they egress on the SAP according to the filter policy match criteria. SAP egress policies can be applied on both access ports and access uplink ports.
IES IP interfaces
IP filter policies are applied to IES SAPs.
network ingress
IP filter policies are applied to network ingress IP interfaces. This is supported only on 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.
network egress
IP filter policies are applied to network egress IP interfaces. This is supported only on 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.
The following table lists the Packet Fields available for match in QoS classification policy and ACL policy for different SAPs.
Ingress SAP type |
Packet contents (only Ethernet–II frames) |
MAC address match |
Inner VLAN ID and Dot1p match1 |
Outer VLAN ID and Dot1p match1 |
Etype match |
IPv4/IPv6 criteria match |
---|---|---|---|---|---|---|
NULL SAP |
Null tag |
Yes |
No |
No |
Yes |
Yes |
Priority tag (both VID and Dot1p) |
Yes |
No |
Yes |
Yes |
Yes |
|
Single tag |
Yes |
No |
Yes |
Yes |
Yes |
|
Two tags |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Three or more tags |
Yes |
Yes |
Yes |
No |
No |
|
Dot1q SAP (includes Dot1q explicit null SAP and Dot1q Default SAP) |
Null tag |
Yes |
No |
No |
Yes |
Yes |
Priority tag (both VID and Dot1p) |
Yes |
No |
Yes |
Yes |
Yes |
|
Single tag |
Yes |
No |
Yes |
Yes |
Yes |
|
Two tags |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Three or more tags |
Yes |
Yes |
Yes |
No |
No |
|
Dot1q SAP (includes Dot1q SAP, Dot1q range SAP) |
Null tag |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
Priority tag (both VID and Dot1p) |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Single tag |
Yes |
No |
Yes |
Yes |
Yes |
|
Two tags |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Three or more tags |
Yes |
Yes |
Yes |
No |
No |
|
QinQ SAP - 0.* SAP (matches only null and priority tag packets) |
Null tag |
Yes |
No |
No |
Yes |
Yes |
Priority tag (both VID and Dot1p) |
Yes |
No |
Yes |
Yes |
Yes |
|
Single tag |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Two tags |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Three or more tags |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
QinQ SAP (*.* Default QinQ SAP) |
Null tag |
Yes |
No |
No |
Yes |
Yes |
Priority tag (both VID and Dot1p) |
Yes |
No |
Yes |
Yes |
Yes |
|
Single tag |
Yes |
No |
Yes |
Yes |
Yes |
|
Two tags |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Three or more tags |
Yes |
Yes |
Yes |
No |
No |
|
QinQ SAP (includes Q1.* SAP) |
Null tag |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
Priority tag (both VID and Dot1p) |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Single tag |
Yes |
No |
Yes |
Yes |
Yes |
|
Two tags |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Three or more tags |
Yes |
Yes |
Yes |
No |
No |
|
QinQ SAP (includes Q1.0 SAP) |
Null tag |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
Priority tag (both VID and Dot1p) |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Single tag |
Yes |
No |
Yes |
Yes |
Yes |
|
Two tags (inner tag is a priority tag) |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Two tags (inner tag is not a priority tag) |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Three or more tags |
Yes |
Yes |
Yes |
No |
No |
|
QinQ SAP (includes Q1.Q2 SAP) |
Null tag |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
Priority tag (both VID and Dot1p) |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Single tag |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Two tags (inner tag is a priority tag) |
Invalid |
Invalid |
Invalid |
Invalid |
Invalid |
|
Two tags (inner tag is not a priority tag) |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Three or more tags |
Yes |
Yes |
Yes |
No |
No |
Creating and applying filter policies
The following figure shows the steps for creating and applying filter policies.
Packet matching criteria
As few or as many match parameters can be specified as required, but all conditions must be met in order for the packet to be considered a match and the specified action performed. The process stops when the first complete match is found and then executes the action defined in the entry, either to drop or forward packets that match the criteria.
IP filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward IP traffic include:
Source IP address and mask
Source IP address and mask values can be entered as search criteria. The IPv4 addressing scheme consists of 32 bits expressed in dotted-decimal notation (X.X.X.X).
Address ranges are configured by specifying mask values, the 32-bit combination used to describe the address portion which refers to the subnet and which portion refers to the host. The mask length is expressed as an integer (range 1 to 32).
The IPv6 addressing scheme consists of 128 bits expressed in compressed representation of IPv6 addresses (RFC 1924, A Compact Representation of IPv6 Addresses).
7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, 7210 SAS-D, and 7210 SAS-Dxp support the use of either IPv6 64-bit address match or IPv6 128-bit address match. Use of IPv6 64-bit address in the match criteria provides better scale but provides lesser IPv6 header fields for match criteria. Use of a IPv6 128-bit address in the match criteria provides lesser scale but more IPv6 header fields for match criteria.
Destination IP address and mask
Destination IP address and mask values can be entered as search criteria. A choice similar to that available for source IPv6 addresses is also available for destination IPv6 addresses.
Protocol
Entering a protocol ID (such as TCP, UDP, and so on) allows the filter to search for the protocol specified in this field.
Protocol
For IPv6: entering a next header allows the filter to match the first next header following the IPv6 header.
Source port
Entering the source port number allows the filter to search for matching TCP or UDP port values.
Destination port
Entering the destination port number allows the filter to search for matching TCP or UDP.
DSCP marking
Entering a DSCP marking enables the filter to search for the DSCP marking specified in this field. See DSCP name to DSCP value table .
ICMP code
Entering an ICMP code allows the filter to search for matching ICMP codes in the ICMP header.
ICMP type
Entering an ICMP type allows the filter to search for matching ICMP types in the ICMP header.
Extension header present
Enabling this match criterion allows matching of IPv6 packets that have any of the well-known extension headers in the IPv6 header. This match criterion is not supported for IPv6 filters on 7210 SAS-Dxp.
IPv4 filters created in the mode to use IPv6 resources cannot be applied at the egress SAP. Similarly, IPv4 filters created in the mode to use IPv6 resources will fail to match fragment options.
Fragmentation
Enabling fragmentation allows matches to occurs if packets have either the more fragment (MF) bit set or have the Fragment Offset field of the IP header set to a non-zero value.
Option present
Enabling the option presence allows the filter to search for presence or absence of IP options in the packet. Padding and EOOL are also considered as IP options.
TCP-ACK/SYN flags
Entering a TCP-SYN/TCP-ACK flag allows the filter to search for the TCP flags specified in these fields.
MAC filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward MAC traffic include:
Source MAC address and mask
Entering the source MAC address range allows the filter to search for matching a source MAC address and/or range. Enter the source MAC address and mask in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; for example, 00:dc:98:1d:00:00.
Destination MAC address and mask
Entering the destination MAC address range allows the filter to search for matching a destination MAC address and/or range. Enter the destination MAC address and mask in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; for example, 02:dc:98:1d:00:01.
Dot1p and mask
Entering an IEEE 802.1p value or range allows the filter to search for matching 802.1p frame. The Dot1p and mask accepts decimal, hex, or binary in the range of 0 to 7. This is not supported on 7210 SAS-K devices.
Ethertype
Entering an Ethernet type II Ethertype value to be used as a filter match criterion. The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. The Ethertype accepts decimal, hex, or binary in the range of 1536 to 65535.
Outer Dot1p (Only on 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C)
Entering the Outer Dot1p value or range (using the mask) allows the filter to search for frames whose outermost Dot1p (that is, the Dot1p in the outermost VLAN tag of the packet) matches the Dot1p value configured. The Dot1p value and mask accepts decimal values in the range 0 to 7.
Inner Outer Dot1p (Only on 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C)
Entering the Inner Dot1p value or range (using the mask) allows the filter to search for frames whose inner Dot1p (thats is, the Dot1p in the VLAN tag immediately following the outermost VLAN tag of the packet) matches the Dot1p value configured. The Dot1p value and mask accepts decimal values in the range 0 to 7.
DSCP values
The following table describes DSCP names and associated DSCP values.
DSCP name |
Decimal DSCP value |
Hexadecimal DSCP value |
Binary DSCP value |
---|---|---|---|
default |
0 |
* |
|
cp1 |
1 |
||
cp2 |
2 |
||
cp3 |
3 |
||
cp4 |
4 |
||
cp5 |
5 |
||
cp6 |
6 |
||
cp7 |
7 |
* |
|
cs1 |
8 |
||
cp9 |
9 |
||
af11 |
11 |
* |
|
af12 |
12 |
* |
|
cp13 |
13 |
||
cp15 |
15 |
||
cs2 |
16 |
* |
|
cp17 |
17 |
||
af21 |
18 |
* |
|
cp19 |
19 |
||
af22 |
20 |
* |
|
cp21 |
21 |
||
af23 |
22 |
* |
|
cp23 |
23 |
||
cs3 |
24 |
* |
|
cp25 |
25 |
||
af31 |
26 |
* |
|
cp27 |
27 |
||
af32 |
28 |
* |
|
cp29 |
29 |
||
af33 |
30 |
* |
|
cp21 |
31 |
||
cs4 |
32 |
* |
|
cp33 |
33 |
||
af41 |
34 |
* |
|
cp35 |
35 |
||
af42 |
36 |
* |
|
cp37 |
37 |
||
af43 |
38 |
* |
|
cp39 |
39 |
||
cs5 |
40 |
* |
|
cp41 |
41 |
||
cp42 |
42 |
||
cp43 |
43 |
||
cp44 |
44 |
||
cp45 |
45 |
||
ef |
46 |
* |
|
cp47 |
47 |
||
nc1 |
48 |
* |
(cs6) |
cp49 |
49 |
||
cp50 |
50 |
||
cp51 |
51 |
||
cp52 |
52 |
||
cp53 |
53 |
||
cp54 |
54 |
||
cp55 |
55 |
||
cp56 |
56 |
||
cp57 |
57 |
||
nc2 |
58 |
* |
(cs7) |
cp60 |
60 |
||
cp61 |
61 |
||
cp62 |
62 |
Ordering filter entries
When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit. Filter matching ceases when a packet matches an entry. The entry action is performed on the packet. 7210 SAS supports either drop or forward action. To be considered a match, the packet must meet all the conditions defined in the entry.
Packets are compared to entries in a filter policy in an ascending entry ID order. To reorder entries in a filter policy, edit the entry ID value; for example, to reposition entry ID 6 to a more explicit location, change the entry ID "6" value to entry ID "2".
When a filter consists of a single entry, the filter executes actions as follows:
If a packet matches all the entry criteria, the entry’s specified action is performed (drop or forward).
If a packet does not match all of the entry criteria, the policy’s default action is performed.
If a filter policy contains two or more entries, packets are compared in ascending entry ID order (1, 2, 3 or 10, 20, 30, and so on):
Packets are compared with the criteria in the first entry ID.
If a packet matches all the properties defined in the entry, the entry’s specified action is executed.
If a packet does not completely match, the packet continues to the next entry, and then subsequent entries.
If a packet does not completely match any subsequent entries, then the default action is performed.
The following figure shows an example of several packets forwarded upon matching the filter criteria and several packets traversing through the filter entries and then dropped.
Applying filters
This section provides information about applying filters.
Applying a filter to a SAP
During the SAP creation process, ingress and egress filters are selected from a list of qualifying IP and MAC filters. When ingress filters are applied to a SAP, packets received at the SAP are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops and an entry action is performed. If permitted, the traffic is forwarded according to the specification of the action. If the packets do not match, the default filter action is applied. If permitted, the traffic is forwarded.
When egress filters are applied to a SAP, packets received at the egress SAP are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops. If permitted, the traffic is transmitted. If denied, the traffic is dropped. If the packets do not match, the default filter action is applied.
Filters can be added or changed to an existing SAP configuration by modifying the SAP parameters. Filter policies are not operational until they are applied to a SAP and the service enabled.
Applying a filter to an IES interface
An IP filter can be applied to an IES SAP. Packets received on the interface are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops. If permitted, the traffic is forwarded. If the packets do not match, they are discarded or forwarded based on the default action specified in the policy.
Applying a filter to a network IP interface
An IP filter can be applied to a network port IP interface. Packets received on the interface are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops. If permitted, the traffic is forwarded. If the packets do not match, they are discarded or forwarded based on the default action specified in the policy.
Configuration notes
See the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Services Guide for service specific ACL support and restrictions.
The following information describes filter implementation caveats:
Creating a filter policy is optional.
Associating a service with a filter policy is optional.
When a filter policy is configured, it should be defined as having either an exclusive scope for one-time use, or a template scope meaning that the filter can be applied to multiple SAPs.
A specific filter must be explicitly associated with a specific service in order for packets to be matched.
A filter policy can consist of zero or more filter entry. Each entry represents a collection of filter match criteria. When packets enter the ingress or egress ports, packets are compared to the criteria specified within the entry or entries.
When a large (complex) filter is configured, it may take a few seconds to load the filter policy configuration and be instantiated.
On the 7210 SAS-D, 7210 SAS-Dxp, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C, IP filters applied on an IES SAP cannot match against IP packets containing IP options.
The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and be inactive.
On the 7210 SAS-D and 7210 SAS-Dxp, ingress filter CAM resources used to match packet fields are shared with other features such as SAP ingress QoS, CFM UP MEP, and G8032. By default software assigns a fixed amount of resources for use by ingress ACLs. User has an option to either increase this by taking away resources from other features or decrease by taking away resources from ingress ACLs. The number of ACLs that can be supported is directly dependent on the amount of resources allocated toward ingress ACLs.
On the 7210 7210 SAS-D and 7210 SAS-Dxp when a filter policy is created with the option ipv6-64bit-address, the entries can only use only the IPv6 src-ip and IPv6 dst-ip fields in the match criteria.
On the 7210 SAS-D and 7210 SAS-Dxp when a filter policy is created with the option ipv6-128bit-address, the entries can use the IPv6 src-ip, IPv6 dst-ip, IPv6 DSCP, TCP/UDP port numbers (source and destination port), ICMP code and type, and TCP flags fields in the match criteria.
On the 7210 SAS-D and 7210 SAS-Dxp the resources must be allocated for use by ingress IPv6 filters, before associating an IPv6 filter policy to a SAP. By default, the software does not enable the use of IPv6 resources. Until resources are allocated for use by IPv6 filters, software fails all attempts to associate a IPv6 filter policy with a SAP.
On the 7210 SAS-D and 7210 SAS-Dxp, the available ingress CAM hardware resources can be allocated as per user needs for use with different filter criteria using the commands under the configure> system> resource-profile> ingress-internal-tcam> acl-sap-ingress context. By default, the system allocates resources to maintain backward compatibility with Release 4.0. Users can modify the resource allocation based on their need to scale the number of entries or number of associations (that is, number of SAP/IP interfaces using a filter policy that defines a particular match criterion).
On the 7210 SAS-D and 7210 SAS-Dxp, the available egress CAM hardware resources can be allocated as per user needs for use with different filter criteria using the commands under the configure> system>resource-profile> egress-internal-tcam> acl-sap-egress context. By default, the system allocates resources to maintain backward compatibility with Release 4.0. Users can modify the resource allocation based on their needs to scale the number of entries or the number of associations (that is, number of SAP/IP interfaces using a filter policy that defines a particular match criterion).
On the 7210 SAS-D and 7210 SAS-Dxp IPv6 ACLs and MAC QoS policies cannot coexist on the SAP.
On the 7210 SAS-D and 7210 SAS-Dxp if no CAM resources are allocated to a particular match criterion defined in a filter policy, then the association of that filter policy to a SAP will fail. This is true for both ingress and egress filter policy.
Only the 7210 SAS-K allows for use of outer VLAN ID and inner VLAN ID for match in MAC criteria with both ingress and egress ACLs. Other 7210 SAS platforms do not support use of outer and inner VLAN ID field for match in the MAC criteria.
MAC filters
The following are configuration notes for MAC filters:
If a MAC filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria.
MAC filters cannot be applied to network interfaces, routable VPLS or IES services.
Some of the MAC match criteria fields are exclusive to each other, based on the type of Ethernet frame. Use the following table to determine the exclusivity of fields.In the 7210 SAS, the default frame-format is ‟Ethernet-II”
Frame format |
Etype |
---|---|
Ethernet – II |
Yes |
802.3 |
No |
802.3 – snap |
No |
802.3-llc |
No |
IP filters
The following are configuration notes for IP filters:
Define filter entry packet matching criteria
If a filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria.
Action
An action parameter must be specified for the entry to be active. Any filter entry without an action parameter specified will be considered incomplete and be inactive.
IPv6 filters
The following are configuration notes for IPv6 filters:
Define filter entry packet matching criteria
If a filter policy is created with an entry and entry action specified, but the packet matching criteria is not defined, then all packets processed through this filter policy entry passes and takes the action specified. There are no default parameters defined for matching criteria.
Action
An action parameter must be specified for the entry to be active. Any filter entry without an action parameter specified is considered incomplete and inactive.
Resource usage for ingress filter policies for 7210 SAS-D and 7210 SAS-Dxp
When the user allocates resources from the ingress CAM resource pool for use by filter policies using the configure>system>resource-profile CLI commands, the system allocates resources in chunks of fixed-size entries (for example, 256 entries per chunk on 7210 SAS-D).
The number of entries for each chunk or slice is different for both ingress-internal-tcam resource pool and egress-internal-tcam resource pool for different platforms.
The usage of these entries by different type of match criteria follows. In the following examples, it is assumed that a chunk/slice has 256 entries considering 7210 SAS-D. The example and the computation needs to be modified suitably for other platforms with different number of entries per chunk/slice.
mac-criteria
User needs to allocate resources for mac-criteria from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>mac-match-enable before using ingress ACLs with mac-criteria. Every entry configured in the filter policy using the mac-criteria uses one (1) entry from the chunks allocated for use by mac-criteria in the hardware.
For example: Assume a filter policy is configured with 50 entries and uses configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>mac-match-enable 1, the user configures one chunk for use by mac-criteria (allowing a total of 256 entries. one reserved for internal use entries for use by SAPs using filter policies that use mac-criteria). In this case, the user can have 5 SAPs using mac-criteria filter policy and consumes 250 entries.
ipv4-criteria
User needs to allocate resources for ip(v4)-criteria from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-match-enable before using ingress ACLs with ipv4-criteria. The resource usage per IPv4 match entry is same as the mac-criteria. Please check the preceding example. When created with use-ipv6-resource the resource usage is the same as IPv6 filters using ipv6-128-bit-addresses.
ipv6-criteria using ipv6-64-bit addresses
User needs to allocate resources for ipv6-criteria with 64-bit address match from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv6-64only-match-enable before using ingress ACLs with ipv6-criteria that use only IPv6 64-bit address for source and destination IPv6 addresses.
The IPv6 headers fields available for match is limited. Please see the following CLI description for filter for more information. The usage is same as the ipv4 and mac-criteria. An IPv6 128 bit address uses 2 entries from the chunk for every match entry configured in filter policy, whereas, an IP filter uses only one entry from the chunk for every entry configured.
ipv6-criteria using ipv6-128-bit addresses
User needs to allocate resources for ipv6-criteria with 128-bit address match from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-ipv6-128-match-enable before using ingress ACLs with ipv6-criteria that use only IPv6 128-bit address for source and destination IPv6 addresses. These resources can be shared by a policy that uses only IPv4 criteria entries. Every entry configured in the filter policy using the ipv6-criteria with 128-bit addresses uses two (2) entries from the chunks allocated for use by ipv6-criteria (128-bit) in the hardware.
For example: Assume a filter policy is configured with 50 entries and using configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-ipv6-128-match-enable 1, the user configures one chunk for use by ipv6-criteria with 128-bit addresses (allowing for a total of 128 entries for use by SAPs using filter policies that use this criteria). In this case, user can have five (5) SAPs using this filter policy and consumes 125 entries. When a chunk is allocated to IPv6 criteria, the software automatically adjusts the number of available entries in that chunk to 128, instead of 256, because 2 entries are needed to match IPv6 fields.
The users can use tools>dump>system-resources command to know the current usage and availability. For example: Though chunks are allocated in 256 entries, only 128 entries show up against filters using those of IPv6 128-bit addresses. One or more entries are reserved for system use and is not available for user.
Resource usage for egress filter policies (supported only for 7210 SAS-D and 7210 SAS-Dxp)
When the user allocates resources for use by filter policies using the configure system resource-profile egress-internal-tcam CLI commands, the system allocates resources in chunks of 128 entries from the egress internal tcam pool in hardware. The usage of these entries by different type of match criteria is as follows:
mac-criteria
The user needs to allocate resources for using mac-criteria using the configure system resource-profile egress-internal-tcam acl-sap-egress mac-match-enable 2 or configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv4-match-enable 2 command or the configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv6-64bit-match-enable 2 command. In the last two cases, the resources can be shared with SAPs that use IPv4 or IPv6 64-bit filter policies. The first case allocates resources for exclusive use by MAC filter policies. The resource usage varies based how resources have been allocated:
If resources are allocated for use by mac-criteria only (using mac-match-enable), then every entry configured in the filter policy uses one (1) entry from the chunks allocated for use by mac-criteria in the hardware.
For example: Assume a filter policy is configured with 25 mac-criteria entries and uses the configure system resource-profile egress-internal-tcam acl-sap-egress mac-match-enable 2 command, the user configures two chunks for use by mac-criteria, allowing a total of 256 entries for use by SAPs using filter policies that use mac-criteria. Therefore, the user can have about 10 SAPs using mac-criteria filter policy and consumes 250 entries. With this, SAPs using ipv4 criteria or ipv6 criteria cannot share the resources along with SAPs using mac-criteria.
If the resources are allocated for sharing between mac-criteria and ipv4-criteria, every entry configured in the filter policy uses 2 (two) entries from the chunks allocated in hardware.
For example: Assume a filter policy is configured with 25 mac-criteria entries and another filter policy configured with 25 IPv4 criteria entries and, with mac-ipv4-match-enable set to 2, that is, user configures two chunks for sharing between MAC and IPv4, allowing for a total of 128 entries for use by SAPs that use filter policies using ipv4-criteria or mac-criteria. Therefore, the user can have about 4 SAPs using filter policies, such that 2 SAPs uses mac-criteria and the other 2 SAPs use ipv4-criteria or any combination thereof.
If the resources are allocated for sharing between mac-criteria and ipv6-64bit-criteria, then every entry configured in the filter policy uses 2 (two) entries from the chunks allocated in hardware.
For example: Assume a filter policy is configured with 50 mac-criteria entries and another filter policy configured with 50 IPv6 64-bit criteria entries and, with mac-ipv6-64bit-match-enable set to 2, that is, user configures two chunks for sharing between MAC and IPv6-64bit, allowing for a total of 128 entries for use by SAPs that use filter policies using ipv6-64bit-criteria or mac-criteria. Therefore, the user can have about 2 SAPs using filter policies, such that one SAP uses mac-criteria and the other one SAP uses ipv6-64bit-criteria or any combination thereof.
ipv4-criteria
The user need to allocate resources using the configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv4-match-enable command. The resource usage explanation precedes.
ipv6-criteria using ipv6-64-bit addresses
The user need to allocate resources using the configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv6-64bit-match-enable command. The resource usage explanation precedes.
ipv6-criteria using ipv6-128-bit addresses
The user need to allocate resources using the configure system resource-profile egress-internal-tcam acl-sap-egress ipv6-128bit-match-enable command. This command allocates resources for exclusive by IPv6-128bit criteria filter policies and cannot be shared by SAPs using any another criteria. If resources are allocated for use by ipv6-128bit-criteria only, then every entry configured in the filter policy uses two (2) entries from the chunks allocated for use in hardware.
For example: Assume a filter policy is configured with 50 ipv6-128bit-criteria entries and user uses the configure system resource-profile egress-internal-tcam acl-sap-egress ipv6-128bit-match-enable 2 command, to configure two chunks for use by ipv6-128bit-criteria. This allows for a total of 128 for use by SAPs using filter policies that use ipv6-128bit-criteria. Therefore the user can have about 2 SAPs using ipv6-128bit-criteria filter policy and consumes 100 entries.
The user can use tools dump system-resources command to know the current usage and availability.
Ingress filter policy resource usage: 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
When the user allocates resources from the ingress CAM resource pool for use by filter policies using the configure system resource-profile ingress-internal-tcam acl-sap-ingress command, the system allocates resources in chunks of fixed-size entries (512 entries per chunk on 7210 SAS-K). Resources must be allocated using these commands before associating a filter policy with the SAP, otherwise the command returns an error. The usage of these entries by different types of match criteria follow:
mac-criteria, ipv4-criteria and ipv6-criteria with 64-bit-address
User needs to allocate resources, in terms of number of slices, for filter policies that use mac criteria, ipv4 criteria and ipv6 64-bit criteria from the ingress internal tcam resource pool using the configure system resource-profile ingress-internal-tcam acl-sap-ingress command. The entries allocated are shared by filter policies that use any of these criteria. Each filter entry configured in the policy takes away a single resource from the pool allocated for filter policies.
-
ipv6-criteria with 128-bit address
User needs to allocate resources, in terms of number of slices, for filter policies that use ipv6 128-bit criteria from the ingress internal tcam resource pool using the configure system resource-profile ingress-internal-tcam acl-sap-ingress mac-ipv4-ipv6-128-match-enable command. User can allocate all the slices allocated for the filter policies (using the configure system resource-profile ingress-internal-tcam acl-sap-ingress command) for use by ipv6 criteria with 128-bit addresses or allocation only a portion of it. The entries allocated are used by filter policies that use ipv6 criteria with 128-bit addresses. Each filter entry configured in the policy takes away two (2) resources from the pool. Software uses these resources also for mac criteria, ipv4 criteria, and ipv6 criteria with 64-bit address. Irrespective of the criteria, two (2) resources are taken for each entry configured on the filter policy.
Use the tools dump system-resources command to know the current usage and availability.
Configuring filter policies with CLI
This section provides information to configure filter policies using the CLI.
Basic configuration
The most basic IP and MAC filter policies must have the following:
a filter ID
template scope, either exclusive or template
default action, either drop or forward
at least one filter entry
specified action, either drop or forward
specified matching criteria
allocates the required amount of resources for ingress and egress filter policies
Configuration output for ingress policy
The following is a sample configuration output of allocation of ingress internal CAM resources for ingress policy for 7210 SAS-D.
*A:SASD>config>system>res-prof>ing-internal-tcam# info detail
----------------------------------------------
acl-sap-ingress 2
ipv4-match-enable max
no ipv6-64-only-match-enable
no ipv4-ipv6-128-match-enable
mac-match-enable 2
exit
no eth-cfm
----------------------------------------------
*A:SASD>config>system>res-prof>ing-internal-tcam# acl-sap-ingress
Configuration output for egress policy
The following is a sample configuration output of allocation of egress internal CAM resources for egress policy for 7210 SAS-D.
A:SASD>config>system>res-prof>egr-internal-tcam# info detail
----------------------------------------------
acl-sap-egress 2
mac-ipv4-match-enable 2
ipv6-128bit-match-enable 0
mac-ipv6-64bit-match-enable 0
mac-match-enable 0
exit
----------------------------------------------
*A:SASD>config>system>res-prof>egr-internal-tcam# acl-sap-egress
Configuration output of an IP filter policy
The following is a sample configuration output of an IP filter policy. The configuration blocks all incoming TCP session except Telnet and allows all outgoing TCP sessions from IP net 10.67.132.0/24. CAM resources must be allocated to IPv4 criteria before associating the filter with a SAP.
A:ALA-1>config>filter# info
----------------------------------------------
ip-filter 3 create
entry 10 create
match protocol 6
dst-port eq 23
src-ip 10.67.132.0/24
exit
action
forward
exit
entry 20 create
match protocol 6
tcp-syn true
tcp-ack false
exit
action
drop
exit
exit
----------------------------------------------
A:ALA-1>config>filter#
The following figure shows the IP filter applied to an ingress interface.
Common configuration tasks
This section provides a brief overview of the tasks that must be performed for both IP and MAC filter configurations and provides the CLI commands.
Allocating resources for filter policies (ingress and egress)
The following provides an example of allocation of CAM hardware resources for use with filter policies that use IPv4 and MAC criteria:
Creating an IP filter policy
Configuring and applying filter policies is optional. Each filter policy must have the following:
the filter type specified (IP)
a filter policy ID
a default action
filter policy scope specified, either exclusive or template
at least one filter entry with matching criteria specified
configure CAM hardware resource for use by the filter policy match-criteria
IP filter policy
Exclusive filter policy configuration output
A:ALA-7>config>filter# info
----------------------------------------------
...
ip-filter 12 create
description "IP-filter"
scope exclusive
exit
...
----------------------------------------------
A:ALA-7>config>filter#
IP filter entry
Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determine how the packets are handled, either dropped or forwarded, as follows:
Enter a filter entry ID. The system does not dynamically assign a value.
Assign an action, either drop or forward.
Specify matching criteria.
Use the following syntax to create an IP filter entry.
config>filter# ip-filter filter-id [create]
entry entry-id[time-range time-range-name][create]
description description-string
IP filter entry configuration output
A:ALA-7>config>filter>ip-filter# info
----------------------------------------------
description "filter-main"
scope exclusive
entry 10 create
description "no-91"
match
exit
no action
exit
exit
----------------------------------------------
A:ALA-7>config>filter>ip-filter#
IP entry matching criteria
Use the following syntax to configure IP filter matching criteria:
IP filter matching configuration output
*A:ALA-48>config>filter>ip-filter# info
----------------------------------------------
description "filter-mail"
scope exclusive
entry 10 create
description "no-91"
match
dst-ip 10.10.10.91/24
src-ip 10.10.10.103/24
exit
action
forward
exit
----------------------------------------------
*A:ALA-48>config>filter>ip-filter#
Creating an IPv6 filter policy (applicable only for 7210 SAS-D and 7210 SAS-Dxp)
Configuring and applying IPv6 filter policies is optional. Each filter policy must have the following:
the IPv6 filter type specified
an IPv6 filter policy ID
a default action, either drop or forward
template scope specified, either exclusive or template
at least one filter entry with matching criteria specified
IPv6 filter entry
Within an IPv6 filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determine how the packets are handled, either dropped or forwarded, as follows:
Enter an IPv6 filter entry ID. The system does not dynamically assign a value.
Assign an action, either drop or forward.
Specify matching criteria.
IPv6 filter entry configuration output
*A:7210SAS>config>filter>ipv6-filter# info detail
----------------------------------------------
default-action drop
no description
scope template
entry 1 create
no description
match next-header none
no dscp
no dst-ip
no dst-port
src-ip 1::1/128
no src-port
no tcp-syn
no tcp-ack
no icmp-type
no icmp-code
exit
action
forward
exit
*A:7210SAS>config>filter>ipv6-filter#
Creating a MAC filter policy
Configuring and applying filter policies is optional. Each filter policy must have the following:
the filter type specified (MAC)
a filter policy ID
a default action, either drop or forward
filter policy scope, either exclusive or template
at least one filter entry
matching criteria specified
MAC filter policy
MAC filter policy configuration output
A:ALA-7>config>filter# info
----------------------------------------------
...
mac-filter 90 create
description ‟filter-west"
scope exclusive
exit
----------------------------------------------
A:ALA-7>config>filter#
MAC filter entry
Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determine how the packets are handled, either dropped or forwarded, as follows:
Enter a filter entry ID. The system does not dynamically assign a value.
Assign an action, either drop or forward.
Specify matching criteria.
AC filter entry configuration output
A:sim1>config>filter# info
----------------------------------------------
mac-filter 90 create
entry 1 create
description "allow-104"
match
exit
action
drop
exit
exit
----------------------------------------------
A:sim1>config>filter#
MAC entry matching criteria
Filter matching configuration output
A;ALA-7>config>filter>mac-filter# info
----------------------------------------------
description "filter-west"
scope exclusive
entry 1 create
description "allow-104"
match
src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff
dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff
exit
action
drop
exit
----------------------------------------------
Apply IP and MAC filter policies
The following example shows an example of applying an IP and a MAC filter policy to an Epipe service:
config>service# epipe service-id
sap sap-id
egress
filter {ip ip-filter-id | mac mac-filter-id}
ingress
filter {ip ip-filter-id | mac mac-filter-id}
The following is a sample output for IP and MAC filters assigned to an ingress and egress SAP.
A:ALA-48>config>service>epipe# info
----------------------------------------------
sap 1/1/1.1.1 create
ingress
filter ip 10
exit
egress
filter mac 92
exit
exit
no shutdown
----------------------------------------------
A:ALA-48>config>service>epipe#
Apply filter policies to an IES interface
IP filter policies can be applied to an IP interface created in an IES service. These filter policies apply to the routed management traffic.
config>service>ies# interface ip-int-name
address ip-address
sap sap-id
ingress
filter ip ip-filter-id
The following is a sample output for an IP filter applied to an IES sap at ingress.
A:ALA-48>config>service>ies# info
----------------------------------------------
interface "to-104" create
address 10.1.2.1/24
sap lag-2:0.* create
ingress
filter ip 10
exit
exit
...
----------------------------------------------
A:ALA-48>config>service>ies#
Filter management tasks
This section discusses the filter policy management tasks.
Renumbering filter policy entries
The system exits the matching process when the first match is found and then executes the actions in accordance with the specified action. Because the ordering of entries is important, the numbering sequence can be rearranged. Entries should be numbered from the most explicit to the least explicit.
Use the following syntax to renumber existing MAC or IP filter entries to re-sequence filter entries.
config>filter
ip-filter filter-id
renum old-entry-number new-entry-number
mac-filter filter-id
renum old-entry-number new-entry-number
Command usage to renumber filter entries
config>filter>ip-filter# renum 10 15
config>filter>ip-filter# renum 20 10
config>filter>ip-filter# renum 40 1
Reordered filter entries
The following is a sample original filter entry order on the left side and the reordered filter entries on the right side.
A:ALA-7>config>filter# info ---------------------------------------------- ... ip-filter 11 create description "filter-main" scope exclusive entry 10 create description "no-91" match dst-ip 10.10.10.91/24 src-ip 10.10.10.103/24 exit action forward exit entry 20 create match dst-ip 10.10.10.91/24 src-ip 10.10.0.100/24 exit action drop exit entry 30 create match dst-ip 10.10.10.91/24 src-ip 10.10.0.200/24 exit action forward exit entry 40 create match dst-ip 10.10.10.91/24 src-ip 10.10.10.106/24 exit action drop exit exit ... ---------------------------------------------- A:ALA-7>config>filter# |
A:ALA-7>config>filter# info ---------------------------------------------- ... ip-filter 11 create description "filter-main" scope exclusive entry 1 create match dst-ip 10.10.10.91/24 src-ip 10.10.10.106/24 exit action drop exit entry 10 create match dst-ip 10.10.10.91/24 src-ip 10.10.0.100/24 exit action drop exit entry 15 create description "no-91" match dst-ip 10.10.10.91/24 src-ip 10.10.10.103/24 exit action forward exit entry 30 create match dst-ip 10.10.10.91/24 src-ip 10.10.0.200/24 exit action forward exit exit ... ---------------------------------------------- A:ALA-7>config>filter# |
Modifying an IP filter policy
To access a specific IP filter, you must specify the filter ID. Use the no form of this command to remove the command parameters or return the parameter to the default setting.
Command usage to modify an IP filter policy
config>filter>ip-filter# description "New IP filter info"
config>filter>ip-filter# entry 2 create
config>filter>ip-filter>entry$ description "new entry"
config>filter>ip-filter>entry# action drop
config>filter>ip-filter>entry# match dst-ip 10.10.10.104/32
config>filter>ip-filter>entry# exit
config>filter>ip-filter#
Modified IP filter output
A:ALA-7>config>filter# info
----------------------------------------------
...
ip-filter 11 create
description "New IP filter info"
scope exclusive
entry 1 create
match
dst-ip 10.10.10.91/24
src-ip 10.10.10.106/24
exit
action
drop
exit
entry 2 create
description "new entry"
match
dst-ip 10.10.10.104/32
exit
action
drop
exit
entry 10 create
match
dst-ip 10.10.10.91/24
src-ip 10.10.0.100/24
exit
action
drop
exit
entry 15 create
description "no-91"
match
dst-ip 10.10.10.91/24
src-ip 10.10.10.103/24
exit
action
forward
exit
entry 30 create
match
dst-ip 10.10.10.91/24
src-ip 10.10.0.200/24
exit
action
forward
exit
exit
..
----------------------------------------------
A:ALA-7>config>filter#
Modifying a MAC filter policy
To access a specific MAC filter, you must specify the filter ID. Use the no form of this command to remove the command parameters or return the parameter to the default setting.
Command usage to modify a MAC filter policy
config>filter# mac-filter 90
config>filter>mac-filter# description "New filter info"
config>filter>mac-filter# entry 1
config>filter>mac-filter>entry# description "New entry info"
config>filter>mac-filter>entry# action forward
config>filter>mac-filter>entry# exit
config>filter>mac-filter# entry 2 create
config>filter>mac-filter>entry$ action drop
config>filter>mac-filter>entry# match
config>filter>mac-filter>entry>match# dot1p 7 7
Modified MAC filter output
A:ALA-7>config>filter# info
----------------------------------------------
...
mac-filter 90 create
description "New filter info"
scope exclusive
entry 1 create
description "New entry info"
match
src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff
dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff
exit
action
forward
exit
entry 2 create
match
dot1p 7 7
exit
action
drop
exit
exit
...
----------------------------------------------
A:ALA-7>config>filter#
Deleting a filter policy
Before you can delete a filter, you must remove the filter association from the applied ingress and egress SAPs and network interfaces.
From an ingress SAP
Use the following syntax to remove a filter from an ingress SAP.
config>service# [epipe | ies | vpls] service-id
sap port-id[:encap-val]
ingress
no filter
config>service# epipe 5
config>service>epipe# sap 1/1/2:3
config>service>epipe>sap# ingress
config>service>epipe>sap>ingress# no filter
From an egress SAP
Use the following syntax to remove a filter from an egress SAP.
config>service# [epipe | ies | vpls] service-id
sap port-id[:encap-val]
egress
no filter
config>service# epipe 5
config>service>epipe# sap 1/1/2:3
config>service>epipe>sap# egress
config>service>epipe>sap>egress# no filter
From the filter configuration
Use the following syntax to delete the filter after you have removed the filter from the SAP.
config>filter# no ip-filter filter-id
config>filter# no mac-filter filter-id
config>filter# no ip-filter 11
config>filter# no mac-filter 13
Copying filter policies
When changes are made to an existing filter policy, they are applied immediately to all services where the policy is applied. If numerous changes are required, the policy can be copied so you can edit the ‟work in progress” version without affecting the filtering process. When the changes are completed, you can overwrite the work in progress version with the original version.
New filter policies can also be created by copying an existing policy and renaming the new filter.
config>filter# copy filter-type src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id][overwrite]
Command usage
The following shows command usage to copy an existing IP filter ("11") to create a new filter policy ("12").
config>filter# copy ip-filter 11 to 12
Configuration output
A:ALA-7>config>filter# info
----------------------------------------------
...
ip-filter 11 create
description "This is new"
scope exclusive
entry 1 create
match
dst-ip 10.10.10.91/24
src-ip 10.10.10.106/24
exit
action
drop
exit
entry 2 create
...
ip-filter 12 create
description "This is new"
scope exclusive
entry 1 create
match
dst-ip 10.10.10.91/24
src-ip 10.10.10.106/24
exit
action
drop
exit
entry 2 create
...
----------------------------------------------
A:ALA-7>config>filter#
Filter command reference
Command hierarchies
Configuration commands
IP filter policy commands
config
- filter
- ip-filter filter-id [use-ipv6-resource] [create]
- no ip-filter filter-id
- default-action {drop | forward}
- description description-string
- no description
- filter-name filter-name
- no filter-name
- renum old-entry-id new-entry-id
- scope {exclusive | template}
- no scope
- entry entry-id time-range [time-range-name] [create]
- no entry entry-id
- action[drop]
- action forward
- no action
- description description-string
- no description
- match [protocol protocol-id]
- no match
- dscp dscp-name
- no dscp
- dst-ip {ip-address/mask | ip-address ipv4-address-mask}
- no dst-ip
- dst-port {eq} dst-port-number
- no dst-port
- fragment {true | false}
- no fragment
- icmp-code icmp-code
- no icmp-code
- icmp-type icmp-type
- no icmp-type
- option-present {true | false}
- no option-present
- src-ip {ip-address/mask | ip-address ipv4-address-mask}
- no src-ip
- src-port {{eq} src-port-number
- no src-port
- tcp-ack {true | false}
- no tcp-ack
- tcp-syn {true | false}
- no tcp-syn
IPv6 filter policy commands for 7210 SAS-D and 7210 SAS-Dxp
config
- filter
- ipv6-filter ipv6-filter-id [ipv6-128bit-address | ipv6-64bit-address] [create]
- no ipv6-filter ipv6-filter-id
- default-action {drop | forward}
- description description-string
- no description
- filter-name filter-name
- no filter-name
- entry entry-id [time-range time-range-name] [create]
- no entry entry-id
- action [drop]
- action forward
- no action
- description description-string
- no description
- match [next-header next-header]
- no match
- dscp dscp-name
- no dscp
- dst-ip [ipv6-address/prefix-length]
- no dst-ip
- dst-port {eq} dst-port-number
- no dst-port
- icmp-code icmp-code
- no icmp-code
- icmp-type icmp-type
- no icmp-type
- dst-ip {ipv6-address/prefix-length}
- no dst-ip
- src-port {eq} src-port-number
- src-port range start end}
- no src-port
- src-ip {ipv6-address/prefix-length}
- no src-ip
- tcp-ack {true | false}
- no tcp-ack
- tcp-syn {true | false}
- no tcp-syn
- renum old-entry-id new-entry-id
- scope {exclusive | template}
- no scope
IPv6 filter policy commands for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
config
- filter
- ipv6-filter ipv6-filter-id [ipv6-128bit-address | ipv6-64bit-address] [create]
- no ipv6-filter ipv6-filter-id
- default-action {drop | forward}
- description description-string
- no description
- filter-name filter-name
- no filter-name
- entry entry-id [time-range time-range-name] [create]
- no entry entry-id
- action [drop]
- action forward
- no action
- description description-string
- no description
- match [next-header next-header]
- no match
- dscp dscp-name
- no dscp
- dst-ip [ipv6-address/prefix-length]
- no dst-ip
- dst-port {eq} dst-port-number
- no dst-port
- fragment {true | false | first-only | non-first-only}
- no fragment
- eh-present {true | false}
- no eh-present
- icmp-code icmp-code
- no icmp-code
- icmp-type icmp-type
- no icmp-type
- dst-ip {ipv6-address/prefix-length}
- no dst-ip
- src-port {eq} src-port-number
- src-port range start end}
- no src-port
- src-ip {ipv6-address/prefix-length}
- no src-ip
- tcp-ack {true | false}
- no tcp-ack
- tcp-syn {true | false}
- no tcp-syn
- renum old-entry-id new-entry-id
- scope {exclusive | template}
- no scope
MAC filter policy commands for 7210 SAS-D and 7210 SAS-Dxp
config
- filter
- mac-filter filter-id [create]
- no mac-filter filter-id
- default-action {drop | forward}
- description description-string
- no description
- entry entry-id [time-range time-range-name]
- no entry entry-id
- description description-string
- no description
- action [drop]
- action forward
- no action
- match
- no match
- dot1p dot1p-value [dot1p-mask]
- no dot1p
- dst-mac ieee-address [ieee-address-mask]
- no dst-mac
- etype 0x0600..0xffff
- no etype
- src-mac ieee-address [ieee-address-mask]
- no src-mac
- filter-name filter-name
- no filter-name
- renum old-entry-id new-entry-id
- scope {exclusive | template}
- no scope
MAC filter policy commands for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
config
- filter
- mac-filter filter-id [create]
- no mac-filter filter-id
- default-action {drop | forward}
- description description-string
- no description
- entry entry-id [time-range time-range-name]
- no entry entry-id
- description description-string
- no description
- action [drop]
- action forward
- no action
- match
- no match
- dst-mac ieee-address [ieee-address-mask]
- no dst-mac
- etype 0x0600..0xffff
- no etype
- inner-dot1p dot1p-value [dot1p-mask]
- no inner-dot1p
- inner-tag value [vid-mask]
- no inner-tag
- outer-dot1p dot1p-value [dot1p-mask]
- no outer-dot1p
- no outer-tag
- outer-tag value [vid-mask]
- src-mac ieee-address [ieee-address-mask]
- no src-mac
- filter-name filter-name
- no filter-name
- renum old-entry-id new-entry-id
- scope {exclusive | template}
- no scope
Generic filter commands
config
- filter
- copy ip-filter | mac-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite]
Show commands
Clear commands
Monitor commands
Command descriptions
Configuration commands
Generic commands
description
Syntax
description string
no description
Context
config>filter>ip-filter
config>filter>ip-filter>entry
config>filter>ipv6-filter
config>filter>ipv6-filter>entry
config>filter>mac-filter
config>filter>mac-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates a text description stored in the configuration file for a configuration context.
The description command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of this command removes any description string from the context.
Parameters
- string
Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
Global filter commands
ip-filter
Syntax
[no] ip-filter filter-id [use-ipv6-resource] [create]
Context
config>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures an IP filter policy.
IP-filter policies specify either a forward or a drop action for packets based on the specified match criteria.
The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services as long as the scope of the policy is template.
Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied. For this reason, when many changes are required on an ip-filter policy,Nokia recommends that the policy be copied to a work area. That work-in-progress policy can be modified until complete and then written over the original filter policy. Use the config filter copy command to maintain policies in this manner.
By default, when an IPv4 filter policy is associated with a service entity (For example: SAP), the software attempts to allocate resources for the filter policy entries from the IPv4 resource pool. If resources unavailable in the pool, then the software fails to associate and display an error. If the user knows that resources are free in the IPv6 resource pool, then the use-ipv6-resource parameter is used to allow the user to share the entries in the resource chunks allocated for use by IPv6 128-bit resource pool, if available. If this parameter is specified then the resource for this filter policy is always allocated from the IPv6 128-bit filter resource pool.
By default, IPv4 filters are created using IPv4 resources, assuming an unspecified use-ipv6-resource. If such filters are to be created using IPv6 resources, the use-ipv6-resource option needs to be specified. Ahead of the application of such a filter, the user should ensure the number of policies in the newly created policy is within the limit of available resources in the IPv6 128-bit resource pool, by considering the dump of the tools dump system-resources command.
The no form of this command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all SAPs where it is applied.
Parameters
- filter-id
Specifies the IP filter policy ID number.
- create
Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.
- use-ipv6-resource
Specifies that the hardware resources for the entries in this filter policy must be allocated from the IPv6 filter resource pool, if available.
ipv6-filter
Syntax
[no] ipv6-filter ipv6-filter-id [ipv6-128bit-address | ipv6-64bit-address] [create]
Context
config>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates an IPv6 filter policy. During IPv6 filter creation, the user must specify if IPv6 addresses, both source and destination IPv6 addresses, specified in the match criteria uses complete 128-bits or uses only the upper 64 bits of the IPv6 addresses.
The no form of this command deletes the IPv6 filter policy. A filter policy cannot be deleted until it is removed from all SAPs or network ports where it is applied
Default
128-bit addresses
Parameters
- ipv6-filter-id
Specifies the IPv6 filter policy ID number.
- ipv6-128bit-address
Specifies that if the user intends to use complete 128-bit addresses, then the user requires the ipv6-128bit-address CLI parameter with the create command. When this policy is associated with a SAP, the software allocates resources for the filter entries from the IPv6 128-bit resource pool for the SAP.
- ipv6-64bit-address
Specifies that if the user intends to use upper most significant bit (MSB) 64-bit addresses, then the user requires the ipv6-64bit-address CLI parameter with the create command. When this policy is associated with a SAP, software allocates resources for the filter entries from the IPv6 64-bit resource pool for the SAP. All the IP packet fields are not available for match are when using 64-bit addresses. For more information, see Configuration notes, to know the packet header fields available for matching when using this option.
- create
Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.
mac-filter
Syntax
[no] mac-filter filter-id [create]
Context
config>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the context for a MAC filter policy.
The mac-filter policy specifies either a forward or a drop action for packets based on the specified match criteria.
The mac-filter policy, sometimes referred to as an access control list, is a template that can be applied to multiple services as long as the scope of the policy is template.
A MAC filter policy cannot be applied to network ports on the 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.
Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied. For this reason, when many changes are required on a mac-filter policy, Nokia recommends that the policy be copied to a work area. That work-in-progress policy can be modified until complete and then written over the original filter policy. Use the config filter copy command to maintain policies in this manner.
The no form of this command deletes the mac-filter policy. A filter policy cannot be deleted until it is removed from all SAP where it is applied.
Parameters
- filter-id
Specifies the MAC filter policy ID number.
- create
Specifies that when the context is created, one can navigate into the context without the create keyword. This keyword is required when first creating the configuration context.
Filter policy commands
default-action
Syntax
default-action {drop | forward}
Context
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter.
When multiple default-action commands are entered, the last command will overwrite the previous command.
Default
drop
Parameters
- drop
Specifies all packets will be dropped unless there is a specific filter entry which causes the packet to be forwarded.
- forward
Specifies all packets will be forwarded unless there is a specific filter entry which causes the packet to be dropped.
scope
Syntax
scope {exclusive | template}
no scope
Context
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the filter policy scope as exclusive or template. If the scope of the policy is template and is applied to one or more services or network interfaces, the scope cannot be changed.
The no form of this command reverts the scope of the policy to the default.
Default
template
Parameters
- exclusive
Specifies that the policy can only be applied to a single entity (SAP). Attempting to assign the policy to a second entity will result in an error message. If the policy is removed from the entity, it will become available for assignment to another entity.
- template
Specifies that the policy can be applied to multiple SAPs.
General filter entry commands
entry
Syntax
entry entry-id [time-range time-range-name] [create]
no entry entry-id
Context
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables creation or editing of an IP or MAC filter entry. Multiple entries can be created using unique entry-id numbers within the filter. The implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have the action command for it to be considered complete. Entries without the action command will be considered incomplete and therefore will be rendered inactive.
The no form of this command removes the specified entry from the IP or MAC filter. Entries removed from the IP or MAC filter are immediately removed from all services or network ports where that filter is applied.
Parameters
- entry-id
Specifies a match criteria and the corresponding action. Nokia recommends that multiple entries be given entry IDs in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.
- time-range time-range-name
Specifies the time range name to be associated with this filter entry, up to 32 characters. The time-range name must already exist in the config>cron context.
- create
Specifies that when the context is created, one can navigate into the context without the create keyword. This keyword is required when first creating the configuration context.
IP filter entry commands
action
Syntax
action [drop]
action forward
no action
Context
config>filter>ip-filter>entry
config>filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies to match packets with a specific IP option or a range of IP options in the first option of the IP header as an IP filter match criterion. The action keyword must be entered and a keyword specified in order for the entry to be active.
Multiple action statements entered will overwrite previous actions parameters when defined.
The no form of this command removes the specified action statement. The filter entry is considered incomplete and therefore rendered inactive without the action keyword.
Parameters
- drop
Specifies packets matching the entry criteria will be dropped.
- forward
Specifies packets matching the entry criteria will be forwarded.
match
Syntax
match [protocol protocol-id]
no match
Context
config>filter>ip-filter>entry
config>filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enters match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed.
If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of this command removes the match criteria for the entry-id.
Parameters
- protocol
Specifies an IP protocol to be used as an IP filter match criterion. The protocol type, such as TCP or UDP, is identified by its respective protocol number.
- protocol-id
Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Common protocol numbers include ICMP(1), TCP(6), and UDP(17) (see the following table). The value can be expressed in decimal, hexadecimal, or binary.
MAC filter entry commands
action
Syntax
action drop
action forward
no action
Context
config>filter>mac-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the action for a MAC filter entry. The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive.
If neither drop nor forward is specified, this is considered a No-Op filter entry used to explicitly set a filter entry inactive without modifying match criteria or removing the entry.
Multiple action statements entered will overwrite previous actions parameters when defined. To remove a parameter, use the no form of the action command with the specified parameter.
The no form of this command removes the specified action statement. The filter entry is considered incomplete and therefore rendered inactive without the action keyword.
Parameters
- drop
Specifies packets matching the entry criteria will be dropped.
- forward
Specifies packets matching the entry criteria will be forwarded.
match
Syntax
match
no match
Context
config>filter>mac-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the context for entering or editing match criteria for the filter entry and specifies an Ethernet frame type for the entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.
If more than one match criteria (within one match statement) are configured, then all criteria must be satisfied (AND function) before the action associated with the match will be executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of this command removes the match criteria for the entry-id.
Parameters
- frame-type keyword
Specifies an Ethernet frame type to be used for the MAC filter match criteria.
- ethernet_II
Specifies the frame type is Ethernet Type II.
IP filter match criteria commands
dscp
Syntax
dscp dscp-name
no dscp
Context
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.
The no form of this command removes the DSCP match criterion.
Default
no dscp
Parameters
- dscp-name
Specifies a dscp name that has been previously mapped to a value using the dscp-name command. The DiffServ code point may only be specified by its name.
dst-ip
Syntax
dst-ip {ip-address/mask | ip-address ipv4-address-mask}
no dst-ip
Context
config>filter>ip-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a destination IP address range to be used as an IP filter match criterion.
To match on the destination IP address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of this command removes the destination IPv4 address match criterion.
Default
none
Parameters
- ip-address
Specifies the IP prefix for the IP match criterion in dotted-decimal notation.
- mask
Specifies the subnet mask length expressed as a decimal integer.
- ipv4-address-mask
Specifies any mask expressed in dotted quad notation.
dst-ip
Syntax
dst-ip {ipv6-address/prefix-length}
no dst-ip
Context
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a destination IPv6 address range to be used as an IP filter match criterion.
To match on the destination IPv6 address, specify the address and its associated mask.
The no form of this command removes the destination IPv6 address match criterion.
Default
none
Parameters
- ipv6-address
Specifies the IPv6 prefix for the IP match criterion in hex digits.
- prefix-length
Specifies the IPv6 prefix length for the IPv6 address as a decimal integer.
dst-port
Syntax
dst-port {eq} dst-port-number
no dst-port
Context
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a destination TCP or UDP port number for an IP filter match criterion.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The no form of this command removes the destination port match criterion.
Default
none
Parameters
- dst-port-number
Specifies the destination port number to be used as a match criteria expressed as a decimal integer.
eh-present
Syntax
eh-present {true | false}
no eh-present
Context
config>filter>ipv6-filter>entry>match
Platforms
7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
Description
This command allows the user to specify if the presence of the IPv6 extension header should be used to match an IPv6 packet.
The no form of this command removes the match criterion.
Default
no eh-present
Parameters
- true
Specifies to match an IPv6 packet with an extension header.
- false
Specifies to match an IPv6 packet without an extension header.
fragment
Syntax
fragment {true | false}
no fragment
Context
config>filter>ip-filter>entry>match
Platforms
7210 SAS-Dxp, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
Description
This command configures fragmented or non-fragmented IPv4 packets as IP filter match criteria.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The no form of this command removes the match criterion.
Default
no fragment
Parameters
- true
Specifies to match on all fragmented IPv4 packets. A match will occur for all packets that have either the more fragment (MF) bit set or have the Fragment Offset field of the IPv4 header set to a non-zero value.
- false
Specifies to match on all non-fragmented IPv4 packets. Non-fragmented IPv4 packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.
fragment
Syntax
fragment {true | false | first-only | non-first-only}
no fragment
Context
config>filter>ipv6-filter>entry>match
Platforms
7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
Description
This command configures fragmented or non-fragmented IPv6 packets as IP filter match criteria.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The no form of this command removes the match criterion.
Default
no fragment
Parameters
- true
Specifies to match on all fragmented IPv6 packets. A match will occur for all packets that have either the more fragment (MF) bit set or have the Fragment Offset field of the IPv6 header set to a non-zero value.
- false
Specifies to match on all non-fragmented IPv6 packets. Non-fragmented IPv6 packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.
- first-only
Specifies to match if a packet is an initial fragment of a fragmented IPv6 packet.
- non-first-only
Specifies to match if a packet is a non-initial fragment of a fragmented IPv6 packet.
icmp-code
Syntax
icmp-code icmp-code
no icmp-code
Context
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures matching on the ICMP code field in the ICMP header of an IP packet as a filter match criterion.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
For an IPv4 filter, this command applies only if the protocol match criterion specifies ICMP (1).
For an IPv6 filter, this command applies only if the next header match criterion specifies ipv6-icmp (58).
The no form of this command removes the criterion from the match entry.
Default
no icmp-code
Parameters
- icmp-code
Specifies the ICMP code values that must be present to match.
- icmp-code-number
Specifies the ICMP code number in decimal, hexidecimal, or binary, to be used as a match criterion.
- icmp-code-keyword
Specifies the ICMP code keyword to be used as a match criterion.
icmp-type
Syntax
icmp-type icmp-type
no icmp-type
Context
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures matching on the ICMP type field in the ICMP header of an IP packet as a filter match criterion.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
For an IPv4 filter, this command applies only if the protocol match criterion specifies ICMP (1).
For an IPv6 filter, this command applies only if the next header match criterion specifies ipv6-icmp (58).
The no form of this command removes the criterion from the match entry.
Default
no icmp-type
Parameters
- icmp-type
Specifies the ICMP type values that must be present to match.
- icmp-type-number
Specifies the ICMP type number in decimal, hexidecimal, or binary, to be used as a match criterion.
- icmp-type-keyword
Specifies the ICMP type keyword to be used as a match criterion.
option-present
Syntax
option-present {true | false}
no option-present
Context
config>filter>ip-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document.
Description
This command configures matching packets that contain the option field in the IP header as an IP filter match criterion.
The no form of this command removes the checking of the option field in the IP header as a match criterion.
Parameters
- true
Specifies matching on all IP packets that contain the option field in the header. A match will occur for all packets that have the option field present.
- false
Specifies matching on IP packets that do not have any option field present in the IP header.
src-ip
Syntax
src-ip {ip-address/mask | ip-address ipv4-address-mask}
no src-ip
Context
config>filter>ip-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a source IPv4 address range to be used as an IP filter match criterion.
To match on the source IPv4 address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of this command removes the source IPv4 address match criterion.
Default
no src-ip
Parameters
- ip-address
Specifies the IPv4 prefix for the IP match criterion in dotted-decimal notation.
- mask
Specifies the subnet mask length, expressed as a decimal integer.
- ipv4-address-mask
Specifies any mask, expressed in dotted quad notation.
src-ip
Syntax
src-ip {ipv6-address/prefix-length}
no src-ip
Context
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a source IPv6 address range to be used as an IP filter match criterion.
To match on the source IPv6 address, specify the address and its associated mask.
If the filter is created to match 64-bit address, the IPv6 address specified for the match must contain only the first 64-bits (that is, the first four 16-bit groups of the IPv6 address).
The no form of this command removes the source IPv6 address match criterion.
Default
no src-ip
Parameters
- ipv6-address
Specifies the IPv6 prefix for the IP match criterion in hex digits.
- prefix-length
Specifies the IPv6 prefix length for the IPv6 address as a decimal integer.
src-port
Syntax
src-port {eq} src-port-number
no src-port
Context
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a source TCP or UDP port number for an IP filter match criterion.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The no form of this command removes the source port match criterion.
Default
no src-port
Parameters
- src-port-number
Specifies the source port number to be used as a match criteria, expressed as a decimal integer.
tcp-ack
Syntax
tcp-ack {true | false}
no tcp-ack
Context
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The no form of this command removes the criterion from the match entry.
Default
no tcp-ack
Parameters
- true
Specifies matching on IP packets that have the ACK bit set in the control bits of the TCP header of an IP packet.
- false
Specifies matching on IP packets that do not have the ACK bit set in the control bits of the TCP header of the IP packet.
tcp-syn
Syntax
tcp-syn {true | false}
no tcp-syn
Context
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.
The SYN bit is normally set when the source of the packet needs to initiate a TCP session with the specified destination IP address.
An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The no form of this command removes the criterion from the match entry.
Default
no tcp-syn
Parameters
- true
Specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header.
- false
Specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header.
MAC filter match criteria commands
dot1p
Syntax
dot1p ip-value [mask]
no dot1p
Context
config>filter>mac-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures an IEEE 802.1p value or range to be used as a MAC filter match criterion.
When a frame is missing the 802.1p bits, specifying an dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry.
The no form of this command removes the criterion from the match entry.
Egress Dot1p values used for matching will correspond to the Dot1p values used for remarking.
Default
no dot1p
Parameters
- ip-value
Specifies the IEEE 802.1p value in decimal.
- mask
Specifies a 3-bit mask that can be configured using the following formats:
Table 8. 3-bit mask format Format style
Format syntax
Example
Decimal
D
4
Hexadecimal
0xH
0x4
Binary
0bBBB
0b100
To select a range from 4 up to 7 specify p-value of 4 and a mask of 0b100 for value and mask.
dst-mac
Syntax
dst-mac ieee-address [mask]
no dst-mac
Context
config>filter>mac-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a destination MAC address or range to be used as a MAC filter match criterion.
The no form of this command removes the destination mac address as the match criterion.
Default
no dst-mac
Parameters
- ieee-address
Specifies the MAC address to be used as a match criterion.
- mask
Specifies a 48-bit mask to match a range of MAC address values.
This 48-bit mask can be configured using the following formats:
Table 9. 48-bit mask format Format style
Format syntax
Example
Decimal
DDDDDDDDDDDDDD
281474959933440
Hexadecimal
0xHHHHHHHHHHHH
0xFFFFFF000000
Binary
0bBBBBBBB...B
0b11110000...B
To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 0003FA000000 0xFFFFFF000000
etype
Syntax
etype ethernet-type
no etype
Context
config>filter>mac-filter>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures an Ethernet type II Ethertype value for use as a MAC filter match criterion.
The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.
The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field.
For the 7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C platforms, the dataplane processes a maximum of two VLAN tags in a received packet. The Ethertype used in the MAC matching criteria for ACLs is the Ethertype that is found in the packet after processing single-tagged frames, double-tagged frames, and no-tag frames
The packet is considered to have no tags if at least one of the following criteria is true:
the packet is a null-tagged frame
the packet is a priority-tagged frame
the outermost Ethertype does not match the default Ethertype (0x8100)
the outermost Ethertype does not match the configured dot1q-etype on Dot1q encapsulated ports
the outermost Ethertype does not match the configured qinq-etype on QinQ encapsulated ports
The packet is considered to have a single tag if at least one of the following criteria is true:
the outermost Ethertype matches the default Ethertype (0x8100)
the outermost Ethertype matches the configured dot1q-etype on Dot1q encapsulated ports
the outermost Ethertype matches the configured qinq-etype on QinQ encapsulated ports
The packet is considered to have double tags if at least one of the following criteria is true:
the outermost Ethertype matches the default Ethernet type (0x8100)
the configured dot1q-etype on Dot1q encapsulated ports and the immediately following Ethertype match the default Ethertype (0x8100)
the configured qinq-etype on QinQ encapsulated ports and the immediately following Ethertype match the default Ethertype (0x8100)
The no form of this command removes the previously entered etype field as the match criteria.
Default
no etype
Parameters
- ethernet-type
Specifies the Ethernet type II frame Ethertype value to be used as a match criterion, expressed in hexadecimal.
inner-dot1p
Syntax
inner-dot1p value [vid-mask]
no inner-dot1p
Context
config>filter>mac-filter>entry>match
Platforms
7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
Description
This command configures the Dot1p value to be used to match against the Dot1p value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.
The no form of this command removes the previously entered Dot1p value as the match criteria.
Default
no inner-dot1p
Parameters
- dot1p-value
Specifies the Dot1p value to match.
- dot1p-mask
Specifies the mask value to match a range of Dot1p values. The value can be expressed in decimal or binary.
inner-tag
Syntax
inner-tag value [vid-mask]
no inner-tag
Context
config>filter>mac-filter>entry>match
Platforms
7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
Description
This command configures the VLAN value to be used to match against the VLAN value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.
The optional vid_mask is defaulted to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value & vid-mask) = = (tag & vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.
The no form of this command removes the previously entered VLAN tag value as the match criteria.
Default
no inner-tag
Parameters
- value
Specifies the VLAN value to use for the match
- vid-mask
Specifies the mask value to match a range of VLAN values.
outer-dot1p
Syntax
outer-tag value [vid-mask]
no outer-tag
Context
config>filter>mac-filter>entry>match
Platforms
7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
Description
The command configures the Dot1p value to be used to match against the Dot1p value in the outermost tag of the received packet.
The no form of this command removes the previously entered Dot1p value as the match criteria.
Default
no outer-dot1p
Parameters
- dot1p-value
Specifies the Dot1p value to match.
- dot1p-mask
Specifies the mask value to match a range of Dot1p values. The value can be expressed in decimal or hexadecimal.
outer-tag
Syntax
outer-tag value [vid-mask]
no outer-tag
Context
config>filter>mac-filter>entry>match
Platforms
7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
Description
This command configures the VLAN value to be used to match against the VLAN value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.
The optional vid_mask is defaulted to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value & vid-mask) = = (tag & vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.
The no form of this command removes the previously entered VLAN tag value as the match criteria.
Default
no outer-tag
Parameters
- value
Specifies the VLAN value to use for the match
- vid-mask
Specifies the mask value to match a range of VLAN values.
src-mac
Syntax
src-mac ieee-address [ieee-address-mask]
no src-mac
Context
config>filter>mac-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a source MAC address or range to be used as a MAC filter match criterion.
The no form of this command removes the source mac as the match criteria.
Default
no src-mac
Parameters
- ieee-address
Specifies the 48-bit IEEE mac address to be used as a match criterion.
- ieee-address-mask
Specifies a 48-bit mask that can be configured using:
Table 10. 48-bit mask format Format style
Format syntax
Example
Decimal
DDDDDDDDDDDDDD
281474959933440
Hexadecimal
0xHHHHHHHHHHHH
0xFFFFFF000000
Binary
0bBBBBBBB...B
0b11110000...B
To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000
Policy and entry maintenance commands
copy
Syntax
copy {ip-filter | mac-filter} source-filter-id dest-filter-id dest-filter-id [overwrite]
Context
config>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command copies existing filter list entries for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new filters using existing filters. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.
If overwrite is not specified, an error will occur if the destination policy ID exists.
Parameters
- ip-filter
Specifies that the source-filter-id and the dest-filter-id are IP filter IDs.
- mac-filter
Specifies that the source-filter-id and the dest-filter-id are MAC filter IDs.
- source-filter-id
Specifies the source filter policy from which the copy command will attempt to copy. The filter policy must exist within the context of the preceding keyword (ip-filter or mac-filter).
- dest-filter-id
Specifies the destination filter policy to which the copy command will attempt to copy. If the overwrite keyword does not follow, the filter policy ID cannot already exist within the system for the filter type the copy command is issued for. If the overwrite keyword is present, the destination policy ID may or may not exist.
- overwrite
Specifies that the destination filter ID may exist. If it does, everything in the existing destination filter ID will be completely overwritten with the contents of the source filter ID. If the destination filter ID exists, either overwrite must be specified or an error message will be returned. If overwrite is specified, the function of copying from source to destination occurs in a ‛break before make’ manner and therefore should be handled with care.
filter-name
Syntax
filter-name filter-name
Context
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the filter-name attribute of a specific filter. When configured, filter-name can be used instead of filter ID to reference the specific policy in the CLI.
Default
no filter-name
Parameters
- filter-name
Specifies a string of up to 64 characters uniquely identifying this filter policy.
renum
Syntax
renum old-entry-id new-entry-id
Context
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command renumbers existing MAC or IP filter entries to properly sequence filter entries. This may be required in some cases because the OS exits when the first match is found and executes the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.
Parameters
- old-entry-id
Specifies the entry number of an existing entry.
- new-entry-id
Specifies the new entry-number to be assigned to the old entry.
Show commands
ip
Syntax
ip ip-filter-id [association | counters]
ip ip-filter-id entry entry-id [counters]
Context
show>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays IP filter information.
Parameters
- ip-filter-id
Displays detailed information for the specified filter ID and its filter entries.
- entry entry-id
Displays information about the specified filter entry ID for the specified filter ID only.
- associations
Displays information as to where the filter policy ID is applied to the detailed filter policy ID output.
- counters
Displays counter information for the specified filter ID. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.
- type entry-type
Displays information about the specified filter ID for the specified entry-type only
Output
The following outputs are examples of IP filter information, and the associated tables describe the output fields.
Sample output with IP filter ID specified, Output fields: filter IP with filter ID specified
Sample output: associations, Output fields: filter IP associations
Sample output for IP filter counters, Output fields: filter IP counters
A:ALA-49# show filter ip
===============================================================================
IP Filters
===============================================================================
Filter-Id Scope Applied Description
-------------------------------------------------------------------------------
1 Template Yes
3 Template Yes
6 Template Yes
10 Template No
11 Template No
-------------------------------------------------------------------------------
Num IP filters: 5
===============================================================================
A:ALA-49#
*A:Dut-C>config>filter# show filter ip
===============================================================================
IP Filters Total: 2
===============================================================================
Filter-Id Scope Applied Description
-------------------------------------------------------------------------------
10001 Template Yes
fSpec-1 Template Yes BGP FlowSpec filter for the Base router
-------------------------------------------------------------------------------
Num IP filters: 2
===============================================================================
*A:Dut-C>config>filter#
Label |
Description |
---|---|
Filter Id |
The IP filter ID. |
Scope |
Template — The filter policy is of type template. |
Exclusive — The filter policy is of type exclusive. |
|
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Description |
The IP filter policy description. |
A:ALA-49>config>filter# show filter ip 3
===============================================================================
IP Filter
===============================================================================
Filter Id : 3 Applied : Yes
Scope : Template Def. Action : Drop
Entries : 1
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry : 10
Src. IP : 10.1.1.1/24 Src. Port : None
Dest. IP : 0.0.0.0/0 Dest. Port : None
Protocol : 2 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
TCP-syn : Off TCP-ack : Off
Match action : Drop
Ing. Matches : 0 Egr. Matches : 0
===============================================================================
A:ALA-49>config>filter#
*A:Dut-C>config>filter# show filter ip fSpec-1 associations
===============================================================================
IP Filter
===============================================================================
Filter Id : fSpec-1 Applied : Yes
Scope : Template Def. Action : Forward
Radius Ins Pt: n/a
CrCtl. Ins Pt: n/a
Entries : 2 (insert By Bgp)
Description : BGP FlowSpec filter for the Base router
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
Service Id : 1 Type : IES
- SAP 1/1/3:1.1 (merged in ip-fltr 10001)
===============================================================================
*A:Dut-C>config>filter#
*A:Dut-C>config>filter# show filter ip 10001
===============================================================================
IP Filter
===============================================================================
Filter Id : 10001 Applied : Yes
Scope : Template Def. Action : Drop
Radius Ins Pt: n/a
CrCtl. Ins Pt: n/a
Entries : 1
BGP Entries : 2
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry : 1
Description : (Not Specified)
Log Id : n/a
Src. IP : 0.0.0.0/0 Src. Port : None
Dest. IP : 0.0.0.0/0 Dest. Port : None
Protocol : 6 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
Sampling : Off Int. Sampling : On
IP-Option : 0/0 Multiple Option: Off
TCP-syn : Off TCP-ack : Off
Match action : Forward
Next Hop : Not Specified
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
Entry : fSpec-1-32767 - inserted by BGP FLowSpec
Description : (Not Specified)
Log Id : n/a
Src. IP : 0.0.0.0/0 Src. Port : None
Dest. IP : 0.0.0.0/0 Dest. Port : None
Protocol : 6 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
Sampling : Off Int. Sampling : On
IP-Option : 0/0 Multiple Option: Off
TCP-syn : Off TCP-ack : Off
Match action : Drop
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
Entry : fSpec-1-49151 - inserted by BGP FLowSpec
Description : (Not Specified)
Log Id : n/a
Src. IP : 0.0.0.0/0 Src. Port : None
Dest. IP : 0.0.0.0/0 Dest. Port : None
Protocol : 17 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
Sampling : Off Int. Sampling : On
IP-Option : 0/0 Multiple Option: Off
TCP-syn : Off TCP-ack : Off
Match action : Drop
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
===============================================================================
*A:Dut-C>config>filter#
Label |
Description |
---|---|
Filter Id |
The IP filter policy ID. |
Scope |
Template — The filter policy is of type template. |
Exclusive — The filter policy is of type exclusive. |
|
Entries |
The number of entries configured in this filter ID. |
Description |
The IP filter policy description. |
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Filter Match Criteria |
IP — Indicates the filter is an IP filter policy. |
Entry |
The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. |
ICMP Type |
The ICMP type match criterion. Undefined indicates no ICMP type specified. |
Fragment |
False — Configures a match on all non-fragmented IP packets. |
True — Configures a match on all fragmented IP packets. |
|
Off — Fragments are not a matching criteria. All fragments and non-fragments implicitly match. |
|
TCP-syn |
False — Configures a match on packets with the SYN flag set to false. |
True — Configured a match on packets with the SYN flag set to true. |
|
Off — The state of the TCP SYN flag is not considered as part of the match criteria. |
|
Match action |
Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete, no action was specified. |
Drop — Drop packets matching the filter entry. |
|
Forward — The explicit action to perform is forwarding of the packet. |
|
Ing. Matches |
The number of ingress filter matches or hits for the filter entry. |
Src. Port |
The source TCP or UDP port number. |
Dest. Port |
The destination TCP or UDP port number. |
Dscp |
The DiffServ Code Point (DSCP) name. |
ICMP Code |
The ICMP code field in the ICMP header of an IP packet. |
Option-present |
Off — Specifies not to search for packets that contain the option field or have an option field of zero. |
On — Matches packets that contain the option field or have an option field of zero be used as IP filter match criteria. |
|
TCP-ack |
False — Configures a match on packets with the ACK flag set to false. |
True — Configures a match on packets with the ACK flag set to true. |
|
Off — The state of the TCP ACK flag is not considered as part of the match criteria. as part of the match criteria. |
|
Egr. Matches |
The number of egress filter matches or hits for the filter entry. |
A:ALA-49# show filter ip 10
===============================================================================
IP Filter
===============================================================================
Filter Id : 10 Applied : No
Scope : Template Def. Action : Drop
Entries : 2
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry : 1010
time-range : day Cur. Status : Inactive
Src. IP : 0.0.0.0/0 Src. Port : None
Dest. IP : 10.10.100.1/24 Dest. Port : None
Protocol : Undefined Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
TCP-syn : Off TCP-ack : Off
Match action : Forward
Ing. Matches : 0 Egr. Matches : 0
Entry : 1020
time-range : night Cur. Status : Active
Src. IP : 0.0.0.0/0 Src. Port : None
Dest. IP : 10.10.1.1/16 Dest. Port : None
Protocol : Undefined Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
TCP-syn : Off TCP-ack : Off
Match action : Forward
Ing. Matches : 0 Egr. Matches : 0
===============================================================================
A:ALA-49#
Sample output: associations
A:ALA-49# show filter ip 1 associations
===============================================================================
IP Filter
===============================================================================
Filter Id : 1 Applied : Yes
Scope : Template Def. Action : Drop
Entries : 1
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
Service Id : 1001 Type : VPLS
- SAP 1/1/1:1001 (Ingress)
Service Id : 2000 Type :
- SAP 1/1/1:2000 (Ingress)
===============================================================================
A:ALA-49#
A:ALA-49# show filter ip 160 associations
===============================================================================
IP Filter
===============================================================================
Filter Id : 160 Applied : No
Scope : Template Def. Action : Drop
Entries : 0
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
Tod-suite "english_suite"
- ingress, time-range "day" (priority 5)
===============================================================================
A:ALA-49#
Label |
Description |
---|---|
Filter Id |
The IP filter policy ID. |
Scope |
Template — The filter policy is of type Template. |
Exclusive — The filter policy is of type Exclusive. |
|
Entries |
The number of entries configured in this filter ID. |
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Service Id |
The service ID on which the filter policy ID is applied. |
SAP |
The Service Access Point on which the filter policy ID is applied. |
(Ingress) |
The filter policy ID is applied as an ingress filter policy on the interface. |
(Egress) |
The filter policy ID is applied as an egress filter policy on the interface. |
Type |
The type of service of the service ID. |
Label |
Description |
---|---|
IP Filter Filter Id |
The IP filter policy ID. |
Scope |
Template — The filter policy is of type Template. |
Exclusive — The filter policy is of type Exclusive. |
|
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Filter Match Criteria |
IP — Indicates the filter is an IP filter policy. |
Entry |
The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. |
Ing. Matches |
The number of ingress filter matches or hits for the filter entry. The ingress counters count the packets with Layer 2 encapsulation. |
Egr. Matches |
The number of egress filter matches or hits for the filter entry. The egress counters count the packets without Layer 2 encapsulation. |
ipv6
Syntax
ipv6 {ipv6-filter-id [entry entry-id] [association | counters]}
Context
show>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays IPv6 filter information.
Parameters
- ipv6-filter-id
Displays detailed information for the specified IPv6 filter ID and filter entries.
- entry entry-id
Displays information about the specified IPv6 filter entry ID for the specified filter ID.
- associations
Displays information as to where the IPv6 filter policy ID is applied to the detailed filter policy ID output.
- counters
Displays counter information for the specified IPv6 filter ID. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.
Output
The following output are examples of IPv6 filter information, and the associated tables describe the output fields.
Sample output for IPv6 with a filter ID specified, Output fields: filter IPv6 with filter ID specified
Sample output for IPv6 filter associations, Output fields: filter IPv6 associations
Sample output for IPv6 filter counters, Output fields: filter IPv6 counters
*A:7210SAS>show>filter# ipv6
===============================================================================
IPv6 Filters Total: 1
===============================================================================
Filter-Id Scope Applied Description
-------------------------------------------------------------------------------
1 Template Yes
-------------------------------------------------------------------------------
Num IPv6 filters: 1
===============================================================================
*A:7210SAS>show>filter#
Label |
Description |
---|---|
Filter Id |
The IP filter ID. |
Scope Template |
The filter policy is of type template. |
Exclusive |
The filter policy is of type exclusive. |
Applied |
No - The filter policy ID has not been applied. Yes - The filter policy ID has been applied. |
Description |
The IP filter policy description. |
*A:7210SAS>show>filter# ipv6 1
===============================================================================
IPv6 Filter
===============================================================================
Filter Id : 1 Applied : Yes
Scope : Template Def. Action : Drop
Entries : 2
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry : 1
Description : Test
Src. IP : 1::1/128 Src. Port : None
Dest. IP : ::/0 Dest. Port : None
Next Header : Undefined Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
TCP-syn : Off TCP-ack : Off
Match action : Forward
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
Entry : 2
Description : (Not Specified)
Src. IP : ::/0 Src. Port : None
Dest. IP : 1:2::1AFC/128 Dest. Port : None
Next Header : Undefined Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
TCP-syn : Off TCP-ack : Off
Match action : Drop
Ing. Matches : 819 pkts
Egr. Matches : 0 pkts
===============================================================================
*A:7210SAS>show>filter#
Label |
Description |
---|---|
Filter Id |
The IP filter policy ID. |
Scope |
Template — The filter policy is of type template. |
Exclusive — The filter policy is of type exclusive. |
|
Entries |
The number of entries configured in this filter ID. |
Description |
The IP filter policy description. |
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Filter Match Criteria |
IP — Indicates the filter is an IP filter policy. |
Entry |
The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. |
Src. IP |
The source IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry. |
Dest. IP |
The destination IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry. |
ICMP Type |
The ICMP type match criterion. Undefined indicates no ICMP type specified. |
IP-Option |
Specifies matching packets with a specific IP option or a range of IP options in the IP header for IP filter match criteria. |
TCP-syn |
False — Configures a match on packets with the SYN flag set to false. |
True — Configured a match on packets with the SYN flag set to true. |
|
Off — The state of the TCP SYN flag is not considered as part of the match criteria. |
|
Match action |
Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. |
Drop — Drop packets matching the filter entry. |
|
Forward — The explicit action to perform is forwarding of the packet. If the action is Forward, then if configured, the next-hop information should be displayed, including Nexthop: <IP address>, Indirect: <IP address> or Interface: <IP interface name>. |
|
Ing. Matches |
The number of ingress filter matches or hits for the filter entry. |
Src. Port |
The source TCP or UDP port number or port range. |
Dest. Port |
The destination TCP or UDP port number or port range. |
Dscp |
The DiffServ Code Point (DSCP) name. |
ICMP Code |
The ICMP code field in the ICMP header of an IP packet. |
TCP-ack |
False — Configures a match on packets with the ACK flag set to false. |
True — Configured a match on packets with the ACK flag set to true. |
|
Off — The state of the TCP ACK flag is not considered as part of the match criteria. |
|
Ing. Matches |
The number of ingress filter matches or hits for the filter entry. |
Egr. Matches |
The number of egress filter matches or hits for the filter entry. |
*A:7210SAS>show>filter# ipv6 1 associations
===============================================================================
IPv6 Filter
===============================================================================
Filter Id : 1 Applied : Yes
Scope : Template Def. Action : Drop
Entries : 2
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Association : IPv6
-------------------------------------------------------------------------------
Service Id : 1 Type : Epipe
- SAP 1/1/1:1 (Ingress)
Service Id : 2 Type : VPLS
- SAP 1/1/1:2 (Ingress)
- SAP 1/1/1:3 (Ingress)
===============================================================================
*A:7210SAS>show>filter#
Label |
Description |
---|---|
Filter Id |
The IPv6 filter policy ID. |
Scope |
Template — The filter policy is of type Template. |
Exclusive — The filter policy is of type Exclusive. |
|
Entries |
The number of entries configured in this filter ID. |
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Description |
The IP filter policy description. |
Service Id |
The service ID on which the filter policy ID is applied. |
SAP |
The Service Access Point on which the filter policy ID is applied. (Ingress) The filter policy ID is applied as an ingress filter policy on the interface. (Egress) The filter policy ID is applied as an egress filter policy on the interface. |
Type |
The type of service of the service ID. |
*A:7210SAS>show>filter# ipv6 1 counters
===============================================================================
IPv6 Filter
===============================================================================
Filter Id : 1 Applied : Yes
Scope : Template Def. Action : Drop
Entries : 2
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry : 1
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
Entry : 2
Ing. Matches : 819 pkts
Egr. Matches : 0 pkts
===============================================================================
*A:7210SAS>show>filter#
Label |
Description |
---|---|
Filter Id |
The IPv6 filter policy ID. |
Scope |
Template — The filter policy is of type Template. |
Exclusive — The filter policy is of type Exclusive. |
|
Entries |
The number of entries configured in this filter ID. |
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Description |
The IP filter policy description. |
Entry |
The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. |
Ing. Matches |
The number of ingress filter matches or hits for the filter entry. |
Egr. Matches |
The number of egress filter matches or hits for the filter entry. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation. |
mac
Syntax
mac [mac-filter-id [associations | counters] [entry entry-id]]
Context
show>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays MAC filter information. When no parameters are specified, a bried listing of IP filters is produced.
Parameters
- mac-filter-id
Displays detailed information for the specified filter ID and its filter entries.
- associations
Displays information as to where the filter policy ID is applied to the detailed filter policy ID output.
- counters
Displays counter information for the specified filter ID.
- entry entry-id
Displays information about the specified filter entry ID for the specified filter ID only.
Output
The following outputs are examples of MAC filter information. The associated tables describe the output fields.
Sample Detailed Output, Sample output for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C, Output fields: MAC filter
Sample output for MAC filter counters, Output fields: filter MAC counters
Sample output for MAC filter associations, Output fields: filter MAC associations
===============================================================================
Mac Filter : 200
===============================================================================
Filter Id : 200 Applied : No
Scope : Exclusive D. Action : Drop
Description : Forward SERVER sourced packets
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry : 200FrameType : 802.2SNAP
Description : Not Available
Src Mac : 00:00:5a:00:00:00 ff:ff:ff:00:00:00
Dest Mac : 00:00:00:00:00:00 00:00:00:00:00:00
Dot1p : Undefined Ethertype : 802.2SNAP
Match action: Forward
Ing. Matches: 0Egr. Matches : 0
Entry : 300 (Inactive) FrameType : Ethernet
Description : Not Available
Src Mac : 00:00:00:00:00:00 00:00:00:00:00:00
Dest Mac : 00:00:00:00:00:00 00:00:00:00:00:00
Dot1p : Undefined Ethertype : Ethernet
Match action: Default
Ing. Matches: 0 Egr. Matches : 0
===============================================================================
Sample output for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
===============================================================================
Mac Filter
===============================================================================
Filter Id : 1 Applied : No
Scope : Template Def. Action : Drop
Entries : 1 Type : unknown
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry : 1 (Inactive)
Description : (Not Specified)
Src Mac :
Dest Mac :
Outer Dot1p*: none Outer Dot1p Mask: none
Inner Dot1p*: none Inner Dot1p Mask: none
Outer TagVal: none Outer TagMask : none
Inner TagVal: none Inner TagMask : none
Ethertype : Undefined
Match action: Drop
Ing. Matches: 0 pkts
Egr. Matches: 0 pkts
===============================================================================
Label |
Description |
---|---|
MAC Filter Filter Id |
The MAC filter policy ID |
Scope |
Template — The filter policy is of type Template. |
Exclusive — The filter policy is of type Exclusive. |
|
Description |
The IP filter policy description. |
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Filter Match Criteria |
MAC — Indicates the filter is an MAC filter policy. |
Entry |
The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. |
Description |
The filter entry description. |
FrameType |
Ethernet — The entry ID match frame type is Ethernet IEEE 802.3. |
Ethernet II — The entry ID match frame type is Ethernet Type II. |
|
Src MAC |
The source MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion specified for the filter entry. |
Dest MAC |
The destination MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion specified for the filter entry. |
Dot1p |
The IEEE 802.1p value for the match criteria. Undefined indicates no value is specified. |
Outer Dot1p |
The IEEE 802.1p value for the match criteria used to match the Dot1p in the outermost VLAN tag. Undefined indicates no value is specified. |
Inner Dot1p |
The IEEE 802.1p value for the match criteria used to match the Dot1p in the inner VLAN tag. Undefined indicates no value is specified. |
Outer TagVal |
The VLAN ID value for the match criteria used to match the VLAN ID in the outermost VLAN tag. Undefined indicates no value is specified. |
Inner TagVal |
The IEEE 802.1p value for the match criteria used to match the Dot1p in the inner VLAN tag. Undefined indicates no value is specified. |
Ethertype |
The Ethertype value match criterion. |
Match action |
Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete, no action was specified. |
Drop — Packets matching the filter entry criteria will be dropped. |
|
Forward — Packets matching the filter entry criteria is forwarded. |
|
Ing. Matches |
The number of ingress filter matches or hits for the filter entry. |
Egr. Matches |
The number of egress filter matches or hits for the filter entry. |
A:ALA-49# show filter mac 8 counters
===============================================================================
Mac Filter
===============================================================================
Filter Id : 8 Applied : Yes
Scope : Template Def. Action : Forward
Entries : 2
Description : Description for Mac Filter Policy id # 8
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry : 8 FrameType : Ethernet
Ing. Matches: 80 pkts
Egr. Matches: 62 pkts
Entry : 10 FrameType : Ethernet
Ing. Matches: 80 pkts
Egr. Matches: 80 pkts
Label |
Description |
---|---|
Mac Filter Filter Id |
The MAC filter policy ID. |
Scope |
Template — The filter policy is of type Template. |
Exclusive — The filter policy is of type Exclusive. |
|
Description |
The MAC filter policy description. |
Applied |
No — The filter policy ID has not been applied. |
Yes — The filter policy ID has been applied. |
|
Def. Action |
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward. |
Drop — The default action for the filter ID for packets that do not match the filter entries is to drop. |
|
Filter Match Criteria |
Mac — Indicates the filter is an MAC filter policy. |
Entry |
The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. |
Ing. Matches |
The number of ingress filter matches or hits for the filter entry. |
Egr. Matches |
The number of egress filter matches or hits for the filter entry. |
A:ALA-49# show filter mac 3 associations
===============================================================================
Mac Filter
===============================================================================
Filter ID: 3Applied: Yes
Scope: TemplateDef. Action: Drop
Entries: 1
-------------------------------------------------------------------------------
Filter Association : Mac
-------------------------------------------------------------------------------
Service Id: 1001Type: VPLS
- SAP 1/1/1:1001(Egress)
===============================================================================
A:ALA-49#
Label |
Description |
---|---|
Filter Association |
Mac — The filter associations displayed are for a MAC filter policy ID. |
Service Id |
The service ID on which the filter policy ID is applied. |
SAP |
The Service Access Point on which the filter policy ID is applied. |
Type |
The type of service of the Service ID. |
(Ingress) |
The filter policy ID is applied as an ingress filter policy on the interface. |
(Egress) |
The filter policy ID is applied as an egress filter policy on the interface. |
Clear commands
ip
Syntax
ip ip-filter-id [entry entry-id] [ingress | egress]
Context
clear>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command clears the counters associated with the IP filter policy.
By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.
Parameters
- ip-filter-id
Specifies the IP filter policy ID.
- entry-id
Specifies that only the counters associated with the specified filter policy entry will be cleared.
- ingress
Specifies to only clear the ingress counters.
- egress
Specifies to only clear the egress counters.
ipv6
Syntax
ipv6 ip-filter-id [entry entry-id] [ingress | egress]
Context
clear>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command clears the counters associated with the IPv6 filter policy.
By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.
Parameters
- ip-filter-id
Specifies the IP filter policy ID.
- entry-id
Specifies that only the counters associated with the specified filter policy entry will be cleared.
- ingress
Specifies to only clear the ingress counters.
- egress
Specifies to only clear the egress counters.
mac
Syntax
mac mac-filter-id [entry entry-id] [ingress | egress]
Context
clear>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command clears the counters associated with the MAC filter policy.
By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.
Parameters
- mac-filter-id
Specifies the MAC filter policy ID.
- entry-id
Specifies that only the counters associated with the specified filter policy entry will be cleared.
- ingress
Specifies to only clear the ingress counters.
- egress
Specifies to only clear the egress counters.
Monitor commands
ip
Syntax
ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context
monitor>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command monitors the counters associated with the IP filter policy.
Parameters
- ip-filter-id
Specifies the IP filter policy ID.
- entry-id
Specifies that only the counters associated with the specified filter policy entry will be monitored.
- interval
Specifies the interval for each display in seconds.
- repeat repeat
Specifies how many times the command is repeated.
- absolute
Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.
- rate
Displays the rate-per-second for each statistic instead of the delta.
ipv6
Syntax
ipv6 ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context
monitor>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command monitors the counters associated with the IPv6 filter policy.
Parameters
- ip-filter-id
Specifies the IP filter policy ID.
- entry-id
Specifies that only the counters associated with the specified filter policy entry will be monitored.
- interval
Specifies the interval for each display in seconds.
- repeat repeat
Specifies how many times the command is repeated.
- absolute
Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.
- rate
Displays the rate-per-second for each statistic instead of the delta.
mac
Syntax
mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context
monitor>filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command monitors the counters associated with the MAC filter policy.
Parameters
- mac-filter-id
Specifies MAC filter policy ID.
- entry-id
Specifies that only the counters associated with the specified filter policy entry will be cleared.
- interval
Specifies the interval for each display in seconds.
- repeat repeat
Specifies how many times the command is repeated.
- absolute
Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.
- rate
Displays the rate-per-second for each statistic instead of the delta.