Filter policies

This chapter provides information about filter policies and management.

Filter policy configuration overview

Filter policies, also referred to as Access Control Lists (ACLs), are templates applied to services or access uplink ports to control network traffic into (ingress) or out of (egress) a service access port (SAP) or access uplink based on IP and MAC matching criteria. Filters are applied to services to look at packets entering or leaving a SAP. Filters can be used on several interfaces. The same filter can be applied to ingress traffic, egress traffic, or both. Ingress filters affect only inbound traffic destined for the routing complex, and egress filters affect only outbound traffic sent from the routing complex.

Configuring an entity with a filter policy is optional. If an entity such as a service is not configured with filter policies, then all traffic is allowed on the ingress and egress interfaces. By default, there are no filters associated with services or interfaces. They must be explicitly created and associated. When you create a new filter, default values are provided, although you must specify a unique filter ID value for each new filter policy, as well as each new filter entry and associated actions. The filter entries specify the filter matching criteria and also an action to be taken upon a match.

On 7210 SAS platforms, the available ingress and egress CAM hardware resources can be allocated as per user needs for use with different filter criteria (egress CAM resource allocation is supported only on 7210 SAS-D and 7210 SAS-Dxp). By default on the 7210 SAS-D, the system allocates resources to maintain backward compatibility with release 4.0.

Users can modify the resource allocation based on their need to scale the number of entries or number of associations (that is, number of SAP/IP interfaces using a filter policy that defines particular match criteria). If no CAM resources are allocated to particular match criteria defined in a filter policy, then the association of that filter policy to a SAP will fail. This is true for both ingress and egress filter policies. See the following configuration notes section for more information.

Only one ingress IP or MAC filter policy and one egress IP or MAC filter policy can be applied to a Layer 2 SAP. For the 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C, both IPv4 and IPv6 ingress and egress filter policies can be used simultaneously with a Layer 2 SAP. For the 7210 SAS-D and 7210 SAS-Dxp, both IPv4 and IPv6 filter policies can be used simultaneously on ingress only; either IPv4 or IPv6 filter policies can be used on egress.

Only one ingress IP filter policy and one egress IP filter policy can be applied to a network IP interface. Both IPv4 and IPv6 ingress and egress filter policies can be used simultaneously with an IP interface for which IPv6 addressing is supported (for example, an IES IP interface in access-uplink mode on the 7210 SAS-D). Network filter policies control the forwarding and dropping of packets based on IP match criteria.

Note:

Non-IP packets are not matched against the IP filter policy, so the default action in the filter policy does not apply to these packets.

Service-based filtering

IP and MAC filter policies specify either a forward or a drop action for packets based on information specified in the match criteria.

Filter entry matching criteria can be as general or specific as you require, but all conditions in the entry must be met in order for the packet to be considered a match and the specified entry action performed. The process stops when the first complete match is found and executes the action defined in the entry, either to drop or forward packets that match the criteria.

Filter policy entities

A filter policy compares the match criteria specified within a filter entry to packets coming through the system, in the order the entries are numbered in the policy. When a packet matches all the parameters specified in the entry, the system takes the specified action to either drop or forward the packet. If a packet does not match the entry parameters, the packet continues through the filter process and is compared to the next filter entry, and so on. If the packet does not match any of the entries, then the system executes the default action specified in the filter policy. Each filter policy is assigned a unique filter ID. Each filter policy is defined with the following:

  • scope

  • default action

  • description

Each filter entry contains the following:

  • match criteria

  • an action

Applying filter policies

Filter policies can be applied to specific service types:

  • Epipe

    Both MAC and IP filters are supported on an Epipe SAP.

  • IES

    Only IP filters are supported on an IES SAP.

  • VPLS

    Both MAC and IP filters are supported on a VPLS SAP.

  • VPRN

    Only IP filters are supported on VPRN SAP.

The following tables describe the support of filter policies on 7210 SAS platforms.

Table 1. Applying filter policies for 7210 SAS-D, 7210 SAS-Dxp, and 7210 SAS-K 2F1C2T

| Service | IPv4 filter | IPv6 filter | MAC filter |
|---|---|---|---|
| Epipe | Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) | Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) | Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
| VPLS | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
| RVPLS (VPLS SAPs) | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) | Not supported | Not supported |
| RVPLS (RVPLS IES IP Interface) | Ingress Override filters (ingress) | Not supported | Not supported |
| IES | IES access SAP (ingress and egress), IES access-uplink SAP (ingress and egress) | IES access-uplink SAP (ingress and egress) | Not supported |

Table 2. Applying filter policies for 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

| Service | IPv4 filter | IPv6 filter | MAC filter |
|---|---|---|---|
| Epipe | Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) | Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) | Epipe access SAP (ingress and egress), Epipe access-uplink SAP (ingress and egress) |
| VPLS | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) |
| RVPLS (VPLS SAPs) | VPLS access SAP (ingress and egress), VPLS access-uplink SAP (ingress and egress) | Not supported | Not supported |
| RVPLS (RVPLS IES IP Interface) | Ingress Override filters (ingress) | Not supported | Not supported |
| IES | IES access SAP (ingress and egress), IES access-uplink SAP (ingress and egress) | Not supported | Not supported |
| VPRN | VPRN interface SAP (ingress and egress) | Not supported | Not supported |
| Network port IP interface | Network port IP interface (ingress and egress) | Not supported | Not supported |

ACL on range SAPs

The ACLs on VLAN range SAPs are supported only on ingress (for Epipe and VPLS services). The following table lists ACL support on Epipe and VPLS services.

Table 3. Applying ACLs support on Epipe and VPLS services on 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C variants when using range SAPs

| Types of filters | Epipe | VPLS |
|---|---|---|
| Ingress IP or IPv6 | Yes | Yes |
| Ingress MAC | Yes | Yes |
| Egress IP | Yes | Yes |
| Egress MAC | Yes | Yes |

Filter policies are applied to the following service entities:

  • SAP ingress

    IP and MAC filter policies applied on the SAP ingress define the Service Level Agreement (SLA) enforcement of service packets as they ingress a SAP according to the filter policy match criteria. SAP ingress policies can be applied on SAP created on access ports or access uplink ports.

  • SAP egress

    Filter policies applied on SAP egress define the Service Level Agreement (SLA) enforcement for service packets as they egress on the SAP according to the filter policy match criteria. SAP egress policies can be applied on both access ports and access uplink ports.

  • IES IP interfaces

    IP filter policies are applied to IES SAPs.

  • network ingress

    IP filter policies are applied to network ingress IP interfaces. This is supported only on 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.

  • network egress

    IP filter policies are applied to network egress IP interfaces. This is supported only on 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.

The following table lists the packet fields available for match in the QoS classification policy and ACL policy for different SAPs.

Table 4. Packet fields for match in QoS classification policy and ACL policy

| Ingress SAP type | Packet contents (only Ethernet–II frames) | MAC address match | Inner VLAN ID and Dot1p match¹ | Outer VLAN ID and Dot1p match¹ | Etype match | IPv4/IPv6 criteria match |
|---|---|---|---|---|---|---|
| NULL SAP | Null tag | Yes | No | No | Yes | Yes |
| | Priority tag (both VID and Dot1p) | Yes | No | Yes | Yes | Yes |
| | Single tag | Yes | No | Yes | Yes | Yes |
| | Two tags | Yes | Yes | Yes | Yes | Yes |
| | Three or more tags | Yes | Yes | Yes | No | No |
| Dot1q SAP (includes Dot1q explicit null SAP and Dot1q Default SAP) | Null tag | Yes | No | No | Yes | Yes |
| | Priority tag (both VID and Dot1p) | Yes | No | Yes | Yes | Yes |
| | Single tag | Yes | No | Yes | Yes | Yes |
| | Two tags | Yes | Yes | Yes | Yes | Yes |
| | Three or more tags | Yes | Yes | Yes | No | No |
| Dot1q SAP (includes Dot1q SAP, Dot1q range SAP) | Null tag | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Priority tag (both VID and Dot1p) | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Single tag | Yes | No | Yes | Yes | Yes |
| | Two tags | Yes | Yes | Yes | Yes | Yes |
| | Three or more tags | Yes | Yes | Yes | No | No |
| QinQ SAP - 0.* SAP (matches only null and priority tag packets) | Null tag | Yes | No | No | Yes | Yes |
| | Priority tag (both VID and Dot1p) | Yes | No | Yes | Yes | Yes |
| | Single tag | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Two tags | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Three or more tags | Invalid | Invalid | Invalid | Invalid | Invalid |
| QinQ SAP (*.* Default QinQ SAP) | Null tag | Yes | No | No | Yes | Yes |
| | Priority tag (both VID and Dot1p) | Yes | No | Yes | Yes | Yes |
| | Single tag | Yes | No | Yes | Yes | Yes |
| | Two tags | Yes | Yes | Yes | Yes | Yes |
| | Three or more tags | Yes | Yes | Yes | No | No |
| QinQ SAP (includes Q1.* SAP) | Null tag | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Priority tag (both VID and Dot1p) | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Single tag | Yes | No | Yes | Yes | Yes |
| | Two tags | Yes | Yes | Yes | Yes | Yes |
| | Three or more tags | Yes | Yes | Yes | No | No |
| QinQ SAP (includes Q1.0 SAP) | Null tag | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Priority tag (both VID and Dot1p) | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Single tag | Yes | No | Yes | Yes | Yes |
| | Two tags (inner tag is a priority tag) | Yes | Yes | Yes | Yes | Yes |
| | Two tags (inner tag is not a priority tag) | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Three or more tags | Yes | Yes | Yes | No | No |
| QinQ SAP (includes Q1.Q2 SAP) | Null tag | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Priority tag (both VID and Dot1p) | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Single tag | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Two tags (inner tag is a priority tag) | Invalid | Invalid | Invalid | Invalid | Invalid |
| | Two tags (inner tag is not a priority tag) | Yes | Yes | Yes | Yes | Yes |
| | Three or more tags | Yes | Yes | Yes | No | No |

Creating and applying filter policies

The following figure shows the steps for creating and applying filter policies.

Figure 1. Creating and applying filter policies

Packet matching criteria

As few or as many match parameters can be specified as required, but all conditions must be met in order for the packet to be considered a match and the specified action performed. The process stops when the first complete match is found and then executes the action defined in the entry, either to drop or forward packets that match the criteria.

IP filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward IP traffic include:

  • Source IP address and mask

    Source IP address and mask values can be entered as search criteria. The IPv4 addressing scheme consists of 32 bits expressed in dotted-decimal notation (X.X.X.X).

    Address ranges are configured by specifying mask values, the 32-bit combination used to describe which portion of the address refers to the subnet and which portion refers to the host. The mask length is expressed as an integer (range 1 to 32).

    The IPv6 addressing scheme consists of 128 bits expressed in compressed representation of IPv6 addresses (RFC 1924, A Compact Representation of IPv6 Addresses).

  • 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C, 7210 SAS-D, and 7210 SAS-Dxp support the use of either IPv6 64-bit address match or IPv6 128-bit address match. Use of an IPv6 64-bit address in the match criteria provides better scale but fewer IPv6 header fields for match criteria. Use of an IPv6 128-bit address in the match criteria provides less scale but more IPv6 header fields for match criteria.

  • Destination IP address and mask

    Destination IP address and mask values can be entered as search criteria. A choice similar to that available for source IPv6 addresses is also available for destination IPv6 addresses.

  • Protocol

    Entering a protocol ID (such as TCP, UDP, and so on) allows the filter to search for the protocol specified in this field.

  • Protocol

    For IPv6: entering a next header allows the filter to match the first next header following the IPv6 header.

  • Source port

    Entering the source port number allows the filter to search for matching TCP or UDP port values.

  • Destination port

    Entering the destination port number allows the filter to search for matching TCP or UDP port values.

  • DSCP marking

    Entering a DSCP marking enables the filter to search for the DSCP marking specified in this field. See DSCP name to DSCP value table.

  • ICMP code

    Entering an ICMP code allows the filter to search for matching ICMP codes in the ICMP header.

  • ICMP type

    Entering an ICMP type allows the filter to search for matching ICMP types in the ICMP header.

  • Extension header present

    Enabling this match criterion allows matching of IPv6 packets that have any of the well-known extension headers in the IPv6 header. This match criterion is not supported for IPv6 filters on 7210 SAS-Dxp.

  • IPv4 filters created in the mode to use IPv6 resources cannot be applied at the egress SAP. Similarly, IPv4 filters created in the mode to use IPv6 resources will fail to match fragment options.

  • Fragmentation

    Enabling fragmentation allows matches to occur if packets have either the more fragments (MF) bit set or have the Fragment Offset field of the IP header set to a non-zero value.

  • Option present

    Enabling the option presence allows the filter to search for presence or absence of IP options in the packet. Padding and EOOL are also considered as IP options.

  • TCP-ACK/SYN flags

    Entering a TCP-SYN/TCP-ACK flag allows the filter to search for the TCP flags specified in these fields.

MAC filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward MAC traffic include:

  • Source MAC address and mask

    Entering the source MAC address range allows the filter to search for matching a source MAC address and/or range. Enter the source MAC address and mask in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; for example, 00:dc:98:1d:00:00.

  • Destination MAC address and mask

    Entering the destination MAC address range allows the filter to search for matching a destination MAC address and/or range. Enter the destination MAC address and mask in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; for example, 02:dc:98:1d:00:01.

  • Dot1p and mask

    Entering an IEEE 802.1p value or range allows the filter to search for matching 802.1p frames. The Dot1p and mask accept decimal, hex, or binary in the range of 0 to 7. This is not supported on 7210 SAS-K devices.

  • Ethertype

    Enter an Ethernet type II Ethertype value to be used as a filter match criterion. The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. The Ethertype accepts decimal, hex, or binary in the range of 1536 to 65535.

  • Outer Dot1p (Only on 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C)

    Entering the Outer Dot1p value or range (using the mask) allows the filter to search for frames whose outermost Dot1p (that is, the Dot1p in the outermost VLAN tag of the packet) matches the Dot1p value configured. The Dot1p value and mask accepts decimal values in the range 0 to 7.

  • Inner Dot1p (Only on 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C)

    Entering the Inner Dot1p value or range (using the mask) allows the filter to search for frames whose inner Dot1p (that is, the Dot1p in the VLAN tag immediately following the outermost VLAN tag of the packet) matches the Dot1p value configured. The Dot1p value and mask accept decimal values in the range 0 to 7.

DSCP values

The following table describes DSCP names and associated DSCP values.

Table 5. DSCP name to DSCP value table

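| DSCP name | Decimal DSCP value | Hexadecimal DSCP value | Binary DSCP value |
|---|---|---|---|
| default | 0 | * | |
| cp1 | 1 | | |
| cp2 | 2 | | |
| cp3 | 3 | | |
| cp4 | 4 | | |
| cp5 | 5 | | |
| cp6 | 6 | | |
| cp7 | 7 | * | |
| cs1 | 8 | | |
| cp9 | 9 | | |
| af11 | 11 | * | |
| af12 | 12 | * | |
| cp13 | 13 | | |
| cp15 | 15 | | |
| cs2 | 16 | * | |
| cp17 | 17 | | |
| af21 | 18 | * | |
| cp19 | 19 | | |
| af22 | 20 | * | |
| cp21 | 21 | | |
| af23 | 22 | * | |
| cp23 | 23 | | |
| cs3 | 24 | * | |
| cp25 | 25 | | |
| af31 | 26 | * | |
| cp27 | 27 | | |
| af32 | 28 | * | |
| cp29 | 29 | | |
| af33 | 30 | * | |
| cp21 | 31 | | |
| cs4 | 32 | * | |
| cp33 | 33 | | |
| af41 | 34 | * | |
| cp35 | 35 | | |
| af42 | 36 | * | |
| cp37 | 37 | | |
| af43 | 38 | * | |
| cp39 | 39 | | |
| cs5 | 40 | * | |
| cp41 | 41 | | |
| cp42 | 42 | | |
| cp43 | 43 | | |
| cp44 | 44 | | |
| cp45 | 45 | | |
| ef | 46 | * | |
| cp47 | 47 | | |
| nc1 | 48 | * | (cs6) |
| cp49 | 49 | | |
| cp50 | 50 | | |
| cp51 | 51 | | |
| cp52 | 52 | | |
| cp53 | 53 | | |
| cp54 | 54 | | |
| cp55 | 55 | | |
| cp56 | 56 | | |
| cp57 | 57 | | |
| nc2 | 58 | * | (cs7) |
| cp60 | 60 | | |
| cp61 | 61 | | |
| cp62 | 62 | | |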

Ordering filter entries

When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit. Filter matching ceases when a packet matches an entry. The entry action is performed on the packet. 7210 SAS supports either drop or forward action. To be considered a match, the packet must meet all the conditions defined in the entry.

Packets are compared to entries in a filter policy in an ascending entry ID order. To reorder entries in a filter policy, edit the entry ID value; for example, to reposition entry ID 6 to a more explicit location, change the entry ID "6" value to entry ID "2".

When a filter consists of a single entry, the filter executes actions as follows:

  • If a packet matches all the entry criteria, the entry’s specified action is performed (drop or forward).

  • If a packet does not match all of the entry criteria, the policy’s default action is performed.

If a filter policy contains two or more entries, packets are compared in ascending entry ID order (1, 2, 3 or 10, 20, 30, and so on):

  • Packets are compared with the criteria in the first entry ID.

  • If a packet matches all the properties defined in the entry, the entry’s specified action is executed.

  • If a packet does not completely match, the packet continues to the next entry, and then subsequent entries.

  • If a packet does not completely match any subsequent entries, then the default action is performed.

The following figure shows an example of several packets forwarded upon matching the filter criteria and several packets traversing through the filter entries and then dropped.

Figure 2. Filtering process example
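
The first-match processing described in this section, modeled in Python as an added example (it is not Nokia code and not 7210 SAS CLI). The Entry and FilterPolicy classes, their field names, the "unfiltered" result for non-IP frames, and the sample policy are assumptions constructed for illustration. The shadowed() check goes beyond the page: it flags an active entry that can never be reached because a single earlier active entry matches everything it matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _prefix_covers(wide: Optional[str], narrow: Optional[str]) -> bool:
    """True if every address matched by `narrow` is also matched by `wide`."""
    if wide is None:       # criterion not set: matches any address
        return True
    if narrow is None:     # the other entry is broader on this field
        return False
    w, n = ip_network(wide), ip_network(narrow)
    return w.version == n.version and n.subnet_of(w)


@dataclass
class Entry:
    entry_id: int
    action: Optional[str] = None     # "forward" or "drop"; None = incomplete entry
    src: Optional[str] = None        # source prefix, for example "10.0.0.0/8"
    dst: Optional[str] = None        # destination prefix
    protocol: Optional[str] = None   # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None

    def active(self) -> bool:
        # An entry without an action is incomplete and inactive.
        return self.action in ("forward", "drop")

    def matches(self, pkt: dict) -> bool:
        # Every configured criterion must match; no criteria means match-all.
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True

    def covers(self, other: "Entry") -> bool:
        """True if every packet matching `other` also matches this entry."""
        return (_prefix_covers(self.src, other.src)
                and _prefix_covers(self.dst, other.dst)
                and self.protocol in (None, other.protocol)
                and self.dst_port in (None, other.dst_port))


@dataclass
class FilterPolicy:
    filter_id: int
    default_action: str              # "forward" or "drop"
    entries: List[Entry]

    def ordered(self) -> List[Entry]:
        # Active entries only, compared in ascending entry ID order.
        return sorted((e for e in self.entries if e.active()),
                      key=lambda e: e.entry_id)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, entry_id); entry_id is None for the default action."""
        if not pkt.get("is_ip", True):
            # Assumption modeling the note above: non-IP packets never reach
            # an IP filter, so not even the default action applies to them.
            return "unfiltered", None
        for entry in self.ordered():
            if entry.matches(pkt):           # first complete match wins
                return entry.action, entry.entry_id
        return self.default_action, None

    def shadowed(self) -> List[Tuple[int, int]]:
        """Return (unreachable_entry_id, covering_entry_id) pairs.

        Only coverage by one earlier entry is detected, not by a union."""
        found = []
        active = self.ordered()
        for i, later in enumerate(active):
            for earlier in active[:i]:
                if earlier.covers(later):
                    found.append((later.entry_id, earlier.entry_id))
                    break
        return found


# Constructed sample policy: entry 40 is more explicit than entry 30 but is
# numbered after it, and entry 50 has no action.
POLICY = FilterPolicy(filter_id=1, default_action="drop", entries=[
    Entry(10, "forward", src="10.1.0.0/16", protocol="tcp", dst_port=22),
    Entry(20, "drop", protocol="tcp", dst_port=22),
    Entry(30, "forward", src="10.0.0.0/8"),
    Entry(40, "drop", src="10.1.2.0/24"),
    Entry(50, None, src="192.0.2.0/24"),
])

if __name__ == "__main__":
    print(POLICY.shadowed())
```

Renumbering entry 40 to an ID below 30 (for example 25) removes the shadowing, which is the reordering method this section describes.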

Applying filters

This section provides information about applying filters.

Applying a filter to a SAP

During the SAP creation process, ingress and egress filters are selected from a list of qualifying IP and MAC filters. When ingress filters are applied to a SAP, packets received at the SAP are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops and an entry action is performed. If permitted, the traffic is forwarded according to the specification of the action. If the packets do not match, the default filter action is applied. If permitted, the traffic is forwarded.

When egress filters are applied to a SAP, packets received at the egress SAP are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops. If permitted, the traffic is transmitted. If denied, the traffic is dropped. If the packets do not match, the default filter action is applied.

Filters can be added to or changed on an existing SAP configuration by modifying the SAP parameters. Filter policies are not operational until they are applied to a SAP and the service is enabled.

Applying a filter to an IES interface

An IP filter can be applied to an IES SAP. Packets received on the interface are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops. If permitted, the traffic is forwarded. If the packets do not match, they are discarded or forwarded based on the default action specified in the policy.

Applying a filter to a network IP interface

An IP filter can be applied to a network port IP interface. Packets received on the interface are checked against the matching criteria in the filter entries. If the packet completely matches all criteria in an entry, the checking stops. If permitted, the traffic is forwarded. If the packets do not match, they are discarded or forwarded based on the default action specified in the policy.

Configuration notes

Note:

See the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Services Guide for service specific ACL support and restrictions.

The following information describes filter implementation caveats:

  • Creating a filter policy is optional.

  • Associating a service with a filter policy is optional.

  • When a filter policy is configured, it should be defined as having either an exclusive scope for one-time use, or a template scope meaning that the filter can be applied to multiple SAPs.

  • A specific filter must be explicitly associated with a specific service in order for packets to be matched.

  • A filter policy can consist of zero or more filter entries. Each entry represents a collection of filter match criteria. When packets enter the ingress or egress ports, packets are compared to the criteria specified within the entry or entries.

  • When a large (complex) filter is configured, it may take a few seconds for the filter policy configuration to load and be instantiated.

  • On the 7210 SAS-D, 7210 SAS-Dxp, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C, IP filters applied on an IES SAP cannot match against IP packets containing IP options.

  • The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and be inactive.

  • On the 7210 SAS-D and 7210 SAS-Dxp, ingress filter CAM resources used to match packet fields are shared with other features such as SAP ingress QoS, CFM UP MEP, and G8032. By default, the software assigns a fixed amount of resources for use by ingress ACLs. The user has the option to either increase this by taking away resources from other features or decrease it by taking away resources from ingress ACLs. The number of ACLs that can be supported is directly dependent on the amount of resources allocated toward ingress ACLs.

  • On the 7210 SAS-D and 7210 SAS-Dxp, when a filter policy is created with the option ipv6-64bit-address, the entries can use only the IPv6 src-ip and IPv6 dst-ip fields in the match criteria.

  • On the 7210 SAS-D and 7210 SAS-Dxp when a filter policy is created with the option ipv6-128bit-address, the entries can use the IPv6 src-ip, IPv6 dst-ip, IPv6 DSCP, TCP/UDP port numbers (source and destination port), ICMP code and type, and TCP flags fields in the match criteria.

  • On the 7210 SAS-D and 7210 SAS-Dxp, the resources must be allocated for use by ingress IPv6 filters before associating an IPv6 filter policy to a SAP. By default, the software does not enable the use of IPv6 resources. Until resources are allocated for use by IPv6 filters, the software fails all attempts to associate an IPv6 filter policy with a SAP.

  • On the 7210 SAS-D and 7210 SAS-Dxp, the available ingress CAM hardware resources can be allocated as per user needs for use with different filter criteria using the commands under the configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress context. By default, the system allocates resources to maintain backward compatibility with Release 4.0. Users can modify the resource allocation based on their need to scale the number of entries or number of associations (that is, number of SAP/IP interfaces using a filter policy that defines a particular match criterion).

  • On the 7210 SAS-D and 7210 SAS-Dxp, the available egress CAM hardware resources can be allocated as per user needs for use with different filter criteria using the commands under the configure>system>resource-profile>egress-internal-tcam>acl-sap-egress context. By default, the system allocates resources to maintain backward compatibility with Release 4.0. Users can modify the resource allocation based on their needs to scale the number of entries or the number of associations (that is, number of SAP/IP interfaces using a filter policy that defines a particular match criterion).

  • On the 7210 SAS-D and 7210 SAS-Dxp, IPv6 ACLs and MAC QoS policies cannot coexist on the SAP.

  • On the 7210 SAS-D and 7210 SAS-Dxp, if no CAM resources are allocated to a particular match criterion defined in a filter policy, then the association of that filter policy to a SAP will fail. This is true for both ingress and egress filter policies.

  • Only the 7210 SAS-K allows for use of outer VLAN ID and inner VLAN ID for match in MAC criteria with both ingress and egress ACLs. Other 7210 SAS platforms do not support use of outer and inner VLAN ID field for match in the MAC criteria.

MAC filters

The following are configuration notes for MAC filters:

  • If a MAC filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria.

  • MAC filters cannot be applied to network interfaces, routable VPLS or IES services.

  • Some of the MAC match criteria fields are exclusive to each other, based on the type of Ethernet frame. Use the following table to determine the exclusivity of fields. In the 7210 SAS, the default frame-format is "Ethernet-II".

Table 6. MAC match criteria exclusivity rules

| Frame format | Etype |
|---|---|
| Ethernet – II | Yes |
| 802.3 | No |
| 802.3 – snap | No |
| 802.3-llc | No |

IP filters

The following are configuration notes for IP filters:

  • Define filter entry packet matching criteria

    If a filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria.

  • Action

    An action parameter must be specified for the entry to be active. Any filter entry without an action parameter specified will be considered incomplete and be inactive.

IPv6 filters

The following are configuration notes for IPv6 filters:

  • Define filter entry packet matching criteria

    If a filter policy is created with an entry and entry action specified, but the packet matching criteria is not defined, then all packets processed through this filter policy entry pass and take the action specified. There are no default parameters defined for matching criteria.

  • Action

    An action parameter must be specified for the entry to be active. Any filter entry without an action parameter specified is considered incomplete and inactive.

Resource usage for ingress filter policies for 7210 SAS-D and 7210 SAS-Dxp

When the user allocates resources from the ingress CAM resource pool for use by filter policies using the configure>system>resource-profile CLI commands, the system allocates resources in chunks of fixed-size entries (for example, 256 entries per chunk on 7210 SAS-D).

Note:

For both the ingress-internal-tcam resource pool and the egress-internal-tcam resource pool, the number of entries in each chunk or slice differs between platforms.

The usage of these entries by different types of match criteria follows. In the following examples, it is assumed that a chunk/slice has 256 entries, as on the 7210 SAS-D. The examples and the computation need to be modified suitably for other platforms with a different number of entries per chunk/slice.

  • mac-criteria

    The user needs to allocate resources for mac-criteria from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>mac-match-enable before using ingress ACLs with mac-criteria. Every entry configured in the filter policy using the mac-criteria uses one (1) entry from the chunks allocated for use by mac-criteria in the hardware.

    For example: Assume a filter policy is configured with 50 entries and, using configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>mac-match-enable 1, the user configures one chunk for use by mac-criteria (allowing a total of 256 entries, with one reserved for internal use, for use by SAPs using filter policies that use mac-criteria). In this case, the user can have 5 SAPs using the mac-criteria filter policy, consuming 250 entries.

  • ipv4-criteria

    The user needs to allocate resources for ip(v4)-criteria from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-match-enable before using ingress ACLs with ipv4-criteria. The resource usage per IPv4 match entry is the same as for mac-criteria; see the preceding example. When the filter is created with use-ipv6-resource, the resource usage is the same as for IPv6 filters using ipv6-128-bit-addresses.

  • ipv6-criteria using ipv6-64-bit addresses

    The user needs to allocate resources for ipv6-criteria with 64-bit address match from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv6-64only-match-enable before using ingress ACLs with ipv6-criteria that use only IPv6 64-bit addresses for source and destination IPv6 addresses.

    The IPv6 header fields available for match are limited. See the following CLI description for filters for more information. The usage is the same as for ipv4-criteria and mac-criteria. An IPv6 128-bit address uses 2 entries from the chunk for every match entry configured in the filter policy, whereas an IP filter uses only one entry from the chunk for every entry configured.

  • ipv6-criteria using ipv6-128-bit addresses

    User needs to allocate resources for ipv6-criteria with 128-bit address match from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-ipv6-128-match-enable before using ingress ACLs with ipv6-criteria that use only IPv6 128-bit address for source and destination IPv6 addresses. These resources can be shared by a policy that uses only IPv4 criteria entries. Every entry configured in the filter policy using the ipv6-criteria with 128-bit addresses uses two (2) entries from the chunks allocated for use by ipv6-criteria (128-bit) in the hardware.

    For example: Assume a filter policy is configured with 50 entries and using configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-ipv6-128-match-enable 1, the user configures one chunk for use by ipv6-criteria with 128-bit addresses (allowing for a total of 128 entries for use by SAPs using filter policies that use this criteria). In this case, user can have five (5) SAPs using this filter policy and consumes 125 entries. When a chunk is allocated to IPv6 criteria, the software automatically adjusts the number of available entries in that chunk to 128, instead of 256, because 2 entries are needed to match IPv6 fields.

Use the tools>dump>system-resources command to view the current usage and availability. For example, although chunks are allocated in units of 256 entries, only 128 entries are shown for filters using IPv6 128-bit addresses. One or more entries are reserved for system use and are not available to the user.

Resource usage for egress filter policies (supported only for 7210 SAS-D and 7210 SAS-Dxp)

When the user allocates resources for use by filter policies using the configure system resource-profile egress-internal-tcam CLI commands, the system allocates resources in chunks of 128 entries from the egress internal TCAM pool in hardware. The usage of these entries by different types of match criteria is as follows:

  • mac-criteria

    The user needs to allocate resources for mac-criteria using the configure system resource-profile egress-internal-tcam acl-sap-egress mac-match-enable 2 command, the configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv4-match-enable 2 command, or the configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv6-64bit-match-enable 2 command. In the last two cases, the resources can be shared with SAPs that use IPv4 or IPv6 64-bit filter policies. The first case allocates resources for exclusive use by MAC filter policies. The resource usage varies based on how resources have been allocated:

    • If resources are allocated for use by mac-criteria only (using mac-match-enable), then every entry configured in the filter policy uses one (1) entry from the chunks allocated for use by mac-criteria in the hardware.

      For example: Assume a filter policy is configured with 25 mac-criteria entries. Using the configure system resource-profile egress-internal-tcam acl-sap-egress mac-match-enable 2 command, the user configures two chunks for use by mac-criteria, allowing a total of 256 entries for use by SAPs using filter policies that use mac-criteria. Therefore, the user can have about 10 SAPs using the mac-criteria filter policy, consuming 250 entries. With this allocation, SAPs using ipv4 criteria or ipv6 criteria cannot share the resources with SAPs using mac-criteria.

    • If the resources are allocated for sharing between mac-criteria and ipv4-criteria, every entry configured in the filter policy uses 2 (two) entries from the chunks allocated in hardware.

      For example: Assume a filter policy is configured with 25 mac-criteria entries and another filter policy is configured with 25 IPv4 criteria entries. With mac-ipv4-match-enable set to 2, that is, with two chunks configured for sharing between MAC and IPv4, a total of 128 entries is available for use by SAPs that use filter policies using ipv4-criteria or mac-criteria. Therefore, the user can have about 4 SAPs using filter policies, such that 2 SAPs use mac-criteria and the other 2 SAPs use ipv4-criteria, or any combination thereof.

    • If the resources are allocated for sharing between mac-criteria and ipv6-64bit-criteria, then every entry configured in the filter policy uses 2 (two) entries from the chunks allocated in hardware.

      For example: Assume a filter policy is configured with 50 mac-criteria entries and another filter policy is configured with 50 IPv6 64-bit criteria entries. With mac-ipv6-64bit-match-enable set to 2, that is, with two chunks configured for sharing between MAC and IPv6-64bit, a total of 128 entries is available for use by SAPs that use filter policies using ipv6-64bit-criteria or mac-criteria. Therefore, the user can have about 2 SAPs using filter policies, such that one SAP uses mac-criteria and the other SAP uses ipv6-64bit-criteria, or any combination thereof.

  • ipv4-criteria

    The user needs to allocate resources using the configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv4-match-enable command. The resource usage is explained in the preceding mac-criteria item.

  • ipv6-criteria using ipv6-64-bit addresses

    The user needs to allocate resources using the configure system resource-profile egress-internal-tcam acl-sap-egress mac-ipv6-64bit-match-enable command. The resource usage is explained in the preceding mac-criteria item.

  • ipv6-criteria using ipv6-128-bit addresses

    The user needs to allocate resources using the configure system resource-profile egress-internal-tcam acl-sap-egress ipv6-128bit-match-enable command. This command allocates resources for exclusive use by IPv6-128bit criteria filter policies; the resources cannot be shared by SAPs using any other criteria. If resources are allocated for use by ipv6-128bit-criteria only, then every entry configured in the filter policy uses two (2) entries from the chunks allocated for use in hardware.

    For example: Assume a filter policy is configured with 50 ipv6-128bit-criteria entries and the user uses the configure system resource-profile egress-internal-tcam acl-sap-egress ipv6-128bit-match-enable 2 command to configure two chunks for use by ipv6-128bit-criteria. This allows for a total of 128 entries for use by SAPs using filter policies that use ipv6-128bit-criteria. Therefore, the user can have about 2 SAPs using the ipv6-128bit-criteria filter policy, consuming 100 entries.

The user can use tools dump system-resources command to know the current usage and availability.
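The egress accounting rules above, worked as a planning check that reports which SAP associations fit in the chunks allocated. This is an added example, not Nokia code; the SAP names are constructed, the caller names the allocation command each association draws from, and any entries reserved for system use are ignored (assumptions).

```python
CHUNK_ENTRIES = 128  # egress chunk size given in this section

# Allocation command -> (hardware entries per filter entry, criteria it serves),
# as described in the egress section above.
EGRESS_POOLS = {
    "mac-match-enable": (1, {"mac"}),
    "mac-ipv4-match-enable": (2, {"mac", "ipv4"}),
    "mac-ipv6-64bit-match-enable": (2, {"mac", "ipv6-64bit"}),
    "ipv6-128bit-match-enable": (2, {"ipv6-128bit"}),
}


def check_plan(chunks, associations):
    """Walk SAP associations in order and report which ones fit.

    chunks:       {allocation command: number of chunks}
    associations: [(sap, allocation command, criteria, entries in the policy)]
    Returns (accepted SAPs, [(sap, reason)] rejected, {command: free hw entries}).
    """
    free = {pool: chunks.get(pool, 0) * CHUNK_ENTRIES for pool in EGRESS_POOLS}
    accepted, rejected = [], []
    for sap, pool, criteria, entries in associations:
        if pool not in EGRESS_POOLS:
            raise ValueError(f"unknown allocation command: {pool}")
        cost, served = EGRESS_POOLS[pool]
        needed = entries * cost
        if criteria not in served:
            # Exclusive pools cannot be shared with other criteria.
            rejected.append((sap, f"{pool} does not serve {criteria}"))
        elif chunks.get(pool, 0) == 0:
            # No CAM resources allocated: the association fails.
            rejected.append((sap, f"no chunks allocated to {pool}"))
        elif needed > free[pool]:
            rejected.append((sap, f"needs {needed} entries, {free[pool]} free"))
        else:
            free[pool] -= needed
            accepted.append(sap)
    return accepted, rejected, free


if __name__ == "__main__":
    # Constructed plan: the mac-match-enable 2 example above, with an
    # eleventh SAP added to show where the pool runs out.
    saps = [(f"1/1/1:{n}", "mac-match-enable", "mac", 25) for n in range(1, 12)]
    ok, bad, free = check_plan({"mac-match-enable": 2}, saps)
    print(len(ok), "accepted;", bad, "; free:", free["mac-match-enable"])
```

A rejected association means the SAP is left without that filter, so the plan is worth checking before policies are rolled out.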

Ingress filter policy resource usage: 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

When the user allocates resources from the ingress CAM resource pool for use by filter policies using the configure system resource-profile ingress-internal-tcam acl-sap-ingress command, the system allocates resources in chunks of fixed-size entries (512 entries per chunk on 7210 SAS-K). Resources must be allocated using these commands before associating a filter policy with the SAP, otherwise the command returns an error. The usage of these entries by different types of match criteria is as follows:

  • mac-criteria, ipv4-criteria and ipv6-criteria with 64-bit-address

    User needs to allocate resources, in terms of number of slices, for filter policies that use mac criteria, ipv4 criteria and ipv6 64-bit criteria from the ingress internal tcam resource pool using the configure system resource-profile ingress-internal-tcam acl-sap-ingress command. The entries allocated are shared by filter policies that use any of these criteria. Each filter entry configured in the policy takes away a single resource from the pool allocated for filter policies.

  • ipv6-criteria with 128-bit address

    The user needs to allocate resources, in terms of number of slices, for filter policies that use ipv6 128-bit criteria from the ingress internal TCAM resource pool using the configure system resource-profile ingress-internal-tcam acl-sap-ingress mac-ipv4-ipv6-128-match-enable command. The user can allocate all the slices allocated for the filter policies (using the configure system resource-profile ingress-internal-tcam acl-sap-ingress command) for use by ipv6 criteria with 128-bit addresses, or allocate only a portion of them. The entries allocated are used by filter policies that use ipv6 criteria with 128-bit addresses. Each filter entry configured in the policy takes two (2) resources from the pool. Software also uses these resources for mac criteria, ipv4 criteria, and ipv6 criteria with 64-bit address. Irrespective of the criteria, two (2) resources are taken for each entry configured in the filter policy.

Use the tools dump system-resources command to know the current usage and availability.

Configuring filter policies with CLI

This section provides information to configure filter policies using the CLI.

Basic configuration

The most basic IP and MAC filter policies must have the following:

  • a filter ID

  • template scope, either exclusive or template

  • default action, either drop or forward

  • at least one filter entry

    • specified action, either drop or forward

    • specified matching criteria

  • allocation of the required amount of resources for ingress and egress filter policies

Configuration output for ingress policy

The following is a sample configuration output of allocation of ingress internal CAM resources for ingress policy for 7210 SAS-D.

*A:SASD>config>system>res-prof>ing-internal-tcam# info detail 
----------------------------------------------
                acl-sap-ingress 2
                    ipv4-match-enable max
                    no ipv6-64-only-match-enable
                    no ipv4-ipv6-128-match-enable
                    mac-match-enable 2
                exit
                no eth-cfm
----------------------------------------------
*A:SASD>config>system>res-prof>ing-internal-tcam# acl-sap-ingress 

Configuration output for egress policy

The following is a sample configuration output of allocation of egress internal CAM resources for egress policy for 7210 SAS-D.

A:SASD>config>system>res-prof>egr-internal-tcam# info detail 
----------------------------------------------
                acl-sap-egress 2
                    mac-ipv4-match-enable 2
                    ipv6-128bit-match-enable 0
                    mac-ipv6-64bit-match-enable 0
                    mac-match-enable 0
                exit
----------------------------------------------
*A:SASD>config>system>res-prof>egr-internal-tcam# acl-sap-egress 

Configuration output of an IP filter policy

The following is a sample configuration output of an IP filter policy. The configuration blocks all incoming TCP sessions except Telnet and allows all outgoing TCP sessions from IP net 10.67.132.0/24. CAM resources must be allocated to IPv4 criteria before associating the filter with a SAP.

A:ALA-1>config>filter# info
----------------------------------------------
        ip-filter 3 create
            entry 10 create
                match protocol 6
                    dst-port eq 23
                    src-ip 10.67.132.0/24
                exit
                action
                    forward
            exit
            entry 20 create
                match protocol 6
                    tcp-syn true
                    tcp-ack false
                exit
                action
                    drop
            exit
        exit
----------------------------------------------
A:ALA-1>config>filter#

The following figure shows the IP filter applied to an ingress interface.

Figure 3. Applying an IP filter to an ingress interface

Common configuration tasks

This section provides a brief overview of the tasks that must be performed for both IP and MAC filter configurations and provides the CLI commands.

Allocating resources for filter policies (ingress and egress)

The following provides an example of allocation of CAM hardware resources for use with filter policies that use IPv4 and MAC criteria:

Creating an IP filter policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  • the filter type specified (IP)

  • a filter policy ID

  • a default action

  • filter policy scope specified, either exclusive or template

  • at least one filter entry with matching criteria specified

  • CAM hardware resources configured for use by the filter policy match-criteria

IP filter policy

Exclusive filter policy configuration output

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 12 create
            description "IP-filter"
            scope exclusive
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

IP filter entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded, as follows:

  • Enter a filter entry ID. The system does not dynamically assign a value.

  • Assign an action, either drop or forward.

  • Specify matching criteria.

Use the following syntax to create an IP filter entry.

config>filter# ip-filter filter-id [create]
    entry entry-id [time-range time-range-name] [create]
    description description-string

IP filter entry configuration output

A:ALA-7>config>filter>ip-filter# info
----------------------------------------------
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                exit
                no action
            exit
        exit
----------------------------------------------
A:ALA-7>config>filter>ip-filter#

IP entry matching criteria

Use the following syntax to configure IP filter matching criteria:

IP filter matching configuration output

*A:ALA-48>config>filter>ip-filter# info
----------------------------------------------
            description "filter-mail"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action
                    forward 
            exit
----------------------------------------------
*A:ALA-48>config>filter>ip-filter#

Creating an IPv6 filter policy (applicable only for 7210 SAS-D and 7210 SAS-Dxp)

Configuring and applying IPv6 filter policies is optional. Each filter policy must have the following:

  • the IPv6 filter type specified

  • an IPv6 filter policy ID

  • a default action, either drop or forward

  • template scope specified, either exclusive or template

  • at least one filter entry with matching criteria specified

IPv6 filter entry

Within an IPv6 filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded, as follows:

  • Enter an IPv6 filter entry ID. The system does not dynamically assign a value.

  • Assign an action, either drop or forward.

  • Specify matching criteria.

IPv6 filter entry configuration output

*A:7210SAS>config>filter>ipv6-filter# info detail
----------------------------------------------
            default-action drop
            no description
            scope template
            entry 1 create
                no description
                match next-header none
                    no dscp
                    no dst-ip
                    no dst-port
                    src-ip 1::1/128
                    no src-port
                    no tcp-syn
                    no tcp-ack
                    no icmp-type
                    no icmp-code
                exit
                action
                    forward
            exit
*A:7210SAS>config>filter>ipv6-filter#

Creating a MAC filter policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  • the filter type specified (MAC)

  • a filter policy ID

  • a default action, either drop or forward

  • filter policy scope, either exclusive or template

  • at least one filter entry

  • matching criteria specified

MAC filter policy

MAC filter policy configuration output

A:ALA-7>config>filter# info
----------------------------------------------
...
        mac-filter 90 create
            description "filter-west"
            scope exclusive
        exit
----------------------------------------------
A:ALA-7>config>filter#

MAC filter entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded, as follows:

  • Enter a filter entry ID. The system does not dynamically assign a value.

  • Assign an action, either drop or forward.

  • Specify matching criteria.

MAC filter entry configuration output

A:sim1>config>filter# info
----------------------------------------------
        mac-filter 90 create
            entry 1 create
                description "allow-104" 
                match 
                exit 
                action
                    drop
            exit 
        exit 
----------------------------------------------
A:sim1>config>filter# 

MAC entry matching criteria

Filter matching configuration output

A:ALA-7>config>filter>mac-filter# info
----------------------------------------------
            description "filter-west"
            scope exclusive
            entry 1 create
                description "allow-104"
                match
                    src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff
                    dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff
                exit
                action
                    drop
            exit
----------------------------------------------

Apply IP and MAC filter policies

The following is an example of applying an IP and a MAC filter policy to an Epipe service:

config>service# epipe service-id
    sap sap-id
    egress 
        filter {ip ip-filter-id | mac mac-filter-id}
    ingress 
        filter {ip ip-filter-id | mac mac-filter-id}

The following is a sample output for IP and MAC filters assigned to an ingress and egress SAP.

A:ALA-48>config>service>epipe# info
----------------------------------------------
            sap 1/1/1.1.1 create
                ingress
                    filter ip 10
                exit
                egress
                    filter mac 92
                exit
            exit
            no shutdown
----------------------------------------------
A:ALA-48>config>service>epipe#

Apply filter policies to an IES interface

IP filter policies can be applied to an IP interface created in an IES service. These filter policies apply to the routed management traffic.

config>service>ies# interface ip-int-name
    address ip-address
    sap sap-id
    ingress
        filter ip ip-filter-id

The following is a sample output for an IP filter applied to an IES SAP at ingress.

A:ALA-48>config>service>ies# info
----------------------------------------------
            interface "to-104" create
                address 10.1.2.1/24
                sap lag-2:0.* create
                      ingress
                            filter ip 10
                exit
            exit
...
----------------------------------------------
A:ALA-48>config>service>ies#

Filter management tasks

This section discusses the filter policy management tasks.

Renumbering filter policy entries

The system exits the matching process when the first match is found and then executes the actions in accordance with the specified action. Because the ordering of entries is important, the numbering sequence can be rearranged. Entries should be numbered from the most explicit to the least explicit.

Use the following syntax to renumber existing MAC or IP filter entries to re-sequence filter entries.

config>filter
    ip-filter filter-id
    renum old-entry-number new-entry-number
    mac-filter filter-id
    renum old-entry-number new-entry-number

Command usage to renumber filter entries

config>filter>ip-filter# renum 10 15
config>filter>ip-filter# renum 20 10
config>filter>ip-filter# renum 40 1

Reordered filter entries

The following is a sample original filter entry order, followed by the reordered filter entries.

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action forward
            exit
            entry 20 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
            entry 40 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
            entry 10 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action forward
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#
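The effect of first-match evaluation on the ip-filter 11 listings above, as an added example that is not part of the original documentation: it evaluates a packet against both entry orders and lists entries that an earlier entry makes unreachable. It assumes standard prefix matching (the /24 mask is applied to both the configured address and the packet address), that renum refuses an entry ID already in use, and an explicit default action of drop.

```python
from ipaddress import ip_address, ip_network

# ip-filter 11 in its original entry order, transcribed from the listing above.
FILTER_11 = [
    {"id": 10, "src": "10.10.10.103/24", "dst": "10.10.10.91/24", "action": "forward"},
    {"id": 20, "src": "10.10.0.100/24", "dst": "10.10.10.91/24", "action": "drop"},
    {"id": 30, "src": "10.10.0.200/24", "dst": "10.10.10.91/24", "action": "forward"},
    {"id": 40, "src": "10.10.10.106/24", "dst": "10.10.10.91/24", "action": "drop"},
]
# The renum commands from "Command usage to renumber filter entries", in order.
PAGE_RENUMS = [(10, 15), (20, 10), (40, 1)]


def net(prefix):
    # Assumption: host bits are masked off, so 10.10.10.103/24 means 10.10.10.0/24.
    return ip_network(prefix, strict=False)


def evaluate(entries, src, dst, default_action="drop"):
    """Return (entry_id, action) for the first matching entry in ascending ID order.

    default_action applies when nothing matches; "drop" is this example's choice.
    """
    for entry in sorted(entries, key=lambda e: e["id"]):
        if ip_address(src) in net(entry["src"]) and ip_address(dst) in net(entry["dst"]):
            return entry["id"], entry["action"]
    return None, default_action


def renum(entries, old, new):
    """Model of 'renum old new': move one entry to a new ID, leaving the rest alone."""
    ids = {e["id"] for e in entries}
    if old not in ids:
        raise ValueError(f"entry {old} does not exist")
    if new in ids:
        # Modelling choice: refuse to overwrite an entry that is still in place.
        raise ValueError(f"entry {new} is already in use")
    return [dict(e, id=new) if e["id"] == old else dict(e) for e in entries]


def apply_renums(entries, renums):
    """Apply a sequence of (old, new) renumberings in the order given."""
    for old, new in renums:
        entries = renum(entries, old, new)
    return entries


def shadowed(entries):
    """List (entry_id, shadowed_by, actions_differ) for entries that can never match
    because an earlier entry covers the same or a wider source and destination."""
    ordered = sorted(entries, key=lambda e: e["id"])
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (net(later["src"]).subnet_of(net(earlier["src"]))
                    and net(later["dst"]).subnet_of(net(earlier["dst"]))):
                found.append((later["id"], earlier["id"],
                              later["action"] != earlier["action"]))
                break
    return found


if __name__ == "__main__":
    reordered = apply_renums(FILTER_11, PAGE_RENUMS)
    for label, entries in (("original", FILTER_11), ("reordered", reordered)):
        hit = evaluate(entries, "10.10.10.103", "10.10.10.91")
        print(f"{label}: 10.10.10.103 -> 10.10.10.91 hits {hit}; "
              f"shadowed: {shadowed(entries)}")
```

Under these assumptions the overlapping /24 prefixes mean the "no-91" forward entry decides the packet before renumbering and is never reached afterwards, which is the kind of change worth reviewing before re-sequencing a live filter.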

Modifying an IP filter policy

To access a specific IP filter, you must specify the filter ID. Use the no form of this command to remove the command parameters or return the parameter to the default setting.

Command usage to modify an IP filter policy

config>filter>ip-filter# description "New IP filter info"
config>filter>ip-filter# entry 2 create
config>filter>ip-filter>entry$ description "new entry"
config>filter>ip-filter>entry# action drop
config>filter>ip-filter>entry# match dst-ip 10.10.10.104/32
config>filter>ip-filter>entry# exit
config>filter>ip-filter#

Modified IP filter output


A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "New IP filter info"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action
                    drop
            exit
            entry 2 create
                description "new entry"
                match
                    dst-ip 10.10.10.104/32
                exit
                action
                    drop
            exit
            entry 10 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action
                    drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action
                    forward
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action
                    forward
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

Modifying a MAC filter policy

To access a specific MAC filter, you must specify the filter ID. Use the no form of this command to remove the command parameters or return the parameter to the default setting.

Command usage to modify a MAC filter policy

config>filter# mac-filter 90
config>filter>mac-filter# description "New filter info"
config>filter>mac-filter# entry 1
config>filter>mac-filter>entry# description "New entry info"
config>filter>mac-filter>entry# action forward
config>filter>mac-filter>entry# exit
config>filter>mac-filter# entry 2 create
config>filter>mac-filter>entry$ action drop
config>filter>mac-filter>entry# match
config>filter>mac-filter>entry>match# dot1p 7 7

Modified MAC filter output


A:ALA-7>config>filter# info
----------------------------------------------
...
        mac-filter 90 create
            description "New filter info"
            scope exclusive
            entry 1 create
                description "New entry info"
                match
                    src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff
                    dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff
                exit
                action
                    forward
            exit
            entry 2 create
                match
                    dot1p 7 7
                exit
                action
                    drop
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

Deleting a filter policy

Before you can delete a filter, you must remove the filter association from the applied ingress and egress SAPs and network interfaces.

From an ingress SAP

Use the following syntax to remove a filter from an ingress SAP.

config>service# [epipe | ies | vpls] service-id
    sap port-id[:encap-val]
    ingress
    no filter

config>service# epipe 5
config>service>epipe# sap 1/1/2:3
config>service>epipe>sap# ingress
config>service>epipe>sap>ingress# no filter

From an egress SAP

Use the following syntax to remove a filter from an egress SAP.

config>service# [epipe | ies | vpls] service-id
    sap port-id[:encap-val]
    egress
    no filter

config>service# epipe 5
config>service>epipe# sap 1/1/2:3
config>service>epipe>sap# egress
config>service>epipe>sap>egress# no filter

From the filter configuration

Use the following syntax to delete the filter after you have removed the filter from the SAP.

config>filter# no ip-filter filter-id
config>filter# no mac-filter filter-id

config>filter# no ip-filter 11
config>filter# no mac-filter 13

Copying filter policies

When changes are made to an existing filter policy, they are applied immediately to all services where the policy is applied. If numerous changes are required, the policy can be copied so you can edit the "work in progress" version without affecting the filtering process. When the changes are completed, you can overwrite the work in progress version with the original version.

New filter policies can also be created by copying an existing policy and renaming the new filter.

config>filter# copy filter-type src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id][overwrite]

Command usage

The following shows command usage to copy an existing IP filter ("11") to create a new filter policy ("12").

config>filter# copy ip-filter 11 to 12

Configuration output

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "This is new"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action
                    drop
            exit
            entry 2 create
...
        ip-filter 12 create
            description "This is new"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action
                    drop
            exit
            entry 2 create
...
----------------------------------------------
A:ALA-7>config>filter# 

Filter command reference

Command hierarchies

Configuration commands

IP filter policy commands

config
    - filter
        - ip-filter filter-id [use-ipv6-resource] [create]
        - no ip-filter filter-id
            - default-action {drop | forward}
            - description description-string
            - no description
            - filter-name filter-name
            - no filter-name
            - renum old-entry-id new-entry-id
            - scope {exclusive | template}
            - no scope
            - entry entry-id [time-range time-range-name] [create]
            - no entry entry-id
                - action [drop]
                - action forward
                - no action
                - description description-string
                - no description
                - match [protocol protocol-id]
                - no match
                    - dscp dscp-name 
                    - no dscp
                    - dst-ip {ip-address/mask | ip-address ipv4-address-mask}
                    - no dst-ip
                    - dst-port {eq} dst-port-number 
                    - no dst-port
                    - fragment {true | false}
                    - no fragment
                    - icmp-code icmp-code 
                    - no icmp-code 
                    - icmp-type icmp-type 
                    - no icmp-type 
                    - option-present {true | false}
                    - no option-present
                    - src-ip {ip-address/mask | ip-address ipv4-address-mask}
                    - no src-ip
                    - src-port {eq} src-port-number
                    - no src-port
                    - tcp-ack {true | false}
                    - no tcp-ack
                    - tcp-syn {true | false}
                    - no tcp-syn

IPv6 filter policy commands for 7210 SAS-D and 7210 SAS-Dxp

config
    - filter
        - ipv6-filter ipv6-filter-id [ipv6-128bit-address | ipv6-64bit-address] [create]
        - no ipv6-filter ipv6-filter-id
            - default-action {drop | forward}
            - description description-string
            - no description
            - filter-name filter-name
            - no filter-name
            - entry entry-id [time-range time-range-name] [create]
            - no entry entry-id 
                - action [drop]
                - action forward
                - no action
                - description description-string
                - no description
                - match [next-header next-header]
                - no match
                    - dscp dscp-name 
                    - no dscp
                    - dst-ip [ipv6-address/prefix-length]
                    - no dst-ip
                    - dst-port {eq} dst-port-number 
                    - no dst-port
                    - icmp-code icmp-code 
                    - no icmp-code 
                    - icmp-type icmp-type 
                    - no icmp-type 
                    - dst-ip {ipv6-address/prefix-length}
                    - no dst-ip
                    - src-port {eq} src-port-number
                    - src-port range start end
                    - no src-port
                    - src-ip {ipv6-address/prefix-length}
                    - no src-ip
                    - tcp-ack {true | false}
                    - no tcp-ack
                    - tcp-syn {true | false}
                    - no tcp-syn
            - renum old-entry-id new-entry-id
            - scope {exclusive | template}
            - no scope

IPv6 filter policy commands for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

config
    - filter
        - ipv6-filter ipv6-filter-id [ipv6-128bit-address | ipv6-64bit-address] [create]
        - no ipv6-filter ipv6-filter-id
            - default-action {drop | forward}
            - description description-string
            - no description
            - filter-name filter-name
            - no filter-name
            - entry entry-id [time-range time-range-name] [create]
            - no entry entry-id 
                - action [drop]
                - action forward
                - no action
                - description description-string
                - no description
                - match [next-header next-header]
                - no match
                    - dscp dscp-name 
                    - no dscp
                    - dst-ip [ipv6-address/prefix-length]
                    - no dst-ip
                    - dst-port {eq} dst-port-number 
                    - no dst-port
                    - fragment {true | false | first-only | non-first-only}
                    - no fragment
                    - eh-present {true | false}
                    - no eh-present
                    - icmp-code icmp-code 
                    - no icmp-code 
                    - icmp-type icmp-type 
                    - no icmp-type 
                    - dst-ip {ipv6-address/prefix-length}
                    - no dst-ip
                    - src-port {eq} src-port-number
                    - src-port range start end
                    - no src-port
                    - src-ip {ipv6-address/prefix-length}
                    - no src-ip
                    - tcp-ack {true | false}
                    - no tcp-ack
                    - tcp-syn {true | false}
                    - no tcp-syn
            - renum old-entry-id new-entry-id
            - scope {exclusive | template}
            - no scope
MAC filter policy commands for 7210 SAS-D and 7210 SAS-Dxp
config 
    - filter
        - mac-filter filter-id [create]
        - no mac-filter filter-id
            - default-action {drop | forward}
            - description description-string
            - no description
            - entry entry-id [time-range time-range-name]
            - no entry entry-id 
                - description description-string
                - no description
                - action [drop]
                - action forward 
                - no action
                - match 
                - no match
                    - dot1p dot1p-value [dot1p-mask]
                    - no dot1p
                    - dst-mac ieee-address [ieee-address-mask]
                    - no dst-mac
                    - etype 0x0600..0xffff
                    - no etype
                    - src-mac ieee-address [ieee-address-mask]
                    - no src-mac
            - filter-name filter-name
            - no filter-name
            - renum old-entry-id new-entry-id
            - scope {exclusive | template}
            - no scope
MAC filter policy commands for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
config 
    - filter
        - mac-filter filter-id [create]
        - no mac-filter filter-id
            - default-action {drop | forward}
            - description description-string
            - no description
            - entry entry-id [time-range time-range-name]
            - no entry entry-id 
                - description description-string
                - no description
                - action [drop]
                - action forward 
                - no action
                - match 
                - no match
                    - dst-mac ieee-address [ieee-address-mask]
                    - no dst-mac
                    - etype 0x0600..0xffff
                    - no etype
                    - inner-dot1p dot1p-value [dot1p-mask]
                    - no inner-dot1p
                    - inner-tag value [vid-mask]
                    - no inner-tag
                    - outer-dot1p dot1p-value [dot1p-mask]
                    - no outer-dot1p
                    - no outer-tag
                    - outer-tag value [vid-mask]
                    - src-mac ieee-address [ieee-address-mask]
                    - no src-mac
            - filter-name filter-name
            - no filter-name
            - renum old-entry-id new-entry-id
            - scope {exclusive | template}
            - no scope
Generic filter commands
config 
    - filter
        - copy ip-filter | mac-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite]

Show commands

show
    - filter
        - ip [ip-filter-id [entry entry-id] [association | counters]]
        - ipv6 [ipv6-filter-id [entry entry-id] [association | counters]]
        - mac {mac-filter-id [entry entry-id] [association | counters]}

Clear commands

clear
    - filter
        - ip filter-id [entry entry-id] [ingress | egress]
        - ipv6 filter-id [entry entry-id] [ingress | egress]
        - mac filter-id [entry entry-id] [ingress | egress]

Monitor commands

monitor
    - filter
        - ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
        - ipv6 ipv6-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
        - mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Command descriptions

Configuration commands

Generic commands
description
Syntax

description string

no description

Context

config>filter>ip-filter

config>filter>ip-filter>entry

config>filter>ipv6-filter

config>filter>ipv6-filter>entry

config>filter>mac-filter

config>filter>mac-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command creates a text description stored in the configuration file for a configuration context.

The description command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of this command removes any description string from the context.

Parameters
string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

Global filter commands
ip-filter
Syntax

[no] ip-filter filter-id [use-ipv6-resource] [create]

Context

config>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures an IP filter policy.

IP-filter policies specify either a forward or a drop action for packets based on the specified match criteria.

The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services as long as the scope of the policy is template.

Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied. For this reason, when many changes are required on an ip-filter policy, Nokia recommends that the policy be copied to a work area. That work-in-progress policy can be modified until complete and then written over the original filter policy. Use the config filter copy command to maintain policies in this manner.

By default, when an IPv4 filter policy is associated with a service entity (for example, a SAP), the software attempts to allocate resources for the filter policy entries from the IPv4 resource pool. If resources are unavailable in the pool, the software fails the association and displays an error. If the user knows that resources are free in the IPv6 resource pool, the use-ipv6-resource parameter allows the filter to share the entries in the resource chunks allocated for use by the IPv6 128-bit resource pool, if available. If this parameter is specified, the resources for this filter policy are always allocated from the IPv6 128-bit filter resource pool.

Note:

By default, that is, when use-ipv6-resource is not specified, IPv4 filters are created using IPv4 resources. To create such filters using IPv6 resources, the use-ipv6-resource option must be specified. Before applying such a filter, the user should ensure that the number of policies in the newly created policy is within the limit of available resources in the IPv6 128-bit resource pool by checking the output of the tools dump system-resources command.

The no form of this command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all SAPs where it is applied.

Parameters
filter-id

Specifies the IP filter policy ID number.

Values

1 to 65535

create

Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.

use-ipv6-resource

Specifies that the hardware resources for the entries in this filter policy must be allocated from the IPv6 filter resource pool, if available.

ipv6-filter
Syntax

[no] ipv6-filter ipv6-filter-id [ipv6-128bit-address | ipv6-64bit-address] [create]

Context

config>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command creates an IPv6 filter policy. During IPv6 filter creation, the user must specify whether the IPv6 addresses (both source and destination) specified in the match criteria use the complete 128 bits or only the upper 64 bits of the IPv6 address.

The no form of this command deletes the IPv6 filter policy. A filter policy cannot be deleted until it is removed from all SAPs or network ports where it is applied.

Default

128-bit addresses

Parameters
ipv6-filter-id

Specifies the IPv6 filter policy ID number.

Values

1 to 65535

ipv6-128bit-address

Specifies that the filter uses complete 128-bit addresses. To use complete 128-bit addresses, the user must specify the ipv6-128bit-address CLI parameter with the create command. When this policy is associated with a SAP, the software allocates resources for the filter entries from the IPv6 128-bit resource pool for the SAP.

ipv6-64bit-address

Specifies that the filter uses only the upper 64 bits (the most significant bits, MSB) of the addresses. To use this option, the user must specify the ipv6-64bit-address CLI parameter with the create command. When this policy is associated with a SAP, the software allocates resources for the filter entries from the IPv6 64-bit resource pool for the SAP. Not all IP packet fields are available for matching when using 64-bit addresses. For the packet header fields available for matching with this option, see Configuration notes.

create

Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.

mac-filter
Syntax

[no] mac-filter filter-id [create]

Context

config>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context for a MAC filter policy.

The mac-filter policy specifies either a forward or a drop action for packets based on the specified match criteria.

The mac-filter policy, sometimes referred to as an access control list, is a template that can be applied to multiple services as long as the scope of the policy is template.

Note:

A MAC filter policy cannot be applied to network ports on the 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.

Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied. For this reason, when many changes are required on a mac-filter policy, Nokia recommends that the policy be copied to a work area. That work-in-progress policy can be modified until complete and then written over the original filter policy. Use the config filter copy command to maintain policies in this manner.

The no form of this command deletes the mac-filter policy. A filter policy cannot be deleted until it is removed from all SAPs where it is applied.

Parameters
filter-id

Specifies the MAC filter policy ID number.

Values

1 to 65535

create

Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.

Filter policy commands
default-action
Syntax

default-action {drop | forward}

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter.

When multiple default-action commands are entered, the last command will overwrite the previous command.

Default

drop

Parameters
drop

Specifies all packets will be dropped unless there is a specific filter entry which causes the packet to be forwarded.

forward

Specifies all packets will be forwarded unless there is a specific filter entry which causes the packet to be dropped.

scope
Syntax

scope {exclusive | template}

no scope

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the filter policy scope as exclusive or template. If the scope of the policy is template and is applied to one or more services or network interfaces, the scope cannot be changed.

The no form of this command reverts the scope of the policy to the default.

Default

template

Parameters
exclusive

Specifies that the policy can only be applied to a single entity (SAP). Attempting to assign the policy to a second entity will result in an error message. If the policy is removed from the entity, it will become available for assignment to another entity.

template

Specifies that the policy can be applied to multiple SAPs.

General filter entry commands
entry
Syntax

entry entry-id [time-range time-range-name] [create]

no entry entry-id

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables creation or editing of an IP or MAC filter entry. Multiple entries can be created using unique entry-id numbers within the filter. The implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have the action command for it to be considered complete. Entries without the action command will be considered incomplete and therefore will be rendered inactive.

The no form of this command removes the specified entry from the IP or MAC filter. Entries removed from the IP or MAC filter are immediately removed from all services or network ports where that filter is applied.

Parameters
entry-id

Specifies a match criterion and the corresponding action. Nokia recommends that multiple entries be given entry IDs in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.

Values

1 to 65535

time-range time-range-name

Specifies the time range name to be associated with this filter entry, up to 32 characters. The time-range name must already exist in the config>cron context.

create

Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.

IP filter entry commands
action
Syntax

action [drop]

action forward

no action

Context

config>filter>ip-filter>entry

config>filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies to match packets with a specific IP option or a range of IP options in the first option of the IP header as an IP filter match criterion. The action keyword must be entered and a keyword specified in order for the entry to be active.

Multiple action statements entered will overwrite previous actions parameters when defined.

The no form of this command removes the specified action statement. The filter entry is considered incomplete and therefore rendered inactive without the action keyword.

Parameters
drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

match
Syntax

match [protocol protocol-id]

no match

Context

config>filter>ip-filter>entry

config>filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enters match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Parameters
protocol

Specifies an IP protocol to be used as an IP filter match criterion. The protocol type, such as TCP or UDP, is identified by its respective protocol number.

protocol-id

Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Common protocol numbers include ICMP(1), TCP(6), and UDP(17) (see the following table). The value can be expressed in decimal, hexadecimal, or binary.

Values

0 to 255

Table 7. IP protocol IDs and descriptions

Protocol ID   Protocol   Description
1             icmp       Internet Control Message
2             igmp       Internet Group Management
4             ip         IP in IP (encapsulation)
6             tcp        Transmission Control
8             egp        Exterior Gateway Protocol
9             igp        Any private interior gateway
17            udp        User Datagram
27            rdp        Reliable Data Protocol
45            idrp       Inter-Domain Routing Protocol
46            rsvp       Reservation Protocol
80            iso-ip     ISO Internet Protocol
88            eigrp      EIGRP
89            ospf-igp   OSPFIGP
97            ether-ip   Ethernet-within-IP Encapsulation
98            encap      Encapsulation Header
102           pnni       PNNI over IP
103           pim        Protocol Independent Multicast
112           vrrp       Virtual Router Redundancy Protocol
115           l2tp       Layer Two Tunneling Protocol
118           stp        Schedule Transfer Protocol
123           ptp        Performance Transparency Protocol
124           isis       ISIS over IPv4
126           crtp       Combat Radio Transport Protocol
127           crudp      Combat Radio User Datagram

MAC filter entry commands
action
Syntax

action drop

action forward

no action

Context

config>filter>mac-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the action for a MAC filter entry. The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive.

If neither drop nor forward is specified, this is considered a No-Op filter entry used to explicitly set a filter entry inactive without modifying match criteria or removing the entry.

Multiple action statements entered will overwrite previous actions parameters when defined. To remove a parameter, use the no form of the action command with the specified parameter.

The no form of this command removes the specified action statement. The filter entry is considered incomplete and therefore rendered inactive without the action keyword.

Parameters
drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

match
Syntax

match

no match

Context

config>filter>mac-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context for entering or editing match criteria for the filter entry and specifies an Ethernet frame type for the entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, then all criteria must be satisfied (AND function) before the action associated with the match will be executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Parameters
frame-type keyword

Specifies an Ethernet frame type to be used for the MAC filter match criteria.

ethernet_II

Specifies the frame type is Ethernet Type II.

IP filter match criteria commands
dscp
Syntax

dscp dscp-name

no dscp

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.

The no form of this command removes the DSCP match criterion.

Default

no dscp

Parameters
dscp-name

Specifies a dscp name that has been previously mapped to a value using the dscp-name command. The DiffServ code point may only be specified by its name.

Values

be | cp1 | cp2 | cp3 | cp4 | cp5 | cp6 | cp7 | cs1 | cp9 | af11 | cp11 | af12 | cp13 | af13 | cp15 | cs2 | cp17 | af21 | cp19 | af22 | cp21 | af23 | cp23

dst-ip
Syntax

dst-ip {ip-address/mask | ip-address ipv4-address-mask}

no dst-ip

Context

config>filter>ip-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination IP address range to be used as an IP filter match criterion.

To match on the destination IP address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of this command removes the destination IPv4 address match criterion.

Default

none

Parameters
ip-address

Specifies the IP prefix for the IP match criterion in dotted-decimal notation.

Values

a.b.c.d

mask

Specifies the subnet mask length expressed as a decimal integer.

Values

0 to 32

ipv4-address-mask

Specifies any mask expressed in dotted quad notation.

Values

0 to 255

dst-ip
Syntax

dst-ip {ipv6-address/prefix-length}

no dst-ip

Context

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination IPv6 address range to be used as an IP filter match criterion.

To match on the destination IPv6 address, specify the address and its associated mask.

The no form of this command removes the destination IPv6 address match criterion.

Default

none

Parameters
ipv6-address

Specifies the IPv6 prefix for the IP match criterion in hex digits.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - 0 to FFFF (hexadecimal)

d - 0 to 255 (decimal)

prefix-length

Specifies the IPv6 prefix length for the IPv6 address as a decimal integer.

Values

1 to 128

dst-port
Syntax

dst-port {eq} dst-port-number

no dst-port

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination TCP or UDP port number for an IP filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the destination port match criterion.

Default

none

Parameters
dst-port-number

Specifies the destination port number to be used as a match criterion, expressed as a decimal integer.

Values

1 to 65535

eh-present
Syntax

eh-present {true | false}

no eh-present

Context

config>filter>ipv6-filter>entry>match

Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command allows the user to specify if the presence of the IPv6 extension header should be used to match an IPv6 packet.

The no form of this command removes the match criterion.

Default

no eh-present

Parameters
true

Specifies to match an IPv6 packet with an extension header.

false

Specifies to match an IPv6 packet without an extension header.

fragment
Syntax

fragment {true | false}

no fragment

Context

config>filter>ip-filter>entry>match

Platforms

7210 SAS-Dxp, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures fragmented or non-fragmented IPv4 packets as IP filter match criteria.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the match criterion.

Default

no fragment

Parameters
true

Specifies to match on all fragmented IPv4 packets. A match will occur for all packets that have either the more fragment (MF) bit set or have the Fragment Offset field of the IPv4 header set to a non-zero value.

false

Specifies to match on all non-fragmented IPv4 packets. Non-fragmented IPv4 packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.
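The following Python model is an added illustration, not Nokia code and not part of the original guide. It applies the evaluation rules described in this chapter (first match wins, criteria in a match context are ANDed, an entry without an action is inactive, L4 criteria never match non-initial fragments) to show which entry decides each packet. The class and function names, the sample policies and the sample packets are constructed, and the model assumes entries are evaluated in ascending entry-id order.

```python
from dataclasses import dataclass, field
from typing import Optional

# Criteria that live in the L4 header; only the first fragment carries them.
L4_CRITERIA = {"dst_port", "src_port"}


@dataclass
class Packet:
    protocol: int                     # IP protocol number (6 = TCP, 17 = UDP)
    dst_port: Optional[int] = None    # None when no L4 header is present
    src_port: Optional[int] = None
    more_fragments: bool = False      # MF bit
    frag_offset: int = 0              # Fragment Offset field

    @property
    def is_fragment(self) -> bool:
        # "fragment true" as described above: MF set or non-zero offset.
        return self.more_fragments or self.frag_offset != 0


@dataclass
class Entry:
    entry_id: int
    action: Optional[str] = None      # "drop" or "forward"; None = incomplete entry
    match: dict = field(default_factory=dict)


@dataclass
class FilterPolicy:
    default_action: str
    entries: list


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    """All criteria in the match context must hold (AND function)."""
    for name, wanted in entry.match.items():
        if name == "fragment":
            if pkt.is_fragment != wanted:
                return False
        elif name in L4_CRITERIA:
            # Non-initial fragments have no L4 header, so L4 criteria never match.
            if pkt.frag_offset != 0 or getattr(pkt, name) != wanted:
                return False
        elif getattr(pkt, name) != wanted:
            return False
    return True  # an empty match context matches everything


def evaluate(policy: FilterPolicy, pkt: Packet):
    """Return (action, entry_id); entry_id is None when default-action applied."""
    for entry in sorted(policy.entries, key=lambda e: e.entry_id):
        if entry.action is None:
            continue  # incomplete entry: inactive
        if entry_matches(entry, pkt):
            return entry.action, entry.entry_id  # first match ends the lookup
    return policy.default_action, None


# Constructed policy: default-action forward with one port-based drop entry.
PORT_ONLY = FilterPolicy("forward", [
    Entry(10, "drop", {"protocol": 6, "dst_port": 23}),
])

# Same policy with a fragment entry ahead of the L4 entry (on platforms that
# support the fragment criterion) and an incomplete entry 7 that stays inactive.
WITH_FRAGMENT_ENTRY = FilterPolicy("forward", [
    Entry(5, "drop", {"protocol": 6, "fragment": True}),
    Entry(7, None, {"protocol": 6}),
    Entry(10, "drop", {"protocol": 6, "dst_port": 23}),
])

# Constructed sample packets.
WHOLE = Packet(protocol=6, dst_port=23, src_port=40000)
FIRST_FRAG = Packet(protocol=6, dst_port=23, src_port=40000, more_fragments=True)
LATER_FRAG = Packet(protocol=6, frag_offset=185)   # no L4 header present
WEB = Packet(protocol=6, dst_port=80, src_port=40001)

if __name__ == "__main__":
    for label, policy in (("port-only", PORT_ONLY),
                          ("with fragment entry", WITH_FRAGMENT_ENTRY)):
        for name, pkt in (("whole", WHOLE), ("first fragment", FIRST_FRAG),
                          ("later fragment", LATER_FRAG), ("web", WEB)):
            print(label, name, evaluate(policy, pkt))
```

With the port-only policy the later fragment is decided by default-action rather than by entry 10, so a filter whose default-action is forward needs either an explicit fragment entry ahead of its L4 entries or a default-action of drop.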

fragment
Syntax

fragment {true | false | first-only | non-first-only}

no fragment

Context

config>filter>ipv6-filter>entry>match

Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures fragmented or non-fragmented IPv6 packets as IP filter match criteria.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the match criterion.

Default

no fragment

Parameters
true

Specifies to match on all fragmented IPv6 packets. A match will occur for all packets that have either the more fragment (MF) bit set or have the Fragment Offset field of the IPv6 header set to a non-zero value.

false

Specifies to match on all non-fragmented IPv6 packets. Non-fragmented IPv6 packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.

first-only

Specifies to match if a packet is an initial fragment of a fragmented IPv6 packet.

non-first-only

Specifies to match if a packet is a non-initial fragment of a fragmented IPv6 packet.

icmp-code
Syntax

icmp-code icmp-code

no icmp-code

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the ICMP code field in the ICMP header of an IP packet as a filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

For an IPv4 filter, this command applies only if the protocol match criterion specifies ICMP (1).

For an IPv6 filter, this command applies only if the next header match criterion specifies ipv6-icmp (58).

The no form of this command removes the criterion from the match entry.

Default

no icmp-code

Parameters
icmp-code

Specifies the ICMP code values that must be present to match.

Values

icmp-code-number or icmp-code-keyword

icmp-code-number

Specifies the ICMP code number in decimal, hexadecimal, or binary, to be used as a match criterion.

Values

0 to 255 (decimal)

0x0 to 0xFF (hexadecimal)

0b0 to 0b11111111 (binary)

icmp-code-keyword

Specifies the ICMP code keyword to be used as a match criterion.

Values

none | no-route-to-destination | comm-with-dest-admin-prohibited | beyond-scope-scr-addr | address-unreachable | port-unreachable

icmp-type
Syntax

icmp-type icmp-type

no icmp-type

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the ICMP type field in the ICMP header of an IP packet as a filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

For an IPv4 filter, this command applies only if the protocol match criterion specifies ICMP (1).

For an IPv6 filter, this command applies only if the next header match criterion specifies ipv6-icmp (58).

The no form of this command removes the criterion from the match entry.

Default

no icmp-type

Parameters
icmp-type

Specifies the ICMP type values that must be present to match.

Values

icmp-type-number or icmp-type-keyword

icmp-type-number

Specifies the ICMP type number in decimal, hexadecimal, or binary, to be used as a match criterion.

Values

0 to 255 (decimal)

0x0 to 0xFF (hexadecimal)

0b0 to 0b11111111 (binary)

icmp-type-keyword

Specifies the ICMP type keyword to be used as a match criterion.

Values

none | dest-unreachable | packet-too-big | time-exceeded | parameter-problem | echo-request | echo-reply | multicast-listen-query | multicast-listen-report | multicast-listen-done | router-solicitation | router-advt | neighbor-solicitation | neighbor-advertisement | redirect-message | router-renumbering | icmp-node-info-query | icmp-node-info-resp | inv-nd-solicitation | inv-nd-adv-message

option-present
Syntax

option-present {true | false}

no option-present

Context

config>filter>ip-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document.

Description

This command configures matching packets that contain the option field in the IP header as an IP filter match criterion.

The no form of this command removes the checking of the option field in the IP header as a match criterion.

Parameters
true

Specifies matching on all IP packets that contain the option field in the header. A match will occur for all packets that have the option field present.

false

Specifies matching on IP packets that do not have any option field present in the IP header.

src-ip
Syntax

src-ip {ip-address/mask | ip-address ipv4-address-mask}

no src-ip

Context

config>filter>ip-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source IPv4 address range to be used as an IP filter match criterion.

To match on the source IPv4 address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of this command removes the source IPv4 address match criterion.

Default

no src-ip

Parameters
ip-address

Specifies the IPv4 prefix for the IP match criterion in dotted-decimal notation.

Values

a.b.c.d

mask

Specifies the subnet mask length, expressed as a decimal integer.

Values

0 to 32

ipv4-address-mask

Specifies any mask, expressed in dotted quad notation.

Values

0 to 255

src-ip
Syntax

src-ip {ipv6-address/prefix-length}

no src-ip

Context

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source IPv6 address range to be used as an IP filter match criterion.

To match on the source IPv6 address, specify the address and its associated mask.

If the filter is created to match 64-bit addresses, the IPv6 address specified for the match must contain only the first 64 bits (that is, the first four 16-bit groups of the IPv6 address).

The no form of this command removes the source IPv6 address match criterion.

Default

no src-ip

Parameters
ipv6-address

Specifies the IPv6 prefix for the IP match criterion in hex digits.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - 0 to FFFF (hexadecimal)

d - 0 to 255 (decimal)

prefix-length

Specifies the IPv6 prefix length for the IPv6 address as a decimal integer.

Values

1 to 128

src-port
Syntax

src-port {eq} src-port-number

no src-port

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source TCP or UDP port number for an IP filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the source port match criterion.

Default

no src-port

Parameters
src-port-number

Specifies the source port number to be used as a match criterion, expressed as a decimal integer.

Values

0 to 65535

tcp-ack
Syntax

tcp-ack {true | false}

no tcp-ack

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the criterion from the match entry.

Default

no tcp-ack

Parameters
true

Specifies matching on IP packets that have the ACK bit set in the control bits of the TCP header of an IP packet.

false

Specifies matching on IP packets that do not have the ACK bit set in the control bits of the TCP header of the IP packet.

tcp-syn
Syntax

tcp-syn {true | false}

no tcp-syn

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The SYN bit is normally set when the source of the packet needs to initiate a TCP session with the specified destination IP address.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the criterion from the match entry.

Default

no tcp-syn

Parameters
true

Specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header.

false

Specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header.

MAC filter match criteria commands
dot1p
Syntax

dot1p ip-value [mask]

no dot1p

Context

config>filter>mac-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures an IEEE 802.1p value or range to be used as a MAC filter match criterion.

When a frame is missing the 802.1p bits, specifying a dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry.

The no form of this command removes the criterion from the match entry.

Egress Dot1p values used for matching will correspond to the Dot1p values used for remarking.

Default

no dot1p

Parameters
ip-value

Specifies the IEEE 802.1p value in decimal.

Values

0 to 7

mask

Specifies a 3-bit mask that can be configured using the following formats:

Table 8. 3-bit mask format

Format style    Format syntax    Example
Decimal         D                4
Hexadecimal     0xH              0x4
Binary          0bBBB            0b100

To select a range from 4 up to 7, specify a p-value of 4 and a mask of 0b100.

Values

1 to 7 (decimal)

Default

7

dst-mac
Syntax

dst-mac ieee-address [mask]

no dst-mac

Context

config>filter>mac-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination MAC address or range to be used as a MAC filter match criterion.

The no form of this command removes the destination MAC address as the match criterion.

Default

no dst-mac

Parameters
ieee-address

Specifies the MAC address to be used as a match criterion.

Values

HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit

mask

Specifies a 48-bit mask to match a range of MAC address values.

This 48-bit mask can be configured using the following formats:

Table 9. 48-bit mask format

Format style    Format syntax     Example
Decimal         DDDDDDDDDDDDDD    281474959933440
Hexadecimal     0xHHHHHHHHHHHH    0xFFFFFF000000
Binary          0bBBBBBBB...B     0b11110000...B

To make all packets with a source MAC OUI value of 00-03-FA subject to a match condition, specify the entry as: 0003FA000000 0xFFFFFF000000

Values

HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit

Default

0xFFFFFFFFFFFF (exact match)

etype
Syntax

etype ethernet-type

no etype

Context

config>filter>mac-filter>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures an Ethernet type II Ethertype value for use as a MAC filter match criterion.

The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.

The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field.

For the 7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C platforms, the dataplane processes a maximum of two VLAN tags in a received packet. The Ethertype used in the MAC matching criteria for ACLs is the Ethertype that is found in the packet after processing single-tagged frames, double-tagged frames, and no-tag frames.

The packet is considered to have no tags if at least one of the following criteria is true:

  • the packet is a null-tagged frame

  • the packet is a priority-tagged frame

  • the outermost Ethertype does not match the default Ethertype (0x8100)

  • the outermost Ethertype does not match the configured dot1q-etype on Dot1q encapsulated ports

  • the outermost Ethertype does not match the configured qinq-etype on QinQ encapsulated ports

The packet is considered to have a single tag if at least one of the following criteria is true:

  • the outermost Ethertype matches the default Ethertype (0x8100)

  • the outermost Ethertype matches the configured dot1q-etype on Dot1q encapsulated ports

  • the outermost Ethertype matches the configured qinq-etype on QinQ encapsulated ports

The packet is considered to have double tags if at least one of the following criteria is true:

  • the outermost Ethertype matches the default Ethernet type (0x8100)

  • the configured dot1q-etype on Dot1q encapsulated ports and the immediately following Ethertype match the default Ethertype (0x8100)

  • the configured qinq-etype on QinQ encapsulated ports and the immediately following Ethertype match the default Ethertype (0x8100)

The no form of this command removes the previously entered etype field as the match criteria.

Default

no etype

Parameters
ethernet-type

Specifies the Ethernet type II frame Ethertype value to be used as a match criterion, expressed in hexadecimal.

Values

0x0600 to 0xFFFF

inner-dot1p
Syntax

inner-dot1p dot1p-value [dot1p-mask]

no inner-dot1p

Context

config>filter>mac-filter>entry>match

Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures the Dot1p value to be used to match against the Dot1p value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.

The no form of this command removes the previously entered Dot1p value as the match criteria.

Default

no inner-dot1p

Parameters
dot1p-value

Specifies the Dot1p value to match.

Values

0 to 7

dot1p-mask

Specifies the mask value to match a range of Dot1p values. The value can be expressed in decimal or binary.

Values

0 to 7

inner-tag
Syntax

inner-tag value [vid-mask]

no inner-tag

Context

config>filter>mac-filter>entry>match

Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures the VLAN value to be used to match against the VLAN value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.

The optional vid-mask defaults to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value & vid-mask) == (tag & vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.

The no form of this command removes the previously entered VLAN tag value as the match criteria.

Default

no inner-tag

Parameters
value

Specifies the VLAN value to use for the match

Values

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

vid-mask

Specifies the mask value to match a range of VLAN values.

Values

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

outer-dot1p
Syntax

outer-dot1p dot1p-value [dot1p-mask]

no outer-dot1p

Context

config>filter>mac-filter>entry>match

Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures the Dot1p value to be used to match against the Dot1p value in the outermost tag of the received packet.

The no form of this command removes the previously entered Dot1p value as the match criteria.

Default

no outer-dot1p

Parameters
dot1p-value

Specifies the Dot1p value to match.

Values

0 to 7

dot1p-mask

Specifies the mask value to match a range of Dot1p values. The value can be expressed in decimal or hexadecimal.

Values

0 to 7

outer-tag
Syntax

outer-tag value [vid-mask]

no outer-tag

Context

config>filter>mac-filter>entry>match

Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures the VLAN value to be used to match against the VLAN value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.

The optional vid-mask defaults to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value & vid-mask) == (tag & vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.

The no form of this command removes the previously entered VLAN tag value as the match criteria.

Default

no outer-tag

Parameters
value

Specifies the VLAN value to use for the match

Values

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

vid-mask

Specifies the mask value to match a range of VLAN values.

Values

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

src-mac
Syntax

src-mac ieee-address [ieee-address-mask]

no src-mac

Context

config>filter>mac-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source MAC address or range to be used as a MAC filter match criterion.

The no form of this command removes the source MAC address as the match criterion.

Default

no src-mac

Parameters
ieee-address

Specifies the 48-bit IEEE MAC address to be used as a match criterion.

Values

HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit

ieee-address-mask

Specifies a 48-bit mask that can be configured using:

Table 10. 48-bit mask format

Format style    Format syntax     Example
Decimal         DDDDDDDDDDDDDD    281474959933440
Hexadecimal     0xHHHHHHHHHHHH    0xFFFFFF000000
Binary          0bBBBBBBB...B     0b11110000...B

To make all packets with a source MAC OUI value of 00-03-FA subject to a match condition, specify the entry as: 0003FA000000 0xFFFFFF000000

Values

0x000000000000 to 0xFFFFFFFFFFFF (hexadecimal)

Default

0xFFFFFFFFFFFF
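
The dot1p, inner-tag/outer-tag and dst-mac/src-mac criteria above all use the same value-and-mask comparison. The following Python sketch is an added example, not code from the guide or from the 7210 SAS software; the function names are hypothetical. It parses the three mask formats from the tables and shows exactly which field values a value/mask pair selects, which is a useful check before applying a masked entry.

```python
# Added example (not from the 7210 SAS guide): value/mask matching for the
# dot1p, inner-tag/outer-tag and dst-mac/src-mac criteria described above.
# All function names are hypothetical.


def parse_mask(text):
    """Parse a mask written as decimal (4), hexadecimal (0x4) or binary (0b100)."""
    text = text.strip().lower()
    if text.startswith("0x"):
        return int(text[2:], 16)
    if text.startswith("0b"):
        return int(text[2:], 2)
    return int(text, 10)


def parse_mac(text):
    """Parse HH:HH:HH:HH:HH:HH, HH-HH-HH-HH-HH-HH or 12 bare hex digits."""
    digits = text.replace(":", "").replace("-", "")
    if len(digits) != 12:
        # A dropped digit silently shifts the OUI, so reject it outright.
        raise ValueError("expected 12 hex digits, got %d in %r" % (len(digits), text))
    return int(digits, 16)


def masked_match(configured, observed, mask):
    """The masking operation from the guide: (value & mask) == (tag & mask)."""
    return (configured & mask) == (observed & mask)


def matched_values(configured, mask, width):
    """List every `width`-bit field value the pair matches.

    Only sensible for small fields (3-bit dot1p, 12-bit VLAN ID).
    """
    return [v for v in range(1 << width) if masked_match(configured, v, mask)]


def match_count(mask, width):
    """Number of distinct field values matched: 2 ** (number of zero mask bits)."""
    full = (1 << width) - 1
    return 1 << bin(~mask & full).count("1")


def ignored_value_bits(configured, mask):
    """Bits set in the configured value where the mask is 0; they never affect the match."""
    return configured & ~mask


if __name__ == "__main__":
    # dot1p: value 4 with mask 0b100 selects the range 4 to 7.
    print("dot1p 4 / 0b100 ->", matched_values(4, parse_mask("0b100"), 3))
    # A non-contiguous mask selects a bit pattern, not a range.
    print("dot1p 1 / 0b101 ->", matched_values(1, parse_mask("0b101"), 3))
    # VLAN tag: value 6, mask 7 matches every VID whose lower 3 bits are 110.
    vids = matched_values(6, 7, 12)
    print("VID 6 / 7 ->", vids[:4], "...", len(vids), "VIDs in total")
    # MAC OUI match from the guide; the decimal and hex masks are the same number.
    mask = parse_mask("0xFFFFFF000000")
    assert mask == parse_mask("281474959933440")
    oui = parse_mac("0003FA000000")
    for mac in ("00-03-FA-12-34-56", "00:03:FB:12:34:56"):  # constructed addresses
        print(mac, "matches" if masked_match(oui, parse_mac(mac), mask) else "no match")
    print("addresses covered by the OUI entry:", match_count(mask, 48))
```

Value bits that fall outside the mask are ignored, so a dot1p value of 6 with mask 0b100 matches the same frames as a value of 4; `ignored_value_bits` flags such entries.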

Policy and entry maintenance commands
copy
Syntax

copy {ip-filter | mac-filter} source-filter-id dest-filter-id dest-filter-id [overwrite]

Context

config>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command copies existing filter list entries for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new filters using existing filters. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.

If overwrite is not specified, an error will occur if the destination policy ID exists.

Parameters
ip-filter

Specifies that the source-filter-id and the dest-filter-id are IP filter IDs.

mac-filter

Specifies that the source-filter-id and the dest-filter-id are MAC filter IDs.

source-filter-id

Specifies the source filter policy from which the copy command will attempt to copy. The filter policy must exist within the context of the preceding keyword (ip-filter or mac-filter).

dest-filter-id

Specifies the destination filter policy to which the copy command will attempt to copy. If the overwrite keyword does not follow, the filter policy ID cannot already exist within the system for the filter type the copy command is issued for. If the overwrite keyword is present, the destination policy ID may or may not exist.

overwrite

Specifies that the destination filter ID may exist. If it does, everything in the existing destination filter ID will be completely overwritten with the contents of the source filter ID. If the destination filter ID exists, either overwrite must be specified or an error message will be returned. If overwrite is specified, the function of copying from source to destination occurs in a 'break before make' manner and therefore should be handled with care.

filter-name
Syntax

filter-name filter-name

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the filter-name attribute of a specific filter. When configured, filter-name can be used instead of filter ID to reference the specific policy in the CLI.

Default

no filter-name

Parameters
filter-name

Specifies a string of up to 64 characters uniquely identifying this filter policy.

renum
Syntax

renum old-entry-id new-entry-id

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command renumbers existing MAC or IP filter entries to properly sequence filter entries. This may be required in some cases because the OS exits when the first match is found and executes the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.

Parameters
old-entry-id

Specifies the entry number of an existing entry.

Values

1 to 65535

new-entry-id

Specifies the new entry-number to be assigned to the old entry.

Values

1 to 65535
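
The renum description and the L4 fragment notes under src-port, tcp-ack and tcp-syn interact: evaluation stops at the first matching entry, and an entry with L4 criteria never matches a non-initial fragment. The following Python model is an added example, not Nokia code; the class and function names are hypothetical, the entries and addresses are constructed, and it assumes entries are evaluated in ascending entry-ID order.

```python
# Added example (not Nokia code): first-match evaluation of IP filter entries,
# including the rule that L4 criteria never match non-initial fragments.
# Assumption: entries are evaluated in ascending entry-ID order.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    src_port: Optional[int] = None
    tcp_syn: bool = False
    tcp_ack: bool = False
    non_initial_fragment: bool = False  # 2nd, 3rd, ... fragment: no L4 header


@dataclass
class Entry:
    entry_id: int
    action: str                       # "forward" or "drop"
    src_ip: Optional[str] = None      # None means the criterion is not configured
    src_port: Optional[int] = None    # models "src-port eq <n>"
    tcp_syn: Optional[bool] = None
    tcp_ack: Optional[bool] = None

    def has_l4_criteria(self):
        return any(c is not None for c in (self.src_port, self.tcp_syn, self.tcp_ack))

    def matches(self, pkt):
        if self.src_ip is not None:
            # strict=False accepts prefixes with host bits set, such as 10.1.1.1/24
            if ip_address(pkt.src_ip) not in ip_network(self.src_ip, strict=False):
                return False
        if self.has_l4_criteria():
            if pkt.non_initial_fragment:
                return False  # only the first fragment carries L4 information
            if self.src_port is not None and pkt.src_port != self.src_port:
                return False
            if self.tcp_syn is not None and pkt.tcp_syn != self.tcp_syn:
                return False
            if self.tcp_ack is not None and pkt.tcp_ack != self.tcp_ack:
                return False
        return True


def evaluate(entries, default_action, pkt):
    """Return (entry_id, action) of the first match, or (None, default_action)."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.matches(pkt):
            return entry.entry_id, entry.action
    return None, default_action


def renum(entries, old_id, new_id):
    """Model of 'renum old-entry-id new-entry-id'."""
    if any(e.entry_id == new_id for e in entries):
        raise ValueError("entry %d already exists" % new_id)
    for entry in entries:
        if entry.entry_id == old_id:
            entry.entry_id = new_id
            return
    raise KeyError(old_id)


def shadowed_entries(entries):
    """Find (earlier_id, later_id) pairs where an earlier IP-only entry covers the
    whole source prefix of a later entry, so the later entry can never match."""
    ordered = sorted(entries, key=lambda e: e.entry_id)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.has_l4_criteria():
                continue  # narrower than IP-only; outside this simple check
            wide = ip_network(earlier.src_ip or "0.0.0.0/0", strict=False)
            narrow = ip_network(later.src_ip or "0.0.0.0/0", strict=False)
            if narrow.subnet_of(wide):
                found.append((earlier.entry_id, later.entry_id))
                break
    return found


def example_filter():
    """Constructed policy: the broad forward entry precedes the explicit drop."""
    return [
        Entry(10, "forward", src_ip="10.1.0.0/16"),
        Entry(20, "drop", src_ip="10.1.5.0/24", src_port=53),
    ]


if __name__ == "__main__":
    entries = example_filter()
    pkt = Packet("10.1.5.9", src_port=53)
    print("before renum:", evaluate(entries, "drop", pkt), shadowed_entries(entries))
    renum(entries, 20, 5)  # most explicit entry first
    print("after renum: ", evaluate(entries, "drop", pkt), shadowed_entries(entries))
    frag = Packet("10.1.5.9", non_initial_fragment=True)
    print("non-initial fragment:", evaluate(entries, "drop", frag))
```

After the renumbering the explicit drop entry is evaluated first, yet a non-initial fragment from the same source still skips it and is handled by the next IP-only entry, so the action for fragments has to be decided by an entry without L4 criteria or by the default action.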

Show commands

ip
Syntax

ip ip-filter-id [association | counters]

ip ip-filter-id entry entry-id [counters]

Context

show>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays IP filter information.

Parameters
ip-filter-id

Displays detailed information for the specified filter ID and its filter entries.

Values

1 to 65535

entry entry-id

Displays information about the specified filter entry ID for the specified filter ID only.

Values

1 to 65535

associations

Displays where the filter policy ID is applied, appended to the detailed filter policy ID output.

counters

Displays counter information for the specified filter ID. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.

type entry-type

Displays information about the specified filter ID for the specified entry-type only.

Output

The following outputs are examples of IP filter information, and the associated tables describe the output fields.

Sample output
A:ALA-49# show filter ip
===============================================================================
IP Filters
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
1         Template Yes
3         Template Yes
6         Template Yes
10        Template No
11        Template No
-------------------------------------------------------------------------------
Num IP filters: 5
===============================================================================
A:ALA-49#

*A:Dut-C>config>filter# show filter ip 
===============================================================================
IP Filters                                                       Total:     2
===============================================================================
Filter-Id   Scope    Applied Description
-------------------------------------------------------------------------------
10001       Template Yes     
fSpec-1     Template Yes     BGP FlowSpec filter for the Base router
-------------------------------------------------------------------------------
Num IP filters: 2
===============================================================================
*A:Dut-C>config>filter#

Table 11. Output fields: filter IP

Label

Description

Filter Id

The IP filter ID.

Scope

Template — The filter policy is of type template.

Exclusive — The filter policy is of type exclusive.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Description

The IP filter policy description.

Sample output with IP filter ID specified
A:ALA-49>config>filter# show filter ip 3
===============================================================================
IP Filter
===============================================================================
Filter Id    : 3                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 1
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 10
Src. IP      : 10.1.1.1/24                      Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : 2                                Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 0                                Egr. Matches   : 0
===============================================================================
A:ALA-49>config>filter# 

*A:Dut-C>config>filter# show filter ip fSpec-1 associations 
===============================================================================
IP Filter
===============================================================================
Filter Id    : fSpec-1                          Applied        : Yes
Scope        : Template                         Def. Action    : Forward
Radius Ins Pt: n/a                              
CrCtl. Ins Pt: n/a                              
Entries      : 2 (insert By Bgp)
Description  : BGP FlowSpec filter for the Base router
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
Service Id   : 1                                Type           : IES
- SAP    1/1/3:1.1   (merged in ip-fltr 10001) 
===============================================================================
*A:Dut-C>config>filter# 


*A:Dut-C>config>filter# show filter ip 10001 
===============================================================================
IP Filter
===============================================================================
Filter Id    : 10001                            Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Radius Ins Pt: n/a                              
CrCtl. Ins Pt: n/a                              
Entries      : 1                                
BGP Entries  : 2                                
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 1  
Description  : (Not Specified)
Log Id       : n/a                              
Src. IP      : 0.0.0.0/0                        Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : 6                                Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
Sampling     : Off                              Int. Sampling  : On
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Forward                          
Next Hop     : Not Specified                    
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts

Entry        : fSpec-1-32767  - inserted by BGP FLowSpec
Description  : (Not Specified)
Log Id       : n/a                              
Src. IP      : 0.0.0.0/0                        Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : 6                                Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
Sampling     : Off                              Int. Sampling  : On
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop                             
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts

Entry        : fSpec-1-49151  - inserted by BGP FLowSpec
Description  : (Not Specified)
Log Id       : n/a                              
Src. IP      : 0.0.0.0/0                        Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : 17                               Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
Sampling     : Off                              Int. Sampling  : On
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop                             
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts

===============================================================================
*A:Dut-C>config>filter#

Table 12. Output fields: filter IP with filter ID specified

Label

Description

Filter Id

The IP filter policy ID.

Scope

Template — The filter policy is of type template.

Exclusive — The filter policy is of type exclusive.

Entries

The number of entries configured in this filter ID.

Description

The IP filter policy description.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Filter Match Criteria

IP — Indicates the filter is an IP filter policy.

Entry

The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.

ICMP Type

The ICMP type match criterion. Undefined indicates no ICMP type specified.

Fragment

False — Configures a match on all non-fragmented IP packets.

True — Configures a match on all fragmented IP packets.

Off — Fragments are not a matching criteria. All fragments and non-fragments implicitly match.

TCP-syn

False — Configures a match on packets with the SYN flag set to false.

True — Configures a match on packets with the SYN flag set to true.

Off — The state of the TCP SYN flag is not considered as part of the match criteria.

Match action

Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete because no action was specified.

Drop — Drop packets matching the filter entry.

Forward — The explicit action to perform is forwarding of the packet.

Ing. Matches

The number of ingress filter matches or hits for the filter entry.

Src. Port

The source TCP or UDP port number.

Dest. Port

The destination TCP or UDP port number.

Dscp

The DiffServ Code Point (DSCP) name.

ICMP Code

The ICMP code field in the ICMP header of an IP packet.

Option-present

Off — Specifies not to search for packets that contain the option field or have an option field of zero.

On — Matches packets that contain the option field or have an option field of zero.

TCP-ack

False — Configures a match on packets with the ACK flag set to false.

True — Configures a match on packets with the ACK flag set to true.

Off — The state of the TCP ACK flag is not considered as part of the match criteria.

Egr. Matches

The number of egress filter matches or hits for the filter entry.

Sample output with time-range specified
A:ALA-49# show filter ip  10
===============================================================================
IP Filter
===============================================================================
Filter Id    : 10                               Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 2
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 1010
time-range   : day                              Cur. Status    : Inactive
Src. IP      : 0.0.0.0/0                        Src. Port      : None
Dest. IP     : 10.10.100.1/24                   Dest. Port     : None
Protocol     : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Forward
Ing. Matches : 0                                Egr. Matches   : 0

Entry        : 1020
time-range   : night                            Cur. Status    : Active
Src. IP      : 0.0.0.0/0                        Src. Port      : None
Dest. IP     : 10.10.1.1/16                     Dest. Port     : None
Protocol     : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Forward
Ing. Matches : 0                                Egr. Matches   : 0
=============================================================================== 
A:ALA-49#

Sample output: associations
A:ALA-49# show filter ip 1 associations
===============================================================================
IP Filter
===============================================================================
Filter Id    : 1                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 1
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
Service Id   : 1001                             Type           : VPLS
 - SAP    1/1/1:1001   (Ingress)
Service Id   : 2000                             Type           : 
 - SAP    1/1/1:2000   (Ingress)
===============================================================================
A:ALA-49#

A:ALA-49# show filter ip 160 associations
===============================================================================
IP Filter
===============================================================================
Filter Id    : 160                              Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 0
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
Tod-suite "english_suite"
 - ingress, time-range "day" (priority 5)
=============================================================================== 
A:ALA-49#

Table 13. Output fields: filter IP associations

Label

Description

Filter Id

The IP filter policy ID.

Scope

Template — The filter policy is of type Template.

Exclusive — The filter policy is of type Exclusive.

Entries

The number of entries configured in this filter ID.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Service Id

The service ID on which the filter policy ID is applied.

SAP

The Service Access Point on which the filter policy ID is applied.

(Ingress)

The filter policy ID is applied as an ingress filter policy on the interface.

(Egress)

The filter policy ID is applied as an egress filter policy on the interface.

Type

The type of service of the service ID.

Sample output for IP filter counters
Table 14. Output fields: filter IP counters

Label

Description

IP Filter

Filter Id

The IP filter policy ID.

Scope

Template — The filter policy is of type Template.

Exclusive — The filter policy is of type Exclusive.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Filter Match Criteria

IP — Indicates the filter is an IP filter policy.

Entry

The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.

Ing. Matches

The number of ingress filter matches or hits for the filter entry. The ingress counters count the packets with Layer 2 encapsulation.

Egr. Matches

The number of egress filter matches or hits for the filter entry. The egress counters count the packets without Layer 2 encapsulation.

ipv6
Syntax

ipv6 {ipv6-filter-id [entry entry-id] [association | counters]}

Context

show>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays IPv6 filter information.

Parameters
ipv6-filter-id

Displays detailed information for the specified IPv6 filter ID and filter entries.

Values

1 to 65535

entry entry-id

Displays information about the specified IPv6 filter entry ID for the specified filter ID.

Values

1 to 9999

associations

Displays information as to where the IPv6 filter policy ID is applied to the detailed filter policy ID output.

counters

Displays counter information for the specified IPv6 filter ID. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.

Output

The following outputs are examples of IPv6 filter information, and the associated tables describe the output fields.

Sample output
*A:7210SAS>show>filter# ipv6

===============================================================================
IPv6 Filters                                                       Total:     1
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
1         Template Yes
-------------------------------------------------------------------------------
Num IPv6 filters: 1
===============================================================================
*A:7210SAS>show>filter#

Table 15. Output fields: filter IPv6

Label

Description

Filter Id

The IP filter ID.

Scope

Template - The filter policy is of type template.

Exclusive - The filter policy is of type exclusive.

Applied

No - The filter policy ID has not been applied.

Yes - The filter policy ID has been applied.

Description

The IP filter policy description.

Sample output for IPv6 with a filter ID specified
*A:7210SAS>show>filter# ipv6 1

===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 2
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry        : 1
Description  : Test
Src. IP      : 1::1/128                         Src. Port      : None
Dest. IP     : ::/0                             Dest. Port     : None
Next Header  : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
TCP-syn      : Off                              TCP-ack        : Off
Match action : Forward
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts

Entry        : 2
Description  : (Not Specified)
Src. IP      : ::/0                             Src. Port      : None
Dest. IP     : 1:2::1AFC/128                    Dest. Port     : None
Next Header  : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 819 pkts
Egr. Matches : 0 pkts

===============================================================================
*A:7210SAS>show>filter#

Table 16. Output fields: filter IPv6 with filter ID specified

Label

Description

Filter Id

The IP filter policy ID.

Scope

Template — The filter policy is of type template.

Exclusive — The filter policy is of type exclusive.

Entries

The number of entries configured in this filter ID.

Description

The IP filter policy description.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Filter Match Criteria

IP — Indicates the filter is an IP filter policy.

Entry

The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.

Src. IP

The source IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.

Dest. IP

The destination IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.

ICMP Type

The ICMP type match criterion. Undefined indicates no ICMP type specified.

IP-Option

Specifies matching packets with a specific IP option or a range of IP options in the IP header for IP filter match criteria.

TCP-syn

False — Configures a match on packets with the SYN flag set to false.

True — Configures a match on packets with the SYN flag set to true.

Off — The state of the TCP SYN flag is not considered as part of the match criteria.

Match action

Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.

Drop — Drop packets matching the filter entry.

Forward — The explicit action to perform is forwarding of the packet. If the action is Forward, then if configured, the next-hop information should be displayed, including Nexthop: <IP address>, Indirect: <IP address> or Interface: <IP interface name>.

Src. Port

The source TCP or UDP port number or port range.

Dest. Port

The destination TCP or UDP port number or port range.

Dscp

The DiffServ Code Point (DSCP) name.

ICMP Code

The ICMP code field in the ICMP header of an IP packet.

TCP-ack

False — Configures a match on packets with the ACK flag set to false.

True — Configures a match on packets with the ACK flag set to true.

Off — The state of the TCP ACK flag is not considered as part of the match criteria.

Ing. Matches

The number of ingress filter matches or hits for the filter entry.

Egr. Matches

The number of egress filter matches or hits for the filter entry.
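The fields described in Table 16 can be checked mechanically when reviewing many filters. The following is an added example, not code from the original guide or from Nokia: it parses the detailed output shown above and reports what a reviewer would look at first (an unapplied filter, a default action of Forward, inactive entries with no action, and drop entries that are being hit). The function names and the choice of findings are assumptions of this example.

```python
import re

# Output of "show filter ipv6 1", copied from the sample on this page.
SAMPLE = """\
===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 2
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry        : 1
Description  : Test
Src. IP      : 1::1/128                         Src. Port      : None
Dest. IP     : ::/0                             Dest. Port     : None
Next Header  : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
TCP-syn      : Off                              TCP-ack        : Off
Match action : Forward
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts

Entry        : 2
Description  : (Not Specified)
Src. IP      : ::/0                             Src. Port      : None
Dest. IP     : 1:2::1AFC/128                    Dest. Port     : None
Next Header  : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 819 pkts
Egr. Matches : 0 pkts
===============================================================================
"""

# "Label : value" pairs; two pairs may share a line, separated by 2+ spaces.
# Values may contain colons (IPv6 addresses), so a value ends at the gap, not at ':'.
FIELD = re.compile(r"(\S[^:]*?)\s*:\s(.*?)(?:\s{2,}(?=\S)|$)")

def parse_filter(text):
    """Split the output into filter-level fields and a list of per-entry fields."""
    header, entries, current = {}, [], None
    for line in text.splitlines():
        for key, value in FIELD.findall(line.rstrip()):
            if key == "Entry":
                num, _, state = value.partition(" ")
                current = {"Entry": int(num), "Inactive": "(Inactive)" in state}
                entries.append(current)
            elif current is None:
                header[key] = value      # fields before the first Entry line
            else:
                current[key] = value     # fields belonging to the current entry
    return header, entries

def pkts(value):  # "819 pkts" -> 819
    return int(value.split()[0])

def audit(text):
    """Return review findings for one filter, using only fields the output shows."""
    header, entries = parse_filter(text)
    findings = []
    if header.get("Applied") != "Yes":
        findings.append("filter is not applied anywhere")
    if header.get("Def. Action") == "Forward":
        findings.append("default action forwards unmatched packets")
    for e in entries:
        hits = pkts(e.get("Ing. Matches", "0")) + pkts(e.get("Egr. Matches", "0"))
        if e["Inactive"]:
            findings.append(f"entry {e['Entry']}: inactive, no action specified")
        elif e.get("Match action") == "Drop" and hits:
            findings.append(f"entry {e['Entry']}: drop rule hit by {hits} pkts")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```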

Sample output for IPv6 filter associations
*A:7210SAS>show>filter# ipv6 1 associations

===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 2
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Association : IPv6
-------------------------------------------------------------------------------
Service Id   : 1                                Type           : Epipe
 - SAP    1/1/1:1   (Ingress)
Service Id   : 2                                Type           : VPLS
 - SAP    1/1/1:2   (Ingress)
 - SAP    1/1/1:3   (Ingress)
===============================================================================
*A:7210SAS>show>filter#

Table 17. Output fields: filter IPv6 associations

Label

Description

Filter Id

The IPv6 filter policy ID.

Scope

Template — The filter policy is of type Template.

Exclusive — The filter policy is of type Exclusive.

Entries

The number of entries configured in this filter ID.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Description

The IP filter policy description.

Service Id

The service ID on which the filter policy ID is applied.

SAP

The Service Access Point on which the filter policy ID is applied.

(Ingress) The filter policy ID is applied as an ingress filter policy on the interface.

(Egress) The filter policy ID is applied as an egress filter policy on the interface.

Type

The type of service of the service ID.

Sample output for IPv6 filter counters
*A:7210SAS>show>filter# ipv6 1 counters

===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 2
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry        : 1
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts

Entry        : 2
Ing. Matches : 819 pkts
Egr. Matches : 0 pkts

===============================================================================
*A:7210SAS>show>filter#
Table 18. Output fields: filter IPv6 counters

Label

Description

Filter Id

The IPv6 filter policy ID.

Scope

Template — The filter policy is of type Template.

Exclusive — The filter policy is of type Exclusive.

Entries

The number of entries configured in this filter ID.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Description

The IP filter policy description.

Entry

The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.

Ing. Matches

The number of ingress filter matches or hits for the filter entry.

Egr. Matches

The number of egress filter matches or hits for the filter entry.

Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.

mac
Syntax

mac [mac-filter-id [associations | counters] [entry entry-id]]

Context

show>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays MAC filter information. When no parameters are specified, a brief listing of MAC filters is produced.

Parameters
mac-filter-id

Displays detailed information for the specified filter ID and its filter entries.

Values

1 to 65535

associations

Displays information as to where the filter policy ID is applied to the detailed filter policy ID output.

counters

Displays counter information for the specified filter ID.

entry entry-id

Displays information about the specified filter entry ID for the specified filter ID only.

Values

1 to 65535

Output

The following outputs are examples of MAC filter information. The associated tables describe the output fields.

Sample Detailed Output
===============================================================================
Mac Filter : 200
===============================================================================
Filter Id   : 200                              Applied         : No
Scope       : Exclusive                        D. Action       : Drop
Description : Forward SERVER sourced packets
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry       : 200                              FrameType       : 802.2SNAP
Description : Not Available
Src Mac     : 00:00:5a:00:00:00 ff:ff:ff:00:00:00
Dest Mac    : 00:00:00:00:00:00 00:00:00:00:00:00
Dot1p       : Undefined                        Ethertype       : 802.2SNAP
Match action: Forward
Ing. Matches: 0                                Egr. Matches    : 0

Entry       : 300 (Inactive)                   FrameType       : Ethernet
Description : Not Available
Src Mac     : 00:00:00:00:00:00 00:00:00:00:00:00
Dest Mac    : 00:00:00:00:00:00 00:00:00:00:00:00
Dot1p       : Undefined                        Ethertype       : Ethernet
Match action: Default
Ing. Matches: 0                                Egr. Matches    : 0
===============================================================================

Sample output for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 1                                Applied         : No
Scope       : Template                         Def. Action     : Drop
Entries     : 1                                Type            : unknown
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry       : 1 (Inactive)                     
Description : (Not Specified)
Src Mac     :                                    
Dest Mac    :                                    
Outer Dot1p*: none                             Outer Dot1p Mask: none
Inner Dot1p*: none                             Inner Dot1p Mask: none
Outer TagVal: none                             Outer TagMask   : none
Inner TagVal: none                             Inner TagMask   : none
Ethertype   : Undefined                        
Match action: Drop                             
Ing. Matches: 0 pkts                  
Egr. Matches: 0 pkts                  
                                      
===============================================================================
Table 19. Output fields: MAC filter

Label

Description

MAC Filter

Filter Id

The MAC filter policy ID.

Scope

Template — The filter policy is of type Template.

Exclusive — The filter policy is of type Exclusive.

Description

The IP filter policy description.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Filter Match Criteria

MAC — Indicates the filter is a MAC filter policy.

Entry

The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.

Description

The filter entry description.

FrameType

Ethernet — The entry ID match frame type is Ethernet IEEE 802.3.

Ethernet II — The entry ID match frame type is Ethernet Type II.

Src MAC

The source MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion is specified for the filter entry.

Dest MAC

The destination MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion is specified for the filter entry.

Dot1p

The IEEE 802.1p value for the match criteria. Undefined indicates no value is specified.

Outer Dot1p

The IEEE 802.1p value for the match criteria used to match the Dot1p in the outermost VLAN tag. Undefined indicates no value is specified.

Inner Dot1p

The IEEE 802.1p value for the match criteria used to match the Dot1p in the inner VLAN tag. Undefined indicates no value is specified.

Outer TagVal

The VLAN ID value for the match criteria used to match the VLAN ID in the outermost VLAN tag. Undefined indicates no value is specified.

Inner TagVal

The IEEE 802.1p value for the match criteria used to match the Dot1p in the inner VLAN tag. Undefined indicates no value is specified.

Ethertype

The Ethertype value match criterion.

Match action

Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete because no action was specified.

Drop — Packets matching the filter entry criteria will be dropped.

Forward — Packets matching the filter entry criteria are forwarded.

Ing. Matches

The number of ingress filter matches or hits for the filter entry.

Egr. Matches

The number of egress filter matches or hits for the filter entry.

Sample output for MAC filter counters
A:ALA-49# show filter mac 8 counters
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 8                                Applied         : Yes
Scope       : Template                         Def. Action     : Forward
Entries     : 2
Description : Description for Mac Filter Policy id # 8
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry       : 8                                FrameType       : Ethernet
Ing. Matches: 80 pkts 
Egr. Matches: 62 pkts 
  
Entry       : 10                               FrameType       : Ethernet
Ing. Matches: 80 pkts
Egr. Matches: 80 pkts

Table 20. Output fields: filter MAC counters

Label

Description

Mac Filter

Filter Id

The MAC filter policy ID.

Scope

Template — The filter policy is of type Template.

Exclusive — The filter policy is of type Exclusive.

Description

The MAC filter policy description.

Applied

No — The filter policy ID has not been applied.

Yes — The filter policy ID has been applied.

Def. Action

Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.

Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.

Filter Match Criteria

Mac — Indicates the filter is a MAC filter policy.

Entry

The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.

Ing. Matches

The number of ingress filter matches or hits for the filter entry.

Egr. Matches

The number of egress filter matches or hits for the filter entry.

Sample output for MAC filter associations
A:ALA-49# show filter mac 3 associations
===============================================================================
Mac Filter
===============================================================================
Filter ID   : 3                                Applied         : Yes
Scope       : Template                         Def. Action     : Drop
Entries     : 1
-------------------------------------------------------------------------------
Filter Association : Mac
-------------------------------------------------------------------------------
Service Id  : 1001                             Type            : VPLS
 - SAP    1/1/1:1001 (Egress)
===============================================================================
A:ALA-49#
Table 21. Output fields: filter MAC associations

Label

Description

Filter Association

Mac — The filter associations displayed are for a MAC filter policy ID.

Service Id

The service ID on which the filter policy ID is applied.

SAP

The Service Access Point on which the filter policy ID is applied.

Type

The type of service of the Service ID.

(Ingress)

The filter policy ID is applied as an ingress filter policy on the interface.

(Egress)

The filter policy ID is applied as an egress filter policy on the interface.

Clear commands

ip
Syntax

ip ip-filter-id [entry entry-id] [ingress | egress]

Context

clear>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command clears the counters associated with the IP filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Parameters
ip-filter-id

Specifies the IP filter policy ID.

Values

1 to 65535

entry-id

Specifies that only the counters associated with the specified filter policy entry will be cleared.

Values

1 to 65535

ingress

Specifies to only clear the ingress counters.

egress

Specifies to only clear the egress counters.

ipv6
Syntax

ipv6 ip-filter-id [entry entry-id] [ingress | egress]

Context

clear>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command clears the counters associated with the IPv6 filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Parameters
ip-filter-id

Specifies the IP filter policy ID.

Values

1 to 65535

entry-id

Specifies that only the counters associated with the specified filter policy entry will be cleared.

Values

1 to 65535

ingress

Specifies to only clear the ingress counters.

egress

Specifies to only clear the egress counters.

mac
Syntax

mac mac-filter-id [entry entry-id] [ingress | egress]

Context

clear>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command clears the counters associated with the MAC filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Parameters
mac-filter-id

Specifies the MAC filter policy ID.

Values

1 to 65535

entry-id

Specifies that only the counters associated with the specified filter policy entry will be cleared.

Values

1 to 65535

ingress

Specifies to only clear the ingress counters.

egress

Specifies to only clear the egress counters.

Monitor commands

ip
Syntax

ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command monitors the counters associated with the IP filter policy.

Parameters
ip-filter-id

Specifies the IP filter policy ID.

Values

1 to 65535

entry-id

Specifies that only the counters associated with the specified filter policy entry will be monitored.

Values

1 to 65535

interval

Specifies the interval for each display in seconds.

Values

3 to 60

Default

10

repeat repeat

Specifies how many times the command is repeated.

Values

1 to 999

Default

10

absolute

Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.

rate

Displays the rate-per-second for each statistic instead of the delta.

ipv6
Syntax

ipv6 ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command monitors the counters associated with the IPv6 filter policy.

Parameters
ip-filter-id

Specifies the IP filter policy ID.

Values

1 to 65535

entry-id

Specifies that only the counters associated with the specified filter policy entry will be monitored.

Values

1 to 65535

interval

Specifies the interval for each display in seconds.

Values

3 to 60

Default

10

repeat repeat

Specifies how many times the command is repeated.

Values

1 to 999

Default

10

absolute

Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.

rate

Displays the rate-per-second for each statistic instead of the delta.

mac
Syntax

mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command monitors the counters associated with the MAC filter policy.

Parameters
mac-filter-id

Specifies the MAC filter policy ID.

Values

1 to 65535

entry-id

Specifies that only the counters associated with the specified filter policy entry will be monitored.

Values

1 to 65535

interval

Specifies the interval for each display in seconds.

Values

3 to 60

Default

5

repeat repeat

Specifies how many times the command is repeated.

Values

1 to 999

Default

10

absolute

Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.

rate

Displays the rate-per-second for each statistic instead of the delta.

1 VLAN tag matching is supported only on 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C.