Filter Policies
Router Configuration Guide 473
• src-port/dst-port/port – Match for the specified port value, port list, or port range
against the Source Port Number/Destination Port Number of the UDP/TCP/SCTP
packet header. An option to match either source or destination (Logical OR) using a
single filter policy entry is supported by using a directionless “port” command.
Source/destination match is supported only for entries that also define protocol/next-
header match for “TCP”, “UDP”, “SCTP”, or “TCP or UDP” protocols. A non-initial
fragment will never match an entry with non-zero port criteria specified.
• tcp-ack/tcp-syn — Match for the TCP ACK/TCP SYNC flag presence/absence in
the TCP header of the packet. This match is supported only for entries that also define
protocol/next-header match for “TCP” protocol.
• Operational note for upper-layer protocol match criteria – For fragmented
traffic, when non-initial fragments do not contain the L4 header, the L4 match criteria
in the filter policy look-up key are set to zero (0). If a filter policy contains an entry
that specifies L4 zero match criterion (for example, TCP/UDP/SCTP port/src-port/
dst-port eq 0), the non-initial fragment will match the entry if other match criteria are
also met. IPv6 L4 match criteria are supported with up to 6 extension headers present
in the packet.
MAC Filter Policy Entry Match Criteria
The below lists MAC match criteria supported by SR OS routers/switches for all types of
MAC filters (normal, isid, and vid). The criteria are evaluated against the Ethernet header of
the Ethernet frame. Support for a given match criteria may depend on H/W and/or filter
direction as per below description. Match criterion is blocked if it is not supported by a
specified frame-type or MAC filter sub-type. It is recommended not to configure a filter in a
direction or on a H/W where a given match condition is not supported as this may lead to
undesired behavior.
• frame-type — Entering the frame type allows the filter to match for a specific type
of frame format. For example, configuring frame-type ethernet_II will match only
Ethernet-II frames.
• src-mac— Entering the source MAC address allows the filter to search for matching
a source MAC address frames. Operator can optionally configure a mask to be used
in a match.
• dst-mac— Entering the destination MAC address allows the filter to search for
matching destination MAC address frames. Operator can optionally configure a
mask to be used in a match.
• dot1p — Entering an IEEE 802.1p value allows the filter to search for matching
802.1p frames. Operator can optionally configure a mask to be used in a match.
• etype— Entering an Ethertype value allows the filter to search for matching Ethernet
II frames. The Ethernet type field is a two-byte field used to identify the protocol
carried by the Ethernet frame.
To Next Page
Loading...
