3.8. Filter Command Reference

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

3.8.2.1.2. Global Filter Commands

ip-filter

Syntax

[no] ip-filter filter-id [use-ipv6-resource] [create]

Context

config>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context to configure for an IP filter policy.

IP-filter policies specify either a forward or a drop action for packets based on the specified match criteria.

The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services as long as the scope of the policy is template.

Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied. For this reason, when many changes are required on an ip-filter policy,Nokia recommends that the policy be copied to a work area. That work-in-progress policy can be modified until complete and then written over the original filter policy. Use the config filter copy command to maintain policies in this manner.

By default, when an IPv4 filter policy is associated with a service entity (For example: SAP), the software attempts to allocate resources for the filter policy entries from the IPv4 resource pool. If resources unavailable in the pool, then the software fails to associate and display an error. If the user knows that resources are free in the IPv6 resource pool, then the use-ipv6-resource parameter is used to allow the user to share the entries in the resource chunks allocated for use by IPv6 128-bit resource pool, if available. If this parameter is specified then the resource for this filter policy is always allocated from the IPv6 128-bit filter resource pool.

Note:

By default, IPv4 filters are created using IPv4 resources, assuming an unspecified use-ipv6-resource. If such filters are to be created using IPv6 resources, the use-ipv6-resource option needs to be specified. Ahead of the application of such a filter, the user should ensure the number of policies in the newly created policy is within the limit of available resources in the IPv6 128-bit resource pool, by considering the dump of the tools dump system-resources command.

The no form of this command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all SAPs where it is applied.

Parameters

filter-id—

Specifies the IP filter policy ID number.

Values—

1 to 65535

create—

Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.

use-ipv6-resource—

Specifies that the hardware resources for the entries in this filter policy must be allocated from the IPv6 filter resource pool, if available.

ipv6-filter

Syntax

[no] ipv6-filter ipv6-filter-id [ipv6-128bit-address | ipv6-64bit-address] [create]

Context

config>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context to create IPv6 filter policy. During IIPv6 filter creation, the user must specify if IPv6 addresses, both source and destination IPv6 addresses, specified in the match criteria uses complete 128-bits or uses only the upper 64 bits of the IPv6 addresses.

The no form of this command deletes the IPv6 filter policy. A filter policy cannot be deleted until it is removed from all SAPs or network ports where it is applied

Default

128-bit addresses

Parameters

ipv6-filter-id—

Specifies the IPv6 filter policy ID number.

Values—

1 to 65535

ipv6-128bit-address—

Specifies that if the user intends to use complete 128-bit addresses, then the user requires the ipv6-128bit-address CLI parameter with the create command. When this policy is associated with a SAP, the software allocates resources for the filter entries from the IPv6 128-bit resource pool for the SAP.

ipv6-64bit-address—

Specifies that if the user intends to use upper most significant bit (MSB) 64-bit addresses, then the user requires the ipv6-64bit-address CLI parameter with the create command. When this policy is associated with a SAP, software allocates resources for the filter entries from the IPv6 64-bit resource pool for the SAP. All the IP packet fields are not available for match are when using 64-bit addresses. For more information, see Configuration Notes, to know the packet header fields available for matching when using this option.

create—

Specifies the keyword required when first creating the configuration context. After the context is created, one can navigate into the context without the create keyword.

mac-filter

Syntax

[no] mac-filter filter-id [create]

Context

config>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context for a MAC filter policy.

The mac-filter policy specifies either a forward or a drop action for packets based on the specified match criteria.

The mac-filter policy, sometimes referred to as an access control list, is a template that can be applied to multiple services as long as the scope of the policy is template.

Note:

A MAC filter policy cannot be applied to network ports on the 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.

Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied. For this reason, when many changes are required on a mac-filter policy, Nokia recommends that the policy be copied to a work area. That work-in-progress policy can be modified until complete and then written over the original filter policy. Use the config filter copy command to maintain policies in this manner.

The no form of this command deletes the mac-filter policy. A filter policy cannot be deleted until it is removed from all SAP where it is applied.

Parameters

filter-id—

Specifies the MAC filter policy ID number.

Values—

1 to 65535

create—

Specifies that when the context is created, one can navigate into the context without the create keyword. This keyword is required when first creating the configuration context.

3.8.2.1.3. Filter Policy Commands

default-action

Syntax

default-action {drop | forward}

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter.

When multiple default-action commands are entered, the last command will overwrite the previous command.

Default

drop

Parameters

drop—

Specifies all packets will be dropped unless there is a specific filter entry which causes the packet to be forwarded.

forward—

Specifies all packets will be forwarded unless there is a specific filter entry which causes the packet to be dropped.

scope

Syntax

scope {exclusive | template}

no scope

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the filter policy scope as exclusive or template. If the scope of the policy is template and is applied to one or more services or network interfaces, the scope cannot be changed.

The no form of this command reverts the scope of the policy to the default.

Default

template

Parameters

exclusive—

Specifies that the policy can only be applied to a single entity (SAP). Attempting to assign the policy to a second entity will result in an error message. If the policy is removed from the entity, it will become available for assignment to another entity.

template—

Specifies that the policy can be applied to multiple SAPs.

3.8.2.1.4. General Filter Entry Commands

entry

Syntax

entry entry-id [time-range time-range-name] [create]

no entry entry-id

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context to create or edit an IP or MAC filter entry. Multiple entries can be created using unique entry-id numbers within the filter. The implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have the action command for it to be considered complete. Entries without the action command will be considered incomplete and therefore will be rendered inactive.

The no form of this command removes the specified entry from the IP or MAC filter. Entries removed from the IP or MAC filter are immediately removed from all services or network ports where that filter is applied.

Parameters

entry-id—

Specifies a match criteria and the corresponding action. Nokia recommends that multiple entries be given entry-ids in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.

Values—

1 to 65535

time-range time-range-name—

Specifies the time range name to be associated with this filter entry, up to 32 characters. The time-range name must already exist in the config>cron context.

create—

Specifies that when the context is created, one can navigate into the context without the create keyword. This keyword is required when first creating the configuration context.

3.8.2.1.5. IP Filter Entry Commands

action

Syntax

action [drop]

action forward

no action

Context

config>filter>ip-filter>entry

config>filter>ipv6-filter>entry

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies to match packets with a specific IP option or a range of IP options in the first option of the IP header as an IP filter match criterion. The action keyword must be entered and a keyword specified in order for the entry to be active.

Multiple action statements entered will overwrite previous actions parameters when defined.

The no form of this command removes the specified action statement. The filter entry is considered incomplete and therefore rendered inactive without the action keyword.

Parameters

drop —

Specifies packets matching the entry criteria will be dropped.

forward —

Specifies packets matching the entry criteria will be forwarded.

match

Syntax

match [protocol protocol-id]

no match

Context

config>filter>ip-filter>entry

config>filter>ipv6-filter>entry

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context to enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Parameters

protocol—

Specifies an IP protocol to be used as an IP filter match criterion. The protocol type, such as TCP or UDP, is identified by its respective protocol number.

protocol-id—

Specifies the decimal value representing the IP protocol to be used as an IP filter match criterion. Common protocol numbers include ICMP(1), TCP(6), and UDP(17) (see Table 41). The value can be expressed in decimal, hexadecimal, or binary.

Values—

0 to 255

Table 41: IP Protocol IDs and Descriptions

Protocol ID	Protocol	Description
1	icmp	Internet Control Message
2	igmp	Internet Group Management
4	ip	IP in IP (encapsulation)
6	tcp	Transmission Control
8	egp	Exterior Gateway Protocol
9	igp	Any private interior gateway
17	udp	User Datagram
27	rdp	Reliable Data Protocol
45	idrp	Inter-Domain Routing Protocol
46	rsvp	Reservation Protocol
80	iso-ip	ISO Internet Protocol
88	eigrp	EIGRP
89	ospf-igp	OSPFIGP
97	ether-ip	Ethernet-within-IP Encapsulation
98	encap	Encapsulation Header
102	pnni	PNNI over IP
103	pim	Protocol Independent Multicast
112	vrrp	Virtual Router Redundancy Protocol
115	l2tp	Layer Two Tunneling Protocol
118	stp	Schedule Transfer Protocol
123	ptp	Performance Transparency Protocol
124	isis	ISIS over IPv4
126	crtp	Combat Radio Transport Protocol
127	crudp	Combat Radio User Datagram

3.8.2.1.6. MAC Filter Entry Commands

action

Syntax

action drop

action forward

no action

Context

config>filter>mac-filter>entry

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the action for a MAC filter entry. The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive.

If neither drop nor forward is specified, this is considered a No-Op filter entry used to explicitly set a filter entry inactive without modifying match criteria or removing the entry.

Multiple action statements entered will overwrite previous actions parameters when defined. To remove a parameter, use the no form of the action command with the specified parameter.

The no form of this command removes the specified action statement. The filter entry is considered incomplete and therefore rendered inactive without the action keyword.

Parameters

drop —

Specifies packets matching the entry criteria will be dropped.

forward —

Specifies packets matching the entry criteria will be forwarded.

match

Syntax

match

no match

Context

config>filter>mac-filter>entry

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context for entering or editing match criteria for the filter entry and specifies an Ethernet frame type for the entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, then all criteria must be satisfied (AND function) before the action associated with the match will be executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Parameters

frame-type keyword—

Specifies an Ethernet frame type to be used for the MAC filter match criteria.

ethernet_II—

Specifies the frame type is Ethernet Type II.

3.8.2.1.7. IP Filter Match Criteria Commands

dscp

Syntax

dscp dscp-name

no dscp

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.

The no form of this command removes the DSCP match criterion.

Default

no dscp

Parameters

dscp-name—

Specifies a dscp name that has been previously mapped to a value using the dscp-name command. The DiffServ code point may only be specified by its name.

Values—

be | cp1 | cp2 | cp3 | cp4 | cp5 | cp6 | cp7 | cs1 | cp9 | af11 | cp11 | af12 | cp13 | af13 | cp15 | cs2 | cp17 | af21 | cp19 | af22 | cp21 | af23 | cp23

dst-ip

Syntax

dst-ip {ip-address/mask | ip-address ipv4-address-mask}

no dst-ip

Context

config>filter>ip-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination IP address range to be used as an IP filter match criterion.

To match on the destination IP address, specify the address and its associated mask, e.g. 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of this command removes the destination IPv4 address match criterion.

Default

none

Parameters

ip-address—

Specifies the IP prefix for the IP match criterion in dotted decimal notation.

Values—

a.b.c.d

mask—

Specifies the subnet mask length expressed as a decimal integer.

Values—

0 to 32

ipv4-address-mask—

Specifies any mask expressed in dotted quad notation.

Values—

0 to 255

dst-ip

Syntax

dst-ip {ipv6-address/prefix-length}

no dst-ip

Context

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination IPv6 address range to be used as an IP filter match criterion.

To match on the destination IPv6 address, specify the address and its associated mask.

The no form of this command removes the destination IPv6 address match criterion.

Default

none

Parameters

ipv6-address—

Specifies the IPv6 prefix for the IP match criterion in hex digits.

Values—

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - 0 to FFFF (hexadecimal)

d - 0 to 255 (decimal)

prefix-length—

Specifies the IPv6 prefix length for the IPv6 address as a decimal integer.

Values—

1 to 128

dst-port

Syntax

dst-port {eq} dst-port-number

no dst-port

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination TCP or UDP port number for an IP filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the destination port match criterion.

Default

none

Parameters

dst-port-number—

Specifies the destination port number to be used as a match criteria expressed as a decimal integer.

Values—

1 to 65535

eh-present

Syntax

eh-present {true | false}

no eh-present

Context

config>filter>ipv6-filter>entry>match

Supported Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command allows the user to specify if the presence of the IPv6 extension header should be used to match an IPv6 packet.

The no form of this command removes the match criterion.

Default

no eh-present

Parameters

true—

Specifies to match an IPv6 packet with an extension header.

false—

Specifies to match an IPv6 packet without an extension header.

fragment

Syntax

fragment {true | false}

no fragment

Context

config>filter>ip-filter>entry>match

Supported Platforms

7210 SAS-Dxp, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures fragmented or non-fragmented IPv4 packets as IP filter match criteria.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the match criterion.

Default

no fragment

Parameters

true—

Specifies to match on all fragmented IPv4 packets. A match will occur for all packets that have either the more fragment (MF) bit set or have the Fragment Offset field of the IPv4 header set to a non-zero value.

false—

Specifies to match on all non-fragmented IPv4 packets. Non-fragmented IPv4 packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.

fragment

Syntax

fragment {true | false | first-only | non-first-only}

no fragment

Context

config>filter>ipv6-filter>entry>match

Supported Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures fragmented or non-fragmented IPv6 packets as IP filter match criteria.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the match criterion.

Default

no fragment

Parameters

true—

Specifies to match on all fragmented IPv6 packets. A match will occur for all packets that have either the more fragment (MF) bit set or have the Fragment Offset field of the IPv6 header set to a non-zero value.

false—

Specifies to match on all non-fragmented IPv6 packets. Non-fragmented IPv6 packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.

first-only—

Specifies to match if a packet is an initial fragment of a fragmented IPv6 packet.

non-first-only—

Specifies to match if a packet is a non-initial fragment of a fragmented IPv6 packet.

icmp-code

Syntax

icmp-code icmp-code

no icmp-code

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the ICMP code field in the ICMP header of an IP packet as a filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

For an IPv4 filter, this command applies only if the protocol match criterion specifies ICMP (1).

For an IPv6 filter, this command applies only if the next header match criterion specifies ipv6-icmp (58).

The no form of this command removes the criterion from the match entry.

Default

no icmp-code

Parameters

icmp-code—

Specifies the ICMP code values that must be present to match.

Values—

icmp-code-number or icmp-code-keyword

icmp-code-number—

Specifies the ICMP code number in decimal, hexidecimal, or binary, to be used as a match criterion.

Values—

0 to 255 (decimal)

0x0 to 0xFF (hexadecimal)

0b0 to 0b11111111 (binary)

icmp-code-keyword—

Specifies the ICMP code keyword to be used as a match criterion.

Values—

icmp-type

Syntax

icmp-type icmp-type

no icmp-type

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the ICMP type field in the ICMP header of an IP packet as a filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

For an IPv4 filter, this command applies only if the protocol match criterion specifies ICMP (1).

For an IPv6 filter, this command applies only if the next header match criterion specifies ipv6-icmp (58).

The no form of this command removes the criterion from the match entry.

Default

no icmp-type

Parameters

icmp-type—

Specifies the ICMP type values that must be present to match.

Values—

icmp-type-number or icmp-type-keyword

icmp-type-number—

Specifies the ICMP type number in decimal, hexidecimal, or binary, to be used as a match criterion.

Values—

0 to 255 (decimal)

0x0 to 0xFF (hexadecimal)

0b0 to 0b11111111 (binary)

icmp-type-keyword—

Specifies the ICMP type keyword to be used as a match criterion.

Values—

option-present

Syntax

option-present {true | false}

no option-present

Context

config>filter>ip-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document.

Description

This command configures matching packets that contain the option field in the IP header as an IP filter match criterion.

The no form of this command removes the checking of the option field in the IP header as a match criterion.

Parameters

true—

Specifies matching on all IP packets that contain the option field in the header. A match will occur for all packets that have the option field present.

false—

Specifies matching on IP packets that do not have any option field present in the IP header.

src-ip

Syntax

src-ip {ip-address/mask | ip-address ipv4-address-mask}

no src-ip

Context

config>filter>ip-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source IPv4 address range to be used as an IP filter match criterion.

To match on the source IPv4 address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of this command removes the source IPv4 address match criterion.

Default

no src-ip

Parameters

ip-address—

Specifies the IPv4 prefix for the IP match criterion in dotted decimal notation.

Values—

a.b.c.d

mask—

Specifies the subnet mask length, expressed as a decimal integer.

Values—

0 to 32

ipv4-address-mask—

Specifies any mask, expressed in dotted quad notation.

Values—

0 to 255

src-ip

Syntax

src-ip {ipv6-address/prefix-length}

no src-ip

Context

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source IPv6 address range to be used as an IP filter match criterion.

To match on the source IPv6 address, specify the address and its associated mask.

If the filter is created to match 64-bit address, the IPv6 address specified for the match must contain only the first 64-bits (that is, the first four 16-bit groups of the IPv6 address).

The no form of this command removes the source IPv6 address match criterion.

Default

no src-ip

Parameters

ipv6-address—

Specifies the IPv6 prefix for the IP match criterion in hex digits.

Values—

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - 0 to FFFF (hexadecimal)

d - 0 to 255 (decimal)

prefix-length—

Specifies the IPv6 prefix length for the IPv6 address as a decimal integer.

Values—

1 to 128

src-port

Syntax

src-port {eq} src-port-number

no src-port

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source TCP or UDP port number for an IP filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the L4 information.

The no form of this command removes the source port match criterion.

Default

no src-port

Parameters

src-port-number—

Specifies the source port number to be used as a match criteria, expressed as a decimal integer.

Values—

0 to 65535

tcp-ack

Syntax

tcp-ack {true | false}

no tcp-ack

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the L4 information.

The no form of this command removes the criterion from the match entry.

Default

no tcp-ack

Parameters

true—

Specifies matching on IP packets that have the ACK bit set in the control bits of the TCP header of an IP packet.

false—

Specifies matching on IP packets that do not have the ACK bit set in the control bits of the TCP header of the IP packet.

tcp-syn

Syntax

tcp-syn {true | false}

no tcp-syn

Context

config>filter>ip-filter>entry>match

config>filter>ipv6-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The SYN bit is normally set when the source of the packet needs to initiate a TCP session with the specified destination IP address.

Note:

An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the L4 information.

The no form of this command removes the criterion from the match entry.

Default

no tcp-syn

Parameters

true—

Specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header.

false—

Specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header.

3.8.2.1.8. MAC Filter Match Criteria Commands

dot1p

Syntax

dot1p ip-value [mask]

no dot1p

Context

config>filter>mac-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures an IEEE 802.1p value or range to be used as a MAC filter match criterion.

When a frame is missing the 802.1p bits, specifying an dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry.

The no form of this command removes the criterion from the match entry.

Egress Dot1p values used for matching will correspond to the Dot1p values used for remarking.

Default

no dot1p

Parameters

ip-value—

Specifies the IEEE 802.1p value in decimal.

Values—

0 to 7

mask—

Specifies a 3-bit mask that can be configured using the following formats:

Format Style	Format Syntax	Example
Decimal	D	4
Hexadecimal	0xH	0x4
Binary	0bBBB	0b100

To select a range from 4 up to 7 specify p-value of 4 and a mask of 0b100 for value and mask.

Values—

1 to 7 (decimal)

Default—

dst-mac

Syntax

dst-mac ieee-address [mask]

no dst-mac

Context

config>filter>mac-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a destination MAC address or range to be used as a MAC filter match criterion.

The no form of this command removes the destination mac address as the match criterion.

Default

no dst-mac

Parameters

ieee-address—

Specifies the MAC address to be used as a match criterion.

Values—

HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit

mask—

Specifies a 48-bit mask to match a range of MAC address values.

This 48-bit mask can be configured using the following formats:

Format Style	Format Syntax	Example
Decimal	DDDDDDDDDDDDDD	281474959933440
Hexadecimal	0xHHHHHHHHHHHH	0xFFFFFF000000
Binary	0bBBBBBBB...B	0b11110000...B

To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 0003FA000000 0xFFFFFF000000

Values—

HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit

Default—

0xFFFFFFFFFFFF (exact match)

etype

Syntax

etype ethernet-type

no etype

Context

config>filter>mac-filter>entry>match

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures an Ethernet type II Ethertype value for use as a MAC filter match criterion.

The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.

The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field.

For the 7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C platforms, the dataplane processes a maximum of two VLAN tags in a received packet. The Ethertype used in the MAC matching criteria for ACLs is the Ethertype that is found in the packet after processing single-tagged frames, double-tagged frames, and no-tag frames

The packet is considered to have no tags if at least one of the following criteria is true:

the packet is a null-tagged frame
the packet is a priority-tagged frame
the outermost Ethertype does not match the default Ethertype (0x8100)
the outermost Ethertype does not match the configured dot1q-etype on Dot1q encapsulated ports
the outermost Ethertype does not match the configured qinq-etype on QinQ encapsulated ports

The packet is considered to have a single tag if at least one of the following criteria is true:

the outermost Ethertype matches the default Ethertype (0x8100)
the outermost Ethertype matches the configured dot1q-etype on Dot1q encapsulated ports
the outermost Ethertype matches the configured qinq-etype on QinQ encapsulated ports

The packet is considered to have double tags if at least one of the following criteria is true:

the outermost Ethertype matches the default Ethernet type (0x8100)
the configured dot1q-etype on Dot1q encapsulated ports and the immediately following Ethertype match the default Ethertype (0x8100)
the configured qinq-etype on QinQ encapsulated ports and the immediately following Ethertype match the default Ethertype (0x8100)

The no form of this command removes the previously entered etype field as the match criteria.

Default

no etype

Parameters

ethernet-type—

Specifies the Ethernet type II frame Ethertype value to be used as a match criterion, expressed in hexadecimal.

Values—

0x0600 to 0xFFFF

inner-dot1p

Syntax

inner-dot1p value [vid-mask]

no inner-dot1p

Context

config>filter>mac-filter>entry>match

Supported Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures the Dot1p value to be used to match against the Dot1p value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.

The no form of this command removes the previously entered Dot1p value as the match criteria.

Default

no inner-dot1p

Parameters

dot1p-value—

Specifies the Dot1p value to match.

Values—

0 to 7

dot1p-mask—

Specifies the mask value to match a range of Dot1p values. The value can be expressed in decimal or binary.

Values—

0 to 7

inner-tag

Syntax

inner-tag value [vid-mask]

no inner-tag

Context

config>filter>mac-filter>entry>match

Supported Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures the VLAN value to be used to match against the VLAN value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.

The optional vid_mask is defaulted to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value & vid-mask) = = (tag & vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.

The no form of this command removes the previously entered VLAN tag value as the match criteria.

Default

no inner-tag

Parameters

value—

Specifies the VLAN value to use for the match

Values—

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

vid-mask—

Specifies the mask value to match a range of VLAN values.

Values—

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

outer-dot1p

Syntax

outer-tag value [vid-mask]

no outer-tag

Context

config>filter>mac-filter>entry>match

Supported Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

The command configures the Dot1p value to be used to match against the Dot1p value in the outermost tag of the received packet.

The no form of this command removes the previously entered Dot1p value as the match criteria.

Default

no outer-dot1p

Parameters

dot1p-value—

Specifies the Dot1p value to match.

Values—

0 to 7

dot1p-mask—

Specifies the mask value to match a range of Dot1p values. The value can be expressed in decimal or hexadecimal.

Values—

0 to 7

outer-tag

Syntax

outer-tag value [vid-mask]

no outer-tag

Context

config>filter>mac-filter>entry>match

Supported Platforms

7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

Description

This command configures the VLAN value to be used to match against the VLAN value in the inner tag (the one that follows the outermost tag in the packet) of the received packet.

The no form of this command removes the previously entered VLAN tag value as the match criteria.

Default

no outer-tag

Parameters

value—

Specifies the VLAN value to use for the match

Values—

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

vid-mask—

Specifies the mask value to match a range of VLAN values.

Values—

0 to 4095 (decimal) or 0x0 to 0xFFF (hexadecimal)

src-mac

Syntax

src-mac ieee-address [ieee-address-mask]

no src-mac

Context

config>filter>mac-filter>entry

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a source MAC address or range to be used as a MAC filter match criterion.

The no form of this command removes the source mac as the match criteria.

Default

no src-mac

Parameters

ieee-address—

Specifies the 48-bit IEEE mac address to be used as a match criterion.

Values—

HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit

ieee-address-mask—

Specifies a 48-bit mask that can be configured using:

Format Style	Format Syntax	Example
Decimal	DDDDDDDDDDDDDD	281474959933440
Hexadecimal	0xHHHHHHHHHHHH	0x0FFFFF000000
Binary	0bBBBBBBB...B	0b11110000...B

To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000

Values—

0x00000000000000 to 0xFFFFFFFFFFFF (hexadecimal)

Default—

0xFFFFFFFFFFFF

3.8.2.1.9. Policy and Entry Maintenance Commands

copy

Syntax

copy {ip-filter | mac-filter} source-filter-id dest-filter-id dest-filter-id [overwrite]

Context

config>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command copies existing filter list entries for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new filters using existing filters. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.

If overwrite is not specified, an error will occur if the destination policy ID exists.

Parameters

ip-filter—

Specifies that the source-filter-id and the dest-filter-id are IP filter IDs.

mac-filter—

Specifies that the source-filter-id and the dest-filter-id are MAC filter IDs.

source-filter-id—

Specifies the source filter policy from which the copy command will attempt to copy. The filter policy must exist within the context of the preceding keyword (ip-filter or mac-filter).

dest-filter-id—

Specifies the destination filter policy to which the copy command will attempt to copy. If the overwrite keyword does not follow, the filter policy ID cannot already exist within the system for the filter type the copy command is issued for. If the overwrite keyword is present, the destination policy ID may or may not exist.

overwrite—

Specifies that the destination filter ID may exist. If it does, everything in the existing destination filter ID will be completely overwritten with the contents of the source filter ID. If the destination filter ID exists, either overwrite must be specified or an error message will be returned. If overwrite is specified, the function of copying from source to destination occurs in a ‘break before make’ manner and therefore should be handled with care.

filter-name

Syntax

filter-name filter-name

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the filter-name attribute of a specific filter. When configured, filter-name can be used instead of filter ID to reference the specific policy in the CLI.

Default

no filter-name

Parameters

filter-name—

Specifies a string of up to 64 characters uniquely identifying this filter policy.

renum

Syntax

renum old-entry-id new-entry-id

Context

config>filter>ip-filter

config>filter>ipv6-filter

config>filter>mac-filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command renumbers existing MAC or IP filter entries to properly sequence filter entries. This may be required in some cases since the OS exits when the first match is found and executes the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.

Parameters

old-entry-id—

Specifies the entry number of an existing entry.

Values—

1 to 65535

new-entry-id—

Specifies the new entry-number to be assigned to the old entry.

Values—

1 to 65535

3.8.2.2. Show Commands

ip

Syntax

ip ip-filter-id [association | counters]

ip ip-filter-id entry entry-id [counters]

Context

show>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays IP filter information.

Parameters

ip-filter-id—

Displays detailed information for the specified filter ID and its filter entries.

Values—

1 to 65535

entry entry-id—

Displays information about the specified filter entry ID for the specified filter ID only.

Values—

1 to 65535

associations—

Displays information as to where the filter policy ID is applied to the detailed filter policy ID output.

counters—

Displays counter information for the specified filter ID. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.

type entry-type—

Displays information about the specified filter ID for the specified entry-type only

Output

The following outputs are examples of IP filter information, and the associated tables describe the output fields.

Sample Output, Table 42
Sample Output with IP Filter ID Specified, Table 43
Sample Ouput with Time-range Specified
Sample Output: Associations, Table 44
Sample Output for IP Filter Counters, Table 45

Sample Output

A:ALA-49# show filter ip

===============================================================================

IP Filters

===============================================================================

Filter-Id Scope Applied Description

-------------------------------------------------------------------------------

1 Template Yes

3 Template Yes

6 Template Yes

10 Template No

11 Template No

-------------------------------------------------------------------------------

Num IP filters: 5

===============================================================================

A:ALA-49#

*A:Dut-C>config>filter# show filter ip

===============================================================================

IP Filters Total: 2

===============================================================================

Filter-Id Scope Applied Description

-------------------------------------------------------------------------------

10001 Template Yes

fSpec-1 Template Yes BGP FlowSpec filter for the Base router

-------------------------------------------------------------------------------

Num IP filters: 2

===============================================================================

*A:Dut-C>config>filter#

Table 42: Output Fields: Filter IP

Label	Description
Filter Id	The IP filter ID.
Scope	Template — The filter policy is of type template.
Scope	Exclusive — The filter policy is of type exclusive.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Description	The IP filter policy description.

Sample Output with IP Filter ID Specified

A:ALA-49>config>filter# show filter ip 3

===============================================================================

IP Filter

===============================================================================

Filter Id : 3 Applied : Yes

Scope : Template Def. Action : Drop

Entries : 1

-------------------------------------------------------------------------------

Filter Match Criteria : IP

-------------------------------------------------------------------------------

Entry : 10

Src. IP : 10.1.1.1/24 Src. Port : None

Dest. IP : 0.0.0.0/0 Dest. Port : None

Protocol : 2 Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

TCP-syn : Off TCP-ack : Off

Match action : Drop

Ing. Matches : 0 Egr. Matches : 0

===============================================================================

A:ALA-49>config>filter#

*A:Dut-C>config>filter# show filter ip fSpec-1 associations

===============================================================================

IP Filter

===============================================================================

Filter Id : fSpec-1 Applied : Yes

Scope : Template Def. Action : Forward

Radius Ins Pt: n/a

CrCtl. Ins Pt: n/a

Entries : 2 (insert By Bgp)

Description : BGP FlowSpec filter for the Base router

-------------------------------------------------------------------------------

Filter Association : IP

-------------------------------------------------------------------------------

Service Id : 1 Type : IES

- SAP 1/1/3:1.1 (merged in ip-fltr 10001)

===============================================================================

*A:Dut-C>config>filter#

*A:Dut-C>config>filter# show filter ip 10001

===============================================================================

IP Filter

===============================================================================

Filter Id : 10001 Applied : Yes

Scope : Template Def. Action : Drop

Radius Ins Pt: n/a

CrCtl. Ins Pt: n/a

Entries : 1

BGP Entries : 2

Description : (Not Specified)

-------------------------------------------------------------------------------

Filter Match Criteria : IP

-------------------------------------------------------------------------------

Entry : 1

Description : (Not Specified)

Log Id : n/a

Src. IP : 0.0.0.0/0 Src. Port : None

Dest. IP : 0.0.0.0/0 Dest. Port : None

Protocol : 6 Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

Fragment : Off Option-present : Off

Sampling : Off Int. Sampling : On

IP-Option : 0/0 Multiple Option: Off

TCP-syn : Off TCP-ack : Off

Match action : Forward

Next Hop : Not Specified

Ing. Matches : 0 pkts

Egr. Matches : 0 pkts

Entry : fSpec-1-32767 - inserted by BGP FLowSpec

Description : (Not Specified)

Log Id : n/a

Src. IP : 0.0.0.0/0 Src. Port : None

Dest. IP : 0.0.0.0/0 Dest. Port : None

Protocol : 6 Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

Fragment : Off Option-present : Off

Sampling : Off Int. Sampling : On

IP-Option : 0/0 Multiple Option: Off

TCP-syn : Off TCP-ack : Off

Match action : Drop

Ing. Matches : 0 pkts

Egr. Matches : 0 pkts

Entry : fSpec-1-49151 - inserted by BGP FLowSpec

Description : (Not Specified)

Log Id : n/a

Src. IP : 0.0.0.0/0 Src. Port : None

Dest. IP : 0.0.0.0/0 Dest. Port : None

Protocol : 17 Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

Fragment : Off Option-present : Off

Sampling : Off Int. Sampling : On

IP-Option : 0/0 Multiple Option: Off

TCP-syn : Off TCP-ack : Off

Match action : Drop

Ing. Matches : 0 pkts

Egr. Matches : 0 pkts

===============================================================================

*A:Dut-C>config>filter#

Table 43: Output Fields: Filter IP with Filter ID Specified

Label	Description
Filter Id	The IP filter policy ID.
Scope	Template — The filter policy is of type template.
Scope	Exclusive — The filter policy is of type exclusive.
Entries	The number of entries configured in this filter ID.
Description	The IP filter policy description.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria	IP — Indicates the filter is an IP filter policy.
Entry	The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
ICMP Type	The ICMP type match criterion. Undefined indicates no ICMP type specified.
Fragment	False — Configures a match on all non-fragmented IP packets.
	True — Configures a match on all fragmented IP packets.
	Off — Fragments are not a matching criteria. All fragments and non-fragments implicitly match.
TCP-syn	False — Configures a match on packets with the SYN flag set to false.
	True — Configured a match on packets with the SYN flag set to true.
	Off — The state of the TCP SYN flag is not considered as part of the match criteria.
Match action	Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete, no action was specified.
	Drop — Drop packets matching the filter entry.
	Forward — The explicit action to perform is forwarding of the packet.
Ing. Matches	The number of ingress filter matches or hits for the filter entry.
Src. Port	The source TCP or UDP port number.
Dest. Port	The destination TCP or UDP port number.
Dscp	The DiffServ Code Point (DSCP) name.
ICMP Code	The ICMP code field in the ICMP header of an IP packet.
Option-present	Off — Specifies not to search for packets that contain the option field or have an option field of zero.
Option-present	On — Matches packets that contain the option field or have an option field of zero be used as IP filter match criteria.
TCP-ack	False — Configures a match on packets with the ACK flag set to false.
	True — Configures a match on packets with the ACK flag set to true.
	Off — The state of the TCP ACK flag is not considered as part of the match criteria. as part of the match criteria.
Egr. Matches	The number of egress filter matches or hits for the filter entry.

Sample Ouput with Time-range Specified

A:ALA-49# show filter ip 10

===============================================================================

IP Filter

===============================================================================

Filter Id : 10 Applied : No

Scope : Template Def. Action : Drop

Entries : 2

-------------------------------------------------------------------------------

Filter Match Criteria : IP

-------------------------------------------------------------------------------

Entry : 1010

time-range : day Cur. Status : Inactive

Src. IP : 0.0.0.0/0 Src. Port : None

Dest. IP : 10.10.100.1/24 Dest. Port : None

Protocol : Undefined Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

Fragment : Off Option-present : Off

TCP-syn : Off TCP-ack : Off

Match action : Forward

Ing. Matches : 0 Egr. Matches : 0

Entry : 1020

time-range : night Cur. Status : Active

Src. IP : 0.0.0.0/0 Src. Port : None

Dest. IP : 10.10.1.1/16 Dest. Port : None

Protocol : Undefined Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

Fragment : Off Option-present : Off

TCP-syn : Off TCP-ack : Off

Match action : Forward

Ing. Matches : 0 Egr. Matches : 0

===============================================================================

A:ALA-49#

Sample Output: Associations

A:ALA-49# show filter ip 1 associations

===============================================================================

IP Filter

===============================================================================

Filter Id : 1 Applied : Yes

Scope : Template Def. Action : Drop

Entries : 1

-------------------------------------------------------------------------------

Filter Association : IP

-------------------------------------------------------------------------------

Service Id : 1001 Type : VPLS

- SAP 1/1/1:1001 (Ingress)

Service Id : 2000 Type :

- SAP 1/1/1:2000 (Ingress)

===============================================================================

A:ALA-49#

A:ALA-49# show filter ip 160 associations

===============================================================================

IP Filter

===============================================================================

Filter Id : 160 Applied : No

Scope : Template Def. Action : Drop

Entries : 0

-------------------------------------------------------------------------------

Filter Association : IP

-------------------------------------------------------------------------------

Tod-suite "english_suite"

- ingress, time-range "day" (priority 5)

===============================================================================

A:ALA-49#

Table 44: Output Fields: Filter IP Associations

Label	Description
Filter Id	The IP filter policy ID.
Scope	Template — The filter policy is of type Template.
Scope	Exclusive — The filter policy is of type Exclusive.
Entries	The number of entries configured in this filter ID.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Service Id	The service ID on which the filter policy ID is applied.
SAP	The Service Access Point on which the filter policy ID is applied.
(Ingress)	The filter policy ID is applied as an ingress filter policy on the interface.
(Egress)	The filter policy ID is applied as an egress filter policy on the interface.
Type	The type of service of the service ID.

Sample Output for IP Filter Counters

Table 45: Output Fields: Filter IP Counters

Label	Description
IP Filter Filter Id	The IP filter policy ID.
Scope	Template — The filter policy is of type Template.
Scope	Exclusive — The filter policy is of type Exclusive.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria	IP — Indicates the filter is an IP filter policy.
Entry	The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
Ing. Matches	The number of ingress filter matches or hits for the filter entry. The ingress counters count the packets with Layer 2 encapsulation.
Egr. Matches	The number of egress filter matches or hits for the filter entry. The egress counters count the packets without Layer 2 encapsulation.

ipv6

Syntax

ipv6 {ipv6-filter-id [entry entry-id] [association | counters]}

Context

show>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays IPv6 filter information.

Parameters

ipv6-filter-id—

Displays detailed information for the specified IPv6 filter ID and filter entries.

Values—

1 to 65535

entry entry-id—

Displays information about the specified IPv6 filter entry ID for the specified filter ID.

Values—

1 to 9999

associations—

Displays information as to where the IPv6 filter policy ID is applied to the detailed filter policy ID output.

counters—

Displays counter information for the specified IPv6 filter ID. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.

Output

The following output are examples of IPv6 filter information, and the associated tables describe the output fields.

Sample Output, Table 46
Sample Output for IPv6 with a Filter ID Specified, Table 47
Sample Output for IPv6 Filter Associations, Table 48
Sample Output for IPv6 Filter Counters, Table 49

Sample Output

*A:7210SAS>show>filter# ipv6

===============================================================================

IPv6 Filters Total: 1

===============================================================================

Filter-Id Scope Applied Description

-------------------------------------------------------------------------------

1 Template Yes

-------------------------------------------------------------------------------

Num IPv6 filters: 1

===============================================================================

*A:7210SAS>show>filter#

Table 46: Output Fields: Filter IPv6

Label	Description
Filter Id	The IP filter ID.
Scope Template	The filter policy is of type template.
Exclusive	The filter policy is of type exclusive.
Applied	No - The filter policy ID has not been applied. Yes - The filter policy ID has been applied.
Description	The IP filter policy description.

Sample Output for IPv6 with a Filter ID Specified

*A:7210SAS>show>filter# ipv6 1

===============================================================================

IPv6 Filter

===============================================================================

Filter Id : 1 Applied : Yes

Scope : Template Def. Action : Drop

Entries : 2

Description : (Not Specified)

-------------------------------------------------------------------------------

Filter Match Criteria : IPv6

-------------------------------------------------------------------------------

Entry : 1

Description : Test

Src. IP : 1::1/128 Src. Port : None

Dest. IP : ::/0 Dest. Port : None

Next Header : Undefined Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

TCP-syn : Off TCP-ack : Off

Match action : Forward

Ing. Matches : 0 pkts

Egr. Matches : 0 pkts

Entry : 2

Description : (Not Specified)

Src. IP : ::/0 Src. Port : None

Dest. IP : 1:2::1AFC/128 Dest. Port : None

Next Header : Undefined Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

TCP-syn : Off TCP-ack : Off

Match action : Drop

Ing. Matches : 819 pkts

Egr. Matches : 0 pkts

===============================================================================

*A:7210SAS>show>filter#

Table 47: Output Fields: Filter IPv6 with Filter ID Specified

Label	Description
Filter Id	The IP filter policy ID.
Scope	Template — The filter policy is of type template.
Scope	Exclusive — The filter policy is of type exclusive.
Entries	The number of entries configured in this filter ID.
Description	The IP filter policy description.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria	IP — Indicates the filter is an IP filter policy.
Entry	The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
Src. IP	The source IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.
Dest. IP	The destination IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.
ICMP Type	The ICMP type match criterion. Undefined indicates no ICMP type specified.
IP-Option	Specifies matching packets with a specific IP option or a range of IP options in the IP header for IP filter match criteria.
TCP-syn	False — Configures a match on packets with the SYN flag set to false.
	True — Configured a match on packets with the SYN flag set to true.
	Off — The state of the TCP SYN flag is not considered as part of the match criteria.
Match action	Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
	Drop — Drop packets matching the filter entry.
	Forward — The explicit action to perform is forwarding of the packet. If the action is Forward, then if configured, the next-hop information should be displayed, including Nexthop: <IP address>, Indirect: <IP address> or Interface: <IP interface name>.
Ing. Matches	The number of ingress filter matches or hits for the filter entry.
Src. Port	The source TCP or UDP port number or port range.
Dest. Port	The destination TCP or UDP port number or port range.
Dscp	The DiffServ Code Point (DSCP) name.
ICMP Code	The ICMP code field in the ICMP header of an IP packet.
TCP-ack	False — Configures a match on packets with the ACK flag set to false.
	True — Configured a match on packets with the ACK flag set to true.
	Off — The state of the TCP ACK flag is not considered as part of the match criteria.
Ing. Matches	The number of ingress filter matches or hits for the filter entry.
Egr. Matches	The number of egress filter matches or hits for the filter entry.

Sample Output for IPv6 Filter Associations

*A:7210SAS>show>filter# ipv6 1 associations

===============================================================================

IPv6 Filter

===============================================================================

Filter Id : 1 Applied : Yes

Scope : Template Def. Action : Drop

Entries : 2

Description : (Not Specified)

-------------------------------------------------------------------------------

Filter Association : IPv6

-------------------------------------------------------------------------------

Service Id : 1 Type : Epipe

- SAP 1/1/1:1 (Ingress)

Service Id : 2 Type : VPLS

- SAP 1/1/1:2 (Ingress)

- SAP 1/1/1:3 (Ingress)

===============================================================================

*A:7210SAS>show>filter#

Table 48: Output Fields: Filter IPv6 Associations

Label	Description
Filter Id	The IPv6 filter policy ID.
Scope	Template — The filter policy is of type Template.
Scope	Exclusive — The filter policy is of type Exclusive.
Entries	The number of entries configured in this filter ID.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Description	The IP filter policy description.
Service Id	The service ID on which the filter policy ID is applied.
SAP	The Service Access Point on which the filter policy ID is applied. (Ingress) The filter policy ID is applied as an ingress filter policy on the interface. (Egress) The filter policy ID is applied as an egress filter policy on the interface.
Type	The type of service of the service ID.

Sample Output for IPv6 Filter Counters

*A:7210SAS>show>filter# ipv6 1 counters

===============================================================================

IPv6 Filter

===============================================================================

Filter Id : 1 Applied : Yes

Scope : Template Def. Action : Drop

Entries : 2

Description : (Not Specified)

-------------------------------------------------------------------------------

Filter Match Criteria : IPv6

-------------------------------------------------------------------------------

Entry : 1

Ing. Matches : 0 pkts

Egr. Matches : 0 pkts

Entry : 2

Ing. Matches : 819 pkts

Egr. Matches : 0 pkts

===============================================================================

*A:7210SAS>show>filter#

Table 49: Output Fields: Filter IPv6 Counters

Label	Description
Filter Id	The IPv6 filter policy ID.
Scope	Template — The filter policy is of type Template.
Scope	Exclusive — The filter policy is of type Exclusive.
Entries	The number of entries configured in this filter ID.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Description	The IP filter policy description.
Entry	The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
Ing. Matches	The number of ingress filter matches or hits for the filter entry.
Egr. Matches	The number of egress filter matches or hits for the filter entry. Egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation.

mac

Syntax

mac [mac-filter-id [associations | counters] [entry entry-id]]

Context

show>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays MAC filter information. When no parameters are specified, a bried listing of IP filters is produced.

Parameters

mac-filter-id—

Displays detailed information for the specified filter ID and its filter entries.

Values—

1 to 65535

associations—

Displays information as to where the filter policy ID is applied to the detailed filter policy ID output.

counters—

Displays counter information for the specified filter ID.

entry entry-id—

Displays information about the specified filter entry ID for the specified filter ID only.

Values—

1 to 65535

Output

The following outputs are examples of MAC filter information. The associated tables describe the output fields.

Sample Detailed Output, Sample Output for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C, Table 50
Sample Output for MAC Filter Counters, Table 51
Sample Output for MAC Filter Associations, Table 52

Sample Detailed Output

===============================================================================

Mac Filter : 200

===============================================================================

Filter Id : 200 Applied : No

Scope : Exclusive D. Action : Drop

Description : Forward SERVER sourced packets

-------------------------------------------------------------------------------

Filter Match Criteria : Mac

-------------------------------------------------------------------------------

Entry : 200FrameType : 802.2SNAP

Description : Not Available

Src Mac : 00:00:5a:00:00:00 ff:ff:ff:00:00:00

Dest Mac : 00:00:00:00:00:00 00:00:00:00:00:00

Dot1p : Undefined Ethertype : 802.2SNAP

Match action: Forward

Ing. Matches: 0Egr. Matches : 0

Entry : 300 (Inactive) FrameType : Ethernet

Description : Not Available

Src Mac : 00:00:00:00:00:00 00:00:00:00:00:00

Dest Mac : 00:00:00:00:00:00 00:00:00:00:00:00

Dot1p : Undefined Ethertype : Ethernet

Match action: Default

Ing. Matches: 0 Egr. Matches : 0

===============================================================================

Sample Output for 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C

===============================================================================

Mac Filter

===============================================================================

Filter Id : 1 Applied : No

Scope : Template Def. Action : Drop

Entries : 1 Type : unknown

Description : (Not Specified)

-------------------------------------------------------------------------------

Filter Match Criteria : Mac

-------------------------------------------------------------------------------

Entry : 1 (Inactive)

Description : (Not Specified)

Src Mac :

Dest Mac :

Outer Dot1p*: none Outer Dot1p Mask: none

Inner Dot1p*: none Inner Dot1p Mask: none

Outer TagVal: none Outer TagMask : none

Inner TagVal: none Inner TagMask : none

Ethertype : Undefined

Match action: Drop

Ing. Matches: 0 pkts

Egr. Matches: 0 pkts

===============================================================================

Table 50: Output Fields: MAC Filter

Label	Description
MAC Filter Filter Id	The MAC filter policy ID
Scope	Template — The filter policy is of type Template.
Scope	Exclusive — The filter policy is of type Exclusive.
Description	The IP filter policy description.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria	MAC — Indicates the filter is an MAC filter policy.
Entry	The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
Description	The filter entry description.
FrameType	Ethernet — The entry ID match frame type is Ethernet IEEE 802.3.
FrameType	Ethernet II — The entry ID match frame type is Ethernet Type II.
Src MAC	The source MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion specified for the filter entry.
Dest MAC	The destination MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion specified for the filter entry.
Dot1p	The IEEE 802.1p value for the match criteria. Undefined indicates no value is specified.
Outer Dot1p	The IEEE 802.1p value for the match criteria used to match the Dot1p in the outermost VLAN tag. Undefined indicates no value is specified.
Inner Dot1p	The IEEE 802.1p value for the match criteria used to match the Dot1p in the inner VLAN tag. Undefined indicates no value is specified.
Outer TagVal	The VLAN ID value for the match criteria used to match the VLAN ID in the outermost VLAN tag. Undefined indicates no value is specified.
Inner TagVal	The IEEE 802.1p value for the match criteria used to match the Dot1p in the inner VLAN tag. Undefined indicates no value is specified.
Ethertype	The Ethertype value match criterion.
Match action	Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete, no action was specified.
	Drop — Packets matching the filter entry criteria will be dropped.
	Forward — Packets matching the filter entry criteria is forwarded.
Ing. Matches	The number of ingress filter matches or hits for the filter entry.
Egr. Matches	The number of egress filter matches or hits for the filter entry.

Sample Output for MAC Filter Counters

A:ALA-49# show filter mac 8 counters

===============================================================================

Mac Filter

===============================================================================

Filter Id : 8 Applied : Yes

Scope : Template Def. Action : Forward

Entries : 2

Description : Description for Mac Filter Policy id # 8

-------------------------------------------------------------------------------

Filter Match Criteria : Mac

-------------------------------------------------------------------------------

Entry : 8 FrameType : Ethernet

Ing. Matches: 80 pkts

Egr. Matches: 62 pkts

Entry : 10 FrameType : Ethernet

Ing. Matches: 80 pkts

Egr. Matches: 80 pkts

Table 51: Output Fields: Filter MAC Counters

Label	Description
Mac Filter Filter Id	The MAC filter policy ID.
Scope	Template — The filter policy is of type Template.
Scope	Exclusive — The filter policy is of type Exclusive.
Description	The MAC filter policy description.
Applied	No — The filter policy ID has not been applied.
Applied	Yes — The filter policy ID has been applied.
Def. Action	Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Def. Action	Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria	Mac — Indicates the filter is an MAC filter policy.
Entry	The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
Ing. Matches	The number of ingress filter matches or hits for the filter entry.
Egr. Matches	The number of egress filter matches or hits for the filter entry.

Sample Output for MAC Filter Associations

A:ALA-49# show filter mac 3 associations

===============================================================================

Mac Filter

===============================================================================

Filter ID: 3Applied: Yes

Scope: TemplateDef. Action: Drop

Entries: 1

-------------------------------------------------------------------------------

Filter Association : Mac

-------------------------------------------------------------------------------

Service Id: 1001Type: VPLS

- SAP 1/1/1:1001(Egress)

===============================================================================

A:ALA-49#

Table 52: Output Fields: Filter MAC Associations

Label	Description
Filter Association	Mac — The filter associations displayed are for a MAC filter policy ID.
Service Id	The service ID on which the filter policy ID is applied.
SAP	The Service Access Point on which the filter policy ID is applied.
Type	The type of service of the Service ID.
(Ingress)	The filter policy ID is applied as an ingress filter policy on the interface.
(Egress)	The filter policy ID is applied as an egress filter policy on the interface.

3.8.2.3. Clear Commands

ip

Syntax

ip ip-filter-id [entry entry-id] [ingress | egress]

Context

clear>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command clears the counters associated with the IP filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Parameters

ip-filter-id—

Specifies the IP filter policy ID.

Values—

1 to 65535

entry-id—

Specifies that only the counters associated with the specified filter policy entry will be cleared.

Values—

1 to 65535

ingress—

Specifies to only clear the ingress counters.

egress—

Specifies to only clear the egress counters.

ipv6

Syntax

ipv6 ip-filter-id [entry entry-id] [ingress | egress]

Context

clear>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command clears the counters associated with the IPv6 filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Parameters

ip-filter-id —

Specifies the IP filter policy ID.

Values—

1 to 65535

entry-id—

Specifies that only the counters associated with the specified filter policy entry will be cleared.

Values—

1 to 65535

ingress —

Specifies to only clear the ingress counters.

egress —

Specifies to only clear the egress counters.

mac

Syntax

mac mac-filter-id [entry entry-id] [ingress | egress]

Context

clear>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command clears the counters associated with the MAC filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Parameters

mac-filter-id—

Specifies the MAC filter policy ID.

Values—

1 to 65535

entry-id—

Specifies that only the counters associated with the specified filter policy entry will be cleared.

Values—

1 to 65535

ingress—

Specifies to only clear the ingress counters.

egress—

Specifies to only clear the egress counters.

3.8.2.4. Monitor Commands

ip

Syntax

ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command monitors the counters associated with the IP filter policy.

Parameters

ip-filter-id—

Specifies the IP filter policy ID.

Values—

1 to 65535

entry-id—

Specifies that only the counters associated with the specified filter policy entry will be monitored.

Values—

1 to 65535

interval—

Specifies the interval for each display in seconds.

Values—

3 to 60

Default—

repeat repeat—

Specifies how many times the command is repeated.

Values—

1 to 999

Default—

absolute—

Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.

rate—

Displays the rate-per-second for each statistic instead of the delta.

ipv6

Syntax

ipv6 ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command monitors the counters associated with the IPv6 filter policy.

Parameters

ip-filter-id—

Specifies the IP filter policy ID.

Values—

1 to 65535

entry-id—

Specifies that only the counters associated with the specified filter policy entry will be monitored.

Values—

1 to 65535

interval—

Specifies the interval for each display in seconds.

Values—

3 to 60

Default—

repeat repeat—

Specifies how many times the command is repeated.

Values—

1 to 999

Default—

absolute—

Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.

rate—

Displays the rate-per-second for each statistic instead of the delta.

mac

Syntax

mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>filter

Supported Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command monitors the counters associated with the MAC filter policy.

Parameters

mac-filter-id—

Specifies MAC filter policy ID.

Values—

1 to 65535

entry-id—

Specifies that only the counters associated with the specified filter policy entry will be cleared.

Values—

1 to 65535

interval—

Specifies the interval for each display in seconds.

Values—

3 to 60

Default—

repeat repeat—

Specifies how many times the command is repeated.

Values—

1 to 999

Default—

absolute—

Displays the raw statistics without processing. No calculations are performed on the delta or rate statistics.

rate—

Displays the rate-per-second for each statistic instead of the delta.