As few or as many match parameters can be specified as required, but all conditions must be met for the packet to be considered a match and the specified action performed. The process stops when the first complete match is found and then executes the action defined in the entry, either to drop or forward packets that match the criteria.
IP filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward IP traffic include:
source IP address and mask
Source IP address and mask values can be entered as search criteria. The IP Version 4 addressing scheme consists of 32 bits expressed in dotted-decimal notation (X.X.X.X).
Address ranges are configured by specifying mask values, the 32-bit combination that describes which portion of the address refers to the subnet and which portion refers to the host. The mask length is expressed as an integer (range 1 to 32).
destination IP address and mask
Destination IP address and mask values can be entered as search criteria. The same choices that are available for source IPv6 addresses are available for destination IPv6 addresses (see above).
protocol
Entering a protocol ID (such as TCP, UDP, and so on) allows the filter to search for the protocol specified in this field.
protocol
For IPv6: entering a next header allows the filter to match the first next header following the IPv6 header.
source port
Entering the source port number allows the filter to search for matching TCP or UDP port values.
destination port
Entering the destination port number allows the filter to search for matching TCP or UDP port values.
DSCP marking
Entering a DSCP marking enables the filter to search for the DSCP marking specified in this field. See Table: DSCP name to DSCP value table.
ICMP code
Entering an ICMP code allows the filter to search for a matching ICMP code in the ICMP header.
ICMP type
Entering an ICMP type allows the filter to search for matching ICMP types in the ICMP header.
An IPv4 filter created in the mode that uses IPv6 resources cannot be applied at an egress SAP. Similarly, an IPv4 filter created in the mode that uses IPv6 resources fails to match the fragment option.
fragmentation
IPv4 only: Enable fragmentation matching. A match occurs if packets have either the MF (More Fragments) bit set or the Fragment Offset field of the IP header set to a non-zero value.
option present
Enabling the option presence allows the filter to search for presence or absence of IP options in the packet. Padding and EOOL are also considered as IP options.
TCP-ACK/SYN flags
Entering a TCP-SYN/TCP-ACK flag allows the filter to search for the TCP flags specified in these fields.
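The first-match processing and the IPv4 match criteria described above, modeled as an added Python example (not vendor code or configuration syntax). The entry IDs, field names, policy, and packets are constructed for illustration, and the action for packets that match no entry is an assumption supplied by the caller.

```python
import ipaddress
import struct

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields the criteria above refer to from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, = struct.unpack("!H", pkt[6:8])
    f = {
        "src": ipaddress.ip_address(pkt[12:16]),
        "dst": ipaddress.ip_address(pkt[16:20]),
        "protocol": pkt[9],
        # fragment: MF bit (0x2000) set OR Fragment Offset (low 13 bits) non-zero
        "fragment": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0,
    }
    # Ports are only present in the first fragment of a TCP (6) / UDP (17) packet.
    if f["protocol"] in (6, 17) and (flags_frag & 0x1FFF) == 0 and len(pkt) >= ihl + 4:
        f["src_port"], f["dst_port"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return f

def entry_matches(match: dict, f: dict) -> bool:
    """Every criterion present in the entry must hold (logical AND)."""
    for key, want in match.items():
        if key in ("src", "dst"):
            if f[key] not in ipaddress.ip_network(want):
                return False
        elif f.get(key) != want:
            return False
    return True

def evaluate(entries, pkt: bytes, default_action: str):
    """Walk entries in order; the first complete match decides the action."""
    f = parse_ipv4(pkt)
    for entry_id, match, action in entries:
        if entry_matches(match, f):
            return entry_id, action
    return None, default_action  # assumption: caller chooses the no-match action

def make_packet(src, dst, proto, sport, dport, mf=False, frag_off=0):
    """Constructed sample packet: 20-byte IPv4 header plus 4 bytes of ports."""
    flags_frag = (0x2000 if mf else 0) | frag_off
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, flags_frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)

POLICY = [  # constructed policy: broad entry 10 shadows the narrower entry 20
    (10, {"src": "10.1.0.0/16", "protocol": 6}, "forward"),
    (20, {"src": "10.1.5.0/24", "protocol": 6, "dst_port": 23}, "drop"),
    (30, {"fragment": True}, "drop"),
]
```

Because evaluation stops at the first complete match, the drop in entry 20 is never reached for TCP traffic from 10.1.5.0/24 until it is ordered ahead of entry 10.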
MAC filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward MAC traffic include:
source MAC address and mask
Entering the source MAC address range allows the filter to search for a matching source MAC address or range. Enter the source MAC address and mask in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; for example, 00:dc:98:1d:00:00.
destination MAC address and mask
Entering the destination MAC address range allows the filter to search for a matching destination MAC address or range. Enter the destination MAC address and mask in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; for example, 02:dc:98:1d:00:01.
dot1p and mask
Entering an IEEE 802.1p value or range allows the filter to search for a matching 802.1p frame. The Dot1p and mask accept decimal, hex, or binary values in the range of 0 to 7.
Ethertype
Enter an Ethernet type II Ethertype value to be used as a filter match criterion. The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. The Ethertype accepts decimal, hex, or binary values in the range of 1536 to 65535.