Filter Command Reference

Command Hierarchies

Configuration Commands

IP Filter Log Configuration Commands

config
    — filter
        log log-id [create]
        — no log log-id
            description description-string
            destination memory num-entries
            destination syslog syslog-id
            [no] shutdown
            summary
                [no] shutdown
                summary-crit dst-addr
                summary-crit src-addr
            [no] wrap-around

IP Filter Policy Configuration Commands

config
    — filter
        ip-filter filter-id [create]
        — no ip-filter filter-id
            default-action {drop | forward}
            description description-string
            entry entry-id [create]
            — no entry entry-id
                action [drop]
                action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
                — no action
                description description-string
                log log-id
                — no log
                match [protocol protocol-id]
                — no match
                    dscp dscp-name
                    — no dscp
                    dst-ip {ip-address/mask | ip-address netmask}
                    — no dst-ip
                    dst-port {lt | gt | eq} dst-port-number
                    dst-port range start end
                    — no dst-port
                    fragment {true | false}
                    — no fragment
                    icmp-code icmp-code
                    — no icmp-code
                    icmp-type icmp-type
                    — no icmp-type
                    ip-option ip-option-value [ip-option-mask]
                    — no ip-option
                    multiple-option {true | false}
                    option-present {true | false}
                    src-ip {ip-address/mask | ip-address netmask}
                    — no src-ip
                    src-port {lt | gt | eq} src-port-number
                    src-port range start end
                    — no src-port
                    tcp-ack {true | false}
                    — no tcp-ack
                    tcp-syn {true | false}
                    — no tcp-syn
            renum old-entry-id new-entry-id
            scope {exclusive | template}
            — no scope

IPv6 Filter Policy Configuration Commands

config
    — filter
        ipv6-filter ipv6-filter-id [create]
        — no ipv6-filter ipv6-filter-id
            default-action {drop | forward}
            description description-string
            entry entry-id [create]
            — no entry entry-id
                action {drop | forward}
                — no action
                description description-string
                log log-id
                — no log
                match [next-header next-header]
                — no match
                    dscp dscp-name
                    — no dscp
                    dst-ip ipv6-address/prefix-length
                    — no dst-ip
                    dst-port {lt | gt | eq} dst-port-number
                    dst-port range start end
                    — no dst-port
                    icmp-code icmp-code
                    — no icmp-code
                    icmp-type icmp-type
                    — no icmp-type
                    src-ip ipv6-address/prefix-length
                    — no src-ip
                    src-port {lt | gt | eq} src-port-number
                    src-port range start end
                    — no src-port
                    tcp-ack {true | false}
                    — no tcp-ack
                    tcp-syn {true | false}
                    — no tcp-syn
            renum old-entry-id new-entry-id
            scope {exclusive | template}
            — no scope

MAC Filter Policy Commands

config
    — filter
        mac-filter filter-id [create]
        — no mac-filter filter-id
            default-action {drop | forward}
            description description-string
            entry entry-id [create]
            — no entry entry-id
                action [drop]
                action forward
                — no action
                description description-string
                log log-id
                — no log
                match frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}
                — no match
                    dst-mac ieee-address
                    — no dst-mac
                    etype 0x0600..0xffff
                    — no etype
                    src-mac ieee-address
                    — no src-mac
            renum old-entry-id new-entry-id
            scope {exclusive | template}
            — no scope

VLAN Filter Policy Commands

config
    — filter
        vlan-filter filter-id [create]
        — no vlan-filter filter-id
            default-action {drop | forward}
            description description-string
            entry entry-id [create]
            — no entry entry-id
                action {drop | forward}
                — no action
                description description-string
                match vlan {lt | gt | eq} vlan-id
                match vlan range vlan-id to vlan-id
                match untagged
                — no match
            renum old-entry-id new-entry-id

NAT Policy Commands

config
    — security
        abort
        begin
        commit
        profile profile-id [create]
            description description-string
            name profile-name
            — no name profile-name
            [no] timeouts
                icmp-request [days days] [hrs hours] [min minutes] [sec seconds]
                tcp-established [days days] [hrs hours] [min minutes] [sec seconds]
                tcp-syn [days days] [hrs hours] [min minutes] [sec seconds]
                — no tcp-syn
                tcp-time-wait [days days] [hrs hours] [min minutes] [sec seconds]
                tcp-transitory [days days] [hrs hours] [min minutes] [sec seconds]
                udp [days days] [hrs hours] [min minutes] [sec seconds]
                — no udp
                udp-dns [days days] [hrs hours] [min minutes] [sec seconds]
                — no udp-dns
                udp-initial [days days] [hrs hours] [min minutes] [sec seconds]
        policy policy-id [create]
            description description-string
            entry entry-id [create]
            — no entry entry-id
                action {forward | reject | nat}
                — no action
                action nat [destination ip-address port tcp-udp-port]
                description description-string
                [no] limit
                match [local] protocol protocol-id
                — no match
                    direction {zone-outbound | zone-inbound | both}
                    — no direction
                    dst-ip ip-address to ip-address
                    — no dst-ip
                    dst-port {lt | gt | eq} tcp/udp port range start end
                    — no dst-port
                    icmp-code icmp-code
                    — no icmp-code
                    icmp-type icmp-type
                    — no icmp-type
                    src-ip ip-address to ip-address
                    — no src-ip
                    src-port {lt | gt | eq} tcp/udp port range start end
                    — no src-port
                profile {profile-id | profile-name}
                — no profile
            name policy-name
            — no name
            session-high-wmark percentage
            session-low-wmark percentage

Show Commands

show
    — filter
        ip [ip-filter-id | ipv6-filter-id] [entry entry-id] [association | counters]
        log [bindings]
        log log-id [match string]
        mac {mac-filter-id [entry entry-id] [association | counters]}
        vlan [filter-id [entry entry-id]]
show
    — security
        policy [policy-id | name] [detail | association]
        policy [policy-id | name] [entry entry-id] [detail | association]
        profile [profile-id | name] [detail | association]
        summary
        zone [zone-id | name] [detail | interface | statistics]
            nat pool [pool-id | name] [detail]
            policy [entry entry-id] [detail | statistics]
            session [inbound | outbound] [forward | nat]
            session session-id [detail | statistics]

Clear Commands

clear
    — filter
        ip ip-filter-id [entry entry-id] [ingress | egress]
        ipv6 ipv6-filter-id [entry entry-id] [ingress | egress]
        log log-id
        mac mac-filter-id [entry entry-id] [ingress | egress]
    — security
        session session-id statistics
        zone [zone-id | name] sessions [inbound | outbound | all]
        zone [zone-id | name] statistics

Monitor Commands

monitor
    filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
    filter ipv6 ipv6-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
    filter mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Debug Commands

debug
    — security
        zone [zone-id | zone-name] [inbound | outbound | all] [forward | reject | nat] [source ip-address mask] [destination ip-address mask]
        — no zone [zone-id | zone-name] [inbound | outbound | all] [forward | reject | nat] [source ip-address mask] [destination ip-address mask]
        — no zone [zone-id | zone-name]

Command Descriptions

Configuration Commands

Generic Commands

description

Syntax 
description description-string
no description
Context 
config>filter>ip-filter
config>filter>log
config>filter>ip-filter>entry
config>filter>ipv6-filter
config>filter>ipv6-filter>entry
config>filter>mac-filter
config>filter>mac-filter>entry
config>filter>vlan-filter
config>filter>vlan-filter>entry
config>security>policy
config>security>policy>entry
config>security>profile
Description 

This command creates a text description for a configuration context to help identify the content in the configuration file.

The no form of the command removes any description string from the context.

Default 

n/a

Parameters 
description-string—
the description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

shutdown

Syntax 
[no] shutdown
Context 
config>filter>log
config>filter>log>summary
Description 

The shutdown command administratively disables the entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many objects must be shut down before they may be deleted. Many entities must be explicitly enabled using the no shutdown command.

Unlike other commands and parameters where the default state is not indicated in the configuration file, shutdown and no shutdown are always indicated in system-generated configuration files.

The no form of the command puts an entity into the administratively enabled state.

Default 

no shutdown

Filter Log Commands

log

Syntax 
log log-id [create]
no log log-id
Context 
config>filter
Description 

This command enables the context to create a filter log policy.

The no form of the command deletes the filter log ID. The log cannot be deleted if there are filter entries configured to write to the log. All filter entry logging associations need to be removed before the log can be deleted.

Default 

log 101

Special Cases 
Filter log 101—
filter log 101 is the default log and is automatically created by the system. Filter log 101 is always a memory filter log and cannot be changed to a syslog filter log. The log size defaults to 1000 entries. The number of entries and wrap-around behavior can be edited.
Parameters 
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199

destination

Syntax 
destination memory num-entries
destination syslog syslog-id
no destination
Context 
config>filter>log
Description 

This command configures the destination for filter log entries for the specified filter log ID.

Filter logs can be sent to either memory or an existing syslog server. If the filter log destination is memory, the maximum number of entries in the log must be specified.

The no form of the command deletes the filter log association.

Default 

no destination

Parameters 
num-entries—
specifies that the destination of the filter log ID is a memory log. The num-entries value is the maximum number of entries in the filter log expressed as a decimal integer.
Values—
1 to 50000
syslog-id—
specifies that the destination of the filter log ID is a syslog server. The syslog-id parameter is the identifier of the syslog server.
Values—
1 to 10

summary

Syntax 
summary
Context 
config>filter>log
Description 

This command enables the context to configure log summarization. These settings apply only if syslog is the log destination.

summary-crit

Syntax 
summary-crit dst-addr
summary-crit src-addr
no summary-crit
Context 
config>filter>log>summary
Description 

This command defines the key of the index of the mini-table. If key information is changed while summary is in the no-shutdown state, the filter summary mini-table is flushed and reconfigured with different key information. Log packets received during the reconfiguration time will be handled as if summary was not active.

The no form of the command reverts to the default parameter.

Default 

dst-addr

Parameters 
dst-addr—
specifies that received log packets are summarized based on the destination IP address
src-addr—
specifies that received log packets are summarized based on the source IP address

wrap-around

Syntax 
[no] wrap-around
Context 
config>filter>log
Description 

This command configures a memory filter log to store log entries until full or to store the most recent log entries (circular buffer).

Specifying wrap-around configures the memory filter log to store the most recent filter log entries (circular buffer). When the log is full, the oldest filter log entries are overwritten with new entries.

The no form of the command configures the memory filter log to accept filter log entries until full. When the memory filter log is full, filter logging for the log filter ID ceases.

Default 

wrap-around
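The memory filter log behaviour described above (a log bounded by destination memory num-entries, which either overwrites its oldest records under wrap-around or stops logging once full under no wrap-around) and the summary-crit mini-table keyed by dst-addr or src-addr can be modelled directly. The following is an added Python example written for this reference, not 7705 SAR code: the MemoryFilterLog and SummaryMiniTable class names, the run_demo function and the SAMPLE_RECORDS list are the example's own, and the records are constructed, not captured from a device.

```python
from collections import Counter, deque

# Constructed log records, standing in for what a filter entry with "log"
# configured would hand to its filter log.
SAMPLE_RECORDS = [
    {"seq": 1, "src": "192.0.2.10", "dst": "10.1.2.3"},
    {"seq": 2, "src": "192.0.2.11", "dst": "10.1.2.3"},
    {"seq": 3, "src": "192.0.2.10", "dst": "10.1.2.4"},
    {"seq": 4, "src": "192.0.2.12", "dst": "10.1.2.3"},
    {"seq": 5, "src": "192.0.2.10", "dst": "10.1.2.5"},
]


class MemoryFilterLog:
    """Model of `log log-id` with `destination memory num-entries`."""

    def __init__(self, log_id, num_entries, wrap_around=True):
        # Ranges are the ones documented for log-id and num-entries.
        if not 101 <= log_id <= 199:
            raise ValueError("log-id must be 101 to 199")
        if not 1 <= num_entries <= 50000:
            raise ValueError("num-entries must be 1 to 50000")
        self.log_id = log_id
        self.capacity = num_entries
        self.wrap_around = wrap_around      # wrap-around is the documented default
        self.entries = deque()
        self.refused = 0                    # records lost after a no-wrap-around log filled

    def record(self, rec):
        """Store one record; returns True if it was kept."""
        if len(self.entries) < self.capacity:
            self.entries.append(rec)
            return True
        if self.wrap_around:
            self.entries.popleft()          # circular buffer: overwrite the oldest record
            self.entries.append(rec)
            return True
        self.refused += 1                   # log is full: logging for this log ID has ceased
        return False

    def sequence(self):
        return [r["seq"] for r in self.entries]


class SummaryMiniTable:
    """Model of `summary-crit {dst-addr | src-addr}`: counts log packets per key."""

    def __init__(self, key="dst-addr"):
        self.key = key                      # dst-addr is the documented default
        self.counts = Counter()

    def set_key(self, key):
        if key not in ("dst-addr", "src-addr"):
            raise ValueError("summary-crit is dst-addr or src-addr")
        if key != self.key:                 # changing the key flushes the mini-table
            self.counts.clear()
            self.key = key

    def add(self, rec):
        field = "dst" if self.key == "dst-addr" else "src"
        self.counts[rec[field]] += 1
        return dict(self.counts)


def run_demo():
    """Feed the same records to a wrap-around log, a fixed log and a summary table."""
    wrap = MemoryFilterLog(102, 3)
    fixed = MemoryFilterLog(103, 3, wrap_around=False)
    summary = SummaryMiniTable()
    for rec in SAMPLE_RECORDS:
        wrap.record(rec)
        fixed.record(rec)
        summary.add(rec)
    by_dst = dict(summary.counts)
    summary.set_key("src-addr")             # re-keying empties the table
    return {"wrap": wrap.sequence(), "fixed": fixed.sequence(),
            "refused": fixed.refused, "by_dst": by_dst,
            "after_rekey": dict(summary.counts)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

With three slots and five records, the wrap-around log ends holding records 3 to 5 while the fixed log keeps 1 to 3 and silently loses the last two; that silent loss is the operational reason the reference makes wrap-around the default, and the refused counter is the kind of signal a real deployment would want to watch for a no wrap-around log.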

Filter Policy Commands

ip-filter

Syntax 
ip-filter filter-id [create]
no ip-filter filter-id
Context 
config>filter
Description 

This command creates a configuration context for an IPv4 filter policy.

IP filter policies specify either a forward or a drop action for packets based on the specified match criteria.

The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple network ports as long as the scope of the policy is template.

Any changes made to the existing policy, using any of the subcommands, will be applied immediately to all network interfaces where this policy is applied.

The no form of the command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all network interfaces where it is applied.

Parameters 
filter-id—
the IP filter policy ID number
Values—
1 to 65535
create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

ipv6-filter

Syntax 
ipv6-filter ipv6-filter-id [create]
no ipv6-filter ipv6-filter-id
Context 
config>filter
Description 

This command creates a configuration context for an IPv6 filter policy.

IP filter policies specify either a forward or a drop action for packets based on the specified match criteria.

The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple network ports as long as the scope of the policy is template.

Any changes made to the existing policy, using any of the subcommands, will be applied immediately to all network interfaces where this policy is applied.

The no form of the command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all network interfaces where it is applied.

Parameters 
ipv6-filter-id—
the IPv6 filter policy ID number
Values—
1 to 65535
create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

mac-filter

Syntax 
mac-filter filter-id [create]
no mac-filter filter-id
Context 
config>filter
Description 

This command enables the context for a MAC filter policy.

The MAC filter policy specifies either a forward or a drop action for packets based on the specified match criteria.

The MAC filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services as long as the scope of the policy is template.

A MAC filter policy cannot be applied to a network interface, a VPRN service, or an IES service.

Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied.

The no form of the command deletes the MAC filter policy. A filter policy cannot be deleted until it is removed from all SAPs where it is applied.

Parameters 
filter-id—
the MAC filter policy ID number
Values—
1 to 65535
create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

vlan-filter

Syntax 
vlan-filter filter-id [create]
no vlan-filter filter-id
Context 
config>filter
Description 

This command enables the context for a VLAN filter policy.

The VLAN filter policy specifies either a forward or a drop action for packets based on the specified match criteria.

The VLAN filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to ring ports on the 2-port 10GigE (Ethernet) Adapter card and 2-port 10GigE (Ethernet) module. Each ring port can support one VLAN filter, and the same VLAN filter can be applied to both ring ports. The scope of a VLAN policy is always template.

A VLAN filter policy cannot be applied to any other type of adapter card.

Any changes made to an existing policy, using any of the sub-commands, is applied immediately to all ring ports where this policy is applied.

The no form of the command deletes the VLAN filter policy. A filter policy cannot be deleted until it is removed from all the ring ports where it is applied.

Parameters 
filter-id—
the VLAN filter policy ID number
Values—
1 to 65535
create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

default-action

Syntax 
default-action {drop | forward}
Context 
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
config>filter>vlan-filter
Description 

This command specifies the action to be applied to packets that match none of the IP, MAC, or VLAN filter entries of the filter.

Default 

drop

Parameters 
drop—
specifies that all packets will be dropped unless there is a specific filter entry that causes the packet to be forwarded
forward—
specifies that all packets will be forwarded unless there is a specific filter entry that causes the packet to be dropped

renum

Syntax 
renum old-entry-id new-entry-id
Context 
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
config>filter>vlan-filter
Description 

This command renumbers existing IP, MAC, or VLAN filter entries to properly sequence filter entries.

This may be required in some cases since the OS exits when the first match is found and executes the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.

Parameters 
old-entry-id—
the entry number of an existing entry
Values—
1 to 64
new-entry-id—
the new entry number to be assigned to the old entry
Values—
1 to 64

scope

Syntax 
scope {exclusive | template}
no scope
Context 
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
Description 

This command configures the filter policy scope as exclusive or template. If the scope of the policy is template and is applied to one or more network interfaces, the scope cannot be changed.

The no form of the command sets the scope of the policy to the default of template.

Default 

template

Parameters 
exclusive—
when the scope of a policy is defined as exclusive, the policy can only be applied to a single entity (network port). If an attempt is made to assign the policy to a second entity, an error message will result. If the policy is removed from the entity, it will become available for assignment to another entity.
template—
when the scope of a policy is defined as template, the policy can be applied to multiple network ports

General Filter Entry Commands

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
config>filter>vlan-filter
Description 

This command creates or edits a filter entry. Multiple entries can be created using unique entry-id numbers within the filter. The 7705 SAR implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly, from most to least explicit.

IPv4 filter entries can specify one or more matching criteria, with one caveat. In order to support the maximum 256 entries for IPv4 filters, any entry that uses source port (src-port) and/or destination port (dst-port) ranges (lt, gt, or range keywords) as match criteria must be within the first 64 entries. See the dst-port and src-port commands for more information.

An entry might not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword are considered incomplete and are rendered inactive.

The no form of the command removes the specified entry from the filter. Entries removed from the filter are immediately removed from all entities to which that filter is applied.

Default 

n/a

Parameters 
entry-id—
an entry-id uniquely identifies a set of match criteria and the corresponding action. It is recommended that multiple entries be given entry-ids in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.
Values—
1 to 256 (maximum applies to IPv4 filters and MAC filters only)
create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.
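The first-match semantics described under entry, renum and default-action (entries evaluated in entry-id order, the first match deciding the action, an entry without an action rendered inactive, default-action covering everything else, and all criteria within one match statement ANDed, as the match command describes) can be modelled in a few lines. The following is an added Python example written for this reference, not 7705 SAR code: it parses a constructed ip-filter fragment written in this reference's hierarchy notation (only the protocol, dst-ip and dst-port criteria are implemented), evaluates packets against the entries, and uses renum to move a specific entry ahead of a broader one. The PROTOCOL_NUMBERS map, the parse_ip_filter, evaluate and renum function names, and the packet dictionaries are the example's own.

```python
import ipaddress

# Subset of the protocol-number table given under the match command.
PROTOCOL_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47}

# Constructed ip-filter fragment in this reference's hierarchy notation (not a
# device export).  Entry 10 is a broad drop placed BEFORE the more specific
# entry 20 on purpose; entry 30 has no action keyword and is therefore inactive.
FILTER_CONFIG = """
ip-filter 10 create
    default-action forward
    entry 10 create
        match protocol tcp
            dst-ip 10.1.0.0/16
            dst-port range 1 1023
        action drop
    entry 20 create
        match protocol tcp
            dst-ip 10.1.0.0 255.255.0.0
            dst-port eq 22
        action forward
    entry 30 create
        match protocol udp
"""


class Entry:
    def __init__(self, entry_id):
        self.entry_id = entry_id
        self.action = None      # None: no action keyword, entry is inactive
        self.protocol = None    # IP protocol number, or None for any
        self.dst_ip = None      # ipaddress.IPv4Network, or None for any
        self.dst_port = None    # ("lt"|"gt"|"eq", n) or ("range", lo, hi)


def parse_ip_filter(text):
    """Parse the config text into {"default_action": str, "entries": {id: Entry}}."""
    policy = {"default_action": "drop", "entries": {}}   # drop is the documented default
    current = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "default-action":
            policy["default_action"] = tokens[1]
        elif kw == "entry":
            current = Entry(int(tokens[1]))
            policy["entries"][current.entry_id] = current
        elif kw == "action":
            current.action = tokens[1] if len(tokens) > 1 else "drop"   # bare "action" means drop
        elif kw == "match" and len(tokens) >= 3 and tokens[1] == "protocol":
            p = tokens[2]                        # keyword, or a number in decimal/hex/binary
            current.protocol = int(p, 0) if p[0].isdigit() else PROTOCOL_NUMBERS[p]
        elif kw == "dst-ip":
            # accepts both "a.b.c.d/len" and "a.b.c.d netmask" notations
            current.dst_ip = ipaddress.ip_network("/".join(tokens[1:3]), strict=False)
        elif kw == "dst-port":
            if tokens[1] == "range":
                current.dst_port = ("range", int(tokens[2]), int(tokens[3]))
            else:
                current.dst_port = (tokens[1], int(tokens[2]))
    return policy


def port_matches(rule, port):
    if rule[0] == "range":
        return rule[1] <= port <= rule[2]
    op, n = rule
    return {"lt": port < n, "gt": port > n, "eq": port == n}[op]


def entry_matches(entry, packet):
    """All criteria of the entry's single match statement must hold (AND)."""
    if entry.protocol is not None and packet["protocol"] != entry.protocol:
        return False
    if entry.dst_ip is not None and ipaddress.ip_address(packet["dst_ip"]) not in entry.dst_ip:
        return False
    if entry.dst_port is not None:
        # a port criterion can only match TCP (6) or UDP (17) packets
        if packet["protocol"] not in (6, 17) or not port_matches(entry.dst_port, packet["dst_port"]):
            return False
    return True


def evaluate(policy, packet):
    """First-match lookup: returns (action, entry_id); entry_id is None for default-action."""
    for entry_id in sorted(policy["entries"]):
        entry = policy["entries"][entry_id]
        if entry.action is None:
            continue                             # incomplete entry, rendered inactive
        if entry_matches(entry, packet):
            return entry.action, entry_id
    return policy["default_action"], None


def renum(policy, old_id, new_id):
    """Move an entry to a new entry-id so it is evaluated in a different position."""
    if new_id in policy["entries"]:
        raise ValueError("entry %d already exists" % new_id)
    entry = policy["entries"].pop(old_id)
    entry.entry_id = new_id
    policy["entries"][new_id] = entry


if __name__ == "__main__":
    policy = parse_ip_filter(FILTER_CONFIG)
    ssh = {"protocol": 6, "dst_ip": "10.1.2.3", "dst_port": 22}
    print("before renum:", evaluate(policy, ssh))
    renum(policy, 20, 5)
    print("after renum: ", evaluate(policy, ssh))
```

Running the block shows the TCP port 22 packet dropped by the broad entry 10 until entry 20 is renumbered to 5, which is the most-to-least-explicit ordering the entry and renum descriptions call for; the UDP packet falls through to default-action because entry 30 has no action. The model does not enforce the device rule that port-range criteria must sit within the first 64 entries.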

IP, MAC, and VLAN Filter Entry Commands

action

Syntax 
action [drop]
action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
no action
Context 
config>filter>ip-filter>entry
config>filter>mac-filter>entry
Description 

This command specifies what action to take (drop or forward) when packets match the entry criteria. The action keyword must be entered for the entry to be active. If neither drop nor forward is specified, the filter action is drop.

The action forward next-hop keywords cannot be applied to multicast traffic and only apply to IPv4.

The action forward fc keywords only apply to IPv4.

Multiple action statements entered will overwrite previous action statements when defined.

The no form of the command removes the specified action statement. The filter entry is considered incomplete and is rendered inactive without the action keyword.

Default 

no action

Parameters 
drop—
specifies that packets matching the entry criteria will be dropped
forward—
specifies that packets matching the entry criteria will be forwarded
next-hop ip-address
specifies the IPv4 address of the direct next hop to which packets matching the entry criteria will be forwarded
indirect ip-address
specifies the IPv4 address of the indirect next hop to which packets matching the entry criteria will be forwarded. The direct next-hop IPv4 address and egress IP interface are determined by a route table lookup.

If the next hop is not available, a routing lookup is performed; if a match is found, the packet is forwarded to the result of that lookup. If no match is found, an "ICMP destination unreachable" message is sent back to the origin.

Values—
0.0.0.0 to 255.255.255.255 (dotted-decimal notation)
fc fc-name
specifies the forwarding class (FC) to be used for queuing packets through the 7705 SAR. Each FC can be mapped to a different queue, or multiple FCs can be handled by the same queue.

There are eight forwarding classes, providing different classes of service. The forwarding classes are: nc (network control), h1 (high 1), ef (expedited forwarding), h2 (high 2), l1 (low 1), l2 (low 2), af (assured forwarding), be (best effort).

Values—
be, l2, af, l1, h2, ef, h1, nc
priority low | high
specifies the priority assigned to incoming traffic. Traffic priority is important for internal processes when some traffic may be dropped because of congestion. Low-priority traffic is dropped first.

action

Syntax 
action {drop | forward}
no action
Context 
config>filter>ipv6-filter>entry
config>filter>vlan-filter>entry
Description 

This command specifies what action to take (drop or forward) when packets match the entry criteria. The action keyword must be entered for the entry to be active. If neither drop nor forward is specified, the filter action is drop.

Multiple action statements entered will overwrite previous action statements when defined.

The no form of the command removes the specified action statement. The filter entry is considered incomplete and is rendered inactive without the action keyword.

Default 

drop

Parameters 
drop—
specifies that packets matching the entry criteria will be dropped
forward—
specifies that packets matching the entry criteria will be forwarded

log

Syntax 
log log-id
no log
Context 
config>filter>ip-filter>entry
config>filter>ipv6-filter>entry
config>filter>mac-filter>entry
Description 

This command enables the context to enable filter logging for a filter entry and specifies the destination filter log ID.

The filter log ID must exist before a filter entry can be enabled to use the filter log ID.

The no form of the command disables logging for the filter entry.

Default 

no log

Parameters 
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199

match

Syntax 
match [protocol protocol-id]
no match
Context 
config>filter>ip-filter>entry
Description 

This command enables the context to enter match criteria for the IPv4 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Parameters 
protocol—
the protocol keyword configures an IP protocol to be used as an IP filter match criterion. The protocol type such as TCP or UDP is identified by its respective protocol number.
protocol-id—
configures the decimal value representing the IP protocol to be used as an IP filter match criterion. Common protocol numbers include ICMP(1), TCP(6), UDP(17). The no form of the command removes the protocol from the match criteria.
Values—
0 to 255 (values can be expressed in decimal, hexadecimal, or binary – DHB)
keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp
* — udp/tcp wildcard

Protocol ID   Protocol      Description
1             icmp          Internet Control Message
2             igmp          Internet Group Management
4             ip            IP in IP (encapsulation)
6             tcp           Transmission Control
8             egp           Exterior Gateway Protocol
9             igp           Any private interior gateway
17            udp           User Datagram
27            rdp           Reliable Data Protocol
41            ipv6          IPv6
43            ipv6-route    Routing Header for IPv6
45            idrp          Inter-Domain Routing Protocol
46            rsvp          Reservation Protocol
47            gre           General Routing Encapsulation
58            ipv6-icmp     ICMP for IPv6
59            ipv6-no-nxt   No Next Header for IPv6
60            ipv6-opts     Destination Options for IPv6
80            iso-ip        ISO Internet Protocol
88            eigrp         EIGRP
89            ospf-igp      OSPFIGP
97            ether-ip      Ethernet-within-IP Encapsulation
98            encap         Encapsulation Header
102           pnni          PNNI over IP
103           pim           Protocol Independent Multicast
112           vrrp          Virtual Router Redundancy Protocol
115           l2tp          Layer Two Tunneling Protocol
118           stp           Schedule Transfer Protocol
123           ptp           Performance Transparency Protocol
124           isis          ISIS over IPv4
126           crtp          Combat Radio Transport Protocol
127           crudp         Combat Radio User Datagram

Note:

  1. PTP in the context of IP filters is defined as Performance Transparency Protocol. IP protocols can be used as IP filter match criteria; the match is made on the 8-bit protocol field in the IP header.
  2. PTP in the context of SGT QoS is defined as Precision Timing Protocol and is an application in the 7705 SAR. The PTP application name is also used in areas such as event-control and logging. Precision Timing Protocol is defined in IEEE 1588-2008.

match

Syntax 
match [next-header next-header]
no match
Context 
config>filter>ipv6-filter>entry
Description 

This command enables the context to enter match criteria for the IPv6 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Parameters 
next-header—
the IPv6 next header to match. This parameter is similar to the protocol parameter used in IPv4 filter match criteria.
Values—
[1 to 42 | 45 to 49 | 52 to 59 | 61 to 255] — (values can be expressed in decimal, hexadecimal, or binary – DHB)
keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp
* — udp/tcp wildcard

match

Syntax 
match frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}
no match
Context 
config>filter>mac-filter>entry
Description 

This command creates the context for entering/editing match criteria for the filter entry and specifies an Ethernet frame type for the entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, then all criteria must be satisfied (AND function) before the action associated with the match will be executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Default 

frame-type 802dot3

Parameters 
frame-type—
configures an Ethernet frame type to be used for the MAC filter match criteria
802dot3—
specifies the frame type as Ethernet IEEE 802.3
802dot2-llc—
specifies the frame type as Ethernet IEEE 802.2 LLC
802dot2-snap—
specifies the frame type as Ethernet IEEE 802.2 SNAP
ethernet_II—
specifies the frame type as Ethernet Type II

match

Syntax 
match vlan {lt | gt | eq} vlan-id
match vlan range vlan-id to vlan-id
match untagged
no match
Context 
config>filter>vlan-filter>entry
Description 

This command accesses the match criteria for the filter entry and specifies a match criterion. If the match criterion is satisfied, the action associated with the match criteria is executed.

Only one match criterion (within one match statement) is allowed.

The no form of the command removes the match criteria for the entry-id.

Default 

no match

Parameters 
vlan {lt | gt | eq} vlan-id
specifies an operator and a vlan-id to be used for the VLAN filter match criteria (lt for less than, gt for greater than, and eq for equal to)
Values—
1 to 4094
vlan range vlan-id to vlan-id
specifies a range of VLAN IDs to be used for the VLAN filter match criteria.
Values—
1 to 4094
untagged—
specifies that Ethernet frames with no tag or dot1q header (null encapsulation) are used for the VLAN filter match criteria

IP and MAC Filter Match Criteria Commands

dscp

Syntax 
dscp dscp-name
no dscp
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.

The no form of the command removes the DSCP match criterion.

Default 

no dscp

Parameters 
dscp-name—
a DSCP name that has been previously mapped to a value using the dscp-name command. The DiffServ Code Point may only be specified by its name.
Values—
be | cp1 | cp2 | cp3 | cp4 | cp5 | cp6 | cp7 | cs1 | cp9 | af11 | cp11 |
af12 | cp13 | af13 | cp15 | cs2 | cp17 | af21 | cp19 | af22 | cp21 |
af23 | cp23 | cs3 | cp25 | af31 | cp27 | af32 | cp29 | af33 | cp31 | cs4 |
cp33 | af41 | cp35 | af42 | cp37 | af43 | cp39 | cs5 | cp41 | cp42 |
cp43 | cp44 | cp45 | ef | cp47 | nc1 | cp49 | cp50 | cp51 | cp52 | cp53 |
cp54 | cp55 | nc2 | cp57 | cp58 | cp59 | cp60 | cp61 | cp62 | cp63

dst-ip

Syntax 
dst-ip {ip-address/mask | ip-address netmask}
no dst-ip
Context 
config>filter>ip-filter>entry>match
Description 

This command configures a destination IPv4 address range to be used as an IP filter match criterion.

To match on the destination IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of the command removes the destination IP address match criterion.

Default 

n/a

Parameters 
ip-address—
the IP prefix for the IP match criterion in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255
mask—
the subnet mask length expressed as a decimal integer
Values—
0 to 32
netmask—
any mask expressed in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255

dst-ip

Syntax 
dst-ip ipv6-address/prefix-length
no dst-ip
Context 
config>filter>ipv6-filter>entry>match
Description 

This command configures a destination IPv6 address range to be used as an IP filter match criterion.

To match on the destination IP address, specify the address and prefix length; for example, 11::12/128.

The no form of the command removes the destination IP address match criterion.

Default 

n/a

Parameters 
ipv6-address/prefix-length—
the destination IPv6 prefix and prefix length for the match criterion
Values—
ipv6-address      x:x:x:x:x:x:x:x (eight 16-bit pieces)
                           x:x:x:x:x:x:d.d.d.d
                           x:    [0 to FFFF]H
                           d:    [0 to 255]D
prefix-length      0 to 128

dst-mac

Syntax 
dst-mac ieee-address
no dst-mac
Context 
config>filter>mac-filter>entry>match
Description 

This command configures a destination MAC address to be used as a MAC filter match criterion.

To match on the destination MAC address, specify the IEEE address.

The no form of the command removes the destination MAC address match criterion.

Default 

no dst-mac

Parameters 
ieee-address—
the MAC address to be used as a match criterion
Values—
xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx, where x is a hexadecimal digit

dst-port

Syntax 
dst-port {lt | gt | eq} dst-port-number
dst-port range start end
no dst-port
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures a destination TCP or UDP port number or port range for an IP filter match criterion.

The no form of the command removes the destination port match criterion.

Default 

n/a

Parameters 
lt | gt | eq—
use relative to dst-port-number for specifying the port number match criteria:

lt specifies that all port numbers less than dst-port-number match

gt specifies that all port numbers greater than dst-port-number match

eq specifies that dst-port-number must be an exact match

dst-port-number—
the destination port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535
start end—
specifies an inclusive range of port numbers to be used as a match criterion. The destination port numbers start and end are expressed as decimal integers.
Values—
1 to 65535

etype

Syntax 
etype 0x600...0xffff
no etype
Context 
config>filter>mac-filter>entry>match
Description 

This command configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is a 2-byte field used to identify the protocol carried by the Ethernet frame. For example, 0x0800 identifies IPv4 packets. The Ethernet type II frame Ethertype value to be used as a match criterion can be expressed as a hexadecimal (0x0600 to 0xFFFF) or a decimal (1536 to 65535) value.

The Ethernet type field is used by the Ethernet version-II frames.

The no form of the command removes the previously entered etype field as the match criteria.

Default 

no etype

fragment

Syntax 
fragment {true | false}
no fragment
Context 
config>filter>ip-filter>entry>match
Description 

This command configures fragmented or non-fragmented IP packets as an IP filter match criterion.

The no form of the command removes the match criterion.

This command applies to IPv4 filters only.

Default 

false

Parameters 
true—
configures a match on all fragmented IP packets. A match will occur for all packets that have either the MF (more fragments) bit set or have the Fragment Offset field of the IP header set to a non-zero value.
false—
configures a match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.

icmp-code

Syntax 
icmp-code icmp-code
no icmp-code
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on an ICMP code field in the ICMP header of an IPv4 or IPv6 packet as a filter match criterion.

This option is only meaningful if the match criterion specifies ICMP: protocol 1 in an IPv4 filter, or next-header 58 (ICMPv6) in an IPv6 filter.

The no form of the command removes the criterion from the match entry.

Default 

no icmp-code

Parameters 
icmp-code—
the ICMP code values that must be present to match
Values—
0 to 255 (values can be expressed in decimal, hexadecimal, or binary – DHB)
keywords - none | network-unreachable | host-unreachable | protocol-unreachable | port-unreachable | fragmentation-needed | dest-network-unknown | dest-host-unknown

icmp-type

Syntax 
icmp-type icmp-type
no icmp-type
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on the ICMP type field in the ICMP header of an IPv4 or IPv6 packet as a filter match criterion.

This option is only meaningful if the match criterion specifies ICMP: protocol 1 in an IPv4 filter, or next-header 58 (ICMPv6) in an IPv6 filter.

The no form of the command removes the criterion from the match entry.

Default 

no icmp-type

Parameters 
icmp-type—
the ICMP type values that must be present to match
Values—
0 to 255 (values can be expressed in decimal, hexadecimal, or binary – DHB)
keywords - none | echo-reply | dest-unreachable | echo-request | time-exceeded | parameter-problem

ip-option

Syntax 
ip-option ip-option-value [ip-option-mask]
no ip-option
Context 
config>filter>ip-filter>entry>match
Description 

This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion.

The option type octet contains three fields:

  1. 1 bit copied flag (copy options in all fragments)
  2. 2 bits option class
  3. 5 bits option number

The no form of the command removes the match criterion.

This command applies to IPv4 filters only.

Default 

no ip-option

Parameters 
ip-option-value—
 the 8-bit option type (can be entered using decimal, hexadecimal, or binary formats). The mask is applied as an AND to the option byte and the result is compared with the option value.

The decimal value entered for the match should be a combined value of the 8-bit option type field and not just the option number. Therefore, to match on IP packets that contain the Router Alert option (option number = 20), enter the option type of 148 (10010100).

Values—
0 to 255
ip-option-mask—
specifies a range of option numbers to use as the match criteria

This 8-bit mask can be entered using decimal, hexadecimal, or binary formats (see Table 46).

Table 46:  8-bit mask formats

Format Style    Format Syntax    Example
Decimal         DDD              20
Hexadecimal     0xHH             0x14
Binary          0bBBBBBBBB       0b00010100

Default—
255 (decimal) (exact match)
Values—
0 to 255

multiple-option

Syntax 
multiple-option {true | false}
no multiple-option
Context 
config>filter>ip-filter>entry>match
Description 

This command configures matching packets that contain more than one option field in the IP header as an IP filter match criterion.

The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.

This command applies to IPv4 filters only.

Default 

no multiple-option

Parameters 
true—
specifies matching on IP packets that contain more than one option field in the header
false—
specifies matching on IP packets that do not contain multiple option fields in the header

option-present

Syntax 
option-present {true | false}
no option-present
Context 
config>filter>ip-filter>entry>match
Description 

This command configures matching packets that contain the option field or have an option field of 0 in the IP header as an IP filter match criterion.

The no form of the command removes the checking of the option field in the IP header as a match criterion.

This command applies to IPv4 filters only.

Parameters 
true—
specifies matching on all IP packets that contain the option field in the header. A match will occur for all packets that have the option field present. An option field of 0 is considered as no option present.
false—
specifies matching on IP packets that do not have any option field present in the IP header (an option field of 0)
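The following Python example is added here and is not code from the 7705 SAR reference or from Nokia. It decodes the IPv4 header fields that the fragment, ip-option, option-present and multiple-option criteria above inspect, and applies each criterion as the reference describes, so the Router Alert case (option type 148, not option number 20) and the mask-and-compare rule can be checked against packets constructed inline. The packet builder, the sample packets and the treatment of a zero (EOL) option octet as "no option present" are this example's own assumptions, not platform behaviour quoted from the reference.

```python
import struct
from dataclasses import dataclass


@dataclass
class Ipv4Info:
    """Header fields the fragment / ip-option / option-present / multiple-option criteria inspect."""
    more_fragments: bool
    fragment_offset: int
    options: list  # option-type octets found in the header, in order


def parse_ipv4(pkt: bytes) -> Ipv4Info:
    """Decode the flags/offset word and walk the option list of an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    frag_word = struct.unpack("!H", pkt[6:8])[0]
    more_fragments = bool(frag_word & 0x2000)   # MF flag
    fragment_offset = frag_word & 0x1FFF        # 13-bit offset in 8-octet units
    options = []
    i = 20
    while i < ihl:
        typ = pkt[i]
        if typ == 0:          # EOL (type 0) is padding: counted as no option (assumption)
            break
        if typ == 1:          # NOP is a single octet with no length field
            options.append(typ)
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed IPv4 option")
        options.append(typ)
        i += length
    return Ipv4Info(more_fragments, fragment_offset, options)


def option_type_octet(copied: int, opt_class: int, number: int) -> int:
    """Assemble the 8-bit option type: 1 bit copied flag, 2 bits class, 5 bits number."""
    return (copied & 1) << 7 | (opt_class & 0x3) << 5 | (number & 0x1F)


def option_type_fields(octet: int) -> dict:
    """Split an option type octet back into its three fields."""
    return {"copied": octet >> 7, "class": (octet >> 5) & 0x3, "number": octet & 0x1F}


# The four IPv4-only criteria, evaluated as the reference describes them.
def match_fragment(info: Ipv4Info, value: bool) -> bool:
    fragmented = info.more_fragments or info.fragment_offset != 0
    return fragmented == value


def match_option_present(info: Ipv4Info, value: bool) -> bool:
    return (len(info.options) > 0) == value


def match_multiple_option(info: Ipv4Info, value: bool) -> bool:
    return (len(info.options) > 1) == value


def match_ip_option(info: Ipv4Info, value: int, mask: int = 255) -> bool:
    """ip-option: the mask is ANDed with the option octet and the result compared with value."""
    return any((opt & mask) == value for opt in info.options)


def build_ipv4(options: bytes = b"", more_fragments: bool = False,
               offset: int = 0, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed test packet (checksum left at 0, dummy UDP payload)."""
    opts = options + b"\x00" * (-len(options) % 4)     # pad option list to 32 bits with EOL
    ihl = 5 + len(opts) // 4
    flags_off = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, flags_off, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + opts + payload


# Constructed sample packets
PLAIN = build_ipv4()
ROUTER_ALERT = build_ipv4(options=bytes([148, 4, 0, 0]))            # type 148: copied=1, class 0, number 20
NOP_AND_ROUTER_ALERT = build_ipv4(options=bytes([1, 148, 4, 0, 0]))
TAIL_FRAGMENT = build_ipv4(offset=185)                              # MF clear but offset != 0
FIRST_FRAGMENT = build_ipv4(more_fragments=True)


def evaluate(pkt: bytes) -> dict:
    """What an entry with each criterion configured would see for this packet."""
    info = parse_ipv4(pkt)
    return {
        "fragment": match_fragment(info, True),
        "option-present": match_option_present(info, True),
        "multiple-option": match_multiple_option(info, True),
        "ip-option 148": match_ip_option(info, 148),                 # whole-octet Router Alert match
        "ip-option 20": match_ip_option(info, 20),                   # option number alone never matches
        "ip-option 20 mask 0x1f": match_ip_option(info, 20, 0x1F),   # mask away copied/class bits
    }


if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("router-alert", ROUTER_ALERT),
                      ("nop+router-alert", NOP_AND_ROUTER_ALERT),
                      ("tail-fragment", TAIL_FRAGMENT), ("first-fragment", FIRST_FRAGMENT)]:
        print(name, evaluate(pkt))
```

Running it shows that ip-option 20 never matches a Router Alert packet while ip-option 148, or ip-option 20 with mask 0x1f, does; the mask form is the one to use when the copied flag or class bits should not matter. A non-initial fragment matches fragment true even with MF clear, so a filter that only inspects the first fragment needs an explicit fragment entry.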

src-ip

Syntax 
src-ip {ip-address/mask | ip-address netmask}
no src-ip
Context 
config>filter>ip-filter>entry>match
Description 

This command configures a source IPv4 address range to be used as an IP filter match criterion.

To match on the source IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of the command removes the source IP address match criterion.

Default 

no src-ip

Parameters 
ip-address —
the IP prefix for the IP match criterion in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255
mask—
the subnet mask length expressed as a decimal integer
Values—
0 to 32
netmask—
any mask expressed in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255

src-ip

Syntax 
src-ip ipv6-address/prefix-length
no src-ip
Context 
config>filter>ipv6-filter>entry>match
Description 

This command configures a source IPv6 address range to be used as an IP filter match criterion.

To match on the source IP address, specify the address and prefix length; for example, 11::12/128.

The no form of the command removes the source IP address match criterion.

Default 

n/a

Parameters 
ipv6-address/prefix-length—
the source IPv6 prefix and prefix length for the match criterion
Values—
ipv6-address      x:x:x:x:x:x:x:x (eight 16-bit pieces)
                           x:x:x:x:x:x:d.d.d.d
                           x:    [0 to FFFF]H
                           d:    [0 to 255]D
prefix-length      0 to 128

src-mac

Syntax 
src-mac ieee-address
no src-mac
Context 
config>filter>mac-filter>entry>match
Description 

This command configures a source MAC address to be used as a MAC filter match criterion.

The no form of the command removes the source MAC address as the match criterion.

Default 

no src-mac

Parameters 
ieee-address—
the 48-bit IEEE MAC address to be used as a match criterion
Values—
xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx, where x is a hexadecimal digit

src-port

Syntax 
src-port {lt | gt | eq} src-port-number
src-port range start end
no src-port
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures a source TCP or UDP port number or port range for an IP filter match criterion.

The no form of the command removes the source port match criterion.

Default 

no src-port

Parameters 
lt | gt | eq—
use relative to src-port-number for specifying the port number match criteria:

lt specifies that all port numbers less than src-port-number match

gt specifies that all port numbers greater than src-port-number match

eq specifies that src-port-number must be an exact match

src-port-number—
the source port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535
start end—
specifies an inclusive range of port numbers to be used as a match criterion. The source port numbers start and end are expressed as decimal integers.
Values—
1 to 65535

tcp-ack

Syntax 
tcp-ack {true | false}
no tcp-ack
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The no form of the command removes the criterion from the match entry.

Default 

no tcp-ack

Parameters 
true—
specifies matching on IP packets that have the ACK bit set in the control bits of the TCP header of an IP packet
false—
specifies matching on IP packets that do not have the ACK bit set in the control bits of the TCP header of the IP packet

tcp-syn

Syntax 
tcp-syn {true | false}
no tcp-syn
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The SYN bit is normally set when the source of the packet wants to initiate a TCP session with the specified destination IP address.

The no form of the command removes the criterion from the match entry.

Default 

no tcp-syn

Parameters 
true—
specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header
false—
specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header
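The example below is added here and is not part of the 7705 SAR reference. It models an ip-filter policy built from the dst-port (lt, gt, eq, range), tcp-syn, tcp-ack and fragment criteria documented above and evaluates constructed packets against it. It assumes that entries are evaluated in ascending entry-id order with the first match deciding the action and default-action covering everything else, and that port and TCP flag criteria cannot match a non-initial fragment, which carries no transport header; the filter contents and the packets are constructed for illustration and are not taken from the reference.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Packet:
    protocol: int                       # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dst_port: Optional[int] = None      # None: no transport header visible (non-initial fragment)
    syn: bool = False
    ack: bool = False
    fragment: bool = False              # MF set or fragment offset != 0


@dataclass
class Entry:
    """One ip-filter entry; None means the criterion is not configured."""
    entry_id: int
    action: str                                 # "drop" or "forward"
    protocol: Optional[int] = None
    dst_port: Optional[Tuple] = None            # ("eq"|"lt"|"gt", n) or ("range", start, end)
    tcp_syn: Optional[bool] = None
    tcp_ack: Optional[bool] = None
    fragment: Optional[bool] = None


def port_matches(spec: Tuple, port: Optional[int]) -> bool:
    """dst-port semantics: lt, gt, eq, or an inclusive range."""
    if port is None:                     # nothing to compare against
        return False
    op = spec[0]
    if op == "eq":
        return port == spec[1]
    if op == "lt":
        return port < spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown port operator {op}")


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol is not None and p.protocol != e.protocol:
        return False
    if e.fragment is not None and p.fragment != e.fragment:
        return False
    if e.dst_port is not None and not port_matches(e.dst_port, p.dst_port):
        return False
    # tcp-syn / tcp-ack need a TCP header; a tail fragment has none (model assumption)
    if e.tcp_syn is not None and (p.dst_port is None or p.syn != e.tcp_syn):
        return False
    if e.tcp_ack is not None and (p.dst_port is None or p.ack != e.tcp_ack):
        return False
    return True


@dataclass
class IpFilter:
    filter_id: int
    default_action: str
    entries: list = field(default_factory=list)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First match in ascending entry-id order wins, else default-action (assumption)."""
        for e in sorted(self.entries, key=lambda e: e.entry_id):
            if entry_matches(e, p):
                return e.action, e.entry_id
        return self.default_action, None


# Inbound filter for a web server: new TCP connections only to 443, replies to
# connections the server itself opened (tcp-ack true), everything else dropped.
INBOUND = IpFilter(10, "drop", [
    Entry(10, "forward", protocol=6, dst_port=("eq", 443), tcp_syn=True, tcp_ack=False),
    Entry(20, "forward", protocol=6, tcp_ack=True),
    Entry(30, "drop", protocol=6, fragment=True),   # tail fragments match no port/flag entry
])

# Same first two entries with default-action forward: what slips past a port/flag policy.
PERMISSIVE = IpFilter(11, "forward", INBOUND.entries[:2])

# Constructed sample packets
NEW_HTTPS = Packet(6, 443, syn=True)
NEW_SSH = Packet(6, 22, syn=True)
REPLY = Packet(6, 51000, ack=True)
ACK_SCAN = Packet(6, 22, ack=True)            # ACK-only probe: statelessly identical to a reply
TAIL_FRAGMENT = Packet(6, None, fragment=True)
UDP_DNS = Packet(17, 53)


def run(filt: IpFilter) -> dict:
    samples = {"new-https": NEW_HTTPS, "new-ssh": NEW_SSH, "reply": REPLY,
               "ack-scan": ACK_SCAN, "tail-fragment": TAIL_FRAGMENT, "udp-dns": UDP_DNS}
    return {name: filt.evaluate(p) for name, p in samples.items()}


if __name__ == "__main__":
    for f in (INBOUND, PERMISSIVE):
        print(f"filter {f.filter_id} default {f.default_action}: {run(f)}")
```

Two limits of a stateless tcp-ack true entry stand out in the output: an ACK-only probe to port 22 is forwarded exactly like a reply, and with default-action forward a tail fragment passes every port-based entry. Entry 30 in the inbound filter is the explicit fragment rule that closes the second gap; only stateful inspection, such as the NAT session table in the next section, closes the first.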

NAT Policy Commands

abort

Syntax 
abort
Context 
config>security
Description 

This command discards changes made to a security feature.

Default 

n/a

begin

Syntax 
begin
Context 
config>security
Description 

This command enters the mode to create or edit security features.

Default 

n/a

commit

Syntax 
commit
Context 
config>security
Description 

This command saves changes made to security features.

Default 

n/a

profile

Syntax 
profile profile-id [create]
no profile profile-id
Context 
config>security
Description 

This command configures a profile group that provides a context within which you can configure security features such as session idle timeouts. Profile 1 is a default profile and cannot be modified.

The no form of the command removes the configured profile group.

Default 

1

Parameters 
profile-id—
specifies the ID of the profile group
Values—
1 to 65535

name

Syntax 
name profile-name
no name profile-name
Context 
config>security>profile
Description 

This command configures a profile group name.

The no form of the command removes the configured profile group name.

Parameters 
profile-name—
 specifies the name of the profile
Values—
1 to 32 characters (must start with a letter)

timeouts

Syntax 
timeouts
Context 
config>security>profile
Description 

This command configures session idle timeouts for this policy.

icmp-request

Syntax 
icmp-request [days days] [hrs hours] [min minutes] [sec seconds]
no icmp-request
Context 
config>security>profile>timeouts
Description 

This command sets the timeout for a half-open NAT ICMP session. A half-open NAT ICMP session is created when an ICMP request is sent but no ICMP response is received.

The no form of the command removes the timeout set for icmp-request.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

tcp-established

Syntax 
tcp-established [days days] [hrs hours] [min minutes] [sec seconds]
no tcp-established
Context 
config>security>profile>timeouts
Description 

This command sets the timeout for a TCP session in the established state.

The no form of the command removes the timeout set for tcp-established.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

tcp-syn

Syntax 
tcp-syn [days days] [hrs hours] [min minutes] [sec seconds]
no tcp-syn
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a TCP session in the SYN state.

The no form of the command removes the timeout set for tcp-syn.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

tcp-time-wait

Syntax 
tcp-time-wait [days days] [hrs hours] [min minutes] [sec seconds]
no tcp-time-wait
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a TCP session in a time-wait state.

The no form of the command removes the timeout entered set for tcp-time-wait.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

tcp-transitory

Syntax 
tcp-transitory [days days] [hrs hours] [min minutes] [sec seconds]
no tcp-transitory
Context 
config>security>profile>timeouts
Description 

This command configures the idle timeout applied to a TCP session in a transitory state.

The no form of the command removes the timeout entered set for tcp-transitory.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

udp

Syntax 
udp [days days] [hrs hours] [min minutes] [sec seconds]
no udp
Context 
config>security>profile>timeouts
Description 

This command configures the UDP mapping timeout.

The no form of the command removes the UDP mapping timeout.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

udp-dns

Syntax 
udp-dns [days days] [hrs hours] [min minutes] [sec seconds]
no udp-dns
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a UDP session with destination port 53.

The no form of the command removes the udp-dns timeout.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

udp-initial

Syntax 
udp-initial [days days] [hrs hours] [min minutes] [sec seconds]
no udp-initial
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a UDP session in its initial state.

The no form of the command removes the udp-initial timeout.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1
hours—
the timeout in hours
Values—
1 to 24
minutes—
the timeout in minutes
Values—
1 to 59
seconds—
the timeout in seconds
Values—
1 to 59

policy

Syntax 
policy policy-id [create]
no policy policy-id
Context 
config>security
Description 

This command configures a policy group that provides a context within which you can configure a security policy.

The no form of the command removes the configured policy group.

Default 

n/a

Parameters 
policy-id—
 specifies the ID of the policy group
Values—
1 to 65535

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>security>policy
Description 

This command configures a NAT policy entry.

The no form of this command deletes the entry with the specified ID. When an entry is deleted, all configuration parameters for the entry are also deleted.

Parameters 
entry-id—
the entry ID number

action

Syntax 
action {forward | reject | nat}
no action
Context 
config>security>policy>entry
Description 

This command specifies what action to take (forward, reject, or nat) when packets match the entry criteria. The action keyword must be entered with one of these keywords for the entry to be active; an action command that specifies none of forward, reject, or nat is rejected.

The nat and forward actions cause a 6-tuple lookup (src/dst IP, src/dst port, protocol, src zone). If there is a match, NAT is applied and the packet is routed based on the datapath session table.

Multiple action statements entered will overwrite previous action statements when defined.

The no form of the command removes the specified action statement. An entry is considered incomplete and is rendered inactive without the action keyword.

Default 

no action

Parameters 
reject—
specifies that packets matching the entry criteria will be rejected
forward—
specifies that packets matching the entry criteria will be forwarded
nat —
specifies that packets matching the entry criteria will have NAT applied to them and a session will be created on the datapath

action nat

Syntax 
action nat [destination ip-address port tcp-udp-port]
no action
Context 
config>security>policy>entry
Description 

This command specifies the destination IP address and port to which packets that have NAT applied to them are sent.

NAT actions cause a 6-tuple lookup (src/dst IP, src/dst port, protocol, src zone). If there is a match, NAT is applied and the packet is routed based on the datapath session table.

Multiple action statements entered will overwrite previous action statements when defined.

The no form of the command removes the specified action statement. An entry is considered incomplete and is rendered inactive without the action keyword.

Default 

no action

Parameters 
destination—
specifies the static NAT (port forwarding) internal destination IP address. This parameter applies only to static destination NAT (port forwarding).
ip-address—
the static NAT inside destination IP address used for port forwarding. When configured, the original packet destination IP address is overwritten with this configured IP address.
Values—
1.0.0.0 to 223.255.255.255
port—
specifies the static NAT (port forwarding) internal destination port address. This parameter applies only to static destination NAT (port forwarding).
tcp-udp-port—
the static NAT inside destination port number used for port forwarding. When configured, the original packet destination port number is overwritten with this configured port number.
Values—
1 to 65535

limit

Syntax 
[no] limit
Context 
config>security>policy>entry
Description 

This command is used to enter the limit context.

Default 

n/a

concurrent-sessions

Syntax 
concurrent-sessions number
no concurrent-sessions
Context 
config>security>policy>entry>limit
Description 

This command specifies the maximum number of concurrent sessions that can be created by NAT within a zone.

The no form of the command returns the system to the default.

Default 

no concurrent-sessions

Parameters 
number—
the number of concurrent sessions that can be programmed for the policy
Values—
1 to 6144 (7705 SAR-8/7705 SAR-18)
1 to 4096 (7705 SAR-H/7705 SAR-Hc/7705 SAR-Wx)

match

Syntax 
match [local] protocol protocol-id
no match
Context 
config>security>policy>entry
Description 

This command configures match criteria for an entry based on the specified protocol.

The no form of the command removes the match criteria for the entry.

Default 

n/a

Parameters 
local—
matches local traffic, that is, traffic whose destination IP address is a local 7705 SAR interface address. The local parameter applies only to static destination NAT (port forwarding).
protocol-id—
configures an IP protocol to be used as a match criterion. The 7705 SAR supports protocol types TCP, UDP, and ICMP. Common protocol numbers include ICMP (1), TCP (6), and UDP (17).
Values—
0 to 32

direction

Syntax 
direction {zone-outbound | zone-inbound | both}
Context 
config>security>policy>entry>match
Description 

This command sets the direction of the traffic to be matched against the IP criteria. For example, if zone-inbound is configured, then all inbound traffic to the zone has the match criteria applied to it.

Default 

both

Parameters 
zone-outbound—
specifies packets that are outbound from the zone
zone-inbound—
specifies packets that are inbound to the zone
both—
specifies packets that are inbound to and outbound from the zone

dst-ip

Syntax 
dst-ip ip-address to ip-address
no dst-ip
Context 
config>security>policy>entry>match
Description 

This command configures the destination IP address or address range to be used in the matching criteria of a policy entry. All packets within the specified IP address range are processed for matching criteria.

The no form of the command removes the destination IP address match criteria.

Default 

n/a

Parameters 
ip-address—
the IPv4 address to be matched
Values—
0.0.0.1 to 255.255.255.255

dst-port

Syntax 
dst-port {lt | gt | eq} tcp/udp port
dst-port range start end
no dst-port
Context 
config>security>policy>entry>match
Description 

This command configures a destination protocol TCP or UDP port number or port range for the match criteria.

The no form of the command removes the destination port match criteria.

Default 

no dst-port

Parameters 
lt | gt | eq—
use relative to tcp/udp port for specifying the port number match criteria:

lt specifies that all port numbers less than tcp/udp port number match

gt specifies that all port numbers greater than tcp/udp port number match

eq specifies that tcp/udp port number must be an exact match

tcp/udp port—
the destination port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535
start end—
specifies an inclusive range of port numbers to be used as a match criterion. The destination port numbers start and end are expressed as decimal integers.
Values—
1 to 65535

icmp-code

Syntax 
icmp-code icmp-code
no icmp-code
Context 
config>security>policy>entry>match
Description 

This command configures matching on an ICMP code field in the ICMP header of an IPv4 packet as a match criterion.

This option is only meaningful if the protocol match criterion specifies ICMP (1).

The no form of the command removes the criterion from the match entry.

Default 

no icmp-code

Parameters 
icmp-code—
the ICMP code values that must be present to match
Values—
0 to 255 (values can be expressed in decimal, hexadecimal, or binary – DHB)
keywords - none | network-unreachable | host-unreachable | protocol-unreachable | port-unreachable | fragmentation-needed | source-route-failed | dest-network-unknown | dest-host-unknown | src-host-isolated | network-unreachable-for-tos | host-unreachable-for-tos

icmp-type

Syntax 
icmp-type icmp-type
no icmp-type
Context 
config>security>policy>entry>match
Description 

This command configures matching on the ICMP type field in the ICMP header of an IPv4 packet as a match criterion.

This option is only meaningful if the protocol match criterion specifies ICMP (1).

The no form of the command removes the criterion from the match entry.

Default 

no icmp-type

Parameters 
icmp-type—
the ICMP type values that must be present to match
Values—
0 to 255 (values can be expressed in decimal, hexadecimal, or binary – DHB)
keywords - none | echo-reply | dest-unreachable | source-quench | redirect | echo-request | router-advt | router-selection | time-exceeded | parameter-problem | timestamp-request | timestamp-reply | addr-mask-request | addr-mask-reply

src-ip

Syntax 
src-ip ip-address to ip-address
no src-ip
Context 
config>security>policy>entry>match
Description 

This command configures the source IP address or address range to be used in the matching criteria of a policy entry. All packets within the specified IP address range are processed for matching criteria.

The no form of the command removes the source IP address match criteria.

Default 

n/a

Parameters 
ip-address—
the IPv4 address to be matched
Values—
0.0.0.1 to 255.255.255.255

src-port

Syntax 
src-port {lt | gt | eq} tcp/udp port
src-port range start end
no src-port
Context 
config>security>policy>entry>match
Description 

This command configures a source protocol TCP or UDP port number or port range for the match criteria.

The no form of the command removes the source port match criteria.

Default 

no src-port

Parameters 
lt | gt | eq—
use relative to tcp/udp port for specifying the port number match criteria:

lt specifies that all port numbers less than tcp/udp port number match

gt specifies that all port numbers greater than tcp/udp port number match

eq specifies that tcp/udp port number must be an exact match

tcp/udp port—
the source port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535
start end—
specifies an inclusive range of port numbers to be used as a match criterion. The source port numbers start and end are expressed as decimal integers.
Values—
1 to 65535

profile

Syntax 
profile {profile-id | profile-name}
no profile
Context 
config>security>policy>entry
Description 

This command assigns an already configured profile to a policy.

The no form of the command removes the assigned profile.

Default 

1

Parameters 
profile-id—
specifies the ID of the profile group
Values—
1 to 65535
profile-name—
 specifies the name of the profile group
Values—
1 to 32 characters (must start with a letter)

name

Syntax 
name policy-name
no name policy-name
Context 
config>security>policy
Description 

This command configures a policy group name.

The no form of the command removes the configured policy group name.

Parameters 
policy-name—
 specifies the name of the policy
Values—
1 to 32 characters (must start with a letter)

session-high-wmark

Syntax 
session-high-wmark percentage
no session-high-wmark
Context 
config>security
Description 

This command configures the high-watermark threshold for NAT sessions. The alarm is raised when the high-watermark threshold is reached or exceeded. The value must be greater than or equal to the session-low-wmark value.

The no form of the command removes the high-watermark setting.

Default 

no session-high-wmark

Parameters 
percentage—
specifies the high-watermark threshold
Values—
1 to 100

session-low-wmark

Syntax 
session-low-wmark percentage
no session-low-wmark
Context 
config>security
Description 

This command configures the low-watermark threshold for NAT sessions. The alarm is cleared when the session utilization percentage is equal to or less than the low-watermark threshold. The value must be lower than or equal to the session-high-wmark value.

The no form of the command removes the low-watermark setting.

Default 

no session-low-wmark

Parameters 
percentage—
specifies the low-watermark threshold
Values—
1 to 100
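The model below is added here and is not code from the reference or from Nokia. It simulates the NAT session table that the profile timeouts, the concurrent-sessions limit and the session-high-wmark/session-low-wmark alarms govern, using seconds in place of the CLI's days/hrs/min/sec and illustrative timeout values, session limit and traffic; the alarm hysteresis follows the two watermark descriptions above (raised at or above the high mark, cleared at or below the low mark). It shows why the tcp-syn timeout is the one that matters against a SYN flood: with a long timeout the half-open sessions pin the table at the limit and legitimate connections are refused, with a short one they age out first.

```python
from dataclasses import dataclass


@dataclass
class Session:
    key: tuple      # (src ip, src port, dst ip, dst port, protocol)
    state: str      # one of the timeout names configured in the profile
    last_seen: float


class SessionTable:
    """Model of the NAT session table: per-state idle timeouts, a concurrent-sessions
    limit and high/low watermark alarm hysteresis (illustrative, not platform code)."""

    def __init__(self, timeouts: dict, concurrent_sessions: int,
                 high_wmark: int, low_wmark: int):
        if not low_wmark <= high_wmark:
            raise ValueError("session-low-wmark must not exceed session-high-wmark")
        self.timeouts = timeouts            # seconds per state (the CLI takes days/hrs/min/sec)
        self.limit = concurrent_sessions
        self.high, self.low = high_wmark, low_wmark
        self.sessions: dict = {}
        self.alarm = False
        self.alarm_events: list = []
        self.refused = 0

    def utilization(self) -> float:
        return 100.0 * len(self.sessions) / self.limit

    def _check_watermarks(self, now: float) -> None:
        u = self.utilization()
        if not self.alarm and u >= self.high:       # raised when reached or exceeded
            self.alarm = True
            self.alarm_events.append((now, "raised", u))
        elif self.alarm and u <= self.low:          # cleared when at or below the low mark
            self.alarm = False
            self.alarm_events.append((now, "cleared", u))

    def expire(self, now: float) -> int:
        """Age out sessions idle for at least their state's timeout."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_seen >= self.timeouts[s.state]]
        for k in dead:
            del self.sessions[k]
        self._check_watermarks(now)
        return len(dead)

    def packet(self, now: float, key: tuple, state: str) -> bool:
        """Refresh an existing session or create one; False when the limit refuses it."""
        self.expire(now)
        s = self.sessions.get(key)
        if s is None:
            if len(self.sessions) >= self.limit:
                self.refused += 1
                return False
            self.sessions[key] = Session(key, state, now)
        else:
            s.state, s.last_seen = state, now
        self._check_watermarks(now)
        return True


def simulate(tcp_syn_timeout: float, limit: int = 100) -> dict:
    """A SYN flood of 120 half-open sessions, then 10 legitimate connection attempts.
    Only the tcp-syn timeout differs between runs; all other values are constructed."""
    timeouts = {"tcp-syn": tcp_syn_timeout, "tcp-established": 7200, "tcp-transitory": 240,
                "tcp-time-wait": 120, "udp-initial": 30, "udp": 300, "udp-dns": 15,
                "icmp-request": 60}
    table = SessionTable(timeouts, limit, high_wmark=90, low_wmark=70)
    server = ("198.51.100.10", 443, 6)
    for i in range(120):                     # t = 0.0 .. 11.9 s, spoofed sources, SYN only
        table.packet(i * 0.1, ("10.9.9.%d" % (i % 250), 40000 + i) + server, "tcp-syn")
    flood_refused = table.refused
    accepted = 0
    for i in range(10):                      # t = 30 .. 39 s, real clients
        if table.packet(30.0 + i, ("192.0.2.%d" % (i + 1), 50000 + i) + server, "tcp-syn"):
            accepted += 1
    table.expire(100.0)                      # idle long enough for everything to age out
    return {"flood_refused": flood_refused, "legit_accepted": accepted,
            "alarms": [ev for _, ev, _ in table.alarm_events],
            "sessions_at_end": len(table.sessions)}


if __name__ == "__main__":
    print("tcp-syn 60 s:", simulate(60))
    print("tcp-syn 5 s: ", simulate(5))
```

With a 60 s tcp-syn timeout the flood fills the table, the high-watermark alarm is raised, 20 flood packets and then every legitimate connection are refused, and the alarm only clears once the half-open sessions finally expire. With a 5 s timeout the flood never holds more than about fifty sessions at once, no alarm is raised and all ten real clients get a session. The same reasoning applies to udp-initial and icmp-request, the other states an unsolicited packet can create.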

Show Commands

ip

Syntax 
ip [ip-filter-id | ipv6-filter-id] [entry entry-id] [association | counters]
Context 
show>filter
Description 

This command displays IPv4 and IPv6 filter information.

Parameters 
ip-filter-id | ipv6-filter-id—
displays detailed information for the specified filter ID and its filter entries
Values—
1 to 65535
entry-id—
displays information on the specified filter entry ID for the specified filter ID only
Values—
1 to 64
association—
appends information as to where the filter policy ID is applied to the detailed filter policy ID output
counters—
displays counter information for the specified filter ID
Output 

The following outputs are examples of IP filter information:

  1. IP filter information (Sample Output, Table 47)
  2. IP filter information with filter ID specified (Sample Output, Table 48)
  3. IP filter associations (Sample Output, Table 49)
  4. IP filter counters (Sample Output, Table 50)
Sample Output
*A-ALU-1# show filter ip
===============================================================================
IP Filters
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
1         Template Yes
3         Template Yes
6         Template Yes
10        Template No
11        Template No
-------------------------------------------------------------------------------
Num IP filters: 5
===============================================================================
*A-ALU-1#
*A-ALU-1# show filter ipv6
===============================================================================
IPv6 Filters
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
1         Template No
-------------------------------------------------------------------------------
Num IP filters: 1
===============================================================================
*A-ALU-1#
Table 47:  Show Filter Output Fields

Label          Description
Filter Id      The IP filter ID
Scope          Template — the filter policy is of type template
               Exclusive — the filter policy is of type exclusive
Applied        No — the filter policy ID has not been applied
               Yes — the filter policy ID is applied
Description    The IP filter policy description

Sample Output
*A-ALU-1# show filter ip 3
===============================================================================
IP Filter
===============================================================================
Filter Id    : 3                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 1
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 10
Description  : this is a test ip-filter entry
Log Id       : n/a
Src. IP      : 10.1.1.1/24                      Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
===============================================================================
*A-ALU-1# 
*A-ALU-1# show filter ipv6 1
===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 1
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry        : 1 (Inactive)
Description  : (Not Specified)
Log Id       : n/a
Src. IP      : ::/0                             Src. Port      : None
Dest. IP     : ::/0                             Dest. Port     : None
Next Header  : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
 
===============================================================================
*A-ALU-1# 
Table 48:  Show Filter Output Fields (Filter ID Specified)  

Label

Description

Filter Id

The IP filter policy ID

Scope

Template — the filter policy is of type template

Exclusive — the filter policy is of type exclusive

Entries

The number of entries configured in this filter ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Match Criteria

IP — the filter is an IPv4 filter policy

IPv6 — the filter is an IPv6 filter policy

Entry

The filter entry ID. If the filter entry ID indicates that the entry is Inactive, the filter entry is incomplete as no action has been specified.

Description

The IP filter policy description

Src. IP

The source IP address and prefix length match criterion

Dest. IP

The destination IP address and prefix length match criterion

Protocol

The protocol ID for the match criteria. Undefined indicates no protocol specified. (IPv4 filters only)

Next Header

The next header ID for the match criteria. Undefined indicates no next header is specified. (IPv6 filters only)

ICMP Type

The ICMP type match criterion. Undefined indicates no ICMP type is specified.

Fragment: (IPv4 filters only)

Off — configures a match on all unfragmented packets

On — configures a match on all fragmented packets

IP-Option

Specifies matching packets with a specific IP option or range of IP options in the IP header for IP filter match criteria (IPv4 filters only)

TCP-syn

Off — the SYN bit is disabled

On — the SYN bit is set

Match action

Default — the filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates that the entry is Inactive, the filter entry is incomplete as no action was specified.

Drop — drop packets matching the filter entry

Forward — forward packets matching the filter entry

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Src. Port

The source TCP or UDP port number or port range

Dest. Port

The destination TCP or UDP port number or port range

Dscp

The DSCP name

ICMP Code

The ICMP code field in the ICMP header of an IP packet

Option-present: (IPv4 filters only)

Off — does not search for packets that contain the option field or have an option field of zero

On — matches packets that contain the option field or have an option field of zero

Multiple Option: (IPv4 filters only)

Off — the option fields are not checked

On — packets containing one or more option fields in the IP header will be used as IP filter match criteria

TCP-ack

Off — the ACK bit is not matched

On — matches the ACK bit being set or reset in the control bits of the TCP header of an IP packet

Sample Output
*A-ALU-49# show filter ip 1 associations
===============================================================================
IP Filter
===============================================================================
Filter Id    : 1                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 1
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
===============================================================================
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 10
Log Id       : n/a
Src. IP      : 10.1.1.1/24                      Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : 2                                Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
Sampling     : Off                              Int. Sampling  : On
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 0                                Egr. Matches   : 0
===============================================================================
*A-ALU-49#
*A-ALU-49# show filter ipv6 1 associations
===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 1
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Association : IPv6
-------------------------------------------------------------------------------
No Match Found
===============================================================================
*A-ALU-49#
Table 49:  Show Filter Associations Output Fields  

Label

Description

Filter Id

The IP filter policy ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries configured in this filter ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Association

IP or IPv6

Entry

The filter entry ID. If the filter entry ID indicates that the entry is Inactive, the filter entry is incomplete as no action was specified.

Src. IP

The source IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.

Dest. IP

The destination IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.

Protocol

The protocol ID for the match criteria. Undefined indicates no protocol specified. (IPv4 filters only)

Next Header

The next header ID for the match criteria. Undefined indicates no next header is specified. (IPv6 filters only)

ICMP Type

The ICMP type match criterion. Undefined indicates no ICMP type specified.

Fragment: (IPv4 filters only)

Off — configures a match on all unfragmented packets

On — configures a match on all fragmented packets

TCP-syn

Off — the SYN bit is disabled

On — the SYN bit is set

Match action

Default — the filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is inactive, the filter entry is incomplete (no action was specified).

Drop — drop packets matching the filter entry

Forward — forward packets matching the filter entry

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Src. Port

The source TCP or UDP port number or port range

Dest. Port

The destination TCP or UDP port number or port range

Dscp

The DSCP name

ICMP Code

The ICMP code field in the ICMP header of an IP packet

Option-present: (IPv4 filters only)

Off — does not search for packets that contain the option field or have an option field of zero

On — matches packets that contain the option field or have an option field of zero

Multiple Option: (IPv4 filters only)

Off — the option fields are not checked

On — packets containing one or more option fields in the IP header will be used as IP filter match criteria

TCP-ack

Off — the ACK bit is not matched

On — matches the ACK bit being set or reset in the control bits of the TCP header of an IP packet

Sample Output
*A-ALU-1# show filter ip 3 counters
===============================================================================
IP Filter : 100                                                                
===============================================================================
Filter Id   : 3                                Applied         : Yes           
Scope       : Template                         Def. Action     : Drop 
Entries     : Not Available                                                    
-------------------------------------------------------------------------------
Filter Match Criteria : IP                                                     
-------------------------------------------------------------------------------
Entry       : 10                                                              
Ing. Matches: 749                              Egr. Matches    : 0
                                                                               
Entry       : 200                                                              
Ing. Matches: 0                                Egr. Matches    : 0
                                                                               
===============================================================================
*A-ALU-1#
*A-ALU-1# show filter ipv6 1 counters
===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 1
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry        : 1 (Inactive)
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
 
===============================================================================
*A-ALU-1#
Table 50:  Show Filter Counters Output Fields  

Label

Description

Filter Id

The IP filter policy ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries configured in this filter ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Match Criteria

IP — indicates the filter is an IPv4 filter policy

IPv6 — indicates the filter is an IPv6 filter policy

Entry

The filter entry ID. If the filter entry ID indicates the entry is (Inactive), the filter entry is incomplete as no action has been specified.

Ing. Matches

The number of ingress filter matches/hits for the filter entry

log

Syntax 
log [bindings]
log log-id [match string]
Context 
show>filter
Description 

This command displays filter log information. When a filter log command is used with a MAC filter and a packet is matched, the log entry is different from an IP filter entry: for a MAC filter, the source and destination IP addresses of incoming packets are not included in the log.

Parameters 
bindings—
displays the number of filter logs currently available
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199
string—
specifies to display the log entries starting from the first occurrence of the specified string
Values—
up to 32 characters
Output 

The following outputs are examples of filter log information:

  1. filter log information (Sample Output, Table 51)
  2. filter log bindings (Sample Output, Table 52)
Sample Output
*A-ALU-1# show filter log
===============================================================================
Filter Logs
===============================================================================
Log-Id Dest.  Id/Entries Enabled Description
-------------------------------------------------------------------------------
101    Memory 1000       Yes     Default filter log
       Wrap: Enabled
1 Entries Found
===============================================================================
*A-ALU-1#
*A-ALU-1# show filter log 101
===============================================================================
Filter Log
===============================================================================
Admin state : Enabled
Description : Default filter log
Destination : Memory
Wrap        : Enabled
-------------------------------------------------------------------------------
Maximum entries configured : 1000
Number of entries logged   : 4
2011/1124 22:10:03  Ip Filter: 1:12  Desc: Descr. for Ip Fltr Policy id # 1 entry 12
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3216  Dst IP: 10.10.11.2:0  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP
 
2011/1124 22:10:03  Ip Filter: 1:12  Desc: Descr. for Ip Fltr Policy id # 1 entry 12
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3216  Dst IP: 10.10.11.2:0  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP                         
 
2011/1124 22:10:06  Ip Filter: 1:13  Desc: Descr. for Ip Fltr Policy id # 1 entry 13
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.16:0  Dst IP: 10.10.11.2:31  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP
 
2011/1124 22:10:06  Ip Filter: 1:13  Desc: Descr. for Ip Fltr Policy id # 1 entry 13
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.16:0  Dst IP: 10.10.11.2:31  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP
 
===============================================================================
Table 51:  Show Filter Log Output Fields  

Label

Description

Log-Id

The filter log ID

Dest./Destination

The destination of the filter log: memory or syslog

Id/Entries

The number of entries configured for this filter log

Enabled

Indicates whether the log is administratively enabled

Admin State

The administrative state of the log: enabled or disabled

Description

The description string configured for the filter log

Wrap

Indicates whether the wrap-around function (circular buffer) is enabled

Maximum entries configured

The maximum number of entries allowed in this filter log

Number of entries logged

The number of entries in this filter log

(date)

The timestamp of the entry

Ip Filter

The filter ID and entry ID

Desc.

The description string for the filter log

SDP

The SDP using this filter

Direction

The direction of the traffic being filtered

Action

The action taken as a result of the filter

Src MAC

The source MAC address of the packet

Dst MAC

The destination MAC address of the packet

EtherType

The Ethertype of the packet

Src IP

The source IP address of the packet

Dst IP

The destination IP address of the packet

Flags

The number of flags associated with the packet

TOS

The type of service for the packet expressed as a hexadecimal number. Use the show>qos>dscp-table command to see the definitions of the numbers.

TTL

The time to live setting remaining for the packet

Protocol

The protocol used for the packet
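As an added example (not part of the original reference), a Python parser for the record layout shown in the show filter log output above. It splits the fixed header (Admin state, Destination, Wrap, Maximum entries configured, Number of entries logged) from the per-packet records, tolerates MAC-filter records that carry no Src IP/Dst IP line, and flags the caveat a defender needs: a memory log with wrap-around disabled stops recording once it is full, so missing entries do not mean missing hits. The sample text is constructed, and the "Mac Filter:" header token used for the MAC-filter record is an assumption, since the page only shows IP filter records.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "show filter log 101" body shown on this
# page (values made up, not captured from a device). Wrap is Disabled and the
# log is full on purpose. The third record imitates a MAC-filter hit: it has
# no "Src IP"/"Dst IP" line, and its "Mac Filter:" header token is assumed.
SAMPLE_LOG = """\
Admin state : Enabled
Description : Default filter log
Destination : Memory
Wrap        : Disabled
-------------------------------------------------------------------------------
Maximum entries configured : 3
Number of entries logged   : 3
2011/1124 22:10:03  Ip Filter: 1:12  Desc: Descr. for Ip Fltr Policy id # 1 entry 12
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3216  Dst IP: 10.10.11.2:0  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP

2011/1124 22:10:06  Ip Filter: 1:13  Desc: Descr. for Ip Fltr Policy id # 1 entry 13
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.16:0  Dst IP: 10.10.11.2:31  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP

2011/1124 22:10:09  Mac Filter: 11:1  Desc: (Not Specified)
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 00-11-22-33-44-55  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0806
"""

# Record header: "<date> <time>  <Ip|Mac> Filter: <filter-id>:<entry-id>  Desc: <text>"
RECORD_HEAD = re.compile(
    r"^(?P<ts>\d{4}/\d{4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<kind>\w+) Filter:\s+(?P<filter_id>\d+):(?P<entry_id>\d+)\s+Desc:\s*(?P<desc>.*)$"
)
# "Key: value" pairs on the detail lines (several per line).
DETAIL_KV = re.compile(
    r"(Src MAC|Dst MAC|Src IP|Dst IP|EtherType|Direction|Action|Protocol|SDP|Flags|TOS|TTL):\s+(\S+)"
)
# Header lines above the first record: "Key : value"
HEADER_KV = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+?)\s*$")


@dataclass
class FilterLogEntry:
    timestamp: str
    kind: str          # "Ip" on this page; "Mac" is the assumed token for MAC-filter records
    filter_id: int
    entry_id: int
    desc: str
    details: Dict[str, str] = field(default_factory=dict)

    def _endpoint(self, key: str) -> Tuple[Optional[str], Optional[int]]:
        # "10.50.1.144:3216" -> ("10.50.1.144", 3216); (None, None) when the
        # line is absent, which is the MAC-filter case described on this page.
        val = self.details.get(key)
        if val is None:
            return None, None
        addr, _, port = val.rpartition(":")
        return addr, int(port)

    @property
    def src(self) -> Tuple[Optional[str], Optional[int]]:
        return self._endpoint("Src IP")

    @property
    def dst(self) -> Tuple[Optional[str], Optional[int]]:
        return self._endpoint("Dst IP")


def parse_filter_log(text: str) -> Tuple[Dict[str, str], List[FilterLogEntry]]:
    """Split the show output into its header fields and its packet records."""
    header: Dict[str, str] = {}
    entries: List[FilterLogEntry] = []
    current: Optional[FilterLogEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "="}:   # blank or separator line
            continue
        m = RECORD_HEAD.match(line)
        if m:
            current = FilterLogEntry(m["ts"], m["kind"], int(m["filter_id"]),
                                     int(m["entry_id"]), m["desc"].strip())
            entries.append(current)
            continue
        if current is None:                        # still in the header block
            hm = HEADER_KV.match(line)
            if hm:
                header[hm["key"].strip()] = hm["val"]
            continue
        for key, val in DETAIL_KV.findall(line):   # detail line of the current record
            current.details[key] = val
    return header, entries


def log_is_saturated(header: Dict[str, str]) -> bool:
    """True when a memory log without wrap-around has reached its maximum:
    later matches are not recorded, so the log understates what was dropped."""
    if header.get("Destination", "").lower() != "memory":
        return False
    if header.get("Wrap", "").lower() == "enabled":
        return False
    try:
        logged = int(header["Number of entries logged"])
        maximum = int(header["Maximum entries configured"])
    except (KeyError, ValueError):
        return False
    return logged >= maximum


def dropped_by_source(entries: List[FilterLogEntry]) -> Dict[str, int]:
    """Count Drop records per source IP; records without an IP line are keyed by source MAC."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.details.get("Action") != "Drop":
            continue
        key = e.src[0] or e.details.get("Src MAC", "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hdr, recs = parse_filter_log(SAMPLE_LOG)
    for r in recs:
        print(r.timestamp, f"{r.kind} {r.filter_id}:{r.entry_id}", r.details.get("Action"), r.src, r.dst)
    print("drops by source:", dropped_by_source(recs))
    if log_is_saturated(hdr):
        print("warning: memory log is full and wrap-around is disabled; later hits are not recorded")
```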

Sample Output
*A-ALU-1# show filter log bindings
 
===============================================================================
Filter Log Bindings
===============================================================================
Total Log Instances (Allowed)          : 2047
Total Log Instances (In Use)           : 1
Total Log Bindings                     : 1
 
-------------------------------------------------------------------------------
Type  FilterId EntryId   Log    Instantiated
-------------------------------------------------------------------------------
 Cpm         1       2   101             Yes

====================================================================

Table 52:  Show Filter Log Bindings  

Label

Description

Total Log Instances (Allowed)

The maximum number of filter log instances allowed on the system

Total Log Instances (In Use)

The number of filter log instances currently existing on the system

Total Log Bindings

The count of the filter log bindings presently existing on the system

Type

The type of filter: CPM, IP, or MAC

FilterID

The unique identifier of the filter

EntryID

The unique identifier of an entry in the filter table

Log

The filter log identifier

Instantiated

Specifies if the filter log for this filter entry has been enabled

mac

Syntax 
mac {mac-filter-id [entry entry-id] [associations | counters]}
Context 
show>filter
Description 

This command displays MAC filter information.

Parameters 
mac-filter-id—
displays detailed information for the specified filter ID and its filter entries
Values—
1 to 65535
entry entry-id
displays information on the specified filter entry ID for the specified filter ID
Values—
1 to 65535
associations —
appends information about where the filter policy ID is applied to the detailed filter policy output
counters—
displays counter information for the specified filter ID
Output 

The following outputs are examples of MAC filter information:

  1. no parameters specified (Sample Output, Table 53)
  2. mac-filter-id specified (Sample Output, Table 54)
  3. associations specified (Sample Output, Table 55)
  4. counters specified (Sample Output, Table 56)
Sample Output

When no parameters are specified, a brief listing of MAC filters is produced.

*A-ALU-1>show>filter# mac
===============================================================================
Mac Filters                                                        Total:     3
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
11        Template No
232       Template Yes     filter-west
5000      Template No
-------------------------------------------------------------------------------
Num MAC filters: 3
===============================================================================
*A-ALU-1# 
Table 53:  Show Filter MAC (No Filter ID Specified)

Label

Description

Filter-Id

The MAC filter ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Description

The MAC filter policy description

Sample Output

When the filter ID is specified, detailed filter information for the filter ID and its entries is displayed.

*A-ALU-1# show filter mac 5000
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 5000                             Applied         : No
Scope       : Template                         Def. Action     : Drop
Entries     : 1
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry       : 5000 (Inactive)                  FrameType       : Ethernet
Description : (Not Specified)
Log Id      : n/a
Src Mac     : ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff
Dest Mac    :
Dot1p       : Undefined                        Ethertype       : Undefined
DSAP        : Undefined                        SSAP            : Undefined
Snap-pid    : Undefined                        ESnap-oui-zero  : Undefined
Match action: Drop
Ing. Matches: 0 pkts
Egr. Matches: 0 pkts
 
===============================================================================
*A-ALU-1# 
Table 54:  Show Filter MAC (Filter ID Specified)  

Label

Description

MAC Filter

Filter Id

The MAC filter policy ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Def. Action

Forward — the default action for the filter ID for packets that do not match the filter entries is to forward

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Entries

The number of entries in the filter policy

Description

The MAC filter policy description

Filter Match Criteria: Mac

Entry

The filter entry ID. If the filter entry ID indicates the entry is (Inactive), the filter entry is incomplete as no action has been specified

FrameType

Ethernet — the entry ID match frame type is Ethernet IEEE 802.3

Ethernet II — the entry ID match frame type is Ethernet Type II.

Description

The filter entry description

Log Id

The filter log identifier

Src Mac

The source MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion is specified for the filter entry

Dest Mac

The destination MAC address and mask match criterion. When both the MAC address and mask are all zeros, no criterion is specified for the filter entry

Dot1p

The IEEE 802.1p value for the match criterion. Undefined indicates that no value is specified

Ethertype

The Ethertype value match criterion

DSAP

The DSAP value match criterion. Undefined indicates that no value is specified

SSAP

The SSAP value match criterion. Undefined indicates that no value is specified

Snap-pid

The Ethernet SNAP PID value match criterion. Undefined indicates that no value is specified

Esnap-oui-zero

Non-Zero — filter entry matches a non-zero value for the Ethernet SNAP OUI

Zero — filter entry matches a zero value for the Ethernet SNAP OUI

Undefined — no Ethernet SNAP OUI value is specified

Match action

Default — the filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete as no action was specified

Drop — packets matching the filter entry criteria will be dropped

Forward — packets matching the filter entry criteria are forwarded

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Egr. Matches

The number of egress filter matches/hits for the filter entry

Sample Output
*A-ALU-1# show filter mac 11 associations
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 11                               Applied         : No
Scope       : Template                         Def. Action     : Drop
Entries     : 1
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Association : Mac
-------------------------------------------------------------------------------
No Match Found
===============================================================================
Table 55:  Show Filter MAC Associations  

Label

Description

Filter Id

The MAC filter ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries in the filter

Description

The MAC filter policy description

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Forward — the default action for the filter ID for packets that do not match the filter entries is to forward

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Association

The type of filter association

Sample Output
*A-ALU-1# show filter mac 11 counters
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 11                               Applied         : No
Scope       : Template                         Def. Action     : Drop
Entries     : 1
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry       : 11 (Inactive)                    FrameType       : Ethernet II
Ing. Matches: 0 pkts
Egr. Matches: 0 pkts
 
===============================================================================
*A-ALU-1# 
Table 56:  Show Filter MAC Counters  

Label

Description

Filter Id

The MAC filter ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries in the filter

Description

The MAC filter policy description

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Forward — the default action for the filter ID for packets that do not match the filter entries is to forward

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Match Criteria: Mac

Entry

The filter entry ID. If the filter entry ID indicates the entry is (Inactive), the filter entry is incomplete as no action has been specified.

FrameType

Ethernet — the entry ID match frame type is Ethernet IEEE 802.3

Ethernet II — the entry ID match frame type is Ethernet Type II

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Egr. Matches

The number of egress filter matches/hits for the filter entry

vlan

Syntax 
vlan [filter-id] [entry entry-id]
Context 
show>filter
Description 

This command displays VLAN filter information.

Parameters 
filter-id—
displays detailed information for the specified filter ID and its filter entries
Values—
1 to 65535
entry-id—
displays information on the specified filter entry ID for the specified filter ID
Values—
1 to 65535
Output 

The following outputs are examples of VLAN filter information:

  1. no parameters specified (Sample Output, Table 57)
  2. filter-id specified (Sample Output, Table 58)
Sample Output

When no parameters are specified, a brief listing of VLAN filters is displayed.

*A-ALU-1:show>filter# vlan
===============================================================================
VLAN Filters                                                       Total:     2
===============================================================================
Filter-Id Scope     Applied   Description                                      
-------------------------------------------------------------------------------
2         Template  Yes       VLAN_filter_2                                    
65535     Template  No                                                         
-------------------------------------------------------------------------------
Num VLAN filters: 2
===============================================================================
*A-ALU-1:show>filter#
Table 57:  Show Filter VLAN (No Filter Specified)  

Label

Description

Filter-Id

The VLAN filter ID

Scope

Template — the VLAN filter policy is always of type Template

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Description

The VLAN filter policy description

Sample Output

When the filter ID is specified, detailed filter information for the filter ID and its entries is displayed.

*A:7705custDoc:Sar18>show>filter# vlan 2
===============================================================================
VLAN Filter
===============================================================================
Filter Id    : 2                                Applied        : Yes
Scope        : Template                         Def. Action    : drop
Entries      : 4
Description  : VLAN_filter_2
-------------------------------------------------------------------------------
Filter Match Criteria :
-------------------------------------------------------------------------------
Entry        : 2
Description  : vlan_fltr_entry2
Match        : Untagged                         Action         : forward
 
Entry        : 3
Description  : vlan_fltr_entry3
Match        : VLAN                             Action         : drop
Operation    : eq
Vlan-Id      : 2
 
Entry        : 4
Description  : vlan_fltr_entry4
Match        : VLAN                             Action         : drop
Operation    : eq
Vlan-Id      : 445
 
Entry        : 65535
Description  : (Not Specified)
Match        : VLAN                             Action         : drop
Operation    : range
From         : 2000                             To             : 3000
===============================================================================
*A:7705custDoc:Sar18>show>filter#
Table 58:  Show Filter VLAN (Filter ID Specified)

Label            Description
-------------------------------------------------------------------------------
VLAN Filter
Filter Id        The VLAN filter policy ID
Applied          No — the filter policy ID has not been applied
                 Yes — the filter policy ID is applied
Scope            Template — the filter policy is always of type Template
Def. Action      Forward — the default action for the filter ID for packets that do not match the filter entries is to forward
                 Drop — the default action for the filter ID for packets that do not match the filter entries is to drop
Entries          The number of entries in the filter policy
Description      The VLAN filter policy description
Filter Match Criteria:
Entry            The filter entry ID. If the filter entry ID indicates that the entry is (Inactive), then the filter entry is incomplete as no action has been specified
Description      The filter entry description
Match            VLAN — the type of match criteria for the entry is VLAN
                 Untagged — the type of match criteria for the entry is untagged
Action           Drop — packets matching the filter entry criteria will be dropped
                 Forward — packets matching the filter entry criteria will be forwarded
Operation        The match criteria operator. Valid operators are: lt (less than), gt (greater than), eq (equal to), and range (for a range of VLAN IDs).
Vlan-Id          The VLAN ID when the match criteria defines a specific VLAN ID
From             The start VLAN ID when the match criteria defines a VLAN ID range
To               The end VLAN ID when the match criteria defines a VLAN ID range

policy

Syntax 
policy [policy-id | policy-name] [detail] [association]
policy [policy-id | policy-name] [entry entry-id] [detail] [association]
Context 
show>security
Description 

This command displays NAT policy information.

Parameters 
policy-id—
displays detailed information for the specified policy ID
Values—
1 to 65535
policy-name—
 specifies the name of the policy
Values—
1 to 32 characters (must start with a letter)
entry-id—
displays information on the specified policy entry ID
Values—
1 to 65535
detail—
displays detailed information on the specified policy or filter ID
association—
displays counter information for the specified policy or entry ID
Output 

The following output is an example of policy information, and Table 59 describes the fields.

Sample Output
*A-ALU-1# show security policy
===============================================================================
Security Policies
===============================================================================
Policy Id    Scope          Applied        Name
-------------------------------------------------------------------------------
1            Template       Yes            Inbound Policy
2            Template       Yes            IES Policy
-------------------------------------------------------------------------------
Num of Policies: 2         
===============================================================================
*A-ALU-1# 
 
*A-ALU-1# show security policy 1 detail
===============================================================================
Security Policy
===============================================================================
Policy Id    : 1                                Applied        : Yes
Name         : Inbound Policy
Scope        : Template                         Def. Action    : Reject
Entries      : 1
Description  : common egress policy
-------------------------------------------------------------------------------
Policy Match Criteria : IP
-------------------------------------------------------------------------------
Entry            : 1                                Active         : yes
Description      : match TCP and port
Match direction  : zone-inbound
Src. IP          : None                             Src. Port      : eq21
Dest. IP         : None                             Dest. Port     : None
Protocol         : tcp                                  
ICMP Type        : Undefined                        ICMP Code      : Undefined
Profile ID       : DEFAULT                                  
Action           : nat                              Session Limit : None
Entry            : 2                                Active: Yes
Description      : match UDP and IP                 TCP-ack        : Off
Match direction  : zone-inbound
Src. IP          : 10.100.0.2                       Src. Port      : None
Dest. IP         : None                             Dest. Port     : None
Protocol         : udp                                  
ICMP Type        : Undefined                        ICMP Code      : Undefined
Profile ID       : DEFAULT                                  
Action           : nat                              Session Limit : None
===============================================================================
*A-ALU-1# 
*A-ALU-1# show security policy 1 association
===============================================================================
Security Policy
===============================================================================
Policy Id    : 1                                Applied        : Yes
Name         : Inbound Policy
Scope        : Template                         Def. Action    : Reject
Entries      : 1
Description  : common egress policy
-------------------------------------------------------------------------------
Policy Match Criteria : IP
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
Associations
Zone-Id    Name                     Type        Svc-Id        Bypass
-------------------------------------------------------------------------------
1          Service Inbound Zone     IES         100           No
-------------------------------------------------------------------------------
Num of Associations: 1         
===============================================================================
*A-ALU-1# 
 
*A-ALU-1# show security policy 1 entry 1 detail
===============================================================================
Security Policy
===============================================================================
Policy Id    : 1                                Applied        : Yes
Name         : Inbound Policy
Scope        : Template                         Def. Action    : Reject
Entries      : 2
Description  : common egress policy
-------------------------------------------------------------------------------
Policy Match Criteria : IP
-------------------------------------------------------------------------------
Entry            : 1                                Active         : yes
Description      : match TCP and port
Match direction  : zone-inbound
Src. IP          : None                             Src. Port      : eq21
Dest. IP         : None                             Dest. Port     : None
Protocol         : tcp                                  
ICMP Type        : Undefined                        ICMP Code      : Undefined
Profile ID       : DEFAULT                                  
Action           : nat                              Session Limit : None
===============================================================================
*A-ALU-1# 
Table 59:  Show Security Policy Output Fields (Detail)

Label                  Description
-------------------------------------------------------------------------------
Policy Id              The NAT policy ID
Name                   The name of the policy
Scope                  Template — the policy is of type template
                       Exclusive — the policy is of type exclusive
Entries                The number of entries configured in this policy ID
Description            The security policy description
Applied                No — the security policy ID has not been applied
                       Yes — the security policy ID is applied
Def. Action            Reject — the default action for packets that do not match the policy entries is to reject
Policy Match Criteria
Entry                  The policy entry ID
Description            The policy entry description
Match Direction        Zone inbound — the match criteria is applied to packets inbound to the zone
                       Zone outbound — the match criteria is applied to packets outbound from the zone
                       Both — the match criteria is applied to packets both inbound to and outbound from the zone
Src. IP                The source IP address and prefix length match criterion
Dest. IP               The destination IP address and prefix length match criterion
Protocol               The protocol for the match criteria. Undefined indicates no protocol specified.
ICMP Type              The ICMP type match criterion. Undefined indicates no ICMP type is specified.
Profile ID             The NAT profile ID
Active                 No — the policy match criteria entry is not active
                       Yes — the policy match criteria entry is active
Action                 Nat — applies NAT to the packets matching the profile entry
                       Reject — rejects packets matching the profile entry
                       Forward — forwards packets matching the profile entry
Src. Port              The source TCP or UDP port number or port range
Dest. Port             The destination TCP or UDP port number or port range
ICMP Code              The ICMP code field in the ICMP header of an IP packet
Session Limit          The maximum number of concurrent sessions

profile

Syntax 
profile [profile-id | name] [detail] [association]
Context 
show>security
Description 

This command displays NAT profile information.

Parameters 
profile-id—
displays detailed information for the specified profile ID
Values—
1 to 65535
name—
displays information on the specified profile name
Values—
1 to 32 characters (must start with a letter)
detail—
displays detailed information on the specified profile ID
association—
displays counter information for the specified profile ID
Output 

The following output is an example of profile information, and Table 60 describes the fields.

Sample Output
*A-ALU-1# show security profile 1 detail
===============================================================================
Security Profile
===============================================================================
Profile Id        : 1                                Applied        : Yes
Name              : DEFAULT
Description       : Default Session Profile
Timeouts          :
  TCP Syn-Rcvd    : 15 seconds 
  TCP Transitory  : 4 min 
  TCP Established : 2 hrs 4 min 
  TCP Time-Wait   : None 
  UDP Initial     : 15 seconds 
  UDP Idle        : 5 min 
  UDP DNS         : 15 seconds 
  ICMP Request    : 1 min 
===============================================================================
*A-ALU-1# 
Table 60:  Show Security Profile Output Fields (Detail)

Label            Description
-------------------------------------------------------------------------------
Profile Id       The NAT profile ID
Name             The name of the profile
Description      The profile description
TCP Syn-Rcvd     Timeout configured for a TCP session in a SYN state
TCP Transitory   Timeout configured for a TCP session in a transitory state
TCP Established  Timeout configured for a TCP session in an established state
TCP Time-Wait    Timeout configured for a TCP session in a time-wait state
UDP Initial      Timeout configured for a UDP session in an initial state
UDP Idle         Timeout configured for a UDP session in an idle state
UDP DNS          Timeout configured for a UDP session with destination port 53
ICMP Request     Timeout configured for an ICMP session in which an ICMP request is sent but no ICMP response is received
Applied          No — the security profile ID has not been applied
                 Yes — the security profile ID is applied
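
As an added example (not part of the Nokia reference), the following Python code parses the Timeouts block of the show security profile detail output shown above into seconds, so that the values can be compared against a site baseline when auditing a profile. The sample text is the page's own output embedded as a string; the function names and the one-hour baseline used in the usage call are the example's own assumptions.

```python
import re

# Constructed sample: the page's "show security profile 1 detail" output,
# embedded here as captured CLI text to parse.
SAMPLE_PROFILE_OUTPUT = """\
*A-ALU-1# show security profile 1 detail
===============================================================================
Security Profile
===============================================================================
Profile Id        : 1                                Applied        : Yes
Name              : DEFAULT
Description       : Default Session Profile
Timeouts          :
  TCP Syn-Rcvd    : 15 seconds
  TCP Transitory  : 4 min
  TCP Established : 2 hrs 4 min
  TCP Time-Wait   : None
  UDP Initial     : 15 seconds
  UDP Idle        : 5 min
  UDP DNS         : 15 seconds
  ICMP Request    : 1 min
===============================================================================
*A-ALU-1#
"""

# Unit words seen in the output, mapped to seconds (assumption: "sec" is
# accepted as well so that abbreviated output does not break the parser).
_UNIT_SECONDS = {"second": 1, "seconds": 1, "sec": 1, "min": 60, "hr": 3600, "hrs": 3600}
_DURATION_RE = re.compile(r"(\d+)\s*([a-z]+)")


def parse_duration(text):
    """Convert a timeout string such as '2 hrs 4 min' to seconds.

    'None' (timeout not configured) is returned as None; an unknown unit
    raises ValueError rather than silently producing a wrong number.
    """
    text = text.strip()
    if text.lower() == "none":
        return None
    total = 0
    parts = _DURATION_RE.findall(text.lower())
    if not parts:
        raise ValueError(f"unparseable duration {text!r}")
    for number, unit in parts:
        if unit not in _UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(number) * _UNIT_SECONDS[unit]
    return total


def parse_profile_timeouts(output):
    """Return {timeout name: seconds or None} from the indented Timeouts block."""
    timeouts = {}
    in_block = False
    for line in output.splitlines():
        if line.startswith("Timeouts"):
            in_block = True
            continue
        if in_block:
            # The block consists of indented "name : value" lines; it ends at
            # the first line that does not have that shape (the ==== rule).
            m = re.match(r"^\s+(\S.*?)\s*:\s*(.*?)\s*$", line)
            if not m:
                break
            timeouts[m.group(1)] = parse_duration(m.group(2))
    return timeouts


def timeouts_exceeding(timeouts, max_seconds):
    """Names of configured timeouts longer than max_seconds, sorted.

    Unconfigured timeouts (None) are not reported here because the output
    does not say whether 'None' means unlimited or disabled.
    """
    return sorted(name for name, secs in timeouts.items()
                  if secs is not None and secs > max_seconds)


if __name__ == "__main__":
    parsed = parse_profile_timeouts(SAMPLE_PROFILE_OUTPUT)
    for name, secs in parsed.items():
        print(f"{name:16s} {secs}")
    # Hypothetical baseline: flag anything held longer than one hour.
    print("over baseline:", timeouts_exceeding(parsed, 3600))
```

Long established-session timeouts keep entries in the session table, so a profile whose TCP Established value is far above the rest of the fleet is worth a second look against the zone's Session Limit.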

summary

Syntax 
summary
Context 
show>security
Description 

This command displays a summary of NAT security information.

Output 

The following output is an example of NAT summary information.

Sample Output
*A-ALU-1# show security summary 
===============================================================================
Security 
===============================================================================
Policy State     : Committed
Last Commit      : 07/11/2014 03:05:34
Policies         : 2
Profiles         : 2
Zones            : 2
             
Sessions         
Active           : 5223                            Limit        : 6144
Utilization      : 85% (ALARM)
Hi-Wtr-Mark      : 80%                             Lo-Wtr-Mark  : 50%
===============================================================================
*A-ALU-1# 
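
As an added example (not part of the Nokia reference), the following Python code parses the two-column show security summary output shown above, recomputes session utilization from Active and Limit, and evaluates the high- and low-water marks. The sample text is the page's own output; the treatment of the two marks as a hysteresis pair (raise at Hi-Wtr-Mark, clear only at Lo-Wtr-Mark) is an assumption of the example, since the page only shows the two values and the ALARM flag.

```python
import re

# Constructed sample: the page's "show security summary" output as captured text.
SAMPLE_SUMMARY = """\
*A-ALU-1# show security summary
===============================================================================
Security
===============================================================================
Policy State     : Committed
Last Commit      : 07/11/2014 03:05:34
Policies         : 2
Profiles         : 2
Zones            : 2

Sessions
Active           : 5223                            Limit        : 6144
Utilization      : 85% (ALARM)
Hi-Wtr-Mark      : 80%                             Lo-Wtr-Mark  : 50%
===============================================================================
*A-ALU-1#
"""

# One "Label : value" pair; a second pair on the same line starts after two or
# more spaces. Values may themselves contain colons (the Last Commit timestamp).
_PAIR_RE = re.compile(r"(\S[^:]*?)\s*:\s*(.*?)(?=\s{2,}\S[^:]*?\s*:\s|\s*$)")


def parse_summary(output):
    """Return {label: value} for every labelled field in the summary output."""
    fields = {}
    for line in output.splitlines():
        for m in _PAIR_RE.finditer(line):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def session_utilization(fields):
    """Active sessions as a whole-number percentage of the session Limit."""
    active = int(fields["Active"])
    limit = int(fields["Limit"])
    return active * 100 // limit


def device_reports_alarm(fields):
    """True when the device itself flagged the Utilization line with ALARM."""
    return "ALARM" in fields.get("Utilization", "")


def evaluate_alarm(fields, previously_in_alarm=False):
    """Alarm state derived from the water marks (assumed hysteresis semantics).

    Utilization at or above Hi-Wtr-Mark raises the alarm; it clears only once
    utilization falls to or below Lo-Wtr-Mark; in between, the previous state
    is kept so that a poller does not flap between the two thresholds.
    """
    util = session_utilization(fields)
    hi = int(fields["Hi-Wtr-Mark"].rstrip("%"))
    lo = int(fields["Lo-Wtr-Mark"].rstrip("%"))
    if util >= hi:
        return True
    if util <= lo:
        return False
    return previously_in_alarm


if __name__ == "__main__":
    f = parse_summary(SAMPLE_SUMMARY)
    print("last commit:", f["Last Commit"])
    print("utilization:", session_utilization(f), "% alarm:", evaluate_alarm(f))
```

A poller that scrapes this command can compare its own evaluation with device_reports_alarm() and raise a ticket when they disagree, which catches both a misread output format and a mark that was changed on the box without a change record.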

zone

Syntax 
zone [service service-id] [router router-instance]
zone [zone-id | zone-name] [detail]
zone [zone-id | zone-name] interface
zone [zone-id | zone-name] statistics
Context 
show>security
Description 

This command displays NAT zone information.

Parameters 
service-id—
displays detailed information for the specified service ID
Values—
1 to 2147483647
router-instance—
displays detailed information for the specified router instance
Values—
1 to 2147483647
zone-id—
displays detailed information for the specified zone ID
Values—
1 to 65534
zone-name—
displays information for the specified name
Values—
1 to 32 characters (must start with a letter)
detail—
displays detailed information on the specified zone
interface—
displays interface information for the specified zone
statistics—
displays statistics for the specified zone ID
Output 

The following output is an example of zone information:

Sample Output
*A-ALU-1# show security zone 1 statistics
===============================================================================
Zone Statistics
===============================================================================
                                                 Inbound               Outbound
-------------------------------------------------------------------------------
Total Sessions                                     76798                0
Active Sessions                                    2555                 0
Dropped                                                                         
  Packets                                          1184369              0
  Octets                                           125543114            0
Default Action                                                             
  Packets                                          1201223              623
  Octets                                           127329638            145630

nat pool

Syntax 
nat pool [pool-id | pool-name] [detail]
Context 
show>security>zone
Description 

This command displays NAT pool information.

Parameters 
pool-id—
displays detailed information for the specified zone pool ID
Values—
1 to 100
pool-name—
displays information for the specified zone pool name
Values—
1 to 32 characters (must start with a letter)
detail—
displays detailed information on the specified pool ID
Output 

The following output is an example of zone pool information:

Sample Output
*A-ALU-1# show security zone 1 nat pool 1 detail 
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
NAT Pool
===============================================================================
Pool Id          : 1                               Direction          : Inbound
Type             : source-nat
Name             : (Not Specified)
Description      : Pool 1:
-------------------------------------------------------------------------------
Entry Id         : 1                               Direction          : Inbound
IP Address       : ies-10010.30.10.1               Port               : Any  
 
-------------------------------------------------------------------------------
Num of Entries   : 1
===============================================================================
*A-ALU-1# 

policy

Syntax 
policy [entry entry-id] [detail] [statistics]
Context 
show>security>zone
Description 

This command displays NAT policy information.

Parameters 
entry-id—
displays detailed information for the specified entry ID
Values—
1 to 65535
detail—
displays detailed information on the zone policy
statistics—
displays statistics for the zone policy
Output 

The following output is an example of zone policy information:

Sample Output
*A-ALU-1# show security zone 1 policy statistics 
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
Policy
===============================================================================
Pool Id          : 1                               Direction          : Inbound
Type             : source-nat
Name             : (Not Specified)
Description      : Pool 1:
-------------------------------------------------------------------------------
Entry            : 1                               Active             : yes
Active Matches   : 1                               Session Limit      : Any
Total Matches    : 1                               
Entry            : 2                               Active             : yes
Active Matches   : 1                               Session Limit      : None
Total Matches    : 1                               
-------------------------------------------------------------------------------
Num of Entries   : 2
===============================================================================
*A-ALU-1# 

session

Syntax 
session [inbound | outbound] [forward | nat]
session [session-id] [detail]
session [session-id] [statistics]
Context 
show>security>zone
Description 

This command displays NAT session information.

Parameters 
session-id—
displays detailed information for the specified session ID
Values—
1 to 6144 (7705 SAR-8/7705 SAR-18)
1 to 4096 (7705 SAR-H/7705 SAR-Hc/7705 SAR-Wx)
inbound—
displays zone inbound sessions
outbound—
displays zone outbound sessions
forward—
displays forwarded packets
nat—
displays packets that have had NAT applied to them
detail—
displays detailed information on the zone policy
statistics—
displays statistics for the zone policy
Output 

The following output is an example of zone session information.

Sample Output
*A-ALU-1# show security zone 1 session 
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
Inbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping          
Proto      Action From     Destination
-------------------------------------------------------------------------------
00000001    NAT            <Base> 10.100.0.2:161   -->10.30.10.1:5000       
udp                        30.100.0.2:161                 
00000002    NAT            <Base> 10.100.0.2:21    -->10.30.10.1:5000       
udp                        30.100.0.2:21                 
-------------------------------------------------------------------------------
Num of Sessions   : 2
===============================================================================
             
===============================================================================
Outbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping          
Proto      Action To       Destination
-------------------------------------------------------------------------------
No Outbound Sessions   
===============================================================================
*A-ALU-1# 
Sample Output
*A-ALU-1# show security zone 1 session 1 statistics
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
Session 1 Traffic Statistics
===============================================================================
                           Forward                    Reverse                  
-------------------------------------------------------------------------------
Passed                                                              
  Packets                  2042929                    2042589             
  Octets                   216550474                  224684790             
===============================================================================
*A-ALU-1# 
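
As an added example (not part of the Nokia reference), the following Python code parses the Inbound Sessions and Outbound Sessions tables of the show security zone session output shown above. Each session occupies two lines (session ID, action, router instance, source and outside NAT mapping on the first; protocol and destination on the second), and the parser follows that record layout rather than the column headings. The sample text is the page's own output; the NatSession field names and the per-host count helper are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the page's "show security zone 1 session" output as captured text.
SAMPLE_SESSIONS = """\
*A-ALU-1# show security zone 1 session
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================

===============================================================================
Inbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping
Proto      Action From     Destination
-------------------------------------------------------------------------------
00000001    NAT            <Base> 10.100.0.2:161   -->10.30.10.1:5000
udp                        30.100.0.2:161
00000002    NAT            <Base> 10.100.0.2:21    -->10.30.10.1:5000
udp                        30.100.0.2:21
-------------------------------------------------------------------------------
Num of Sessions   : 2
===============================================================================

===============================================================================
Outbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping
Proto      Action To       Destination
-------------------------------------------------------------------------------
No Outbound Sessions
===============================================================================
*A-ALU-1#
"""


@dataclass(frozen=True)
class NatSession:
    session_id: int
    action: str
    router_instance: str   # e.g. "<Base>"
    source: str            # inside address:port
    nat_mapping: str       # outside address:port after "-->"
    proto: str
    destination: str


# First record line: id, action, <router-instance>, source, -->mapping
_FIRST_RE = re.compile(r"^(\d+)\s+(\S+)\s+(<[^>]+>)\s+(\S+)\s+-->\s*(\S+)")
# Second record line: protocol, destination
_SECOND_RE = re.compile(r"^(\S+)\s+(\S+)")


def parse_session_block(output, title):
    """Parse the block titled `title` ("Inbound Sessions" or "Outbound Sessions")."""
    lines = [l.rstrip() for l in output.splitlines()]
    sessions = []
    try:
        i = next(k for k, l in enumerate(lines) if l.strip() == title)
    except StopIteration:
        return sessions
    # Skip the title, its rule and the two column-heading lines: records
    # start after the first dashed separator that follows the title.
    while i < len(lines) and not lines[i].startswith("---"):
        i += 1
    i += 1
    while i + 1 < len(lines) and not lines[i].startswith("---"):
        if lines[i].startswith("No "):        # "No Outbound Sessions"
            break
        first = _FIRST_RE.match(lines[i])
        second = _SECOND_RE.match(lines[i + 1])
        if not (first and second):
            raise ValueError(f"unexpected session record: {lines[i]!r}")
        sessions.append(NatSession(int(first.group(1)), first.group(2),
                                   first.group(3), first.group(4), first.group(5),
                                   second.group(1), second.group(2)))
        i += 2
    return sessions


def sessions_per_source_host(sessions):
    """Count sessions per inside source IP (port stripped).

    A single host holding a large share of the zone's session limit is the
    first thing to look for when the summary reports a utilization alarm.
    """
    return Counter(s.source.rsplit(":", 1)[0] for s in sessions)


if __name__ == "__main__":
    inbound = parse_session_block(SAMPLE_SESSIONS, "Inbound Sessions")
    for s in inbound:
        print(s)
    print(sessions_per_source_host(inbound))
```

The same parser can be fed the output of a periodic poll; diffing the returned NatSession sets between polls gives session creation and teardown events without needing the per-session statistics command.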

Clear Commands

ip

Syntax 
ip ip-filter-id [entry entry-id] [ingress | egress]
Context 
clear>filter
Description 

This command clears the counters associated with the IPv4 filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Default 

clears all counters associated with the IPv4 filter policy entries

Parameters 
ip-filter-id—
the IPv4 filter policy ID
Values—
1 to 65535
entry-id—
only the counters associated with the specified filter policy entry will be cleared
Values—
1 to 64
ingress—
only the ingress counters will be cleared
egress—
only the egress counters will be cleared

ipv6

Syntax 
ipv6 ipv6-filter-id [entry entry-id] [ingress | egress]
Context 
clear>filter
Description 

This command clears the counters associated with the IPv6 filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Default 

clears all counters associated with the IPv6 filter policy entries

Parameters 
ipv6-filter-id—
the IPv6 filter policy ID
Values—
1 to 65535
entry-id—
only the counters associated with the specified filter policy entry will be cleared
Values—
1 to 64
ingress—
only the ingress counters will be cleared
egress—
only the egress counters will be cleared

log

Syntax 
log log-id
Context 
clear>filter
Description 

This command clears the entries associated with the specified filter log. The clear command applies only to logs whose destination is to memory.

Parameters 
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199

mac

Syntax 
mac mac-filter-id [entry entry-id] [ingress | egress]
Context 
clear>filter
Description 

This command clears the counters associated with the MAC filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Default 

clears all counters associated with the MAC filter policy entries

Parameters 
mac-filter-id—
the MAC filter policy ID
Values—
1 to 65535
entry-id—
only the counters associated with the specified filter policy entry will be cleared
Values—
1 to 64
ingress—
only the ingress counters will be cleared
egress—
only the egress counters will be cleared (currently not supported on the 7705 SAR)

session

Syntax 
session [session-id] [statistics]
Context 
clear>security
Description 

This command clears the specified sessions and can also clear the associated session statistics.

Parameters 
session-id—
clears the sessions associated with the specified session ID
Values—
1 to 6144 (7705 SAR-8/7705 SAR-18)
1 to 4096 (7705 SAR-H/7705 SAR-Hc/7705 SAR-Wx)
statistics—
clears statistics for the specified session ID

zone

Syntax 
zone [zone-id | zone-name]
zone [zone-id | zone-name] sessions [inbound | outbound | all]
zone [zone-id | zone-name] statistics
Context 
clear>security
Description 

This command clears NAT zone information.

Parameters 
zone-id—
specifies the zone ID
Values—
1 to 65534
zone-name—
specifies the zone name
Values—
1 to 32 characters (must start with a letter)
sessions—
removes sessions associated with the specified zone ID
inbound—
removes inbound sessions associated with the specified zone ID
outbound—
removes outbound sessions associated with the specified zone ID
all—
removes all sessions associated with the specified zone ID
statistics—
clears statistics for the specified zone ID

Monitor Commands

filter

Syntax 
filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context 
monitor
Description 

This command monitors the counters associated with the IPv4 filter policy.

Parameters 
ip-filter-id—
the IPv4 filter policy ID
Values—
1 to 65535
entry-id—
only the counters associated with the specified filter policy entry will be monitored
Values—
1 to 64
seconds—
configures the interval for each display in seconds
Values—
3 to 60
Default—
5
repeat—
configures how many times the command is repeated
Values—
1 to 999
Default—
10
absolute—
the raw statistics are displayed without processing. No calculations are performed on the delta or rate statistics.
rate—
the rate per second for each statistic is displayed instead of the delta

filter

Syntax 
filter ipv6 ipv6-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context 
monitor
Description 

This command monitors the counters associated with the IPv6 filter policy.

Parameters 
ipv6-filter-id—
the IPv6 filter policy ID
Values—
1 to 65535
entry-id—
only the counters associated with the specified filter policy entry will be monitored
Values—
1 to 64
seconds—
configures the interval for each display in seconds
Values—
3 to 60
Default—
5
repeat—
configures how many times the command is repeated
Values—
1 to 999
Default—
10
absolute—
the raw statistics are displayed without processing. No calculations are performed on the delta or rate statistics.
rate—
the rate per second for each statistic is displayed instead of the delta

filter

Syntax 
filter mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context 
monitor
Description 

This command monitors the counters associated with the MAC filter policy.

Parameters 
mac-filter-id—
the MAC filter policy ID
Values—
1 to 65535
entry-id—
only the counters associated with the specified filter policy entry will be monitored
Values—
1 to 64
seconds—
configures the interval for each display in seconds
Values—
3 to 60
Default—
5
repeat—
configures how many times the command is repeated
Values—
1 to 999
Default—
10
absolute—
the raw statistics are displayed without processing. No calculations are performed on the delta or rate statistics.
rate—
the rate per second for each statistic is displayed instead of the delta

Debug Commands

zone

Syntax 
zone zone-id | zone-name [inbound | outbound | all] [forward | reject | nat] [source ip-address mask] [destination ip-address mask]
no zone zone-id | zone-name [inbound | outbound | all] [forward | reject | nat] [source ip-address mask] [destination ip-address mask]
zone zone-id | zone-name
no zone zone-id | zone-name
Context 
debug>security
Description 

This command enables or disables debugging for the zone.

Parameters 
zone-id—
specifies the zone ID
Values—
1 to 65534
zone-name—
specifies the zone name
Values—
1 to 32 characters (must start with a letter)
ip-address—
the NAT IP address, specified in dotted-decimal notation. It is the IP host address used by the IP interface within the subnet and must be unique within that subnet.
Values—
1.0.0.0 to 223.255.255.255
mask—
the NAT IP address mask.
Values—
1.0.0.0 to 223.255.255.255
inbound—
zone inbound traffic for the specified zone ID
outbound—
zone outbound traffic for the specified zone ID
all—
all traffic for the specified zone ID
forward—
specifies forwarded packets
reject—
specifies rejected packets
nat—
specifies packets matching the entry criteria that have NAT applied to them
source—
specifies the source IP address
destination—
specifies the destination IP address