[no] cpm-filter
config>system>security
This command enables the context to configure a CPM filter (referred to as a CSM filter on the 7705 SAR). A CPM filter is a hardware filter, implemented on the network processor, that applies to all traffic destined for the CSM CPU. It can be used to drop or accept packets, as well as to allocate dedicated hardware queues for the traffic. The hardware queues are not user-configurable.
The no form of the command disables the CPM filter.
default-action {accept | drop}
config>system>security>cpm-filter
This command specifies the action to be applied to packets that do not match the criteria of any of the IP filter entries in the filter. If no filter entries are defined, every packet received is either accepted or dropped according to this default action.
Default: accept
accept: packets are accepted unless there is a specific filter entry that causes the packet to be dropped
drop: packets are dropped unless there is a specific filter entry that causes the packet to be accepted
ip-filter
config>system>security>cpm-filter
This command enables the context to configure IPv4 CPM filter parameters.
ipv6-filter
config>system>security>cpm-filter
This command enables the context to configure IPv6 CPM filter parameters.
entry entry-id [create]
no entry entry-id
config>system>security>cpm-filter>ip-filter
config>system>security>cpm-filter>ipv6-filter
This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry. A filter entry with no match criteria set matches every packet, and the entry action is taken.
The create keyword must be used with every new entry configured. After the entry has been created, you can navigate to the entry context without using the create keyword.
All IPv4 filter entries can specify one or more matching criteria. There are no range-based restrictions on any IPv4 filter entries.
For IPv6 filters, the combined number of fields for all entries in a filter must not exceed 16 fields (or 256 bits), where a field contains the bit representation of the matching criteria.
entry-id: identifies a CPM filter entry as configured on this system
action {accept | drop}
no action
config>system>security>cpm-filter>ip-filter>entry
config>system>security>cpm-filter>ipv6-filter>entry
This command specifies the action to take for packets that match this filter entry.
Default: drop
accept: packets matching the entry criteria are forwarded
drop: packets matching the entry criteria are dropped
log log-id
no log
config>system>security>cpm-filter>ip-filter>entry
config>system>security>cpm-filter>ipv6-filter>entry
This command specifies the log in which packets matching this entry should be entered. The value 0 indicates that logging is disabled.
The no form of the command deletes the log ID.
log-id: the log ID where packets matching this entry should be entered
match [protocol protocol-id]
no match
config>system>security>cpm-filter>ip-filter>entry
This command enables the context to enter match criteria for the IPv4 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.
If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
protocol-id: protocol-number or protocol-name
protocol-number: the protocol number in decimal, hexadecimal, or binary, to be used as an IP filter match criterion. Common protocol numbers include ICMP (1), TCP (6), and UDP (17). See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
protocol-name: the protocol name to be used as an IP filter match criterion. See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
match [next-header next-header]
no match
config>system>security>cpm-filter>ipv6-filter>entry
This command enables the context to enter match criteria for the IPv6 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.
If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
next-header: protocol-number or protocol-name
protocol-number: the IPv6 next header to match, expressed as a protocol number in decimal, hexadecimal, or binary. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
protocol-name: the IPv6 next header to match, expressed as a protocol name. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
dscp dscp-name
no dscp
config>system>security>cpm-filter>ip-filter>entry>match
config>system>security>cpm-filter>ipv6-filter>entry>match
This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.
The no form of the command removes the DSCP match criterion.
Default: no dscp
dscp-name: a DSCP name that has been previously mapped to a value using the dscp-name command. The DiffServ Code Point can only be specified by its name.
dst-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
no dst-ip
config>system>security>cpm-filter>ip-filter>entry>match
This command configures a destination IPv4 address range or specifies an IPv4 prefix list configured under the match-list command to be used as an IP filter match criterion. See the 7705 SAR Router Configuration Guide for information about the match-list command.
To match on the destination IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 can also be used.
The no form of the command removes the destination IPv4 address or IPv4 prefix list match criterion.
Default: no dst-ip
ip-address: the IP prefix for the IP match criterion in dotted-decimal notation
mask: the subnet mask length expressed as a decimal integer
ipv4-address-mask: the dotted-decimal equivalent of the mask length
prefix-list-name: the name of the IPv4 prefix list configured with the match-list command
dst-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
no dst-ip
config>system>security>cpm-filter>ipv6-filter>entry>match
This command configures a destination IPv6 address range or specifies an IPv6 prefix list configured under the match-list command to be used as an IP filter match criterion. See the 7705 SAR Router Configuration Guide for information about the match-list command.
To match on the destination IP address, specify the address and prefix length; for example, 11::12/128.
The no form of the command removes the destination IPv6 address or IPv6 prefix list match criterion.
Default: n/a
ipv6-address/prefix-length: the IPv6 address on the interface
ipv6-prefix-list-name: the name of the IPv6 prefix list configured with the match-list command
dst-port tcp/udp port-number [mask]
no dst-port
config>system>security>cpm-filter>ip-filter>entry>match
config>system>security>cpm-filter>ipv6-filter>entry>match
This command specifies the TCP/UDP port to match the destination port of the packet.
The no form of the command removes the destination port match criterion.
The TCP or UDP protocol must be configured using the match command before this filter can be configured.
port-number: the destination port number to be used as a match criterion
mask: the 16-bit mask to be applied when matching the destination port
fragment {true | false}
no fragment
config>system>security>cpm-filter>ip-filter>entry>match
This command configures fragmented or non-fragmented IP packets as an IP filter match criterion.
The no form of the command removes the match criterion.
This command applies to IPv4 filters only.
Default: false
true: configures a match on all fragmented IP packets. A match occurs for all packets that have either the MF (more fragments) bit set or have the Fragment Offset field of the IP header set to a non-zero value.
false: configures a match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.
icmp-code icmp-code
no icmp-code
config>system>security>cpm-filter>ip-filter>entry>match
config>system>security>cpm-filter>ipv6-filter>entry>match
This command configures matching on an ICMP code field in the ICMP header of an IP packet as an IP filter match criterion.
The ICMP protocol must be configured using the match command before this filter can be configured.
The no form of the command removes the criterion from the match entry.
Default: no icmp-code
icmp-code: icmp-code-number or icmp-code-keyword
icmp-code-number: the ICMP code number in decimal, hexadecimal, or binary, to be used as a filter match criterion
icmp-code-keyword: the ICMP code keyword to be used as a filter match criterion
icmp-type icmp-type
no icmp-type
config>system>security>cpm-filter>ip-filter>entry>match
config>system>security>cpm-filter>ipv6-filter>entry>match
This command configures matching on an ICMP type field in the ICMP header of an IP packet as an IP filter match criterion.
The ICMP protocol must be configured using the match command before this filter can be configured.
The no form of the command removes the criterion from the match entry.
Default: no icmp-type
icmp-type: icmp-type-number or icmp-type-keyword
icmp-type-number: the ICMP type number in decimal, hexadecimal, or binary, to be used as a match criterion
icmp-type-keyword: the ICMP type keyword to be used as a match criterion
ip-option ip-option-value [ip-option-mask]
no ip-option
config>system>security>cpm-filter>ip-filter>entry>match
This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion.
The option type octet contains 3 fields:
1 bit copied flag (copy options in all fragments)
2 bits option class
5 bits option number
The no form of the command removes the match criterion.
This command applies to IPv4 filters only.
Default: no ip-option
ip-option-value: the 8-bit option type (can be entered using decimal, hexadecimal, or binary formats). The mask is applied as an AND to the option byte and the result is compared with the option value.
The decimal value entered for the match should be the combined value of the full 8-bit option type field, not just the option number. Therefore, to match on IP packets that contain the Router Alert option (option number = 20), enter the option type of 148 (10010100).
ip-option-mask: specifies a range of option numbers to use as the match criteria
This 8-bit mask can be entered using decimal, hexadecimal, or binary formats as shown in Table: IP Option Formats.

Table: IP Option Formats

| Format Style | Format Syntax | Example |
|---|---|---|
| Decimal | DDD | 20 |
| Hexadecimal | 0xHH | 0x14 |
| Binary | 0bBBBBBBBB | 0b00010100 |
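The option type octet described above is easy to get wrong at the CLI because the value entered must be the whole octet, not the option number. The following Python is an added example (not Nokia's code and not part of this reference) that packs and unpacks the three fields, accepts the three literal formats from the option-format table, and models the value/mask comparison the ip-option command performs. The function names, the `demo()` helper, and the sample match values are this example's own assumptions; the Router Alert encoding (option number 20, option type 148) is the one the page gives.

```python
def option_type(copied: bool, option_class: int, number: int) -> int:
    """Pack copied flag (1 bit), option class (2 bits) and option number (5 bits)."""
    if not (0 <= option_class <= 3 and 0 <= number <= 31):
        raise ValueError("option class must be 0-3 and option number 0-31")
    return (int(copied) << 7) | (option_class << 5) | number


def split_option_type(octet: int) -> tuple:
    """Inverse of option_type(): returns (copied, class, number)."""
    return bool(octet >> 7), (octet >> 5) & 0b11, octet & 0b11111


def parse_option_literal(text: str) -> int:
    """Accept the decimal (DDD), hexadecimal (0xHH) and binary (0bBBBBBBBB) forms."""
    value = int(text, 0)  # base 0 lets int() honour the 0x and 0b prefixes
    if not 0 <= value <= 0xFF:
        raise ValueError(f"{text!r} does not fit in an 8-bit option type")
    return value


def ip_option_matches(octet: int, value: int, mask: int = 0xFF) -> bool:
    """Model of 'ip-option ip-option-value [ip-option-mask]': the mask is ANDed
    with the packet's option byte and the result is compared with the value."""
    return (octet & mask) == value


# Router Alert: copied flag set, class 0, option number 20 -> 0b10010100 == 148
ROUTER_ALERT = option_type(copied=True, option_class=0, number=20)


def demo() -> dict:
    # Constructed match examples against a packet carrying the Router Alert option.
    return {
        "router_alert_octet": ROUTER_ALERT,
        "fields": split_option_type(ROUTER_ALERT),
        # the same value written in the three ways the format table lists
        "literals_agree": len({parse_option_literal(s) for s in ("20", "0x14", "0b00010100")}) == 1,
        # entering only the option number (20) does not match the full type octet ...
        "match_number_only": ip_option_matches(ROUTER_ALERT, 20),
        # ... the combined value 148 does ...
        "match_full_octet": ip_option_matches(ROUTER_ALERT, 148),
        # ... and a 0x1F mask ignores the copied flag and class, so number 20 matches in any class
        "match_with_mask": ip_option_matches(ROUTER_ALERT, 20, mask=0x1F),
    }
```

Calling `demo()` shows why the page insists on the combined value: `ip-option 20` never matches a Router Alert packet, whereas `ip-option 148` or `ip-option 20 0x1F` (mask assumed here to keep only the option-number bits) does.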
multiple-option {true | false}
no multiple-option
config>system>security>cpm-filter>ip-filter>entry>match
This command configures matching packets that contain more than one option field in the IP header as an IP filter match criterion.
The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
This command applies to IPv4 filters only.
Default: no multiple-option
true: specifies matching on IP packets that contain more than one option field in the header
false: specifies matching on IP packets that do not contain multiple option fields in the header
option-present {true | false}
no option-present
config>system>security>cpm-filter>ip-filter>entry>match
This command configures matching packets that contain the option field or have an option field of 0 in the IP header as an IP filter match criterion.
The no form of the command removes the checking of the option field in the IP header as a match criterion.
This command applies to IPv4 filters only.
true: specifies matching on all IP packets that contain the option field in the header. A match occurs for all packets that have the option field present. An option field of 0 is considered as no option present.
false: specifies matching on IP packets that do not have any option field present in the IP header (an option field of 0)
src-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
no src-ip
config>system>security>cpm-filter>ip-filter>entry>match
This command specifies the IPv4 address or specifies an IPv4 prefix list configured under the match-list command to be used as a match criterion for an IP filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.
To match on the source IPv4 address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 can also be used.
The no form of the command removes the source IPv4 address or IPv4 prefix list match criterion.
Default: no src-ip
ip-address: the IP prefix for the IP match criterion in dotted-decimal notation
mask: the subnet mask length expressed as a decimal integer
ipv4-address-mask: the dotted-decimal equivalent of the mask length
prefix-list-name: the name of the IPv4 prefix list configured with the match-list command
src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
no src-ip
config>system>security>cpm-filter>ipv6-filter>entry>match
This command configures a source IPv6 address range or specifies an IPv6 prefix list configured under the match-list command to be used as a match criterion for an IP filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.
To match on the source IP address, specify the address and prefix length; for example, 11::12/128.
The no form of the command removes the source IP address match criterion.
Default: n/a
ipv6-address/prefix-length: the IPv6 address on the interface
ipv6-prefix-list-name: the name of the IPv6 prefix list configured with the match-list command
src-port tcp/udp port-number [mask]
no src-port
config>system>security>cpm-filter>ip-filter>entry>match
config>system>security>cpm-filter>ipv6-filter>entry>match
This command specifies the TCP/UDP port to match the source port of the packet.
Default: no src-port
port-number: the source port number to be used as a match criterion
mask: the 16-bit mask to be applied when matching the source port
tcp-ack {true | false}
no tcp-ack
config>system>security>cpm-filter>ip-filter>entry>match
config>system>security>cpm-filter>ipv6-filter>entry>match
This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.
The no form of the command removes the criterion from the match entry.
Default: no tcp-ack
true: specifies matching on IP packets that have the ACK bit set in the control bits of the TCP header
false: specifies matching on IP packets that do not have the ACK bit set in the control bits of the TCP header
tcp-syn {true | false}
no tcp-syn
config>system>security>cpm-filter>ip-filter>entry>match
config>system>security>cpm-filter>ipv6-filter>entry>match
This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.
The SYN bit is normally set when the source of the packet wants to initiate a TCP session with the specified destination IP address.
The no form of the command removes the criterion from the match entry.
Default: no tcp-syn
true: specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header
false: specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header
renum old-entry-id new-entry-id
config>system>security>cpm-filter>ip-filter
config>system>security>cpm-filter>ipv6-filter
This command renumbers existing IP filter entries to resequence filter entries.
Resequencing may be required because evaluation stops at the first entry whose criteria match, and the action configured for that entry is then executed. Entries must therefore be sequenced from most to least explicit, so that a broad entry with a lower entry ID does not shadow a more specific entry that follows it.
old-entry-id: the entry number of an existing entry
new-entry-id: the new entry number to be assigned to the old entry
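The default-action semantics, the AND of all criteria within one match statement, the fragment test (MF bit set or non-zero offset), and the first-match ordering that renum exists to fix all fit in one small model. The Python below is an added example (not Nokia's code and not part of this reference) that evaluates constructed IPv4 packets against a constructed CPM filter with a deliberate sequencing mistake, then renumbers the entries to correct it. The class and function names, the sample entries and traffic (documentation prefixes 192.0.2.0/24 and 198.51.100.0/24), and the port-mask interpretation (mask ANDed with both the packet port and the configured port) are this example's assumptions, not behaviour stated on the page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}   # protocol numbers named on the page

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    mf: bool = False        # IPv4 More Fragments bit
    frag_offset: int = 0    # IPv4 Fragment Offset field
    syn: bool = False       # TCP SYN control bit (meaningful when protocol == 6)
    ack: bool = False       # TCP ACK control bit

@dataclass
class Entry:
    entry_id: int
    action: str                        # "accept" or "drop"
    protocol: Optional[int] = None     # None means the criterion is not configured
    src_ip: Optional[str] = None       # prefix such as "10.1.0.0/16"
    src_port: Optional[tuple] = None   # (port-number, 16-bit mask)
    dst_port: Optional[tuple] = None
    fragment: Optional[bool] = None
    tcp_syn: Optional[bool] = None
    tcp_ack: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        """Every configured criterion must hold (AND); an entry with none matches everything."""
        checks = []
        if self.protocol is not None:
            checks.append(pkt.protocol == self.protocol)
        if self.src_ip is not None:
            checks.append(ip_address(pkt.src) in ip_network(self.src_ip, strict=False))
        for want, have in ((self.src_port, pkt.src_port), (self.dst_port, pkt.dst_port)):
            if want is not None:
                port, mask = want  # assumption: mask is ANDed with both sides before comparing
                checks.append((have & mask) == (port & mask))
        if self.fragment is not None:
            # fragment true: MF bit set or non-zero offset; fragment false: neither
            checks.append((pkt.mf or pkt.frag_offset != 0) == self.fragment)
        if self.tcp_syn is not None:
            checks.append(pkt.syn == self.tcp_syn)
        if self.tcp_ack is not None:
            checks.append(pkt.ack == self.tcp_ack)
        return all(checks)

@dataclass
class CpmFilter:
    default_action: str = "accept"
    entries: list = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> tuple:
        """First match in ascending entry-id order wins; returns (action, entry_id), entry_id None for default-action."""
        for entry in sorted(self.entries, key=lambda e: e.entry_id):
            if entry.matches(pkt):
                return entry.action, entry.entry_id
        return self.default_action, None

    def renum(self, old_id: int, new_id: int) -> None:
        """Model of 'renum old-entry-id new-entry-id': move an existing entry to a new number."""
        if any(e.entry_id == new_id for e in self.entries):
            raise ValueError(f"entry {new_id} already exists")
        for e in self.entries:
            if e.entry_id == old_id:
                e.entry_id = new_id
                return
        raise KeyError(old_id)

def build_filter() -> CpmFilter:
    """Constructed policy: the broad TCP SYN drop (entry 10) wrongly precedes the specific BGP accept (entry 20)."""
    f = CpmFilter(default_action="accept")
    f.entries = [
        Entry(10, "drop", protocol=PROTO["tcp"], tcp_syn=True, tcp_ack=False),
        Entry(20, "accept", protocol=PROTO["tcp"], src_ip="192.0.2.0/24", dst_port=(179, 0xFFFF)),
        Entry(30, "drop", protocol=PROTO["icmp"], fragment=True),
    ]
    return f

# Constructed sample traffic (documentation prefixes, not real hosts).
BGP_SYN = Packet("192.0.2.7", "192.0.2.1", PROTO["tcp"], src_port=40000, dst_port=179, syn=True)
SSH_SYN = Packet("198.51.100.9", "192.0.2.1", PROTO["tcp"], src_port=40001, dst_port=22, syn=True)
ICMP_FRAG = Packet("198.51.100.9", "192.0.2.1", PROTO["icmp"], frag_offset=185)
ICMP_WHOLE = Packet("198.51.100.9", "192.0.2.1", PROTO["icmp"])

def demo() -> dict:
    f = build_filter()
    bgp_before = f.evaluate(BGP_SYN)   # entry 10 shadows entry 20: the peer's BGP SYN is dropped
    f.renum(20, 5)                     # move the specific accept ahead of the broad drop
    return {
        "bgp_before": bgp_before,
        "bgp_after": f.evaluate(BGP_SYN),
        "ssh_syn": f.evaluate(SSH_SYN),
        "icmp_frag": f.evaluate(ICMP_FRAG),
        "icmp_whole": f.evaluate(ICMP_WHOLE),   # nothing matches: default-action applies
    }
```

Calling `demo()` returns the before/after decisions: the peer's BGP SYN is dropped by entry 10 until the accept entry is renumbered ahead of it, the unsolicited SSH SYN stays dropped, the fragmented ICMP packet is caught by entry 30, and the whole ICMP packet falls through to the default-action, which is exactly the "most to least explicit" ordering the renum description calls for.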