5.7. Filter Command Reference

5.7.1. Command Hierarchies

5.7.1.1. Configuration Commands

5.7.1.1.1. IP Filter Log Configuration Commands

config
— filter
log log-id [create]
— no log log-id
description description-string
destination memory num-entries
destination syslog syslog-id
[no] shutdown
summary
[no] shutdown
summary-crit dst-addr
summary-crit src-addr
— no summary-crit
[no] wrap-around

5.7.1.1.2. IP Filter Policy Configuration Commands

config
— filter
ip-filter filter-id [create]
ip-filter {filter-id | filter-name}
— no ip-filter filter-id
default-action {drop | forward}
description description-string
entry entry-id [create]
— no entry entry-id
action [drop]
action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
— no action
description description-string
log log-id
— no log
match [protocol protocol-id]
— no match
dscp dscp-name
— no dscp
dst-ip ip-address ipv4-address-mask
dst-ip ip-address/mask
— no dst-ip
dst-port {lt | gt | eq} dst-port-number
dst-port range dst-port-number dst-port-number
— no dst-port
fragment {true | false}
— no fragment
icmp-code icmp-code
— no icmp-code
icmp-type icmp-type
— no icmp-type
ip-option ip-option-value [ip-option-mask]
— no ip-option
multiple-option {true | false}
option-present {true | false}
src-ip ip-address ipv4-address-netmask
src-ip ip-address/mask
— no src-ip
src-port {lt | gt | eq} src-port-number
src-port range src-port-number src-port-number
— no src-port
tcp-ack {true | false}
— no tcp-ack
tcp-syn {true | false}
— no tcp-syn
filter-name filter-name
— no filter-name
renum old-entry-id new-entry-id
scope {exclusive | template}
— no scope

5.7.1.1.3. IPv6 Filter Policy Configuration Commands

config
— filter
ipv6-filter ipv6-filter-id [create]
ipv6-filter {filter-id | filter-name}
— no ipv6-filter ipv6-filter-id
default-action {drop | forward}
description description-string
entry entry-id [create]
— no entry entry-id
action {drop | forward}
— no action
description description-string
log log-id
— no log
match [next-header next-header]
— no match
dscp dscp-name
— no dscp
dst-ip ipv6-address/prefix-length
— no dst-ip
dst-port {lt | gt | eq} dst-port-number
dst-port range dst-port-number dst-port-number
— no dst-port
icmp-code icmp-code
— no icmp-code
icmp-type icmp-type
— no icmp-type
src-ip ipv6-address/prefix-length
— no src-ip
src-port {lt | gt | eq} src-port-number
src-port range src-port-number src-port-number
— no src-port
tcp-ack {true | false}
— no tcp-ack
tcp-syn {true | false}
— no tcp-syn
filter-name filter-name
— no filter-name
renum old-entry-id new-entry-id
scope {exclusive | template}
— no scope

5.7.1.1.4. MAC Filter Policy Commands

config
— filter
mac-filter filter-id [create]
mac-filter {filter-id | filter-name}
— no mac-filter filter-id
default-action {drop | forward}
description description-string
entry entry-id [create]
— no entry entry-id
action [drop]
action forward
— no action
description description-string
log log-id
— no log
match frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}
— no match
dst-mac ieee-address
— no dst-mac
etype 0x0600..0xffff
— no etype
src-mac ieee-address
— no src-mac
filter-name filter-name
— no filter-name
renum old-entry-id new-entry-id
scope {exclusive | template}
— no scope

5.7.1.1.5. VLAN Filter Policy Commands

config
— filter
vlan-filter filter-id [create]
vlan-filter {filter-id | filter-name}
— no vlan-filter filter-id
default-action {drop | forward}
description description-string
entry entry-id [create]
— no entry entry-id
action {drop | forward}
— no action
description description-string
match vlan {lt | gt | eq} vlan-id
match vlan range vlan-id to vlan-id
match untagged
— no match
filter-name filter-name
— no filter-name
renum old-entry-id new-entry-id

5.7.1.1.6. IP Exception Filter Policy Configuration Commands

config
— filter
ip-exception filter-id [create]
[no] ip-exception {filter-id | filter-name}
description description-string
entry entry-id [create]
— no entry entry-id
description description-string
match [protocol protocol-id]
— no match
dst-ip {ip-address/mask | ip-address ipv4-address-mask}
— no dst-ip
dst-port {lt | gt | eq} dst-port-number
dst-port range dst-port-number dst-port-number
— no dst-port
icmp-code icmp-code
— no icmp-code
icmp-type icmp-type
— no icmp-type
src-ip {ip-address/mask | ip-address ipv4-address-mask}
— no src-ip
src-port {lt | gt | eq} src-port-number
src-port range src-port-number src-port-number
— no src-port
filter-name filter-name
— no filter-name
renum old-entry-id new-entry-id
scope {exclusive | template}
— no scope

5.7.1.1.7. Security Policy Commands

config
— security
abort
app-group {group-id | name} [create]
— no app-group {group-id | name}
description description-string
— no description
entry entry-id [create]
— no entry entry-id
match [protocol protocol-id]
— no match
dst-port {lt | gt | eq} port
dst-port range start end
— no dst-port
icmp-code icmp-code
— no icmp-code
icmp-type icmp-type
— no icmp-type
src-port {lt | gt | eq} port
src-port range start end
— no src-port
name name
— no name
begin
commit
host-group {group-id | name} [create]
— no host-group {group-id | name}
description description-string
— no description
host ip-address [to ip-address]
— no host
name name
— no name
logging
log-id {log-id | log-name} [create]
— no log-id {log-id | log-name}
description description-string
— no description
destination {memory [size] | syslog syslog-id}
— no destination
name name
— no name
profile {logging-profile-id | logging-profile-name}
[no] shutdown
[no] wrap-around
profile {profile-id | profile-name} [create]
— no profile {profile-id | profile-name}
description description-string
— no description
event-control event-type [event event] {suppress | throttle | off}
name name
— no name
policer-group {group-id | name} [create]
— no policer-group {group-id | name}
description description-string
— no description
name name
— no name
rate rate cbs size [bytes | kilobytes]
— no rate
policy {policy-id | policy-name} [create]
— no policy {policy-id | policy-name}
description description-string
entry entry-id [create]
— no entry entry-id
action {forward | reject | drop | nat}
action nat [destination ip-address port tcp-udp-port]
description description-string
[no] limit
logging {to log-id {log-id | name} | suppressed | to zone}
— no logging
match [local] [protocol protocol-id]
match [app-group {group-id | name}]
— no match
direction {zone-outbound | zone-inbound | both}
dst-ip ip-address to ip-address
dst-ip host-group {group-id | name}
— no dst-ip
dst-port {lt | gt | eq} port
dst-port range start end
— no dst-port
icmp-code icmp-code
— no icmp-code
icmp-type icmp-type
— no icmp-type
src-ip ip-address to ip-address
src-ip host-group {group-id | name}
— no src-ip
src-port {lt | gt | eq} port
src-port range start end
— no src-port
profile {profile-id | profile-name}
— no profile
name policy-name
— no name
profile {profile-id | profile-name} [create]
— no profile {profile-id | profile-name}
alg {auto | ftp | tftp}
— no alg
[no] assurance
dns
[no] reply-only
icmp
[no] limit-type3
request-limit packets
ip
options {permit ip-option-mask | permit-any}
options ip-option-name [ip-option-name]
tcp
[no] strict
description description-string
fwd-policer-group {group-id | name}
[no] name profile-name
rev-policer-group {group-id | name}
[no] timeouts
icmp-request [min minutes] [sec seconds] [strict | idle]
other-sessions [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
tcp-established [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
tcp-syn [days days] [hrs hours] [min minutes] [sec seconds]
— no tcp-syn
tcp-time-wait [min minutes] [sec seconds]
tcp-transitory [days days] [hrs hours] [min minutes] [sec seconds]
udp [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
— no udp
udp-dns [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
— no udp-dns
udp-initial [min minutes] [sec seconds]
session-high-wmark percentage
session-low-wmark percentage

5.7.1.2. Show Commands

show
— filter
ip [ip-filter-id | ipv6-filter-id] [entry entry-id] [association | counters]
log [bindings]
log log-id [match string]
mac {mac-filter-id [entry entry-id] [association | counters]}
vlan [filter-id [entry entry-id]]
show
— security
app-group [group-id | name] [entry entry-id] [detail]
capture [format {decode | raw}]
engine
log [log-id | name]
log events [type event-type]
log profile {log-profile-id | name} [type event-type]
log profiles
policer-group [group-id | name] [statistics]
policing-summary [group-id | name] [statistics]
policy [policy-id | name] [detail | association]
policy [policy-id | name] [entry entry-id] [detail | association]
profile [profile-id | name] [detail | association]
session-summary [service service-id] [router router-instance]
summary
zone [service service-id] [router router-instance]
zone [zone-id | name] [detail | interface | statistics]
nat pool [pool-id | name] [detail]
policy [entry entry-id] [detail | statistics]
session [inbound | outbound] [forward | nat]
session session-id [detail | statistics]

5.7.1.3. Clear Commands

clear
— filter
ip ip-filter-id [entry entry-id] [ingress | egress]
ipv6 ipv6-filter-id [entry entry-id] [ingress | egress]
log log-id
mac mac-filter-id [entry entry-id] [ingress | egress]
— security
session session-id statistics
zone [zone-id | name] statistics
zone [zone-id | name] sessions [inbound | outbound | all]

5.7.1.4. Monitor Commands

monitor
filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
filter ipv6 ipv6-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
filter mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

5.7.2. Command Descriptions

5.7.2.1. Configuration Commands

5.7.2.1.1. Generic Commands

description

Syntax 
description description-string
no description
Context 
config>filter>ip-exception
config>filter>ip-exception>entry
config>filter>ip-filter
config>filter>log
config>filter>ip-filter>entry
config>filter>ipv6-filter
config>filter>ipv6-filter>entry
config>filter>mac-filter
config>filter>mac-filter>entry
config>filter>vlan-filter
config>filter>vlan-filter>entry
config>security>policy
config>security>policy>entry
config>security>profile
Description 

This command creates a text description for a configuration context to help identify the content in the configuration file.

The no form of the command removes any description string from the context.

Default 

n/a

Parameters 
description-string—
the description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

shutdown

Syntax 
[no] shutdown
Context 
config>filter>log
config>filter>log>summary
Description 

The shutdown command administratively disables the entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many objects must be shut down before they may be deleted. Many entities must be explicitly enabled using the no shutdown command.

Unlike other commands and parameters where the default state is not indicated in the configuration file, shutdown and no shutdown are always indicated in system-generated configuration files.

The no form of the command puts an entity into the administratively enabled state.

Default 

no shutdown

5.7.2.1.2. Filter Log Commands

log

Syntax 
log log-id [create]
no log log-id
Context 
config>filter
Description 

This command enables the context to create a filter log policy.

The no form of the command deletes the filter log ID. The log cannot be deleted if there are filter entries configured to write to the log. All filter entry logging associations need to be removed before the log can be deleted.

Default 

log 101

Special Cases 
Filter log 101—
filter log 101 is the default log and is automatically created by the system. Filter log 101 is always a memory filter log and cannot be changed to a syslog filter log. The log size defaults to 1000 entries. The number of entries and wraparound behavior can be edited.
Parameters 
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199

 

destination

Syntax 
destination memory num-entries
destination syslog syslog-id
no destination
Context 
config>filter>log
Description 

This command configures the destination for filter log entries for the specified filter log ID.

Filter logs can be sent to either memory or an existing syslog server. If the filter log destination is memory, the maximum number of entries in the log must be specified.

The no form of the command deletes the filter log association.

Default 

no destination

Parameters 
num-entries—
specifies that the destination of the filter log ID is a memory log. The num-entries value is the maximum number of entries in the filter log expressed as a decimal integer.
Values—
1 to 50000

 

 syslog-id—
specifies that the destination of the filter log ID is a syslog server. The syslog-id parameter is the identifier of the syslog server.
Values—
1 to 10

 

summary

Syntax 
summary
Context 
config>filter>log
Description 

This command enables the context to configure log summarization. These settings apply only if syslog is the log destination.

summary-crit

Syntax 
summary-crit dst-addr
summary-crit src-addr
no summary-crit
Context 
config>filter>log>summary
Description 

This command defines the key on which received log packets are summarized, that is, the index of the summary mini-table. If the key is changed while summary is in the no shutdown state, the mini-table is flushed and rebuilt with the new key. Log packets received during the rebuild are handled as if summarization were not active.

The no form of the command reverts to the default parameter.

Default 

dst-addr

Parameters 
dst-addr—
specifies that received log packets are summarized based on the destination IP address
src-addr—
specifies that received log packets are summarized based on the source IP address

wrap-around

Syntax 
[no] wrap-around
Context 
config>filter>log
Description 

This command configures a memory filter log to store log entries until full or to store the most recent log entries (circular buffer).

Specifying wrap-around configures the memory filter log to store the most recent filter log entries (circular buffer). When the log is full, the oldest filter log entries are overwritten with new entries.

The no form of the command configures the memory filter log to accept filter log entries until full. When the memory filter log is full, filter logging for the log filter ID ceases.

Default 

wrap-around
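The following added example (not taken from the guide) shows both destination types in configuration-file form. Log 102 is a memory log that keeps its 5000 most recent entries as a circular buffer; log 103 sends entries to syslog server 1 and summarizes them by source address. The log IDs 102 and 103, the descriptions and the syslog ID are assumptions for illustration; the syslog server must already be configured before log 103 can reference it, and the system-created memory log 101 needs no configuration at all.

```text
    filter
        log 102 create
            description "Memory log, kept as a circular buffer"   # assumed text
            destination memory 5000
            wrap-around
            no shutdown
        exit
        log 103 create
            description "Syslog export, one line per source address"   # assumed text
            destination syslog 1     # syslog-id 1 is assumed to exist already
            summary
                summary-crit src-addr
                no shutdown
            exit
            no shutdown
        exit
    exit
```

With no wrap-around in place of wrap-around, log 102 would stop recording once its 5000 entries were used, until clear filter log 102 empties it; a burst of matching packets can therefore silence the log exactly when it is needed. The summary settings on log 103 take effect only because its destination is syslog; on a memory log they are ignored.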

5.7.2.1.3. Filter Policy Commands

ip-exception

Syntax 
ip-exception filter-id [create]
[no] ip-exception {filter-id | filter-name}
Context 
config>filter
Description 

This command creates a configuration context for an IPv4 exception filter policy. After creating an exception filter ID, you can optionally assign it a unique name with the filter-name command. The exception filter name can be used instead of the ID for exception configuration commands, show commands, monitor commands, clear commands, and port and interface association commands.

IP exception filter policies specify match criteria for packets that are to be treated as exceptions on the interface where the policy is applied: matching packets bypass the group encryption configured on that interface. For more information, refer to the ip-exception command in Router Interface Commands.

The IP exception filter policy is a template that can be applied to multiple router interface group encryption contexts as long as the scope of the policy is configured as template.

Any changes made to the existing policy, using any subcommands, are applied immediately to all network interfaces where the policy is applied.

The no form of the command deletes the IP exception filter policy. An exception filter policy cannot be deleted until it is removed from all network interfaces where it is applied.

Parameters 
filter-id—
the IP exception filter policy ID number
Values—
1 to 65535

 

filter-name—
the IP exception filter policy name, up to 64 characters in length. The name must already have been assigned to an existing IP exception filter policy.
create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.
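As an added illustration (not from the guide), the exception filter below exempts routing and first-hop redundancy control traffic, plus ICMP from a management prefix, from the group encryption on the interfaces where it is applied. The filter ID, name, entry IDs and the 192.0.2.0/24 prefix are assumptions; the protocol keywords are the IP exception filter keywords listed under the match command.

```text
    filter
        ip-exception 1 create
            description "Control traffic that must stay readable by unencrypted peers"   # assumed text
            filter-name "nge-exceptions"      # assumed name
            scope template
            entry 10 create
                description "OSPF adjacencies"
                match protocol ospf-igp
                exit
            exit
            entry 20 create
                description "VRRP advertisements"
                match protocol vrrp
                exit
            exit
            entry 30 create
                description "ICMP from the management range only"
                match protocol icmp
                    src-ip 192.0.2.0/24       # assumed management prefix
                exit
            exit
        exit
    exit
```

Every packet matched by an exception entry crosses the network unencrypted, so the list should be limited to traffic that genuinely has to be readable outside the encryption group, and entry 30 is deliberately narrowed to one source prefix rather than exempting all ICMP.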

ip-filter

Syntax 
ip-filter filter-id [create]
ip-filter {filter-id | filter-name}
no ip-filter {filter-id | filter-name}
Context 
config>filter
Description 

This command creates a configuration context for an IPv4 filter policy. After creating a filter, you can optionally assign it a unique filter name with the filter-name command. The filter name can be used instead of the filter ID to refer to a filter for filter configuration commands, show commands, monitor commands, clear commands, and port association commands.

Filter IDs and filter names support CLI auto-completion. For more information, refer to the 7705 SAR Basic System Configuration Guide, “Entering CLI Commands”.

IP filter policies specify either a forward or a drop action for packets based on the specified match criteria.

The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple network ports as long as the scope of the policy is template.

Any changes made to the existing policy, using any of the subcommands, will be applied immediately to all network interfaces where this policy is applied.

The no form of the command deletes the IP filter policy. A filter policy cannot be deleted until it is removed from all network interfaces where it is applied.

Parameters 
filter-id—
the IP filter policy ID number
Values—
1 to 65535

 

create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.
filter-name—
the filter name, up to 64 characters in length

ipv6-filter

Syntax 
ipv6-filter ipv6-filter-id [create]
ipv6-filter {ipv6-filter-id | filter-name}
no ipv6-filter {ipv6-filter-id | filter-name}
Context 
config>filter
Description 

This command creates a configuration context for an IPv6 filter policy. After creating a filter, you can optionally assign it a unique filter name with the filter-name command. The filter name can be used instead of the filter ID to refer to a filter for filter configuration commands, show commands, monitor commands, clear commands, and port association commands.

Filter IDs and Filter names support CLI auto-completion. For more information, refer to the 7705 SAR Basic System Configuration Guide, “Entering CLI Commands”.

IPv6 filter policies specify either a forward or a drop action for packets based on the specified match criteria.

The IPv6 filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple network ports as long as the scope of the policy is template.

Any changes made to the existing policy, using any of the subcommands, will be applied immediately to all network interfaces where this policy is applied.

The no form of the command deletes the IPv6 filter policy. A filter policy cannot be deleted until it is removed from all network interfaces where it is applied.

Parameters 
ipv6-filter-id—
the IPv6 filter policy ID number
Values—
1 to 65535

 

create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.
filter-name—
the filter name, up to 64 characters in length

mac-filter

Syntax 
mac-filter filter-id [create]
mac-filter {filter-id | filter-name}
no mac-filter {filter-id | filter-name}
Context 
config>filter
Description 

This command enables the context for a MAC filter policy. After creating a filter, you can optionally assign it a unique filter name with the filter-name command. The filter name can be used instead of the filter ID to refer to a filter for filter configuration commands, show commands, monitor commands, clear commands, and port association commands.

Filter IDs and Filter names support CLI auto-completion. For more information, refer to the 7705 SAR Basic System Configuration Guide, “Entering CLI Commands”.

The MAC filter policy specifies either a forward or a drop action for packets based on the specified match criteria.

The MAC filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services as long as the scope of the policy is template.

A MAC filter policy cannot be applied to a network interface, a VPRN service, or an IES service.

Any changes made to the existing policy, using any of the sub-commands, will be applied immediately to all services where this policy is applied.

The no form of the command deletes the MAC filter policy. A filter policy cannot be deleted until it is removed from all SAPs where it is applied.

Parameters 
filter-id—
the MAC filter policy ID number
Values—
1 to 65535

 

create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.
filter-name—
the filter name, up to 64 characters in length

vlan-filter

Syntax 
vlan-filter filter-id [create]
vlan-filter {filter-id | filter-name}
no vlan-filter {filter-id | filter-name}
Context 
config>filter
Description 

This command enables the context for a VLAN filter policy. After creating a filter, you can optionally assign it a unique filter name with the filter-name command. The filter name can be used instead of the filter ID to refer to a filter for filter configuration commands, show commands, monitor commands, clear commands, and port association commands.

Filter IDs and Filter names support CLI auto-completion. For more information, refer to the 7705 SAR Basic System Configuration Guide, “Entering CLI Commands”.

The VLAN filter policy specifies either a forward or a drop action for packets based on the specified match criteria.

The VLAN filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to ring ports on the 2-port 10GigE (Ethernet) Adapter card and 2-port 10GigE (Ethernet) module. Each ring port can support one VLAN filter, and the same VLAN filter can be applied to both ring ports. The scope of a VLAN policy is always template.

A VLAN filter policy cannot be applied to any other type of adapter card.

Any changes made to an existing policy, using any of the sub-commands, is applied immediately to all ring ports where this policy is applied.

The no form of the command deletes the VLAN filter policy. A filter policy cannot be deleted until it is removed from all the ring ports where it is applied.

Parameters 
filter-id—
the VLAN filter policy ID number
Values—
1 to 65535

 

create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.
filter-name—
the filter name, up to 64 characters in length

default-action

Syntax 
default-action {drop | forward}
Context 
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
config>filter>vlan-filter
Description 

This command specifies the action applied to packets that match none of the entries in the IP, IPv6, MAC, or VLAN filter.

Default 

drop

Parameters 
drop—
specifies that all packets will be dropped unless there is a specific filter entry that causes the packet to be forwarded
forward—
specifies that all packets will be forwarded unless there is a specific filter entry that causes the packet to be dropped

filter-name

Syntax 
filter-name filter-name
no filter-name
Context 
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
config>filter>vlan-filter
config>filter>ip-exception
Description 

This command creates a unique name to associate with this filter. The filter name can be used instead of the filter ID to refer to a filter for filter configuration commands, show commands, monitor commands, clear commands, and port and interface association commands.

Parameters 
filter-name—
the filter name, up to 64 characters in length

renum

Syntax 
renum old-entry-id new-entry-id
Context 
config>filter>ip-exception
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
config>filter>vlan-filter
Description 

This command renumbers existing IP, MAC, VLAN, or IP exception filter entries to properly sequence filter entries.

This may be required in some cases since the software exits when the first match is found and executes the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.

Parameters 
old-entry-id—
the entry number of an existing entry
Values—
1 to 64

 

new-entry-id—
the new entry number to be assigned to the old entry
Values—
1 to 64

 

scope

Syntax 
scope {exclusive | template}
no scope
Context 
config>filter>ip-exception
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
Description 

This command configures the filter policy scope as exclusive or template. If the scope of the policy is template and is applied to one or more network interfaces, the scope cannot be changed.

The no form of the command sets the scope of the policy to the default of template.

Default 

template

Parameters 
exclusive—
when the scope of a policy is defined as exclusive, the policy can only be applied to a single entity (network port). If an attempt is made to assign the policy to a second entity, an error message will result. If the policy is removed from the entity, it will become available for assignment to another entity.
template—
when the scope of a policy is defined as template, the policy can be applied to multiple network ports

5.7.2.1.4. General Filter Entry Commands

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>filter>ip-exception
config>filter>ip-filter
config>filter>ipv6-filter
config>filter>mac-filter
config>filter>vlan-filter
Description 

This command creates or edits a filter entry. Multiple entries can be created using unique entry-id numbers within the filter. The 7705 SAR implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly, from most to least explicit.

Filter entry IDs support CLI auto-completion. For more information, refer to the 7705 SAR Basic System Configuration Guide, “Entering CLI Commands”.

IPv4 filter entries can specify one or more matching criteria, with one caveat. In order to support the maximum 256 entries for IPv4 filters, any entry that uses source port (src-port) and/or destination port (dst-port) ranges (lt, gt, or range keywords) as match criteria must be within the first 64 entries. See the dst-port and src-port commands for more information.

An entry might not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword are considered incomplete and are rendered inactive.

The no form of the command removes the specified entry from the filter. Entries removed from the filter are immediately removed from all entities to which that filter is applied.

Default 

n/a

Parameters 
entry-id—
an entry-id uniquely identifies a match criteria and the corresponding action. It is recommended that multiple entries be given entry-ids in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.
Values—
1 to 256 (maximum applies to IPv4 filters, MAC filters, and IP exception filters only)

 

create—
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

5.7.2.1.5. IP, MAC, VLAN, and IP Exception Filter Entry Commands

action

Syntax 
action [drop]
action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
no action
Context 
config>filter>ip-filter>entry
config>filter>mac-filter>entry
Description 

This command specifies what action to take (drop or forward) when packets match the entry criteria. The action keyword must be entered for the entry to be active. If neither drop nor forward is specified, the filter action is drop.

The action forward next-hop keywords cannot be applied to multicast traffic and only apply to IPv4.

The action forward fc keywords only apply to IPv4.

Multiple action statements entered will overwrite previous action statements when defined.

The no form of the command removes the specified action statement. The filter entry is considered incomplete and is rendered inactive without the action keyword.

Default 

no action

Parameters 
drop—
specifies that packets matching the entry criteria will be dropped
forward—
specifies that packets matching the entry criteria will be forwarded
next-hop ip-address
specifies the IPv4 address of the direct next hop to which packets matching the entry criteria will be forwarded
indirect ip-address
specifies the IPv4 address of the indirect next hop to which packets matching the entry criteria will be forwarded. The direct next-hop IPv4 address and egress IP interface are determined by a route table lookup.

If the next hop is not available, a routing lookup is performed; if a match is found, the packet is forwarded to the result of that lookup. If no match is found, an “ICMP destination unreachable” message is sent back to the source.

Values—
0.0.0.0 to 255.255.255.255 (dotted-decimal notation)

 

fc fc-name
specifies the forwarding class (FC) to be used for queuing packets through the 7705 SAR. Each FC can be mapped to a different queue, or multiple FCs can be handled by the same queue.

There are eight forwarding classes, providing different classes of service. The forwarding classes are: nc (network control), h1 (high 1), ef (expedited forwarding), h2 (high 2), l1 (low 1), l2 (low 2), af (assured forwarding), be (best effort).

Values—
be, l2, af, l1, h2, ef, h1, nc

 

priority low | high
specifies the priority assigned to incoming traffic. Traffic priority is important for internal processes when some traffic may be dropped because of congestion. Low-priority traffic is dropped first.
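A complete IPv4 filter policy, added here as an illustration and not taken from the guide, pulling together default-action, scope, staggered entry IDs, logging and both action forms. Filter ID 10, the filter name, the 192.0.2.0/24 management range, the host 192.0.2.7 and the 10.0.0.1 next hop are assumptions. Entry 10 must precede entry 20: both match SSH from 192.0.2.7, and because evaluation stops at the first match, the broader permit would otherwise shadow the drop.

```text
    filter
        ip-filter 10 create
            description "Ingress ACL for the management interface"   # assumed text
            filter-name "mgmt-in"                                     # assumed name
            scope template
            default-action drop
            entry 10 create
                description "One compromised NOC host, listed before the general SSH permit"
                match protocol tcp
                    src-ip 192.0.2.7/32
                    dst-port eq 22
                exit
                log 101
                action drop
            exit
            entry 20 create
                description "SSH from the NOC range"
                match protocol tcp
                    src-ip 192.0.2.0/24
                    dst-port eq 22
                exit
                action forward
            exit
            entry 30 create
                description "TCP return traffic: ACK set, SYN clear"
                match protocol tcp
                    tcp-syn false
                    tcp-ack true
                exit
                action forward
            exit
            entry 40 create
                description "UDP replies to ephemeral ports (port range: keep within the first 64 entries)"
                match protocol udp
                    dst-port range 49152 65535
                exit
                action forward
            exit
            entry 50 create
                description "NTP from the NOC steered to 10.0.0.1 (assumed next hop) in fc af"
                match protocol udp
                    src-ip 192.0.2.0/24
                    dst-port eq 123
                exit
                action forward next-hop indirect 10.0.0.1 fc af priority low
            exit
            entry 250 create
                description "Catch-all: log what default-action drop would discard silently"
                log 101
                action drop
            exit
        exit
    exit
```

Entry 40 uses a dst-port range and is therefore kept within the first 64 entries, as the entry command requires. Entry 250 has no match criteria, so it matches everything that reaches it; its only purpose is to log traffic that default-action drop would otherwise discard without a trace. Entry 30 deserves a second look before deployment: the filter keeps no connection state, so tcp-ack true forwards any segment with the ACK bit set, including the unsolicited ACK probes used for port scanning. If IDs 11 to 19 are later used up, renum 20 25 moves the SSH permit down and frees 20 to 24 for more specific entries ahead of it.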

action

Syntax 
action {drop | forward}
no action
Context 
config>filter>ipv6-filter>entry
config>filter>vlan-filter>entry
Description 

This command specifies what action to take (drop or forward) when packets match the entry criteria. The action keyword must be entered for the entry to be active. If neither drop nor forward is specified, the filter action is drop.

Multiple action statements entered will overwrite previous action statements when defined.

The no form of the command removes the specified action statement. The filter entry is considered incomplete and is rendered inactive without the action keyword.

Default 

drop

Parameters 
drop—
specifies that packets matching the entry criteria will be dropped
forward—
specifies that packets matching the entry criteria will be forwarded

log

Syntax 
log log-id
no log
Context 
config>filter>ip-filter>entry
config>filter>ipv6-filter>entry
config>filter>mac-filter>entry
Description 

This command enables filter logging for a filter entry and specifies the destination filter log ID.

The filter log ID must exist before a filter entry can be enabled to use the filter log ID.

The no form of the command disables logging for the filter entry.

Default 

no log

Parameters 
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199

 

match

Syntax 
match [protocol protocol-id]
no match
Context 
config>filter>ip-filter>entry
config>filter>ip-exception>entry
Description 

This command enables the context to enter match criteria for the IPv4 or IP exception filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Parameters 
protocol-id—
protocol-number or protocol-name
protocol-number—
the protocol number in decimal, hexadecimal, or binary, representing the IP protocol to be used as a filter match criterion. Common protocol numbers include ICMP(1), TCP(6), and UDP(17) (see Table 75).
Values—
[0 to 255]D
[0x0 to 0xFF]H
[0b0 to 0b11111111]B

 

protocol-name—
configures the protocol name representing the IP protocol to be used as a filter match criterion
Values—
IPv4 filter keywords: none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * - udp/tcp wildcard
IP exception filter keywords: none, icmp, igmp, tcp, udp, rsvp, ospf-igp, pim, vrrp
Table 75:  IP Protocol IDs and Descriptions

Protocol ID   Protocol      Description
1             icmp          Internet Control Message
2             igmp          Internet Group Management
4             ip            IP in IP (encapsulation)
6             tcp           Transmission Control
8             egp           Exterior Gateway Protocol
9             igp           Any private interior gateway
17            udp           User Datagram
27            rdp           Reliable Data Protocol
41            ipv6          IPv6
43            ipv6-route    Routing Header for IPv6
44            ipv6-frag     Fragment Header for IPv6
45            idrp          Inter-Domain Routing Protocol
46            rsvp          Reservation Protocol
47            gre           General Routing Encapsulation
58            ipv6-icmp     ICMP for IPv6
59            ipv6-no-nxt   No Next Header for IPv6
60            ipv6-opts     Destination Options for IPv6
80            iso-ip        ISO Internet Protocol
88            eigrp         EIGRP
89            ospf-igp      OSPFIGP
97            ether-ip      Ethernet-within-IP Encapsulation
98            encap         Encapsulation Header
102           pnni          PNNI over IP
103           pim           Protocol Independent Multicast
112           vrrp          Virtual Router Redundancy Protocol
115           l2tp          Layer Two Tunneling Protocol
118           stp           Schedule Transfer Protocol
123           ptp           Performance Transparency Protocol
124           isis          ISIS over IPv4
126           crtp          Combat Radio Transport Protocol
127           crudp         Combat Radio User Datagram
132           sctp          Stream Control Transmission Protocol
137           mpls-in-ip    MPLS in IP

Note:

  1. PTP in the context of IP or IP exception filters is defined as Performance Transparency Protocol. IP protocols can be used as IP or IP exception filter match criteria; the match is made on the 8-bit protocol field in the IP header.
  2. PTP in the context of SGT QoS is defined as Precision Timing Protocol and is an application in the 7705 SAR. The PTP application name is also used in areas such as event-control and logging. Precision Timing Protocol is defined in IEEE 1588-2008.

 

match

Syntax 
match [next-header next-header]
no match
Context 
config>filter>ipv6-filter>entry
Description 

This command enables the context to enter match criteria for the IPv6 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Parameters 
next-header—
protocol-number or protocol-name
protocol-number—
the protocol number in decimal, hexadecimal, or binary, representing the IP protocol to be used as the IPv6 next header filter match criterion. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See Table 75 for a list of common protocol numbers.
Values—
[1 to 42 | 45 to 49 | 52 to 59 | 61 to 255]D
[0x0..0x2A | 0x2D..0x31 | 0x34..0x3B | 0x3D..0xFF]H
[0b0..0b101010 | 0b101101..0b110001 | 0b110100..0b111011 | 0b111101..0b11111111]B

 

protocol-name—
the protocol name to be used as the IPv6 next header filter match criterion. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See Table 75 for a list of common protocol numbers.
Values—
none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * - udp/tcp wildcard

 

match

Syntax 
match frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}
no match
Context 
config>filter>mac-filter>entry
Description 

This command enables the context for entering/editing match criteria for the filter entry and specifies an Ethernet frame type for the entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, then all criteria must be satisfied (AND function) before the action associated with the match will be executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Default 

frame-type 802dot3

Parameters 
frame-type—
configures an Ethernet frame type to be used for the MAC filter match criteria
802dot3—
specifies the frame type as Ethernet IEEE 802.3
802dot2-llc—
specifies the frame type as Ethernet IEEE 802.2 LLC
802dot2-snap—
specifies the frame type as Ethernet IEEE 802.2 SNAP
ethernet_II—
specifies the frame type as Ethernet Type II

match

Syntax 
match vlan {lt | gt | eq} vlan-id
match vlan range vlan-id to vlan-id
match untagged
no match
Context 
config>filter>vlan-filter>entry
Description 

This command accesses the match criteria for the filter entry and specifies a match criteria. If the match criteria are satisfied, the action associated with the match criteria is executed.

Only one match criterion (within one match statement) is allowed.

The no form of the command removes the match criteria for the entry-id.

Default 

no match

Parameters 
vlan {lt | gt | eq} vlan-id
specifies an operator and a vlan-id to be used for the VLAN filter match criteria (lt for less than, gt for greater than, and eq for equal to)
Values—
1 to 4094

 

vlan range vlan-id to vlan-id
specifies a range of VLAN IDs to be used for the VLAN filter match criteria.
Values—
1 to 4094

 

untagged—
specifies that Ethernet frames with no tag or dot1q header (null encapsulation) are used for the VLAN filter match criteria

5.7.2.1.6. IP, MAC, and IP Exception Filter Match Criteria Commands

dscp

Syntax 
dscp dscp-name
no dscp
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.

The no form of the command removes the DSCP match criterion.

Default 

no dscp

Parameters 
dscp-name—
a DSCP name that has been previously mapped to a value using the dscp-name command. The DiffServ Code Point may only be specified by its name.
Values—
be | cp1 | cp2 | cp3 | cp4 | cp5 | cp6 | cp7 | cs1 | cp9 | af11 | cp11 |
af12 | cp13 | af13 | cp15 | cs2 | cp17 | af21 | cp19 | af22 | cp21 |
af23 | cp23 | cs3 | cp25 | af31 | cp27 | af32 | cp29 | af33 | cp31 | cs4 |
cp33 | af41 | cp35 | af42 | cp37 | af43 | cp39 | cs5 | cp41 | cp42 |
cp43 | cp44 | cp45 | ef | cp47 | nc1 | cp49 | cp50 | cp51 | cp52 | cp53 |
cp54 | cp55 | nc2 | cp57 | cp58 | cp59 | cp60 | cp61 | cp62 | cp63

 

dst-ip

Syntax 
dst-ip {ip-address/mask | ip-address ipv4-address-mask}
no dst-ip
Context 
config>filter>ip-exception>entry>match
config>filter>ip-filter>entry>match
Description 

This command configures a destination IPv4 address range to be used as an IP filter or IP exception filter match criterion.

To match on the destination IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of the command removes the destination IP address match criterion.

Default 

n/a

Parameters 
ip-address—
the IP prefix for the IP match criterion in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255

 

mask—
the subnet mask length expressed as a decimal integer
Values—
0 to 32

 

ipv4-address-mask—
any mask expressed in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255

 

dst-ip

Syntax 
dst-ip ipv6-address/prefix-length
no dst-ip
Context 
config>filter>ipv6-filter>entry>match
Description 

This command configures a destination IPv6 address range to be used as an IP filter match criterion.

To match on the destination IP address, specify the address and prefix length; for example, 11::12/128.

The no form of the command removes the destination IP address match criterion.

Default 

n/a

Parameters 
ipv6-address/prefix-length—
the IPv6 address on the interface
Values—
ipv6-address      x:x:x:x:x:x:x:x (eight 16-bit pieces)
                           x:x:x:x:x:x:d.d.d.d
                           x:    [0 to FFFF]H
                           d:    [0 to 255]D
prefix-length      0 to 128

 

dst-mac

Syntax 
dst-mac ieee-address
no dst-mac
Context 
config>filter>mac-filter>entry>match
Description 

This command configures a destination MAC address to be used as a MAC filter match criterion.

To match on the destination MAC address, specify the IEEE address.

The no form of the command removes the destination MAC address match criterion.

Default 

no dst-mac

Parameters 
ieee-address—
the MAC address to be used as a match criterion
Values—
xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx, where x is a hexadecimal digit

 

dst-port

Syntax 
dst-port {lt | gt | eq} dst-port-number
dst-port range dst-port-number dst-port-number
no dst-port
Context 
config>filter>ip-exception>entry>match
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures a destination TCP or UDP port number or port range for an IP filter or IP exception filter match criterion.

The no form of the command removes the destination port match criterion.

Default 

n/a

Parameters 
lt | gt | eq—
operators applied to dst-port-number when specifying the port number match criterion:

lt specifies that all port numbers less than dst-port-number match

gt specifies that all port numbers greater than dst-port-number match

eq specifies that dst-port-number must be an exact match

dst-port-number—
the destination port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535

 

range—
specifies an inclusive range of port numbers to be used as a match criterion. The first dst-port-number specifies the start of the range, and the second dst-port-number specifies the end of the range.

etype

Syntax 
etype 0x600...0xffff
no etype
Context 
config>filter>mac-filter>entry>match
Description 

This command configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is a 2-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify IPv4 packets. The Ethernet type II frame Ethertype value to be used as a match criterion can be expressed as a hexadecimal (0x0600 to 0xFFFF) or a decimal (1536 to 65535) value.

The Ethernet type field is used by the Ethernet version-II frames.

The no form of the command removes the previously entered etype field as the match criteria.

Default 

no etype

fragment

Syntax 
fragment {true | false}
no fragment
Context 
config>filter>ip-filter>entry>match
Description 

This command configures fragmented or non-fragmented IP packets as an IP filter match criterion.

The no form of the command removes the match criterion.

This command applies to IPv4 filters only.

Default 

false

Parameters 
true—
configures a match on all fragmented IP packets. A match will occur for all packets that have either the MF (more fragment) bit set or have the Fragment Offset field of the IP header set to a non-zero value.
false—
configures a match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.

icmp-code

Syntax 
icmp-code icmp-code
no icmp-code
Context 
config>filter>ip-exception>entry>match
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on the ICMP code field in the ICMP header of an IPv4 or IPv6 packet as a filter match criterion, or configures matching on the ICMP code field in the ICMP header of an IPv4 packet as an exception filter match criterion.

This command applies only if the protocol match criteria specifies ICMP (1).

The no form of the command removes the criterion from the match entry.

Default 

no icmp-code

Parameters 
icmp-code—
icmp-code-number or icmp-code-keyword
icmp-code-number—
the ICMP code number in decimal, hexadecimal, or binary, to be used as a match criterion
Values—
[0 to 250]D
[0x0 to 0xFF]H
[0b0 to 0b11111111]B

 

icmp-code-keyword—
the ICMP code keyword to be used as a match criterion
Values—
For IPv6:
none, no-route-to-destination, comm-with-dest-admin-prohibited, beyond-scope-src-addr, address-unreachable, port-unreachable
For IPv4 and IP-exception:
none, network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, dest-network-unknown, dest-host-unknown, src-host-isolated, network-unreachable-for-tos, host-unreachable-for-tos

 

icmp-type

Syntax 
icmp-type icmp-type
no icmp-type
Context 
config>filter>ip-exception>entry>match
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on the ICMP type field in the ICMP header of an IPv4 or IPv6 packet as a filter match criterion, or configures matching on the ICMP type field in the ICMP header of an IPv4 packet as an exception filter match criterion.

This command applies only if the protocol match criteria specifies ICMP (1).

The no form of the command removes the criterion from the match entry.

Default 

no icmp-type

Parameters 
icmp-type—
icmp-type-number or icmp-type-keyword
icmp-type-number—
the ICMP type number in decimal, hexadecimal, or binary, to be used as a match criterion
Values—
[0 to 250]D
[0x0 to 0xFF]H
[0b0 to 0b11111111]B

 

icmp-type-keyword—
the ICMP type to be used as a match criterion
Values—
For IPv6:
none, dest-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, multicast-listen-query, multicast-listen-report, multicast-listen-done, router-solicitation, router-advt, neighbor-solicitation, neighbor-advertisement, redirect-message, router-renumbering, icmp-node-info-query, icmp-node-info-resp, inv-nd-solicitation, inv-nd-adv-message, multicast-listener-report-v2, home-agent-ad-request, home-agent-ad-reply, mobile-prefix-solicitation, mobile-prefix-advt, cert-path-solicitation, cert-path-advt, multicast-router-advt, multicast-router-solicitation, multicast-router-termination, fmipv6, rpl-control, ilnpv6-locator-update, duplicate-addr-request, duplicate-addr-confirmation
For IPv4 and IP-exception:
none, echo-reply, dest-unreachable, source-quench, redirect, echo-request, router-advt, router-selection, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, addr-mask-request, addr-mask-reply, photuris

 

ip-option

Syntax 
ip-option ip-option-value [ip-option-mask]
no ip-option
Context 
config>filter>ip-filter>entry>match
Description 

This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion.

The option type octet contains three fields:

  1. 1 bit copied flag (copy options in all fragments)
  2. 2 bits option class
  3. 5 bits option number

The no form of the command removes the match criterion.

This command applies to IPv4 filters only.

Default 

no ip-option

Parameters 
ip-option-value—
the 8-bit option type (can be entered using decimal, hexadecimal, or binary formats). The mask is applied as an AND to the option byte and the result is compared with the option value.

The decimal value entered for the match should be a combined value of the 8-bit option type field and not just the option number. Therefore, to match on IP packets that contain the Router Alert option (option number = 20), enter the option type of 148 (10010100).

Values—
0 to 255

 

ip-option-mask—
specifies a range of option numbers to use as the match criteria

This 8-bit mask can be entered using decimal, hexadecimal, or binary formats (see Table 76).

Table 76:  8-bit mask formats

Format Style    Format Syntax    Example
Decimal         DDD              20
Hexadecimal     0x               0x14
Binary          0bBBBBBBBB       0b0010100

Default—
255 (decimal) (exact match)
Values—
0 to 255

 

multiple-option

Syntax 
multiple-option {true | false}
no multiple-option
Context 
config>filter>ip-filter>entry>match
Description 

This command configures matching packets that contain more than one option field in the IP header as an IP filter match criterion.

The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.

This command applies to IPv4 filters only.

Default 

no multiple-option

Parameters 
true—
specifies matching on IP packets that contain more than one option field in the header
false—
specifies matching on IP packets that do not contain multiple option fields in the header

option-present

Syntax 
option-present {true | false}
no option-present
Context 
config>filter>ip-filter>entry>match
Description 

This command configures matching packets that contain the option field or have an option field of 0 in the IP header as an IP filter match criterion.

The no form of the command removes the checking of the option field in the IP header as a match criterion.

This command applies to IPv4 filters only.

Parameters 
true—
specifies matching on all IP packets that contain the option field in the header. A match will occur for all packets that have the option field present. An option field of 0 is considered as no option present.
false—
specifies matching on IP packets that do not have any option field present in the IP header (an option field of 0)
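The following is an added example (not code from the 7705 SAR documentation) showing how the ip-option, multiple-option and option-present criteria relate to the option type octet described above. It goes a little beyond the text by also walking the option area of a constructed IPv4 header to find the option type octets; the header builder, the sample headers and the second sample option (a Timestamp option) are constructed for this example.

```python
"""Added example: the IPv4 option type octet and the ip-option mask rule,
plus a walk over a header's option area for option-present / multiple-option.
Constructed headers carry no checksum; nothing here validates one."""


def option_type(copied: int, option_class: int, number: int) -> int:
    """Pack copied flag (1 bit), class (2 bits) and number (5 bits) into one octet."""
    if copied not in (0, 1) or not 0 <= option_class <= 3 or not 0 <= number <= 31:
        raise ValueError("option type field out of range")
    return (copied << 7) | (option_class << 5) | number


def split_option_type(value: int) -> tuple:
    """Inverse of option_type: returns (copied, class, number)."""
    if not 0 <= value <= 255:
        raise ValueError("option type must fit in 8 bits")
    return (value >> 7) & 1, (value >> 5) & 3, value & 0x1F


def ip_option_matches(option_byte: int, ip_option_value: int, ip_option_mask: int = 255) -> bool:
    """The documented rule: (option byte AND mask) is compared with ip-option-value.
    The default mask of 255 therefore requires an exact match on the whole octet."""
    return (option_byte & ip_option_mask) == ip_option_value


def ipv4_options(header: bytes) -> list:
    """Return the option type octets present in the header's option area.
    Type 0 (end of option list) stops the walk and is not counted, in line with
    the page's note that an option field of 0 means no option is present;
    type 1 (NOP) is a single octet; every other option carries a length octet."""
    ihl = header[0] & 0x0F
    if ihl < 5 or len(header) < ihl * 4:
        raise ValueError("truncated or malformed IPv4 header")
    area = header[20:ihl * 4]
    types, i = [], 0
    while i < len(area):
        t = area[i]
        if t == 0:
            break
        if t == 1:
            i += 1
            continue
        if i + 1 >= len(area) or area[i + 1] < 2 or i + area[i + 1] > len(area):
            raise ValueError("option length runs past the option area")
        types.append(t)
        i += area[i + 1]
    return types


def option_present(header: bytes) -> bool:
    """option-present true: at least one option (other than type 0) is carried."""
    return len(ipv4_options(header)) > 0


def multiple_option(header: bytes) -> bool:
    """multiple-option true: more than one option field in the header."""
    return len(ipv4_options(header)) > 1


def build_ipv4_header(options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (zero checksum) carrying the given options."""
    options += b"\x00" * ((-len(options)) % 4)      # pad option area to 32 bits
    ihl = 5 + len(options) // 4
    fixed = bytes([0x40 | ihl, 0]) + (20 + len(options)).to_bytes(2, "big") + bytes(16)
    return fixed + options


# Router Alert: copied=1, class=0, number=20 -> 148 (0b10010100), as in the text
ROUTER_ALERT_TYPE = option_type(1, 0, 20)
ROUTER_ALERT_OPTION = bytes([ROUTER_ALERT_TYPE, 4, 0, 0])
# constructed second option: Timestamp (copied=0, class=2, number=4 -> 68)
TIMESTAMP_OPTION = bytes([option_type(0, 2, 4), 4, 5, 0])
NOP = b"\x01"

# constructed sample headers
PLAIN_HEADER = build_ipv4_header()
RA_HEADER = build_ipv4_header(ROUTER_ALERT_OPTION)
TWO_OPTION_HEADER = build_ipv4_header(ROUTER_ALERT_OPTION + NOP + TIMESTAMP_OPTION)
```

With the default mask, ip-option 148 matches only the Router Alert octet; with mask 0x1F (31) only the 5-bit option number is compared, so any option numbered 20 matches regardless of its copied flag and class.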

src-ip

Syntax 
src-ip {ip-address/mask | ip-address ipv4-address-mask}
no src-ip
Context 
config>filter>ip-exception>entry>match
config>filter>ip-filter>entry>match
Description 

This command configures a source IPv4 address range to be used as an IP filter or IP exception filter match criterion.

To match on the source IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.

The no form of the command removes the source IP address match criterion.

Default 

no src-ip

Parameters 
ip-address—
the IP prefix for the IP match criterion in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255

 

mask—
the subnet mask length expressed as a decimal integer
Values—
0 to 32

 

ipv4-address-mask—
any mask expressed in dotted-decimal notation
Values—
0.0.0.0 to 255.255.255.255

 

src-ip

Syntax 
src-ip ipv6-address/prefix-length
no src-ip
Context 
config>filter>ipv6-filter>entry>match
Description 

This command configures a source IPv6 address range to be used as an IP filter match criterion.

To match on the source IP address, specify the address and prefix length; for example, 11::12/128.

The no form of the command removes the source IP address match criterion.

Default 

n/a

Parameters 
ipv6-address/prefix-length—
the IPv6 address on the interface
Values—
ipv6-address      x:x:x:x:x:x:x:x (eight 16-bit pieces)
                           x:x:x:x:x:x:d.d.d.d
                           x:    [0 to FFFF]H
                           d:    [0 to 255]D
prefix-length      0 to 128

 

src-mac

Syntax 
src-mac ieee-address
no src-mac
Context 
config>filter>mac-filter>entry>match
Description 

This command configures a source MAC address to be used as a MAC filter match criterion.

The no form of the command removes the source MAC address as the match criterion.

Default 

no src-mac

Parameters 
ieee-address—
the 48-bit IEEE MAC address to be used as a match criterion
Values—
xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx, where x is a hexadecimal digit

 

src-port

Syntax 
src-port {lt | gt | eq} src-port-number
src-port range src-port-number src-port-number
no src-port
Context 
config>filter>ip-exception>entry>match
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures a source TCP or UDP port number or port range for an IP filter or IP exception filter match criterion.

The no form of the command removes the source port match criterion.

Default 

no src-port

Parameters 
lt | gt | eq—
operators applied to src-port-number when specifying the port number match criterion:

lt specifies that all port numbers less than src-port-number match

gt specifies that all port numbers greater than src-port-number match

eq specifies that src-port-number must be an exact match

src-port-number—
the source port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535

 

range—
specifies an inclusive range of port numbers to be used as a match criterion. The first src-port-number specifies the start of the range, and the second src-port-number specifies the end of the range.

tcp-ack

Syntax 
tcp-ack {true | false}
no tcp-ack
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The no form of the command removes the criterion from the match entry.

Default 

no tcp-ack

Parameters 
true—
specifies matching on IP packets that have the ACK bit set in the control bits of the TCP header of an IP packet
false—
specifies matching on IP packets that do not have the ACK bit set in the control bits of the TCP header of the IP packet

tcp-syn

Syntax 
tcp-syn {true | false}
no tcp-syn
Context 
config>filter>ip-filter>entry>match
config>filter>ipv6-filter>entry>match
Description 

This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The SYN bit is normally set when the source of the packet wants to initiate a TCP session with the specified destination IP address.

The no form of the command removes the criterion from the match entry.

Default 

no tcp-syn

Parameters 
true—
specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header
false—
specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header
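The following is an added example (not code from the 7705 SAR documentation): a small model of the IPv4 filter match semantics described above (all criteria within one entry are ANDed; src-ip/dst-ip in either prefix or dotted-mask notation; src-port/dst-port with lt, gt, eq and inclusive range; fragment as MF set or non-zero offset; tcp-syn and tcp-ack), applied to constructed packets. The Packet/Entry/IpFilter classes, the sample policy and the assumption that entries are tried in ascending entry-id order with the first match deciding the action are all this example's own.

```python
"""Added example, not from the 7705 SAR documentation: a model of the IPv4 filter
match semantics described above, applied to constructed packets."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PROTOCOL_IDS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}   # subset of Table 75


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int] = None   # None when no TCP/UDP header is present,
    dst_port: Optional[int] = None   # e.g. in a non-initial fragment
    mf: bool = False                 # IP "more fragments" flag
    frag_offset: int = 0
    tcp_syn: bool = False
    tcp_ack: bool = False


def parse_prefix(text: str):
    """Accept '10.1.0.0/16' or the conventional '10.1.0.0 255.255.0.0' form."""
    if " " in text:
        addr, mask = text.split()
        text = f"{addr}/{mask}"
    return ip_network(text, strict=False)


_PORT_OPS = {"lt": lambda p, s: p < s[1], "gt": lambda p, s: p > s[1],
             "eq": lambda p, s: p == s[1], "range": lambda p, s: s[1] <= p <= s[2]}


def port_matches(spec: Optional[tuple], port: Optional[int]) -> bool:
    """spec is ('lt'|'gt'|'eq', n) or ('range', lo, hi) with an inclusive range.
    An unset criterion always matches; a packet without a port never matches a set one."""
    if spec is None:
        return True
    if port is None:
        return False
    return _PORT_OPS[spec[0]](port, spec)


@dataclass
class Entry:
    entry_id: int
    action: str                        # 'drop' or 'forward'
    protocol: Optional[object] = None  # protocol number or Table 75 name
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[tuple] = None
    dst_port: Optional[tuple] = None
    fragment: Optional[bool] = None
    tcp_syn: Optional[bool] = None
    tcp_ack: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        """Every configured criterion must hold (AND); unset criteria are ignored."""
        if self.protocol is not None:
            if pkt.protocol != PROTOCOL_IDS.get(self.protocol, self.protocol):
                return False
        for crit, addr in ((self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip)):
            if crit is not None and ip_address(addr) not in parse_prefix(crit):
                return False
        if not (port_matches(self.src_port, pkt.src_port)
                and port_matches(self.dst_port, pkt.dst_port)):
            return False
        if self.fragment is not None:
            # 'fragment true' as defined above: MF bit set or non-zero Fragment Offset
            if (pkt.mf or pkt.frag_offset != 0) != self.fragment:
                return False
        for crit, flag in ((self.tcp_syn, pkt.tcp_syn), (self.tcp_ack, pkt.tcp_ack)):
            if crit is not None and flag != crit:
                return False
        return True


@dataclass
class IpFilter:
    default_action: str = "drop"
    entries: list = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> tuple:
        """Return (action, entry-id), entry-id None when default-action applies.
        Assumed order: ascending entry-id, first matching entry wins."""
        for entry in sorted(self.entries, key=lambda e: e.entry_id):
            if entry.matches(pkt):
                return entry.action, entry.entry_id
        return self.default_action, None


# constructed policy: drop fragments, forward established TCP from 10.1.0.0/16
# to ports 80-443, forward ICMP to one host, drop everything else
EXAMPLE_FILTER = IpFilter(default_action="drop", entries=[
    Entry(10, "drop", fragment=True),
    Entry(20, "forward", protocol="tcp", src_ip="10.1.0.0 255.255.0.0",
          dst_port=("range", 80, 443), tcp_syn=False, tcp_ack=True),
    Entry(30, "forward", protocol="icmp", dst_ip="10.1.1.1/32"),
])
```

Note that a non-initial fragment carries no TCP/UDP header, so in this model it is represented with no ports and can only be caught by entry 10 or the default action; a policy that relies on port or flag criteria alone has no opinion on such packets.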

5.7.2.1.7. Security Policy Commands

abort

Syntax 
abort
Context 
config>security
Description 

This command discards changes made to a security feature.

Default 

n/a

begin

Syntax 
begin
Context 
config>security
Description 

This command enters the mode to create or edit security features.

Default 

n/a

commit

Syntax 
commit
Context 
config>security
Description 

This command saves changes made to security features.

Default 

n/a

app-group

Syntax 
app-group {group-id | name} [create]
no app-group {group-id | name}
Context 
config>security
Description 

This command enters the context for creating an application group to be used in a security policy.

The no form of the command removes the configured application group.

Default 

n/a

Parameters 
group-id—
the application group ID, from 1 to 100
name—
the name of the application group, up to 32 characters in length (must start with a letter)

name

Syntax 
name name
no name
Context 
config>security>app-group
config>security>host-group
config>security>policer-group
Description 

This command configures a name for an application group, host group, or policer group.

The no form of the command removes the configured name.

Parameters 
name—
the name of the application group, host group, or policer group, up to 32 characters in length (must start with a letter)

description

Syntax 
description description-string
no description
Context 
config>security>app-group
config>security>host-group
config>security>policer-group
Description 

This command configures a description for the specified application group, host group, or policer group.

Default 

n/a

Parameters 
description-string—
the description for an application group, host group, or policer group, up to 80 characters in length

host-group

Syntax 
host-group {group-id | name} [create]
no host-group {group-id | name}
Context 
config>security
Description 

This command enters the context for creating a host group to be used in a security policy.

The no form of the command removes the configured host group.

Default 

n/a

Parameters 
group-id—
the host group ID, from 1 to 100
name—
the name of the host group, up to 32 characters in length (must start with a letter)

host

Syntax 
host ip-address [to ip-address]
no host
Context 
config>security>host-group
Description 

This command configures a range of hosts to be used in a host group. Up to 10 entries can be configured for a host group.

Default 

n/a

Parameters 
ip-address—
the IPv4 address of the host

logging

Syntax 
logging
Context 
config>security
Description 

This command enters the security logging context.

Default 

n/a

log-id

Syntax 
log-id {log-id | log-name} [create]
no log-id {log-id | log-name}
Context 
config>security>logging
Description 

This command configures the identifier for the security log. The 7705 SAR supports up to 100 security logs. This log ID can be applied at the zone level using the config>router>zone>log context or at the rule level using the config>security>policy>entry>logging context, but not to both at the same time.

The no form of the command removes the configured security group.

Default 

n/a

Parameters 
log-id—
the security log ID, from 1 to 100
log-name—
the name of the security log, up to 32 characters in length (must start with a letter)

description

Syntax 
description description-string
no description
Context 
config>security>log
Description 

This command configures a description for the specified security log.

Default 

n/a

Parameters 
description-string—
the description for a security log, up to 80 characters in length

destination

Syntax 
destination {memory [size] | syslog syslog-id}
no destination
Context 
config>security>log
Description 

This command configures the destination location of the specified security log.

Default 

n/a

Parameters 
memory—
specifies that the log destination is the 7705 SAR local memory (compact flash or flash drive)
size—
the number of log events that can be held in memory, up to 1024
syslog—
specifies that the log destination is the system log
syslog-id—
the identifier of the system log, up to 32 characters in length

name

Syntax 
name name
no name
Context 
config>security>log
Description 

This command configures the name of the specified security log.

Default 

n/a

Parameters 
name—
the name of the security log, up to 32 characters in length

profile

Syntax 
profile {logging-profile-id | logging-profile-name}
Context 
config>security>log
Description 

This command configures the logging profile to which the specified security log will match events.

Default 

n/a

Parameters 
logging-profile-id—
the logging profile ID for the security log
Values—
1 to 100

 

logging-profile-name—
the logging profile name for the security log, up to 32 characters in length

shutdown

Syntax 
[no] shutdown
Context 
config>security>log
Description 

This command disables logging to the specified security log. Logging is enabled by default.

The no form of this command enables logging to the specified security profile.

Default 

no shutdown

wrap-around

Syntax 
[no] wrap-around
Context 
config>security>log
Description 

This command enables log wraparound when the maximum log size has been reached in the log destination location. When wraparound is enabled, the log starts over at 1 and overwrites the existing logs when the log size is at maximum. When wraparound is disabled, the log stops adding entries when the log size is at maximum.

The no form of this command disables log wraparound.

Default 

no wrap-around

profile

Syntax 
profile {profile-id | profile-name} [create]
no profile {profile-id | profile-name}
Context 
config>security>logging
Description 

This command configures the security logging profile.

The no form of the command removes the configured profile.

Default 

n/a

Parameters 
profile-id—
the ID of the profile group, from 1 to 65535
profile-name—
the name of the profile group, up to 32 characters in length

description

Syntax 
description description-string
no description
Context 
config>security>logging>profile
Description 

This command configures a description for this logging profile.

The no form of the command removes the configured description for this logging profile.

Default 

n/a

Parameters 
description-string—
the description string for this logging profile, up to 80 characters in length

event-control

Syntax 
event-control event-type [event event] {suppress | throttle | off}
Context 
config>security>logging>profile
Description 

This command controls the generation of security log events. A log can be configured to generate all event types and events, or to generate specific event types and events. In addition, for each event type or event, one of three actions can be configured: suppress, throttle, or off. These configurations all become part of the specified logging profile. Table 77 lists the supported event types and events on 7705 SAR firewalls.

Table 77:  Event Types and Events Supported on 7705 SAR Firewalls

Event Type     Event
Packet         TcpInvalidHeader
               DnsInvalidHeader
               DnsUnmatchedAnswer
               IcmpUnmatchedReply
               TcpInvalidFlagCombination
               TcpRst
               PolicyErrorFrag
               FragDropAction
               DuplicateFrag
               LandAttack
Zone           NoRuleMatched
               SessionLimitReached
Policy         Matched
               MatchedNAT
               ActionReject
               MaxConcurrentUsesReached
               FragsNotAccepted
               TcpSynReqdtoEstablish
Session        SessionBegin
               SessionEnd
               SessionBeginEnd
               RuleActionDrop
               ProhibitedIpOption
               InvalidIcmpT3
               PktLimitReached
Application    Summary
               HandshakeMissing
               HandshakeCtlInvalid
               HandshakeDataUnexpected
               OptError
               OptBadLen
               OptTTcpForbidden
               OptNonStdForbidden
               OptTStampMissing
               OptTStampUnexpected
               TStampTooOld
               TStampEchoInvalid
               ScaleUnexpected
               SeqNumOutside
               AckNumOutside
               AckNumNotZero
               AckNumStale
               AckUnexpected
               AckMissing
               FlagsSynRst
               SynUnexpected
               SynMissing
               FinUnexpected
               InvCksum
               ConnReused
               RstSeqNumUnexpected
               TTL
               NotFullHeader
               FlagsSynFin
               SplitHandshake
ALG            CmdIncomplete
               DynamicRuleInserted
               DynamicRuleInsertedPASV
               CannotInsertDynamicRule
               CannotInsertDynamicRulePASV
               BadCmdSyntax
               BadPortCmdSyntax
               BadPasvCmdSyntax
               BadAddrSyntax
               TftpDynRuleInsertErr
               TftpDynRuleInserted

Default 

n/a

Parameters 
event-type—
the type of event to be controlled in this logging profile, as shown in Table 77
event—
the name of the event to be controlled in this logging profile, as shown in Table 77
suppress—
suppresses the specified event type or event in this logging profile
throttle—
throttles a repeating event type or event when the same event type or event is generated repeatedly within 1 s in this logging profile
off—
allows the event type or event to be logged in this logging profile
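
A worked example of what the three event-control actions do to a stream of firewall log events, added here as an illustration; it is not code from the 7705 SAR documentation or the product. The 1 s window is the one given for throttle above. Two details are this example's own assumptions, not documented behaviour: a throttled event keeps the first occurrence and drops repeats within the window, and a rule for a specific event takes precedence over a rule for its event type. The event stream and the profile contents are constructed sample data.

```python
"""Apply event-control {suppress | throttle | off} to a constructed event stream.
Added example; the throttle and precedence details are assumptions (see lead-in)."""
from collections import namedtuple

# One firewall log event: time in seconds, event type and event name from Table 77.
Event = namedtuple("Event", "time event_type event")


class LoggingProfile:
    # Repeats of the same event within this many seconds are throttled
    # (the 1 s window stated for the throttle parameter).
    THROTTLE_WINDOW = 1.0

    def __init__(self, controls):
        # {(event_type, event_or_None): action}; event None means the rule was
        # configured on the event type alone and covers all of its events.
        self.controls = dict(controls)
        self._last_logged = {}  # (event_type, event) -> time of last logged copy

    def action_for(self, ev):
        # Assumption: an event-specific rule wins over a type-wide rule;
        # events with no rule at all are logged (treated as "off").
        return (self.controls.get((ev.event_type, ev.event))
                or self.controls.get((ev.event_type, None))
                or "off")

    def should_log(self, ev):
        action = self.action_for(ev)
        if action == "suppress":
            return False
        key = (ev.event_type, ev.event)
        if action == "throttle":
            last = self._last_logged.get(key)
            # Assumption: the first event opens the window, repeats are dropped
            if last is not None and ev.time - last < self.THROTTLE_WINDOW:
                return False
        self._last_logged[key] = ev.time
        return True


def apply_profile(controls, events):
    """Return the events that survive the profile, in arrival order."""
    prof = LoggingProfile(controls)
    return [ev for ev in events if prof.should_log(ev)]


# Constructed profile, equivalent to:
#   event-control Packet event TcpRst throttle
#   event-control Session suppress
#   event-control Policy event ActionReject off
SAMPLE_CONTROLS = {
    ("Packet", "TcpRst"): "throttle",
    ("Session", None): "suppress",
    ("Policy", "ActionReject"): "off",
}

# Constructed event stream: a burst of TcpRst inside one second, a session
# event, two ActionReject events and one event with no rule configured.
SAMPLE_EVENTS = [
    Event(0.0, "Packet", "TcpRst"),
    Event(0.3, "Packet", "TcpRst"),
    Event(0.5, "Session", "SessionBegin"),
    Event(0.9, "Packet", "TcpRst"),
    Event(1.5, "Packet", "TcpRst"),
    Event(2.0, "Policy", "ActionReject"),
    Event(2.1, "Policy", "ActionReject"),
    Event(2.2, "Zone", "NoRuleMatched"),
]

if __name__ == "__main__":
    for ev in apply_profile(SAMPLE_CONTROLS, SAMPLE_EVENTS):
        print(ev)
```

Running the sample keeps the first and the fourth TcpRst (the second and third fall inside the 1 s window), drops the SessionBegin entirely, and passes the remaining events unchanged. For anyone forwarding these logs to a SIEM, that is the practical difference between the two actions: throttle preserves the fact that a burst happened but not its size, while suppress removes the event type from the record altogether.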

name

Syntax 
name name
no name
Context 
config>security>logging>profile
Description 

This command configures a name for this logging profile.

The no form of the command removes the configured name for this logging profile.

Default 

n/a

Parameters 
name—
the name of the logging profile, up to 32 characters in length

profile

Syntax 
profile {profile-id | profile-name} [create]
no profile {profile-id | profile-name}
Context 
config>security
Description 

This command configures a profile group that provides a context within which you can configure security features such as session idle timeouts and application assurance parameters. Profile 1 is a default profile and cannot be modified.

The no form of the command removes the configured profile group.

Default 

1

Parameters 
profile-id—
the ID of the profile group, from 1 to 100
profile-name—
the name of the profile group, up to 32 characters in length

application

Syntax 
application
Context 
config>security>profile
Description 

This command enters the application context for firewall configuration.

alg

Syntax 
alg {auto | ftp | tftp}
no alg
Context 
config>security>profile>app
Description 

This command enables application level gateway (ALG) inspection by the firewall.

The no form of the command disables ALG inspection by the firewall.

Default 

n/a

Parameters 
auto—
specifies that the firewall automatically determines the application traffic that requires inspection
ftp—
specifies that the firewall must inspect FTP application traffic as determined by the port matching criteria in the security policy and apply the FTP ALG to the command traffic. This option should be used when FTP ALG is required on any TCP port being used for FTP.
tftp—
specifies that the firewall must inspect TFTP application traffic as determined by the port matching criteria in the security policy and apply the TFTP ALG to the command traffic. This option should be used when TFTP ALG is required on any UDP port being used for TFTP.

assurance

Syntax 
[no] assurance
Context 
config>security>profile>app
Description 

This command enables the context for configuring application assurance parameters. Enabling application assurance automatically sets the defaults for the parameters as listed in Table 78.

Table 78:   Application Assurance Parameter Default Values

Parameter   Default Value
DNS         reply-only
ICMP        limit-type3
IP          options permit-any
TCP         no strict

The no form of the command disables application assurance on the firewall.

Default 

n/a

dns

Syntax 
dns
Context 
config>security>profile>aa
Description 

This command enables the context for configuring DNS inspection parameters on a firewall in the application assurance parameters context.

Default 

n/a

reply-only

Syntax 
[no] reply-only
Context 
config>security>profile>aa>dns
Description 

This command limits the number of replies to DNS requests. When enabled, the firewall permits a single reply to each DNS request.

The no form of the command disables the limiting of DNS replies; the firewall permits all replies to each DNS request.

Default 

reply-only

icmp

Syntax 
icmp
Context 
config>security>profile>aa
Description 

This command enables the context for configuring ICMP limit parameters on a firewall in the application assurance parameters context.

Default 

n/a

limit-type3

Syntax 
[no] limit-type3
Context 
config>security>profile>aa>icmp
Description 

This command limits the number of ICMP type 3 replies through a firewall. When enabled, only 15 ICMP type 3 replies are permitted through the firewall for each ICMP and IP session.

The no form of the command disables the limiting of ICMP type 3 replies through a firewall; all ICMP type 3 replies are permitted through the firewall for each ICMP and IP session.

Default 

limit-type3

request-limit

Syntax 
request-limit packets
no request-limit
Context 
config>security>profile>aa>icmp
Description 

This command configures the number of ICMP requests and replies allowed through the firewall for each ICMP session. Any requests or replies that are received beyond the configured limit are discarded until the ICMP session times out.

The no form of the command allows all ICMP requests and replies through the firewall for each ICMP session.

Default 

5

Parameters 
packets—
 the maximum number of ICMP request and reply packets permitted through the firewall for each ICMP session, from 1 to 15

ip

Syntax 
ip
Context 
config>security>profile>aa
Description 

This command enables the context for configuring IP layer inspection on a firewall in the application assurance parameters context.

Default 

n/a

options

Syntax 
options {permit ip-option-mask | permit-any}
options ip-option-name [ip-option-name]
Context 
config>security>profile>aa>ip
Description 

This command controls the inspection of IP options in an IP packet header. The IP options can be specified using either the bit mask value or the name.

The permit command only applies when using bit mask values. It allows packets through the firewall when the IP options on those packets match the bit mask value specified in the ip-option-mask parameter. The ip-option-mask is a flat bit representation of the IP Option Number. The IP Option Copy Bit and IP Option Class Bits are omitted from the ip-option-mask. For example, to permit a packet with the router alert option (which uses IP Option Number 20), bit 20 of the ip-option-mask should be set, which configures the ip-option-mask parameter as 0x00100000. To discard all IP packets with IP options, configure the ip-option-mask parameter as 0x0. To permit any option, configure the ip-option-mask parameter as 0xffffffff or use the permit-any command. When permit-any is configured, the 7705 SAR does not examine IP options and allows all packets through the firewall.

Multiple options can be permitted in a single line of configuration by “AND”ing the IP option bit mask values. For example, to permit packets with the router alert, EOOL, and NOP options, configure the ip-option-mask parameter as 0x00100003.

When IP options are specified using ip-option-name, the permit command is implied. Multiple options can be specified by listing multiple names.

Table 79 lists the names and bit mask values of the supported IP options.

Table 79:  Supported IP Options

IP Option Number   IP Option Value   IP Option Name                       Bit Mask Value
0                  0                 EOOL – End of Options List           0x00000001
1                  1                 NOP – No Operation                   0x00000002
2                  130               SEC – Security                       0x00000004
3                  131               LSR – Loose Source Route             0x00000008
4                  68                TS – Time Stamp                      0x00000010
5                  133               E-SEC – Extended Security            0x00000020
6                  134               CIPSO – Commercial Security          0x00000040
7                  7                 RR – Record Route                    0x00000080
8                  136               SID – Stream ID                      0x00000100
9                  137               SSR – Strict Source Route            0x00000200
10                 10                ZSU – Experimental Measurement       0x00000400
11                 11                MTUP – MTU Probe                     0x00000800
12                 12                MTUR – MTU Reply                     0x00001000
13                 205               FINN – Experimental Flow Control     0x00002000
14                 142               VISA – Experimental Access Control   0x00004000
15                 15                Encode                               0x00008000
16                 144               IMITD – IMI Traffic Descriptor       0x00010000
17                 145               EIP – Extended Internet Protocol     0x00020000
18                 82                TR – Traceroute                      0x00040000
19                 147               ADDEXT – Address Extension           0x00080000
20                 148               RTRALT – Router Alert                0x00100000
21                 149               SDB – Selective Directed Broadcast   0x00200000
22                 150               unassigned                           0x00400000
23                 151               DPS – Dynamic Packet State           0x00800000
24                 152               UMP – Upstream Multicast Packet      0x01000000
25                 25                QS – Quick-Start                     0x02000000
30                 30                EXP – RFC3692-style experiment       0x40000000
30                 94                EXP – RFC3692-style experiment       0x40000000
30                 158               EXP – RFC3692-style experiment       0x40000000
30                 222               EXP – RFC3692-style experiment       0x40000000

Default 

permit-any

Parameters 
permit—
allows packets with the specified IP options through the firewall
ip-option-mask—
the IP options to be matched by the firewall, up to 11 characters (in decimal, hexadecimal, or binary)
ip-option-name—
the IP option name to be matched by the firewall; up to 30 option names can be specified
Values—
nop | sec | lsr | ts | e-sec | cipso | rr | sid | ssr | zsu | mtup | mtur | finn | visa | encode | imitd | eip | tr | addext | rtralt | sdb | 15 | dps | ump | qs | 26 | 27 | 28 | 29 | exp

permit-any—
allows packets with any IP options through the firewall
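
A worked example, added here and not code from the 7705 SAR documentation or the product, that builds an ip-option-mask from the option names of Table 79 and checks the option-type byte of a packet against it. It makes explicit two things the description above leaves implicit: combining several options is a bitwise OR of their bit-mask values (that is how 0x00100000, 0x00000001 and 0x00000002 give the documented 0x00100003), and the option number tested against the mask is the low five bits of the option-type byte, after the copy bit and the two class bits are discarded (so router alert is carried as value 148 but permitted by bit 20). The function names are this example's own; eool is included in the name table because the text permits it, even though it is absent from the Values list above.

```python
"""ip-option-mask arithmetic for config>security>profile>aa>ip>options.
Added example; names and helper functions are this example's, not the product's."""

# Option name -> IP Option Number, taken from Table 79. The number is the
# position of the option's bit in the 32-bit ip-option-mask.
IP_OPTION_NUMBER = {
    "eool": 0, "nop": 1, "sec": 2, "lsr": 3, "ts": 4, "e-sec": 5,
    "cipso": 6, "rr": 7, "sid": 8, "ssr": 9, "zsu": 10, "mtup": 11,
    "mtur": 12, "finn": 13, "visa": 14, "encode": 15, "imitd": 16,
    "eip": 17, "tr": 18, "addext": 19, "rtralt": 20, "sdb": 21,
    "dps": 23, "ump": 24, "qs": 25, "exp": 30,
}

PERMIT_ANY = 0xFFFFFFFF   # same effect as the permit-any keyword
PERMIT_NONE = 0x0         # discards every packet that carries an IP option


def option_mask(names):
    """Return the ip-option-mask that permits exactly the named options.
    Each name contributes the bit at its option number; several names are
    combined with a bitwise OR, as the documented 0x00100003 example shows."""
    mask = 0
    for name in names:
        mask |= 1 << IP_OPTION_NUMBER[name.lower()]
    return mask


def option_number(option_value):
    """Reduce an option-type byte as seen on the wire (Table 79's 'IP Option
    Value') to the option number: drop the copy bit (bit 7) and the class
    bits (bits 6 and 5), keep the low five bits."""
    return option_value & 0x1F


def option_permitted(mask, option_value):
    """True if a packet carrying this option-type byte passes the firewall
    under the given ip-option-mask. Packets without options are unaffected
    by the mask and are not modelled here."""
    return bool(mask & (1 << option_number(option_value)))


def permitted_names(mask):
    """Decode a mask back into option names, for reviewing a configuration."""
    return sorted(n for n, bit in IP_OPTION_NUMBER.items() if mask & (1 << bit))


if __name__ == "__main__":
    m = option_mask(["rtralt", "eool", "nop"])
    print(hex(m), permitted_names(m))            # 0x100003 ['eool', 'nop', 'rtralt']
    print(option_permitted(m, 148), option_permitted(m, 131))   # True False
```

The reverse direction, permitted_names, is the useful one when auditing an existing configuration: a mask such as 0x0000000C reads back as loose source route and security, which is a combination worth questioning on a firewall that faces an untrusted zone.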

tcp

Syntax 
tcp
Context 
config>security>profile>aa
Description 

This command enables the context for configuring TCP layer inspection on a firewall in the application assurance parameters context.

Default 

n/a

strict

Syntax 
[no] strict
Context 
config>security>profile>aa>tcp
Description 

This command enables strict examination of TCP packets through the firewall. When enabled, the firewall examines the header of each TCP packet for that session to ensure compliance with RFC 793.

Note:

The TCP sessions that are configured with strict TCP are processed in the 7705 SAR CSM complex. Aggregate throughput of sessions through the CSM is limited by the processing power of the CSM that is performing multiple tasks. Throughput for a session on the CSM will not match the maximum throughput of a session that only traverses the datapath.

The no form of the command disables examination of the TCP header on each TCP packet.

Default 

no strict

fwd-policer-group

Syntax 
fwd-policer-group {group-id | name}
no fwd-policer-group
Context 
config>security>profile
Description 

This command configures a forward policer group for a security profile. A TCP/UDP security session is bidirectional. When a security session is created from a private domain to a public domain, the session’s forward direction is from the private to the public domain and the session’s reverse direction is from the public to the private domain. A forward-direction policer group acts on traffic that is traversing from the private domain to the public domain.

The no form of the command removes the configured forward policer group.

Parameters 
group-id—
 the identifier of the forward policer group associated with this security profile, from 1 to 1024
name—
 the name of the forward policer group associated with this security profile, up to 32 characters in length (must start with a letter)

name

Syntax 
[no] name profile-name
Context 
config>security>profile
Description 

This command configures a profile group name.

The no form of the command removes the configured profile group name.

Parameters 
profile-name—
 the name of the profile, up to 32 characters in length (must start with a letter)

rev-policer-group

Syntax 
rev-policer-group {group-id | name}
no rev-policer-group
Context 
config>security>profile
Description 

This command configures a reverse policer group for a security profile. A TCP/UDP security session is bidirectional. When a security session is created from a private domain to a public domain, the session’s forward direction is from the private to the public domain and the session’s reverse direction is from the public to the private domain. A reverse-direction policer group acts on traffic that is traversing from the public domain to the private domain.

The no form of the command removes the configured reverse policer group.

Parameters 
group-id—
 the identifier of the reverse policer group associated with this security profile, from 1 to 1024
name—
 the name of the reverse policer group associated with this security profile, up to 32 characters in length (must start with a letter)

timeouts

Syntax 
timeouts
Context 
config>security>profile
Description 

This command configures session idle timeouts for this profile.

icmp-request

Syntax 
icmp-request [min minutes] [sec seconds] [strict | idle]
no icmp-request
Context 
config>security>profile>timeouts
Description 

This command sets the timeout for an ICMP security session. An ICMP session is based on the packet source and destination IP addresses and ICMP identifier. This timer removes the ICMP session if no ICMP packets have been received for the configured time.

The no form of the command removes the timeout set for icmp-request.

Default 

60 s

Parameters 
minutes—
the timeout in minutes
Values—
1 to 4

 

seconds—
the timeout in seconds
Values—
1 to 59

 

other-sessions

Syntax 
other-sessions [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
no other-sessions
Context 
config>security>profile>timeouts
Description 

This command sets the timeout for protocol sessions other than TCP, UDP, or ICMP. These other protocol sessions are based on a 3-tuple match of source IP address, destination IP address, and protocol, except for SCTP (protocol 132), which uses a 5-tuple match like UDP. If no packets are received after the configured time, the firewall session is discontinued and removed from the 7705 SAR.

The no form of the command removes the timeout set for other-sessions.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1

 

hours—
the timeout in hours
Values—
1 to 23

 

minutes—
the timeout in minutes
Values—
1 to 59

 

seconds—
the timeout in seconds
Values—
1 to 59

 

strict—
configures the timer to time out after the last session transition state
idle—
configures the timer to time out when no packets have arrived on the session for the configured period

tcp-established

Syntax 
tcp-established [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
no tcp-established
Context 
config>security>profile>timeouts
Description 

This command sets the timeout for a TCP session in the established state.

The no form of the command removes the timeout set for tcp-established.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1

 

hours—
the timeout in hours
Values—
1 to 24

 

minutes—
the timeout in minutes
Values—
1 to 59

 

seconds—
the timeout in seconds
Values—
1 to 59

 

tcp-syn

Syntax 
tcp-syn [days days] [hrs hours] [min minutes] [sec seconds]
no tcp-syn
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a TCP session in the SYN state.

The no form of the command removes the timeout set for tcp-syn.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1

 

hours—
the timeout in hours
Values—
1 to 24

 

minutes—
the timeout in minutes
Values—
1 to 59

 

seconds—
the timeout in seconds
Values—
1 to 59

 

tcp-time-wait

Syntax 
tcp-time-wait [min minutes] [sec seconds]
no tcp-time-wait
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a TCP session in a time-wait state.

The no form of the command removes the timeout set for tcp-time-wait.

Default 

n/a

Parameters 
minutes—
the timeout in minutes
Values—
1 to 4

 

seconds—
the timeout in seconds
Values—
1 to 59

 

tcp-transitory

Syntax 
tcp-transitory [days days] [hrs hours] [min minutes] [sec seconds]
no tcp-transitory
Context 
config>security>profile>timeouts
Description 

This command configures the idle timeout applied to a TCP session in a transitory state.

The no form of the command removes the timeout set for tcp-transitory.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1

 

hours—
the timeout in hours
Values—
1 to 24

 

minutes—
the timeout in minutes
Values—
1 to 59

 

seconds—
the timeout in seconds
Values—
1 to 59

 

udp

Syntax 
udp [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
no udp
Context 
config>security>profile>timeouts
Description 

This command configures the UDP mapping timeout.

The no form of the command removes the UDP mapping timeout.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1

 

hours—
the timeout in hours
Values—
1 to 24

 

minutes—
the timeout in minutes
Values—
1 to 59

 

seconds—
the timeout in seconds
Values—
1 to 59

 

udp-dns

Syntax 
udp-dns [days days] [hrs hours] [min minutes] [sec seconds] [strict | idle]
no udp-dns
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a UDP session with destination port 53.

The no form of the command removes the udp-dns timeout.

Default 

n/a

Parameters 
days—
the timeout in days
Values—
1

 

hours—
the timeout in hours
Values—
1 to 24

 

minutes—
the timeout in minutes
Values—
1 to 59

 

seconds—
the timeout in seconds
Values—
1 to 59

 

udp-initial

Syntax 
udp-initial [min minutes] [sec seconds]
no udp-initial
Context 
config>security>profile>timeouts
Description 

This command configures the timeout applied to a UDP session in its initial state.

The no form of the command removes the udp-initial timeout.

Default 

n/a

Parameters 
minutes—
the timeout in minutes
Values—
1 to 5

 

seconds—
the timeout in seconds
Values—
1 to 59

 

policer-group

Syntax 
policer-group {group-id | name} [create]
no policer-group {group-id | name}
Context 
config>security
Description 

This command enters the context for creating a policer group to be used in a security profile.

The no form of the command removes the configured policer group.

Parameters 
group-id—
 the ID of the policer group, from 1 to 1024
name—
 the name of the policer group, up to 32 characters in length (must start with a letter)

rate

Syntax 
rate rate cbs size [bytes | kilobytes]
no rate
Context 
config>security>policer-group
Description 

This command sets the policer rate and CBS buffer size for the policer group.

Parameters 
rate—
 the policer rate, in Mb/s
Values—
1 to 10000

 

size—
 the CBS buffer size, in bytes
Values—
1 to 130816

 

policy

Syntax 
policy {policy-id | policy-name} [create]
no policy {policy-id | policy-name}
Context 
config>security
Description 

This command configures a policy group that provides a context within which you can configure a security policy.

The no form of the command removes the configured policy group.

Default 

n/a

Parameters 
policy-id—
 the ID of the policy group, from 1 to 65535
policy-name—
 the name of the policy group, up to 32 characters in length

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>security>app-group
config>security>policy
Description 

This command configures an entry in a security policy or in an application group.

The no form of this command deletes the entry with the specified ID. When an entry is deleted, all configuration parameters for the entry are also deleted.

Parameters 
entry-id—
the entry ID number
Values—
1 to 65535 for a security policy
1 to 65535 for an application group

 

action

Syntax 
action {forward | reject | drop | nat}
Context 
config>security>policy>entry
Description 

This command specifies what action to take (forward, reject, drop, or NAT) when packets match the entry criteria. An action must be specified in order for the entry to be active. If no action is specified, the entry is inactive.

The nat and forward actions each cause a 6-tuple lookup (source/destination IP address, source/destination port number, protocol, and source zone).

The drop action configures a firewall session on the datapath with the action to drop packets that match the entry criteria. The drop action should be used when an IP connection is carrying a large amount of traffic and CSM processing resources need to be preserved, because the drop action means that packets will not be extracted to the CSM to be rejected. Drop sessions are unidirectional and can be used as a way of blocking traffic from a source issuing a denial of service (DoS) attack.

Entering multiple action statements will overwrite previous action statements.

The no form of the command removes the specified action statement.

Default 

no action

Parameters 
reject—
specifies that packets matching the entry criteria will be rejected on the CSM and no firewall session is created on the datapath
forward—
specifies that packets matching the entry criteria will be forwarded and a firewall session is created on the datapath
drop—
specifies that a firewall session is created on the datapath with the action to drop packets that match the entry criteria
nat—
specifies that packets matching the entry criteria will have NAT applied to them and a NAT session is created on the datapath

action nat

Syntax 
action nat [destination ip-address port tcp-udp-port]
Context 
config>security>policy>entry
Description 

This command specifies the destination IP address and port to which packets that have NAT applied to them are sent.

NAT actions cause a 6-tuple lookup (source/destination IP address, source/destination port number, protocol, and source zone). If there is a match, NAT is applied and the packet is routed based on the datapath session table.

Entering multiple action statements will overwrite previous action statements.

The no form of the command removes the specified action statement. An entry is considered incomplete and is rendered inactive if no action is specified.

Default 

no action

Parameters 
ip-address—
the static NAT (port forwarding) inside destination IP address to be used for port forwarding. When configured, the original packet destination IP address is overwritten with this IP address. This parameter applies only to static destination NAT (port forwarding).
Values—
1.0.0.0 to 223.255.255.255

 

tcp-udp-port—
the static NAT inside destination port number used for port forwarding. When configured, the original packet destination port number is overwritten with this port number. This parameter applies only to static destination NAT (port forwarding).
Values—
1 to 65535

 

limit

Syntax 
[no] limit
Context 
config>security>policy>entry
Description 

This command is used to enter the limit context.

Default 

n/a

concurrent-sessions

Syntax 
concurrent-sessions number
no concurrent-sessions
Context 
config>security>policy>entry>limit
Description 

This command specifies the maximum number of concurrent security sessions that can be created for the specified policy.

The no form of the command returns the system to the default.

Default 

no concurrent-sessions

Parameters 
number—
the number of concurrent sessions that can be programmed for the policy
Values—
1 to 16383

 

fwd-direction-only

Syntax 
[no] fwd-direction-only
Context 
config>security>policy>entry>limit
Description 

This command forces a firewall to create a unidirectional session when a packet matches the criteria of the policy entry. In normal operating mode, when a packet matches the criteria and the packet is allowed through, the firewall creates a bidirectional session so that packets traveling in the reverse direction on that session are also allowed through the firewall.

The no form of the command creates a bidirectional firewall session for a matched packet.

Default 

no fwd-direction-only

logging

Syntax 
logging {to log-id {log-id | name} | suppressed | to zone}
no logging
Context 
config>security>policy>entry
Description 

This command configures logging control for this security policy entry. Logging can be enabled per entry using the to log-id command, or per zone using the to zone command. Logging is suppressed by default.

Default 

suppressed

Parameters 
to log-id—
specifies to log events per entry
log-id—
the log ID
Values—
1 to 100

 

name—
the log name, up to 32 characters in length
suppressed—
specifies to suppress all logs generated by the entry
to zone—
specifies to use the zone log settings

match

Syntax 
match [protocol protocol-id]
no match
Context 
config>security>app-group>entry
Description 

This command configures match criteria for an application group entry based on the specified protocol. An application group must be configured with at least one matching protocol before it can be assigned to a security policy.

When an application group is applied to NAT, the only protocols supported as match criteria are TCP, UDP, and ICMP.

The no form of the command removes the match criteria for the entry.

Default 

no match

Parameters 
protocol-id—
protocol-number | protocol-name
protocol-number—
the protocol number in decimal, hexadecimal, or binary, to be used as a match criterion. See Table 75 for a list of common protocol numbers.
Values—
[0 to 255]D
[0x0 to 0xFF]H
[0b0 to 0b11111111]B

 

protocol-name—
the name of a protocol to be used as a match criterion. The 7705 SAR supports the protocols listed below.
Values—
none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip

 

match

Syntax 
match [local] [protocol protocol-id]
match [app-group {group-id | name}]
no match
Context 
config>security>policy>entry
Description 

This command configures match criteria for an entry based on the specified protocol or application group.

When a security policy is applied to NAT, the only protocols supported as match criteria are TCP, UDP, ICMP, and *.

The no form of the command removes the match criteria for the entry.

Default 

n/a

Parameters 
local—
specifies that the destination IP address must be a local interface. The local parameter applies only to static destination NAT (port forwarding).
protocol-id—
protocol-number | protocol-name
protocol-number—
the protocol number in decimal, hexadecimal, or binary, to be used as a match criterion. See Table 75 for a list of common protocol numbers.
Values—
[0 to 255]D
[0x0 to 0xFF]H
[0b0 to 0b11111111]B

 

protocol-name—
the name of a protocol to be used as a match criterion. The 7705 SAR supports the protocols listed below.
Values—
none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * — tcp/udp wildcard

 

group-id—
the application group ID, from 1 to 100
name—
the name of the application group, up to 32 characters in length (must start with a letter)

direction

Syntax 
direction {zone-outbound | zone-inbound | both}
Context 
config>security>policy>entry>match
Description 

This command sets the direction of the traffic to be matched against the IP criteria. For example, if zone-inbound is configured, then all inbound traffic to the zone has the match criteria applied to it.

Default 

both

Parameters 
zone-outbound—
specifies packets that are outbound from the zone
zone-inbound—
specifies packets that are inbound to the zone
both—
specifies packets that are inbound to and outbound from the zone

dst-ip

Syntax 
dst-ip ip-address to ip-address
dst-ip host-group {group-id | name}
no dst-ip
Context 
config>security>policy>entry>match
Description 

This command configures the destination IP address or address range to be used in the matching criteria of a policy entry. All packets within the specified IP address range are processed for matching criteria. For host group matching criteria, the host group must be configured before adding it to the policy.

The no form of the command removes the destination IP address match criterion.

Default 

n/a

Parameters 
ip-address—
the IPv4 address or address range to be matched
Values—
0.0.0.1 to 255.255.255.255

 

group-id—
the identifier of the host group to be matched
Values—
1 to 100

 

name—
the name of the host group to be matched, up to 32 characters in length (must start with a letter)

dst-port

Syntax 
dst-port {lt | gt | eq} port
dst-port range start end
no dst-port
Context 
config>security>policy>entry>match
config>security>app-group>entry>match
Description 

This command configures a destination protocol TCP or UDP port number or port range for the match criterion.

The no form of the command removes the destination port match criterion.

Default 

no dst-port

Parameters 
lt | gt | eq—
the operator applied to the tcp/udp port number to specify the port number match criterion:

lt specifies that all port numbers less than the tcp/udp port number match

gt specifies that all port numbers greater than the tcp/udp port number match

eq specifies that the tcp/udp port number must be an exact match

port—
the destination port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535

 

start end—
specifies an inclusive range of port numbers to be used as a match criterion. The destination port numbers start and end are expressed as decimal integers.
Values—
1 to 65535

 

icmp-code

Syntax 
icmp-code icmp-code
no icmp-code
Context 
config>security>policy>entry>match
config>security>app-group>entry>match
Description 

This command configures matching on an ICMP code field in the ICMP header of an IPv4 packet as a match criterion.

This option is only meaningful if the protocol match criterion specifies ICMP (1).

The no form of the command removes the criterion from the match entry.

Default 

no icmp-code

Parameters 
icmp-code—
icmp-code-number | icmp-code-keyword
icmp-code-number—
the ICMP code number in decimal, hexadecimal, or binary, to be used as a match criterion
Values—
[0 to 255]D
[0x0 to 0xFF]H
[0b0 to 0b11111111]B

 

icmp-code-keyword—
the name of an ICMP code to be used as a match criterion
Values—
none, network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, dest-network-unknown, dest-host-unknown, src-host-isolated, network-unreachable-for-tos, host-unreachable-for-tos

 

icmp-type

Syntax 
icmp-type icmp-type
no icmp-type
Context 
config>security>policy>entry>match
config>security>app-group>entry>match
Description 

This command configures matching on the ICMP type field in the ICMP header of an IPv4 packet as a match criterion.

This option is only meaningful if the protocol match criterion specifies ICMP (1).

The no form of the command removes the criterion from the match entry.

Default 

no icmp-type

Parameters 
icmp-type—
icmp-type-number | icmp-type-keyword
icmp-type-number—
the ICMP type number in decimal, hexadecimal, or binary, to be used as a match criterion
Values—
[0 to 255]D
[0x0 to 0xFF]H
[0b0 to 0b11111111]B

 

icmp-type-keyword—
the name of an ICMP type to be used as a match criterion
Values—
none, echo-reply, dest-unreachable, source-quench, redirect, echo-request, router-advt, router-selection, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, addr-mask-request, addr-mask-reply, photuris

 

src-ip

Syntax 
src-ip ip-address to ip-address
src-ip host-group {group-id | name}
no src-ip
Context 
config>security>policy>entry>match
Description 

This command configures the source IP address or address range to be used in the matching criteria of a policy entry. All packets within the specified IP address range are processed for matching criteria. For host group matching criteria, the host group must be configured before adding it to the policy.

The no form of the command removes the source IP address match criterion.

Default 

n/a

Parameters 
ip-address—
the IPv4 address to be matched
Values—
0.0.0.1 to 255.255.255.255

 

group-id—
the identifier of the host group to be matched
Values—
1 to 100

 

name—
the name of the host group to be matched, up to 32 characters in length (must start with a letter)

src-port

Syntax 
src-port {lt | gt | eq} port
src-port range start end
no src-port
Context 
config>security>policy>entry>match
config>security>app-group>entry>match
Description 

This command configures a source protocol TCP or UDP port number or port range for the match criterion.

The no form of the command removes the source port match criterion.

Default 

no src-port

Parameters 
lt | gt | eq—
specifies how the port number match criterion is evaluated relative to the configured TCP/UDP port number:

lt specifies that all port numbers less than the tcp/udp port number match

gt specifies all port numbers greater than the tcp/udp port number match

eq specifies that the tcp/udp port number must be an exact match

port—
the source port number to be used as a match criterion, expressed as a decimal integer
Values—
1 to 65535

 

start end—
specifies an inclusive range of port numbers to be used as a match criterion. The source port numbers start and end are expressed as decimal integers.
Values—
1 to 65535

 

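The src-ip, src-port and icmp-type criteria above are easier to reason about when their matching rules are written out. The following Python model is an added illustration for this page, not the router's own code; the first-match ordering by entry ID, the skipping of Inactive entries (entries with no action), the keyword-to-number table for icmp-type and the sample policy are assumptions made here.

```python
"""Model of the policy-entry match semantics in this reference: src-ip range,
src-port lt/gt/eq/range and icmp-type by number or keyword. Added illustration,
not the router's code; ordering and Inactive handling are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# icmp-type keywords from the reference mapped to IANA ICMP type numbers
# (mapping assumed here; the page lists only the names and gives "none" no number).
ICMP_TYPE_KEYWORDS = {
    "echo-reply": 0, "dest-unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo-request": 8, "router-advt": 9, "router-selection": 10,
    "time-exceeded": 11, "parameter-problem": 12, "timestamp-request": 13,
    "timestamp-reply": 14, "addr-mask-request": 17, "addr-mask-reply": 18,
    "photuris": 40,
}


def parse_icmp_type(value: str) -> int:
    """icmp-type accepts a keyword or a decimal, 0x hexadecimal or 0b binary number."""
    if value in ICMP_TYPE_KEYWORDS:
        return ICMP_TYPE_KEYWORDS[value]
    try:
        number = int(value, 0)      # base 0 understands the 0x and 0b prefixes
    except ValueError:
        number = int(value, 10)     # plain decimal, possibly with leading zeros
    if not 0 <= number <= 255:
        raise ValueError(f"icmp-type {value!r} outside 0 to 255")
    return number


@dataclass(frozen=True)
class PortCriterion:
    op: str         # lt, gt, eq or range
    low: int
    high: int = 0   # upper bound, used by range only

    @classmethod
    def parse(cls, spec: str) -> "PortCriterion":
        """Parse the CLI form: 'lt 1024', 'gt 1023', 'eq 53' or 'range 1024 65535'."""
        words = spec.split()
        op, nums = words[0], [int(w) for w in words[1:]]
        if op not in ("lt", "gt", "eq", "range") or len(nums) != (2 if op == "range" else 1):
            raise ValueError(f"bad port criterion {spec!r}")
        if any(not 1 <= n <= 65535 for n in nums):
            raise ValueError(f"port outside 1 to 65535 in {spec!r}")
        if op == "range" and nums[0] > nums[1]:
            raise ValueError("range start must not exceed end")
        return cls(op, nums[0], nums[1] if op == "range" else 0)

    def matches(self, port: int) -> bool:
        if self.op == "lt":
            return port < self.low
        if self.op == "gt":
            return port > self.low
        if self.op == "eq":
            return port == self.low
        return self.low <= port <= self.high   # range is inclusive


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: int                    # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    src_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Entry:
    entry_id: int
    action: Optional[str] = None     # None models an Inactive entry (no action configured)
    protocol: Optional[int] = None
    src_ip: Optional[Tuple[str, str]] = None   # inclusive "ip-address to ip-address" range
    src_port: Optional[PortCriterion] = None
    icmp_type: Optional[int] = None


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    """Every configured criterion must hold; unconfigured ones match anything."""
    if entry.src_ip is not None:
        lo, hi = (ipaddress.IPv4Address(a) for a in entry.src_ip)
        if not lo <= ipaddress.IPv4Address(pkt.src_ip) <= hi:
            return False
    if entry.protocol is not None and pkt.protocol != entry.protocol:
        return False
    if entry.src_port is not None:
        # Port criteria only apply to TCP (6) or UDP (17) packets.
        if pkt.protocol not in (6, 17) or pkt.src_port is None:
            return False
        if not entry.src_port.matches(pkt.src_port):
            return False
    if entry.icmp_type is not None:
        # icmp-type is only meaningful when the protocol criterion is ICMP (1).
        if pkt.protocol != 1 or pkt.icmp_type != entry.icmp_type:
            return False
    return True


def evaluate(entries: List[Entry], default_action: str, pkt: Packet) -> str:
    """First active entry (by entry ID) that matches decides; otherwise the default action."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.action is None:
            continue    # Inactive: incomplete entry without an action, never applied
        if entry_matches(entry, pkt):
            return entry.action
    return default_action


# Constructed sample policy: drop echo requests from one /24, forward TCP from
# ephemeral ports and DNS replies, and keep one incomplete entry to show it is skipped.
POLICY = [
    Entry(10, "drop", protocol=1, src_ip=("10.1.1.0", "10.1.1.255"),
          icmp_type=parse_icmp_type("echo-request")),
    Entry(20, "forward", protocol=6, src_port=PortCriterion.parse("range 1024 65535")),
    Entry(30, "forward", protocol=17, src_port=PortCriterion.parse("eq 53")),
    Entry(40, None, src_ip=("0.0.0.1", "255.255.255.255")),   # Inactive, no action
]
DEFAULT_ACTION = "drop"
```

Running `evaluate(POLICY, DEFAULT_ACTION, Packet("10.9.9.9", 6, src_port=80))` falls through every active entry and returns the default action, which is the check worth making when a default-drop policy unexpectedly blocks traffic: an entry that shows as Inactive in `show filter ip` output contributes nothing.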
profile

Syntax 
profile {profile-id | profile-name}
no profile
Context 
config>security>policy>entry
Description 

This command assigns an already configured profile to a policy.

The no form of the command removes the assigned profile.

Default 

1

Parameters 
profile-id—
the ID of the profile group, from 1 to 65535
profile-name—
the name of the profile group, up to 32 characters in length (must start with a letter)

name

Syntax 
name policy-name
no name
Context 
config>security>policy
Description 

This command configures a policy group name.

The no form of the command removes the configured policy group name.

Parameters 
policy-name—
the name of the policy, up to 32 characters in length (must start with a letter)

session-high-wmark

Syntax 
session-high-wmark percentage
no session-high-wmark
Context 
config>security
Description 

This command configures the high-water mark threshold for security sessions. An alarm is raised when the high-water mark threshold is reached or exceeded. The value must be greater than or equal to the session-low-wmark value.

The no form of the command removes the high-water mark setting.

Default 

no session-high-wmark

Parameters 
percentage—
specifies the high-water mark threshold
Values—
1 to 100

 

session-low-wmark

Syntax 
session-low-wmark percentage
no session-low-wmark
Context 
config>security
Description 

This command configures the low-water mark threshold for security sessions. The alarm is cleared when the session utilization percentage is equal to or less than the low-water mark threshold. The value must be less than or equal to the session-high-wmark value.

The no form of the command removes the low-water mark setting.

Default 

no session-low-wmark

Parameters 
percentage—
specifies the low-water mark threshold
Values—
1 to 100

 

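The two watermark commands together form a hysteresis loop: the alarm is raised when utilization reaches the high mark and is only cleared once utilization falls to the low mark, so a value oscillating between the two does not flap the alarm. The following Python model is an added illustration for this page, not the device's implementation; the class and function names are assumptions.

```python
"""Hysteresis model of the session-high-wmark / session-low-wmark alarm.
Added illustration, not the device's code; names are assumptions."""
from typing import List, Tuple


def watermarks_valid(high_wmark: int, low_wmark: int) -> bool:
    """Both percentages must be 1 to 100 and low must not exceed high."""
    in_range = all(1 <= v <= 100 for v in (high_wmark, low_wmark))
    return in_range and low_wmark <= high_wmark


class SessionWatermarkAlarm:
    def __init__(self, high_wmark: int, low_wmark: int) -> None:
        if not watermarks_valid(high_wmark, low_wmark):
            raise ValueError("session-low-wmark must be <= session-high-wmark, both 1 to 100")
        self.high = high_wmark
        self.low = low_wmark
        self.alarm = False

    def observe(self, utilization: int) -> bool:
        """Feed one session-utilization sample (percent); return the alarm state after it."""
        if not self.alarm and utilization >= self.high:
            self.alarm = True        # reached or exceeded the high-water mark
        elif self.alarm and utilization <= self.low:
            self.alarm = False       # equal to or below the low-water mark
        return self.alarm


def alarm_transitions(high_wmark: int, low_wmark: int,
                      samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample, 'raised'|'cleared') for every state change over the samples."""
    state = SessionWatermarkAlarm(high_wmark, low_wmark)
    events = []
    for sample in samples:
        before = state.alarm
        after = state.observe(sample)
        if after != before:
            events.append((sample, "raised" if after else "cleared"))
    return events


if __name__ == "__main__":
    # Constructed utilization trace: note that 80 and 75 do not clear the alarm.
    print(alarm_transitions(90, 70, [50, 85, 90, 95, 80, 75, 70, 60, 90]))
```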
5.7.2.2. Show Commands

Note:

The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.

ip

Syntax 
ip [ip-filter-id | ipv6-filter-id] [entry entry-id] [association | counters]
Context 
show>filter
Description 

This command displays IPv4 and IPv6 filter information.

Parameters 
ip-filter-id | ipv6-filter-id—
displays detailed information for the specified filter ID or filter name and its filter entries
Values—
1 to 65535 or filter-name (up to 64 characters)

 

entry-id—
displays information on the specified filter entry ID for the specified filter ID only
Values—
1 to 64

 

association—
appends information as to where the filter policy ID is applied to the detailed filter policy ID output
counters—
displays counter information for the specified filter ID
Output 

The following outputs are examples of IP filter information:

  1. IP filter information (Output Example, Table 80)
  2. IP filter information with filter ID specified (Output Example, Table 81)
  3. IP filter associations (Output Example, Table 82)
  4. IP filter counters (Output Example, Table 83)
Output Example
*A-ALU-1# show filter ip
===============================================================================
IP Filters
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
1         Template Yes
3         Template Yes
6         Template Yes
10        Template No
11        Template No
-------------------------------------------------------------------------------
Num IP filters: 5
*A-ALU-1# show filter ipv6
===============================================================================
IPv6 Filters
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
1         Template No
-------------------------------------------------------------------------------
Num IP filters: 1
===============================================================================
*A-ALU-1#
Table 80:  Show Filter Output Fields 

Label

Description  

Filter Id

The IP filter ID

Scope

Template — the filter policy is of type template

Exclusive — the filter policy is of type exclusive

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Description

The IP filter policy description

Output Example
*A-ALU-1# show filter ip 3
===============================================================================
IP Filter
===============================================================================
Filter Id    : 3                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 1
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 10
Description  : this is a test ip-filter entry
Log Id       : n/a
Src. IP      : 10.1.1.1/24                      Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
===============================================================================
*A-ALU-1# 
*A-ALU-1# show filter ipv6 1
===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 1
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry        : 1 (Inactive)
Description  : (Not Specified)
Log Id       : n/a
Src. IP      : ::/0                             Src. Port      : None
Dest. IP     : ::/0                             Dest. Port     : None
Next Header  : Undefined                        Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
 
===============================================================================
*A-ALU-1# 
Table 81:  Show Filter Output Fields (Filter ID Specified) 

Label

Description

Filter Id

The IP filter policy ID

Scope

Template — the filter policy is of type template

Exclusive — the filter policy is of type exclusive

Entries

The number of entries configured in this filter ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Match Criteria

IP — the filter is an IPv4 filter policy

IPv6 — the filter is an IPv6 filter policy

Entry

The filter entry ID. If the filter entry ID indicates that the entry is Inactive, the filter entry is incomplete as no action has been specified.

Description

The IP filter policy description

Src. IP

The source IP address and prefix length match criterion

Dest. IP

The destination IP address and prefix length match criterion

Protocol

The protocol ID for the match criteria. Undefined indicates no protocol specified. (IPv4 filters only)

Next Header

The next header ID for the match criteria. Undefined indicates no next header is specified. (IPv6 filters only)

ICMP Type

The ICMP type match criterion. Undefined indicates no ICMP type is specified.

Fragment: (IPv4 filters only)

Off — configures a match on all unfragmented packets

On — configures a match on all fragmented packets

IP-Option

Specifies matching packets with a specific IP option or range of IP options in the IP header for IP filter match criteria (IPv4 filters only)

TCP-syn

Off — the SYN bit is disabled

On — the SYN bit is set

Match action

Default — the filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates that the entry is Inactive, the filter entry is incomplete as no action was specified.

Drop — drop packets matching the filter entry

Forward — forward packets matching the filter entry

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Src. Port

The source TCP or UDP port number or port range

Dest. Port

The destination TCP or UDP port number or port range

Dscp

The DSCP name

ICMP Code

The ICMP code field in the ICMP header of an IP packet

Option-present: (IPv4 filters only)

Off — does not search for packets that contain the option field or have an option field of zero

On — matches packets that contain the option field or have an option field of zero

Multiple Option: (IPv4 filters only)

Off — the option fields are not checked

On — packets containing one or more option fields in the IP header will be used as IP filter match criteria

TCP-ack

Off — the ACK bit is not matched

On — matches the ACK bit being set or reset in the control bits of the TCP header of an IP packet

Output Example
*A-ALU-49# show filter ip 1 associations
===============================================================================
IP Filter
===============================================================================
Filter Id    : 1                                Applied        : Yes
Scope        : Template                         Def. Action    : Drop
Entries      : 1
-------------------------------------------------------------------------------
Filter Association : IP
-------------------------------------------------------------------------------
===============================================================================
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 10
Log Id       : n/a
Src. IP      : 10.1.1.1/24                      Src. Port      : None
Dest. IP     : 0.0.0.0/0                        Dest. Port     : None
Protocol     : 2                                Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Option-present : Off
Sampling     : Off                              Int. Sampling  : On
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Match action : Drop
Ing. Matches : 0                                Egr. Matches   : 0
===============================================================================
*A-ALU-49#
*A-ALU-49# show filter ipv6 1 associations
===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 1
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Association : IPv6
-------------------------------------------------------------------------------
No Match Found
===============================================================================
*A-ALU-49#
Table 82:  Show Filter Associations Output Fields 

Label

Description

Filter Id

The IP filter policy ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries configured in this filter ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Association

IP or IPv6

Entry

The filter entry ID. If the filter entry ID indicates that the entry is Inactive, the filter entry is incomplete as no action was specified.

Src. IP

The source IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.

Dest. IP

The destination IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.

Protocol

The protocol ID for the match criteria. Undefined indicates no protocol specified. (IPv4 filters only)

Next Header

The next header ID for the match criteria. Undefined indicates no next header is specified. (IPv6 filters only)

ICMP Type

The ICMP type match criterion. Undefined indicates no ICMP type specified.

Fragment: (IPv4 filters only)

Off — configures a match on all unfragmented packets

On — configures a match on all fragmented packets

TCP-syn

Off — the SYN bit is disabled

On — the SYN bit is set

Match action

Default — the filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is inactive, the filter entry is incomplete (no action was specified).

Drop — drop packets matching the filter entry

Forward — forward packets matching the filter entry

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Src. Port

The source TCP or UDP port number or port range

Dest. Port

The destination TCP or UDP port number or port range

Dscp

The DSCP name

ICMP Code

The ICMP code field in the ICMP header of an IP packet

Option-present: (IPv4 filters only)

Off — does not search for packets that contain the option field or have an option field of zero

On — matches packets that contain the option field or have an option field of zero

Multiple Option: (IPv4 filters only)

Off — the option fields are not checked

On — packets containing one or more option fields in the IP header will be used as IP filter match criteria

TCP-ack

Off — the ACK bit is not matched

On — matches the ACK bit being set or reset in the control bits of the TCP header of an IP packet

Output Example
*A-ALU-1# show filter ip 3 counters
===============================================================================
IP Filter : 100                                                                
===============================================================================
Filter Id   : 3                                Applied         : Yes           
Scope       : Template                         Def. Action     : Drop 
Entries     : Not Available                                                    
-------------------------------------------------------------------------------
Filter Match Criteria : IP                                                     
-------------------------------------------------------------------------------
Entry       : 10                                                              
Ing. Matches: 749                              Egr. Matches    : 0
                                                                               
Entry       : 200                                                              
Ing. Matches: 0                                Egr. Matches    : 0
                                                                               
===============================================================================
*A-ALU-1#
*A-ALU-1# show filter ipv6 1 counters
===============================================================================
IPv6 Filter
===============================================================================
Filter Id    : 1                                Applied        : No
Scope        : Template                         Def. Action    : Drop
Entries      : 1
Description  : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry        : 1 (Inactive)
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
 
===============================================================================
*A-ALU-1#
Table 83:  Show Filter Counters Output Fields 

Label

Description

Filter Id

The IP filter policy ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries configured in this filter ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Match Criteria

IP — indicates the filter is an IPv4 filter policy

IPv6 — indicates the filter is an IPv6 filter policy

Entry

The filter entry ID. If the filter entry ID indicates the entry is (Inactive), the filter entry is incomplete as no action has been specified.

Ing. Matches

The number of ingress filter matches/hits for the filter entry

log

Syntax 
log [bindings]
log log-id [match string]
Context 
show>filter
Description 

This command displays filter log information. When a filter log command is used with a MAC filter and a packet is matched, the log entry differs from an IP filter entry: for a MAC filter, the source and destination IP addresses of incoming packets are not included in the log.

Parameters 
bindings—
displays the number of filter logs currently available
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199

 

string—
specifies to display the log entries starting from the first occurrence of the specified string
Values—
up to 32 characters

 

Output 

The following outputs are examples of filter log information:

  1. filter log information (Output Example, Table 84)
  2. filter log bindings (Output Example, Table 85)
Output Example
*A-ALU-1# show filter log
===============================================================================
Filter Logs
===============================================================================
Log-Id Dest.  Id/Entries Enabled Description
-------------------------------------------------------------------------------
101    Memory 1000       Yes     Default filter log
       Wrap: Enabled
1 Entries Found
===============================================================================
*A-ALU-1#
*A-ALU-1# show filter log 101
===============================================================================
Filter Log
===============================================================================
Admin state : Enabled
Description : Default filter log
Destination : Memory
Wrap        : Enabled
-------------------------------------------------------------------------------
Maximum entries configured : 1000
Number of entries logged   : 4
2011/1124 22:10:03  Ip Filter: 1:12  Desc: Descr. for Ip Fltr Policy id # 1 entry 12
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3216  Dst IP: 10.10.11.2:0  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP
 
2011/1124 22:10:03  Ip Filter: 1:12  Desc: Descr. for Ip Fltr Policy id # 1 entry 12
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3216  Dst IP: 10.10.11.2:0  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP                         
 
2011/1124 22:10:06  Ip Filter: 1:13  Desc: Descr. for Ip Fltr Policy id # 1 entry 13
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.16:0  Dst IP: 10.10.11.2:31  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP
 
2011/1124 22:10:06  Ip Filter: 1:13  Desc: Descr. for Ip Fltr Policy id # 1 entry 13
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.16:0  Dst IP: 10.10.11.2:31  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP
 
===============================================================================
Table 84:  Show Filter Log Output Fields 

Label

Description

Log-Id

The filter log ID

Dest./Destination

The destination of the filter log: memory or syslog

Id/Entries

The number of entries configured for this filter log

Enabled

Indicates whether the log is administratively enabled

Admin State

The administrative state of the log: enabled or disabled

Description

The description string configured for the filter log

Wrap

Indicates whether the wraparound function (circular buffer) is enabled

Maximum entries configured

The maximum number of entries allowed in this filter log

Number of entries logged

The number of entries in this filter log

(date)

The timestamp of the entry

Ip Filter

The filter ID and entry ID

Desc.

The description string for the filter log

SDP

The SDP using this filter

Direction

The direction of the traffic being filtered

Action

The action taken as a result of the filter

Src MAC

The source MAC address of the packet

Dst MAC

The destination MAC address of the packet

EtherType

The Ethertype of the packet

Src IP

The source IP address of the packet

Dst IP

The destination IP address of the packet

Flags

The number of flags associated with the packet

TOS

The type of service for the packet expressed as a hexadecimal number. Use the show>qos>dscp-table command to see the definitions of the numbers.

TTL

The time to live setting remaining for the packet

Protocol

The protocol used for the packet

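The memory-destination log entries shown above are the raw material for detection work: which drop entries are firing and from which sources. The following Python parser is an added example written for this page, not Nokia/ALU code; the function names are assumptions and the sample entries are constructed in the layout of the output example (one Forward entry added to show that the counters only count drops). MAC-filter entries, which per the description above carry no Src IP/Dst IP, are handled by leaving those keys absent.

```python
"""Parse 'show filter log log-id' memory entries and summarize drops.
Added example for this page, not the vendor's code; sample log is constructed."""
import re
from collections import Counter
from typing import Any, Dict, List, Tuple

# Constructed sample in the layout of the output example above.
SAMPLE_LOG = """\
2011/1124 22:10:03  Ip Filter: 1:12  Desc: Descr. for Ip Fltr Policy id # 1 entry 12
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3216  Dst IP: 10.10.11.2:0  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP

2011/1124 22:10:03  Ip Filter: 1:12  Desc: Descr. for Ip Fltr Policy id # 1 entry 12
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3217  Dst IP: 10.10.11.2:0  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP

2011/1124 22:10:06  Ip Filter: 1:13  Desc: Descr. for Ip Fltr Policy id # 1 entry 13
SDP: 1:60000  Direction: Ingress  Action: Drop
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.16:0  Dst IP: 10.10.11.2:31  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP

2011/1124 22:10:09  Ip Filter: 1:14  Desc: Descr. for Ip Fltr Policy id # 1 entry 14
SDP: 1:60000  Direction: Ingress  Action: Forward
Src MAC: 1f-ff-f0-1f-ff-c5  Dst MAC: aa-bb-cc-dd-ee-ff  EtherType: 0800
Src IP: 10.50.1.144:3218  Dst IP: 10.10.11.2:53  Flags: 0  TOS: b8  TTL: 64
Protocol: UDP
"""

# Entry header: "<yyyy/mmdd hh:mm:ss>  Ip Filter: <filter-id>:<entry-id>  Desc: <text>"
HEADER_RE = re.compile(
    r"^(\d{4}/\d{4} \d\d:\d\d:\d\d)\s+Ip Filter: (\d+):(\d+)\s+Desc: (.*)$")
# "Key: value" pairs on the remaining lines; keys are one or two words.
FIELD_RE = re.compile(r"([A-Za-z]+(?: [A-Za-z]+)?): (\S+)")


def parse_filter_log(text: str) -> List[Dict[str, Any]]:
    """Split the log on blank lines and turn each entry into a flat record."""
    records: List[Dict[str, Any]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        header = HEADER_RE.match(lines[0].strip())
        if not header:
            continue   # banner lines or anything that is not an entry header
        rec: Dict[str, Any] = {
            "timestamp": header.group(1),
            "filter_id": int(header.group(2)),
            "entry_id": int(header.group(3)),
            "desc": header.group(4).strip(),
        }
        for line in lines[1:]:
            for key, value in FIELD_RE.findall(line):
                rec[key.lower().replace(" ", "_")] = value
        # Src IP / Dst IP are printed as address:port; split on the last colon.
        for key in ("src_ip", "dst_ip"):
            if key in rec:
                addr, _, port = rec[key].rpartition(":")
                rec[key], rec[key + "_port"] = addr, int(port)
        records.append(rec)
    return records


def drops_by_entry(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count Drop entries per 'filter-id:entry-id', the key the log prints."""
    counts = Counter(f"{r['filter_id']}:{r['entry_id']}"
                     for r in records if r.get("action") == "Drop")
    return dict(counts)


def top_dropped_sources(records: List[Dict[str, Any]], n: int = 5) -> List[Tuple[str, int]]:
    """Most frequent source addresses among dropped packets (MAC-filter entries lack one)."""
    counts = Counter(r.get("src_ip", "(no IP)")
                     for r in records if r.get("action") == "Drop")
    return counts.most_common(n)


if __name__ == "__main__":
    recs = parse_filter_log(SAMPLE_LOG)
    print(drops_by_entry(recs))
    print(top_dropped_sources(recs))
```

Because the memory destination wraps when `wrap-around` is enabled, a periodic poll that feeds `show filter log` output through `parse_filter_log` and keeps the per-entry counts outside the device is the usual way to retain drop history beyond the configured number of entries.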
Output Example
*A-ALU-1# show filter log bindings
 
===============================================================================
Filter Log Bindings
===============================================================================
Total Log Instances (Allowed)          : 2047
Total Log Instances (In Use)           : 1
Total Log Bindings                     : 1
 
-------------------------------------------------------------------------------
Type  FilterId EntryId   Log    Instantiated
-------------------------------------------------------------------------------
 Cpm         1       2   101             Yes

====================================================================

Table 85:  Show Filter Log Bindings 

Label

Description

Total Log Instances (Allowed)

The maximum allowed instances of filter logs allowed on the system

Total Log Instances (In Use)

The instances of filter logs presently existing on the system

Total Log Bindings

The count of the filter log bindings presently existing on the system

Type

The type of filter: CPM, IP, or MAC

FilterID

The unique identifier of the filter

EntryID

The unique identifier of an entry in the filter table

Log

The filter log identifier

Instantiated

Specifies if the filter log for this filter entry has been enabled

mac

Syntax 
mac {mac-filter-id [entry entry-id] [associations | counters]}
Context 
show>filter
Description 

This command displays MAC filter information.

Parameters 
mac-filter-id—
displays detailed information for the specified filter ID or filter name and its filter entries
Values—
1 to 65535 or filter-name (up to 64 characters)

 

entry entry-id—
displays information on the specified filter entry ID for the specified filter ID
Values—
1 to 65535

 

associations—
displays information on where the filter policy ID is applied to the detailed filter policy ID output
counters—
displays counter information for the specified filter ID
Output 

The following outputs are examples of MAC filter information:

  1. no parameters specified (Output Example, Table 86)
  2. mac-filter-id specified (Output Example, Table 87)
  3. associations specified (Output Example, Table 88)
  4. counters specified (Output Example, Table 89)
Output Example

When no parameters are specified, a brief listing of MAC filters is produced.

*A-ALU-1>show>filter# mac
===============================================================================
Mac Filters                                                        Total:     3
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
11        Template No
232       Template Yes     filter-west
5000      Template No
-------------------------------------------------------------------------------
Num MAC filters: 3
===============================================================================
*A-ALU-1# 
Table 86:  Show Filter MAC (No Filter ID Specified) 

Label

Description

Filter-Id

The MAC filter ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Description

The MAC filter policy description

Output Example

When the filter ID is specified, detailed filter information for the filter ID and its entries is displayed.

*A-ALU-1# show filter# mac 5000
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 5000                             Applied         : No
Scope       : Template                         Def. Action     : Drop
Entries     : 1
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry       : 5000 (Inactive)                  FrameType       : Ethernet
Description : (Not Specified)
Log Id      : n/a
Src Mac     : ff:ff:ff:ff:ff:ff
Dest Mac    :
Dot1p       : Undefined                        Ethertype       : Undefined
DSAP        : Undefined                        SSAP            : Undefined
Snap-pid    : Undefined                        ESnap-oui-zero  : Undefined
Match action: Drop
Ing. Matches: 0 pkts
Egr. Matches: 0 pkts
 
===============================================================================
*A-ALU-1# 
Table 87:  Show Filter MAC (Filter ID Specified) 

Label

Description

MAC Filter

Filter Id

The MAC filter policy ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Def. Action

Forward — the default action for the filter ID for packets that do not match the filter entries is to forward

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Entries

The number of entries in the filter policy

Description

The MAC filter policy description

Filter Match Criteria: Mac

Entry

The filter entry ID. If the filter entry ID indicates the entry is (Inactive), the filter entry is incomplete as no action has been specified.

FrameType

Ethernet — the entry ID match frame type is Ethernet IEEE 802.3

Ethernet II — the entry ID match frame type is Ethernet Type II.

Description

The filter entry description

Log Id

The filter log identifier

Src Mac

The source MAC address match criterion. If the MAC address is all zeros, no criterion is specified for the filter entry.

Dest Mac

The destination MAC address match criterion. If the MAC address is all zeros, no criterion is specified for the filter entry.

Dot1p

The IEEE 802.1p value for the match criterion. Undefined indicates that no value is specified

Ethertype

The Ethertype value match criterion

DSAP

The DSAP value match criterion. Undefined indicates that no value is specified

SSAP

The SSAP value match criterion. Undefined indicates that no value is specified

Snap-pid

The Ethernet SNAP PID value match criterion. Undefined indicates that no value is specified

Esnap-oui-zero

Non-Zero — filter entry matches a non-zero value for the Ethernet SNAP OUI

Zero — filter entry matches a zero value for the Ethernet SNAP OUI

Undefined — no Ethernet SNAP OUI value is specified

Match action

Default — the filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete as no action was specified

Drop — packets matching the filter entry criteria will be dropped

Forward — packets matching the filter entry criteria are forwarded

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Egr. Matches

The number of egress filter matches/hits for the filter entry

Output Example
*A-ALU-1# show filter# mac 11 associations
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 11                               Applied         : No
Scope       : Template                         Def. Action     : Drop
Entries     : 1
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Association : Mac
-------------------------------------------------------------------------------
No Match Found
===============================================================================
Table 88:  Show Filter MAC Associations 

Label

Description

Filter Id

The IP filter ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries in the filter

Description

The MAC filter policy description

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Forward — the default action for the filter ID for packets that do not match the filter entries is to forward

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Association

The type of filter association

Output Example
*A-ALU-1# show filter# mac 11 counters
===============================================================================
Mac Filter
===============================================================================
Filter Id   : 11                               Applied         : No
Scope       : Template                         Def. Action     : Drop
Entries     : 1
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : Mac
-------------------------------------------------------------------------------
Entry       : 11 (Inactive)                    FrameType       : Ethernet II
Ing. Matches: 0 pkts
Egr. Matches: 0 pkts
 
===============================================================================
*A-ALU-1# 
Table 89:  Show Filter MAC Counters 

Label

Description

Filter Id

The IP filter ID

Scope

Template — the filter policy is of type Template

Exclusive — the filter policy is of type Exclusive

Entries

The number of entries in the filter

Description

The MAC filter policy description

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Def. Action

Forward — the default action for the filter ID for packets that do not match the filter entries is to forward

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Filter Match Criteria: Mac

Entry

The filter entry ID. If the filter entry ID indicates that the entry is (Inactive), the filter entry is incomplete because no action has been specified.

FrameType

Ethernet — the entry ID match frame type is Ethernet IEEE 802.3

Ethernet II — the entry ID match frame type is Ethernet Type II

Ing. Matches

The number of ingress filter matches/hits for the filter entry

Egr. Matches

The number of egress filter matches/hits for the filter entry

vlan

Syntax 
vlan [filter-id] [entry entry-id]
Context 
show>filter
Description 

This command displays VLAN filter information.

Parameters
filter-id—
displays detailed information for the specified filter ID or filter-name and its filter entries
Values—
1 to 65535 or filter-name (up to 64 characters)

entry-id—
displays information on the specified filter entry ID for the specified filter ID
Values—
1 to 65535

Output 

The following outputs are examples of VLAN filter information:

  1. no parameters specified (Output Example, Table 90)
  2. filter-id specified (Output Example, Table 91)
Output Example

When no parameters are specified, a brief listing of VLAN filters is displayed.

*A-ALU-1:show>filter# vlan
===============================================================================
VLAN Filters                                                       Total:     2
===============================================================================
Filter-Id Scope     Applied   Description                                      
-------------------------------------------------------------------------------
2         Template  Yes       VLAN_filter_2                                    
65535     Template  No                                                         
-------------------------------------------------------------------------------
Num VLAN filters: 2
===============================================================================
*A-ALU-1:show>filter#
Table 90:  Show Filter VLAN (No Filter Specified) 

Label

Description

Filter-Id

The VLAN filter ID

Scope

Template — the VLAN filter policy is always of type Template

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Description

The VLAN filter policy description

Output Example

When the filter ID is specified, detailed filter information for the filter and its entries is displayed.

*A:7705custDoc:Sar18>show>filter# vlan 2
===============================================================================
VLAN Filter
===============================================================================
Filter Id    : 2                                Applied        : Yes
Scope        : Template                         Def. Action    : drop
Entries      : 4
Description  : VLAN_filter_2
-------------------------------------------------------------------------------
Filter Match Criteria :
-------------------------------------------------------------------------------
Entry        : 2
Description  : vlan_fltr_entry2
Match        : Untagged                         Action         : forward
 
Entry        : 3
Description  : vlan_fltr_entry3
Match        : VLAN                             Action         : drop
Operation    : eq
Vlan-Id      : 2
 
Entry        : 4
Description  : vlan_fltr_entry4
Match        : VLAN                             Action         : drop
Operation    : eq
Vlan-Id      : 445
 
Entry        : 65535
Description  : (Not Specified)
Match        : VLAN                             Action         : drop
Operation    : range
From         : 2000                             To             : 3000
===============================================================================
*A:7705custDoc:Sar18>show>filter#
Table 91:  Show Filter VLAN (Filter ID Specified) 

Label

Description

VLAN Filter

Filter Id

The VLAN filter policy ID

Applied

No — the filter policy ID has not been applied

Yes — the filter policy ID is applied

Scope

Template — the filter policy is always of type Template

Def. Action

Forward — the default action for the filter ID for packets that do not match the filter entries is to forward

Drop — the default action for the filter ID for packets that do not match the filter entries is to drop

Entries

The number of entries in the filter policy

Description

The VLAN filter policy description

Filter Match Criteria:

Entry

The filter entry ID. If the filter entry ID indicates that the entry is (Inactive), then the filter entry is incomplete as no action has been specified

Description

The filter entry description

Match

VLAN — the type of match criteria for the entry is VLAN

Untagged — the type of match criteria for the entry is untagged

Action

Drop — packets matching the filter entry criteria will be dropped

Forward — packets matching the filter entry criteria will be forwarded

Operation

The match criteria operator. Valid operators are: lt (less than), gt (greater than), eq (equal to), and range (for a range of VLAN IDs).

Vlan-Id

The VLAN ID when the match criteria defines a specific VLAN ID

From

The start VLAN ID when the match criteria defines a VLAN ID range

To

The end VLAN ID when the match criteria defines a VLAN ID range
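
The match operators listed in Table 91 (eq, lt, gt, range), the Untagged match and the filter's default action together decide what happens to each frame. The following Python is an added example, not code from this documentation or from the product; it models filter 2 from the output above so that a reviewer can check what a given tagged or untagged frame would get before the policy is applied. It assumes, which the page does not state, that entries are evaluated in ascending entry ID order and the first match decides, with the default action applying when no entry matches. The class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not product code. Models the "show filter vlan 2" output:
# each entry matches Untagged or VLAN (with operation eq/lt/gt/range) and has
# an action; the filter's default action covers everything else.
# Assumption (not stated on the page): entries are evaluated in ascending
# entry-id order and the first matching entry decides.


@dataclass(frozen=True)
class VlanEntry:
    entry_id: int
    action: str                       # "forward" or "drop"
    match: str                        # "Untagged" or "VLAN"
    operation: Optional[str] = None   # "eq", "lt", "gt", "range" (VLAN matches only)
    vlan_id: Optional[int] = None     # operand for eq/lt/gt
    vlan_range: Optional[Tuple[int, int]] = None  # (From, To) for range, inclusive

    def matches(self, tag: Optional[int]) -> bool:
        """tag is None for an untagged frame, otherwise the 802.1Q VLAN ID."""
        if self.match == "Untagged":
            return tag is None
        if tag is None:
            return False
        if self.operation == "eq":
            return tag == self.vlan_id
        if self.operation == "lt":
            return tag < self.vlan_id
        if self.operation == "gt":
            return tag > self.vlan_id
        if self.operation == "range":
            lo, hi = self.vlan_range
            return lo <= tag <= hi
        raise ValueError(f"entry {self.entry_id}: unknown operation {self.operation!r}")


@dataclass(frozen=True)
class VlanFilter:
    filter_id: int
    default_action: str
    entries: List[VlanEntry]

    def evaluate(self, tag: Optional[int]) -> Tuple[str, Optional[int]]:
        """Return (action, matching entry-id), entry-id None when the default applied."""
        for e in sorted(self.entries, key=lambda x: x.entry_id):
            if e.matches(tag):
                return e.action, e.entry_id
        return self.default_action, None


# Filter 2 exactly as shown in the output example above.
VLAN_FILTER_2 = VlanFilter(
    filter_id=2,
    default_action="drop",
    entries=[
        VlanEntry(2, "forward", "Untagged"),
        VlanEntry(3, "drop", "VLAN", "eq", vlan_id=2),
        VlanEntry(4, "drop", "VLAN", "eq", vlan_id=445),
        VlanEntry(65535, "drop", "VLAN", "range", vlan_range=(2000, 3000)),
    ],
)


def audit_filter(flt: VlanFilter, tags: List[Optional[int]]) -> None:
    """Print the verdict for each frame; handy when reviewing a default-drop policy."""
    for tag in tags:
        action, eid = flt.evaluate(tag)
        via = f"entry {eid}" if eid is not None else "default action"
        label = "untagged" if tag is None else str(tag)
        print(f"vlan={label:>8}: {action:<7} ({via})")


if __name__ == "__main__":
    # constructed test frames: untagged, VLAN 2, VLAN 445, VLAN 2500 (in range), VLAN 100 (no match)
    audit_filter(VLAN_FILTER_2, [None, 2, 445, 2500, 100])
```

With this filter only untagged frames are forwarded; every tagged frame is dropped either by an explicit entry or by the default action, which is what a default-drop VLAN allow-list should look like. Swapping the default action to forward shows how much traffic a single missing entry would let through.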

app-group

Syntax 
app-group [group-id | name] [entry entry-id] [detail]
Context 
show>security
Description 

This command displays firewall application group information.

Parameters
group-id—
displays information for the specified application group ID
Values—
1 to 100

name—
displays information for the specified application group name
Values—
1 to 32 characters in length (must start with a letter)

entry-id—
displays information for the specified application group entry ID
Values—
1 to 65535

detail—
displays detailed information on the specified application group

capture

Syntax 
capture [format {decode | raw}]
Context 
show>security
Description 

This command displays summary information about the captured packets stored in the debug security log.

Parameters 
format decode—
the debug security log displays the packet IP header and relevant Layer 4 headers
format raw—
the debug security log displays the raw packet in hexadecimal format
Output 

The following output is an example of captured packet information.

Output Example
*A-ALU-1# show security capture
===============================================================================
Security Packet Capture
===============================================================================
State          :STOPPED
Start Time     :NEVER
Running Time   : 0 days   0 hours   0 mins 0 secs
Memory Capture Contents:    [size=1024      count=0  <continuous>]
 
===============================================================================
*A-ALU-1#

control-summary

Syntax 
control-summary
Context 
show>security
Description 

This command displays a summary of the receive control queues for a security zone.

Output 

The following output is an example of receive control queue information.

Output Example
*A-ALU-1# show security control-summary
===============================================================================
Zone Control Summary (Packets)
===============================================================================
Zone                                             Forwarded              Dropped
-------------------------------------------------------------------------------
VPRN_ZONE                                                0                    0
ACCESS-POINT                                             0                    0
PUBLIC-INTERNET                                          1                    0
60                                                       0                    0
-------------------------------------------------------------------------------
Num of Zones:  4                                                              
===============================================================================
*A-ALU-1#

engine

Syntax 
engine
Context 
show>security
Description 

This command displays system-level security engine statistics. During a CSM switch, security statistics roll back to zero.

Output 

The following output is an example of security engine statistics.

Output Example
*A-ALU-1# show security engine
===============================================================================
Security Engine 
===============================================================================
                                                                        Packets
-------------------------------------------------------------------------------
Rx Queue                                                                       
  Forwarded –  Control                                                        1
            –  Session Data                                            96932032
  Dropped                                                           19944168792
 
Security Processing                                                         
  Passed                                                               96932033
  Dropped                                                                     0
                                                                           
CPU Utilization  (Sample period:   1 sec):         100 %                        
===============================================================================
*A-ALU-1#

host-group

Syntax 
host-group [group-id | name] [detail]
Context 
show>security
Description 

This command displays firewall host group information.

Parameters
group-id—
displays information for the specified host group ID
Values—
1 to 100

name—
displays information for the specified host group name
Values—
1 to 32 characters in length (must start with a letter)

detail—
displays detailed information on the specified host group

log

Syntax 
log [log-id | name]
log events [type event-type]
log profile {log-profile-id | name} [type event-type]
log profiles
Context 
show>security
Description 

This command displays firewall logging information.

Parameters
log-id—
displays information for the specified log ID
Values—
1 to 100

name—
displays information for the specified log name or log profile name
Values—
1 to 32 characters (must start with a letter)

event-type—
displays information on the specified log event type
Values—
1 to 32 characters

log-profile-id—
displays information for the specified log profile ID
Values—
1 to 100

events—
displays information for all log events
profiles—
displays information for all log profiles
Output 

The following output is an example of security log information, and Table 92 describes the fields.

Output Example
*A-ALU-1# show security log SecurityLog11
===============================================================================
Security Log: SecurityLog11
===============================================================================
Description: Security Log ID 11
Profile    : DEFAULT
Memory log contents  [size=1024   next-event=3  (wrapped)]
 
1 06/11/2015 17:25:56  SECURITY:Packet Base IF:ies-201-150.1.0.1
 Outbound : Forward Zone (Rule:1)
 Inbound   : GRT Zone (Rule:1)
 Session   : 1-FWD
 Report    : SessionBegin
 IP header  :
    ver:4  hlen:20  tos:0x00  len:84  hxsum:0x4fa3
    id:0x0001 frag:000 (offset:0)
   151.1.1.1->151.1.1.2  proto:ICMP
 ICMP header:
    type:8  code:0  xsum:0x059e (echo-request)
 
2 06/11/2015 17:26:56  SECURITY:Audit       SESSION:1
 Outbound  : <None> 
 Inbound    : GRT Zone 
 Session    : 1-FWD
 Report     : SessionEnd (TIMER-EXPIRED)
===============================================================================
*A-ALU-1# 
 
*A-ALU-1# show security log events 
===============================================================================
Security Logging Events
===============================================================================
Name                                    ID Severity State
--------------------------------------------------------------
PACKET
  TcpInvalidHeader                      01 INFORM   throttle
  DnsInvalidHeader                      02 INFORM   throttle
  DnsUnmatchedAnswer                    03 INFORM   throttle
...
ZONE
  NoRuleMatched                         01 INFORM   throttle
  SessionLimitReached                   02 INFORM   throttle
POLICY
  Matched                               01 INFORM   suppress
  MatchedNAT                            02 INFORM   suppress
  ActionReject                          03 INFORM   throttle
...
SESSION
  SessionBegin                          01 INFORM   throttle
  SessionEnd                            02 INFORM   throttle
  SessionBeginEnd                       03 INFORM   throttle
APPLICATION
  Summary                               01 INFORM   throttle
  HandshakeMissing                      02 INFORM   throttle
  HandshakeCtlInvalid                   03 INFORM   throttle
  HandshakeDataUnexpected               04 INFORM   throttle
...
ALG
  CmdIncomplete                         01 INFORM   throttle
  DynamicRuleInserted                   02 INFORM   throttle
  DynamicRuleInsertedPASV               03 INFORM   throttle
...
--------------------------------------------------------------
Num of Events: 61
==============================================================
Table 92:  Show Security Log Output Fields  

Label

Description

Security Logs

Description

The security log identifier

Profile

The security logging profile to which the log applies

Memory log contents

Details of the log content

Outbound

Session location of the zone in the outbound direction

Inbound

Session location of the zone in the inbound direction

Session

The session ID

Report

The security log event code

IP header

The IPv4 packet header

Security Logging Events

Name

The name of the event type and event

ID

The event identifier

Severity

The severity of the event

State

Indicates how each event is being handled
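
The memory log records in the show security log output above share one layout: a header line carrying the sequence number, timestamp and event category (Packet, Audit), followed by indented key/value lines (Outbound, Inbound, Session, Report) and, for packet events, an IP header block with the source, destination and protocol. The following Python is an added example, not part of this documentation or of the product; it parses a constructed copy of that output into records and lists sessions that have a SessionBegin but no SessionEnd inside the log window, a check worth running when these logs are exported to a SIEM. The sample text reproduces the output example above; the record and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not product code. Constructed sample modelled on the
# "show security log SecurityLog11" memory-log output: a SessionBegin packet
# event followed by the SessionEnd audit event for the same session.
SAMPLE_LOG = """\
1 06/11/2015 17:25:56  SECURITY:Packet Base IF:ies-201-150.1.0.1
 Outbound : Forward Zone (Rule:1)
 Inbound   : GRT Zone (Rule:1)
 Session   : 1-FWD
 Report    : SessionBegin
 IP header  :
    ver:4  hlen:20  tos:0x00  len:84  hxsum:0x4fa3
    id:0x0001 frag:000 (offset:0)
   151.1.1.1->151.1.1.2  proto:ICMP
 ICMP header:
    type:8  code:0  xsum:0x059e (echo-request)

2 06/11/2015 17:26:56  SECURITY:Audit       SESSION:1
 Outbound  : <None>
 Inbound    : GRT Zone
 Session    : 1-FWD
 Report     : SessionEnd (TIMER-EXPIRED)
"""

# A record header sits at column 0: "<seq> <mm/dd/yyyy> <hh:mm:ss>  SECURITY:<category> ..."
RECORD_HDR = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+SECURITY:(?P<category>\w+)(?P<rest>.*)$"
)
# Record fields are indented by exactly one space: " Report    : SessionBegin"
FIELD = re.compile(r"^ (?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")
# The flow line inside the IP header block: "   151.1.1.1->151.1.1.2  proto:ICMP"
FLOW = re.compile(r"^\s*(?P<src>[\d.]+)->(?P<dst>[\d.]+)\s+proto:(?P<proto>\S+)")


@dataclass
class LogRecord:
    seq: int
    timestamp: str
    category: str                                  # Packet, Audit, ...
    fields: Dict[str, str] = field(default_factory=dict)
    flow: Optional[Dict[str, str]] = None          # src/dst/proto from the IP header

    @property
    def session(self) -> str:
        return self.fields.get("Session", "")

    @property
    def report(self) -> str:
        # "SessionEnd (TIMER-EXPIRED)" -> "SessionEnd"; the reason stays in fields["Report"]
        return self.fields.get("Report", "").split(" ")[0]


def parse_security_log(text: str) -> List[LogRecord]:
    """Split the memory-log text into LogRecord objects, one per numbered event."""
    records: List[LogRecord] = []
    for line in text.splitlines():
        m = RECORD_HDR.match(line)
        if m:
            records.append(LogRecord(
                seq=int(m["seq"]),
                timestamp=f"{m['date']} {m['time']}",
                category=m["category"],
            ))
            continue
        if not records or not line.strip():
            continue                              # text before the first record, or a separator
        fm = FLOW.match(line)
        if fm:
            records[-1].flow = fm.groupdict()
            continue
        km = FIELD.match(line)
        if km:
            records[-1].fields[km["key"].strip()] = km["val"].strip()
    return records


def open_sessions(records: List[LogRecord]) -> List[str]:
    """Session IDs with a SessionBegin but no later SessionEnd in this log window."""
    begun: Dict[str, bool] = {}
    for r in records:
        if r.report == "SessionBegin":
            begun[r.session] = True
        elif r.report == "SessionEnd":
            begun.pop(r.session, None)
    return sorted(begun)
```

Because the memory log wraps (the header shows size=1024 and (wrapped)), a SessionBegin whose SessionEnd was already overwritten will show up as open; treat the result as a list of sessions to look at, not as proof that they are still active, and confirm with show security session-summary.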

policer-group

Syntax 
policer-group [group-id | name] [statistics]
Context 
show>security
Description 

This command displays policer group information.

Parameters
group-id—
displays detailed information for the specified policer group ID
Values—
1 to 1024

name—
displays detailed information for the specified policer group name
Values—
1 to 32 characters (must start with a letter)

statistics—
displays policer group statistics when a group is specified
Output 

The following output is an example of policer group information.

Output Example
*A:7705:Dut-C# show security policer-group 1 statistics
===============================================================================
Security Policer-Group
===============================================================================
Group Id         : 1                                Applied        : Yes
Name             : policer-group 1
Description      : session rate created by SNMP
Ingress Rate     : 1 mbps
CBS (bytes)      : 1024
===============================================================================
===============================================================================
Policer Traffic Statistics
===============================================================================
                                                 Forward                Reverse
-------------------------------------------------------------------------------
Passed
  Packets                                         247690                 101822
  Octets                                        36162740               14866012
Dropped Packets
  Rate-Exceeded                                  2777461                2919967
===============================================================================

policing-summary

Syntax 
policing-summary
Context 
show>security
Description 

This command displays a summary of traffic statistics for policers.

Output 

The following output is an example of traffic statistics for policers.

Output Example
*A:7705:Dut-C# show security policing-summary
==============================================================================
Policing Summary (Packets)
==============================================================================
Policer                                      Forwarded                Dropped
------------------------------------------------------------------------------
policer-group 1                                 432001                7042904
policer-group 2                                 863995                6610910
policer-group 3                                 808609                4096798
policer-group 4                                 436480                1656494
policer-group 5                                 405590                1164140
policer-group 6                                 321247                 725240
policer-group 7                                 320532                 576457
policer-group 8                                 336382                 488707
------------------------------------------------------------------------------
Num of Groups: 8
==============================================================================

policy

Syntax 
policy [policy-id | policy-name] [detail] [association]
policy [policy-id | policy-name] [entry entry-id] [detail] [association]
Context 
show>security
Description 

This command displays security policy information.

Parameters
policy-id—
displays detailed information for the specified policy ID
Values—
1 to 65535

policy-name—
specifies the name of the policy
Values—
1 to 32 characters (must start with a letter)

entry-id—
displays information on the specified policy entry ID
Values—
1 to 65535

detail—
displays detailed information on the specified policy or filter
association—
displays counter information for the specified policy or entry ID
Output 

The following output is an example of security policy information, and Table 93 describes the fields.

Output Example
*A-ALU-1# show security policy
===============================================================================
Security Policies
===============================================================================
Policy Id    Scope          Applied        Name
-------------------------------------------------------------------------------
1            Template       Yes            Inbound Policy
2            Template       Yes            IES Policy
-------------------------------------------------------------------------------
Num of Policies: 2         
===============================================================================
*A-ALU-1# 
 
*A-ALU-1# show security policy 1 detail
===============================================================================
Security Policy
===============================================================================
Policy Id    : 1                                Applied        : Yes
Name         : Inbound Policy
Scope        : Template                         Def. Action    : Reject
Entries      : 1
Description  : common egress policy
-------------------------------------------------------------------------------
Policy Match Criteria : IP
-------------------------------------------------------------------------------
Entry            : 1                                Active         : yes
Description      : match TCP and port
Match direction  : zone-inbound
Src. IP          : None                             Src. Port      : eq21
Dest. IP         : None                             Dest. Port     : None
Protocol         : tcp                                  
ICMP Type        : Undefined                        ICMP Code      : Undefined
Profile ID       : DEFAULT                          Session        : Fwd-Dir-O*
Action           : nat                              Session Limit : None
Logging          : suppressed                            
 
Entry            : 2                                Active: Yes
Description      : match UDP and IP                 TCP-ack        : Off
Match direction  : zone-inbound
Src. IP          : 10.100.0.2                       Src. Port      : None
Dest. IP         : None                             Dest. Port     : None
Protocol         : udp                                  
ICMP Type        : Undefined                        ICMP Code      : Undefined
Profile ID       : DEFAULT                             Session     : Bi-Direct*
Action           : reject                              Session Limit : None
Logging          : suppressed                        
===============================================================================
*A-ALU-1# 
*A-ALU-1# show security policy 1 association
===============================================================================
Security Policy
===============================================================================
Policy Id    : 1                                Applied        : Yes
Name         : Inbound Policy
Scope        : Template                         Def. Action    : Reject
Entries      : 1
Description  : common egress policy
-------------------------------------------------------------------------------
Policy Match Criteria : IP
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
Associations
Zone-Id    Name                     Type        Svc-Id        Bypass
-------------------------------------------------------------------------------
1          Service Inbound Zone     IES         100           No
-------------------------------------------------------------------------------
Num of Associations: 1         
===============================================================================
*A-ALU-1# 
*A-ALU-1# show security policy 1 entry 1 detail
===============================================================================
Security Policy
===============================================================================
Policy Id    : 1                                Applied        : Yes
Name         : Inbound Policy
Scope        : Template                         Def. Action    : Reject
Entries      : 2
Description  : common egress policy
-------------------------------------------------------------------------------
Policy Match Criteria : IP
-------------------------------------------------------------------------------
Entry            : 1                                Active         : yes
Description      : match TCP and port
Match direction  : zone-inbound
Src. IP          : None                             Src. Port     : eq21
Dest. IP         : None                             Dest. Port    : None
Protocol         : tcp                                  
ICMP Type        : Undefined                        ICMP Code     : Undefined
Profile ID       : DEFAULT                          Session       : Fwd-Dir-O*
Action           : nat                              Session Limit : None
Logging          : Suppressed                                     
===============================================================================
*A-ALU-1# 
Table 93:  Show Security Policy Output Fields (Detail) 

Label

Description

Policy Id

The security policy ID

Name

The name of the policy

Scope

Template — the policy is of type template

Exclusive — the policy is of type exclusive

Entries

The number of entries configured in this policy ID

Description

The security policy description

Applied

No — the security policy ID has not been applied

Yes — the security policy ID is applied

Def. Action

Reject — the default action for packets that do not match the policy entries is to reject

Policy Match Criteria

Entry

The policy entry ID

Description

The policy entry description

Match Direction

Zone inbound — the match criteria is applied to packets inbound to the zone

Zone outbound — the match criteria is applied to packets outbound from the zone

Both — the match criteria is applied to packets both inbound to and outbound from the zone

Src. IP

The source IP address and prefix length match criterion

Dest. IP

The destination IP address and prefix length match criterion

Protocol

The protocol for the match criteria. Undefined indicates no protocol specified.

ICMP Type

The ICMP type match criterion. Undefined indicates no ICMP type is specified.

Profile ID

The profile ID

Active

No — the policy match criteria entry is not active

Yes — the policy match criteria entry is active

Action

nat — applies NAT to the packets matching the profile entry

reject — rejects packets matching the profile entry on the CSM session

forwards — forward packets matching the profile entry

drops — drop the packets matching the profile entry on the datapath session

Src. Port

The source TCP or UDP port number or port range

Dest. Port

The destination TCP or UDP port number or port range

ICMP Code

The ICMP code field in the ICMP header of an IP packet

Session

Indicates whether the security session is bidirectional or unidirectional (forward only)

Session Limit

The maximum number of concurrent sessions

Logging

Indicates whether logging has been enabled per policy entry or per zone, or whether all logs generated by the entry are suppressed

profile

Syntax 
profile [profile-id | name] [detail] [association]
Context 
show>security
Description 

This command displays security profile information.

Parameters
profile-id—
displays detailed information for the specified profile ID
Values—
1 to 65535

name—
displays information on the specified profile name
Values—
1 to 32 characters (must start with a letter)

detail—
displays detailed information on the specified profile ID
association—
displays counter information for the specified profile ID
Output 

The following output is an example of security profile information, and Table 94 describes the fields.

Output Example
*A-ALU-1# show security profile 1 detail
===============================================================================
Security Profile
===============================================================================
Profile Id        : 1                                Applied        : Yes
Name              : DEFAULT
Description       : Default Session Profile
Packet           : 
  Fragmentation           : Allowed
Application               : Inspection-Disabled      ALG            : Auto
Timeouts          :
  TCP Syn-Rcvd    : strict 15 seconds 
  TCP Transitory  : strict 4 min 
  TCP Established : idle 2 hrs 4 min 
  TCP Time-Wait   : None 
  UDP Initial     : strict 15 seconds 
  UDP Established : idle 5 min 
  UDP DNS         : strict 15 seconds 
  ICMP Request    : strict 1 min 
  OTHER Sessions    : strict 10 min 
===============================================================================
*A-ALU-1# 
Table 94:  Show Security Profile Output Fields (Detail) 

Label

Description

Profile Id

The security profile ID

Name

The name of the profile

Description

The profile description

Packet

The configured packet level options

Fragmentation

Controls processing of IP packet fragments on a session

Application

The configured profile application parameters

TCP Syn-Rcvd

Timeout configured for a TCP session in a SYN state

TCP Transitory

Timeout configured for a TCP session in a transitory state

TCP Established

Timeout configured for a TCP session in an established state

TCP Time-Wait

Timeout configured for a TCP session in a time-wait state

UDP Initial

Timeout configured for a UDP session in an initial state

UDP Idle

Timeout configured for a UDP session in an idle state

UDP DNS

Timeout configured for a UDP session with destination port 53

ICMP Request

Timeout configured for an ICMP session in which an ICMP request is sent but no ICMP response is received

Other Sessions

Timeout for sessions other than TCP, UDP, or ICMP

Applied

No — the security profile ID has not been applied

Yes — the security profile ID is applied

ALG

Application level gateway: auto, FTP, or TFTP

session-summary

Syntax 
session-summary [service service-id] [router router-instance]
Context 
show>security
Description 

This command displays a summary of active security sessions for zones.

Output 

The following output is an example of security session summary information, and Table 95 describes the fields.

Output Example
*A-ALU-1# show security session-summary 
===============================================================================
Session Summary 
===============================================================================
Total Created       : 7                      
Active              : 7                      Limit               :  16383
Utilization         :   0% (OK)                    
Hi-Wtr-Mark         : None                     Lo-Wtr-Mark         :  None
===============================================================================
===============================================================================
Zone Session Summary 
===============================================================================
                                                           Inbound    Outbound
Zone-Id   Name                            Type    Svc-Id   Sessions   Sessions
------------------------------------------------------------------------------
1         Service Inbound Zone            IES     100      4          3
2         Service Outbound Zone           IES     200      0          0
-------------------------------------------------------------------------------
Num of Zones: 2
===============================================================================
*A-ALU-1# show security session-summary service 100
===============================================================================
Session Summary
===============================================================================
Total Created       : 7                      
Active              : 7                      Limit               :  16383
Utilization         :   0% (OK)                    
Hi-Wtr-Mark         : None                     Lo-Wtr-Mark         :  None
===============================================================================
===============================================================================
Zone Session Summary 
===============================================================================
                                                           Inbound    Outbound
Zone-Id   Name                            Type    Svc-Id   Sessions   Sessions
1         Service Inbound Zone            IES     100      4          3
-------------------------------------------------------------------------------
Num of Zones: 1
===============================================================================
*A-ALU-1# show security session-summary router 1
===============================================================================
Session Summary
===============================================================================
Total Created       : 7                      
Active              : 7                      Limit               :  16383
Utilization         :   0% (OK)                    
Hi-Wtr-Mark         : None                     Lo-Wtr-Mark         :  None
No Matching Zones
===============================================================================
Zone Session Summary 
===============================================================================
                                                           Inbound    Outbound
Zone-Id   Name                            Type    Svc-Id   Sessions   Sessions
-------------------------------------------------------------------------------
===============================================================================
*A-ALU-1# 
Table 95:  Show Session Summary Output Fields

Label               Description
Total Created       The total number of security sessions created since node startup or last cleared statistics
Active              The number of security sessions that are currently active
Limit               The total number of security sessions allowed
Utilization         The number of active security sessions, expressed as a percentage of the total allowed
Hi-Wtr-Mark         Indicates the high-water mark threshold configured for security sessions
Lo-Wtr-Mark         Indicates the low-water mark threshold configured for security sessions
Zone-Id             The zone ID
Name                The name of the zone
Type                The zone type
Svc-Id              The service ID
Inbound Sessions    The number of sessions inbound to the zone
Outbound Sessions   The number of sessions outbound from the zone

summary

Syntax 
summary
Context 
show>security
Description 

This command displays a summary of security information.

Output 

The following output is an example of security summary information.

Output Example
*A-ALU-1# show security summary 
===============================================================================
Security 
===============================================================================
Policy State     : Committed
Last Commit      : 05/07/2015 03:05:34
Policies         : 2
Profiles         : 2
Zones            : 2
             
Sessions         
Active           : 5223                            Limit        : 16383
Utilization      : 85% (ALARM)
Hi-Wtr-Mark      : 80%                             Lo-Wtr-Mark  : 50%
===============================================================================
*A-ALU-1# 
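As an added example (not code from the 7705 SAR documentation), the following Python parses the two-column "Label : value" layout of the summary outputs above and evaluates session-table occupancy against the configured high-water mark, which is the check an operator wants before the session limit is exhausted. The sample text is copied from the page's own output examples; the breach rule (reaching the high-water mark counts as a breach) is an assumption.

```python
import re

# Sample copied from the page's "show security summary" example output; the
# figures are the page's, not a live capture.
SAMPLE_SUMMARY = """\
Policy State     : Committed
Last Commit      : 05/07/2015 03:05:34
Policies         : 2
Profiles         : 2
Zones            : 2

Sessions
Active           : 5223                            Limit        : 16383
Utilization      : 85% (ALARM)
Hi-Wtr-Mark      : 80%                             Lo-Wtr-Mark  : 50%
===============================================================================
"""

# Same fields as reported by "show security session-summary" on the page,
# where no watermarks are configured.
SAMPLE_SESSION_SUMMARY = """\
Total Created       : 7
Active              : 7                      Limit               :  16383
Utilization         :   0% (OK)
Hi-Wtr-Mark         : None                     Lo-Wtr-Mark         :  None
"""

# One "Label : value" pair; a line may carry two pairs side by side.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\S+(?: \S+)*)")


def parse_pairs(text):
    """Flatten the two-column label/value layout into a dict."""
    pairs = {}
    for line in text.splitlines():
        if line.startswith("*") or set(line.strip()) <= {"=", "-"}:
            continue  # prompt echo and rule lines carry no fields
        for label, value in PAIR_RE.findall(line):
            pairs[label] = value
    return pairs


def _pct(value):
    """'85% (ALARM)' -> 85; 'None' -> None."""
    m = re.match(r"(\d+)%", value)
    return int(m.group(1)) if m else None


def session_pressure(text):
    """Extract session-table occupancy and flag a high-water-mark breach."""
    p = parse_pairs(text)
    util = _pct(p["Utilization"])
    hi = _pct(p.get("Hi-Wtr-Mark", "None"))
    state = re.search(r"\((\w+)\)", p["Utilization"])
    return {
        "active": int(p["Active"]),
        "limit": int(p["Limit"]),
        "utilization_pct": util,
        "hi_wtr_pct": hi,
        "lo_wtr_pct": _pct(p.get("Lo-Wtr-Mark", "None")),
        "state": state.group(1) if state else None,
        # Assumption: reaching the configured high-water mark counts as a breach.
        "above_high_water": hi is not None and util >= hi,
    }


if __name__ == "__main__":
    for name, sample in (("summary", SAMPLE_SUMMARY),
                         ("session-summary", SAMPLE_SESSION_SUMMARY)):
        print(name, session_pressure(sample))
```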

zone

Syntax 
zone [service service-id] [router router-instance]
zone [zone-id | zone-name] [detail]
zone [zone-id | zone-name] interface
zone [zone-id | zone-name] statistics
Context 
show>security
Description 

This command displays security zone information. During a CSM activity switch, security session statistics roll back to zero; however, statistics for active security sessions do not.

Parameters 
service-id—
displays detailed information for the specified service ID
Values—
1 to 2147483647
router-instance—
displays detailed information for the specified router instance
Values—
1 to 2147483647
zone-id—
displays detailed information for the specified zone ID
Values—
1 to 65534
zone-name—
displays detailed information for the specified zone name
Values—
1 to 32 characters (must start with a letter)
detail—
displays detailed information on the specified zone
interface—
displays interface information for the specified zone
statistics—
displays statistics for the specified zone
Output 

The following output is an example of zone information.

Output Example
*A:7705:Dut-A# show security zone 1 detail     
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
Description      : NAT on public
Type             : IES                              Service Id     : 100
Policy           : Inbound Policy                   Bypass         : No
Log              : SecurityLog11                    
Last Commit      : 10/22/2015 01:07:57              
===============================================================================
===============================================================================
Interfaces
===============================================================================
Name                              IP-Address      Type    Bypass Filtering
-------------------------------------------------------------------------------
ies-100-10.30.10.1                10.30.10.1      IES     No     Active
-------------------------------------------------------------------------------
Num of Interfaces: 1
===============================================================================
===============================================================================
Zone Queue Statistics
===============================================================================
Rx Queue CTL                                     Packets                 Octets
  Forwarded :                                      24852               54632962
  Dropped   :                                          0                      0
===============================================================================
===============================================================================
Zone Policy Statistics
===============================================================================
                                                 Inbound               Outbound
-------------------------------------------------------------------------------
Total Sessions Created                                 4                      3
  Action: Forward                                      0                      0
          NAT                                          4                      3
          Drop                                         0                      0
                                                          
Policy Discards                                           
  Reject Action                                        0                      0
  No Rule Matched                                      0                  12400
===============================================================================
===============================================================================
Zone Active Session Summary
===============================================================================
                                                  Active                  Limit
-------------------------------------------------------------------------------
Inbound                                                4  
  TCP                                                  1                   None
  UDP                                                  2                   None
  ICMP                                                 1                   None
  Other                                                0                   None
Outbound                                               3  
  TCP                                                  1                   None
  UDP                                                  2                   None
  ICMP                                                 0                   None
  Other                                                0                   None
===============================================================================
*A:7705:Dut-A# 
*A:7705:Dut-A# show security zone 1 statistics 
===============================================================================
Zone Queue Statistics
===============================================================================
Rx Queue CTL                                     Packets                 Octets
  Forwarded :                                      24732               54368782
  Dropped   :                                          0                      0
===============================================================================
===============================================================================
Zone Policy Statistics
===============================================================================
                                                 Inbound               Outbound
-------------------------------------------------------------------------------
Total Sessions Created                                 4                      3
  Action: Forward                                      0                      0
          NAT                                          4                      3
          Drop                                         0                      0
                                                          
Policy Discards                                           
  Reject Action                                        0                      0
  No Rule Matched                                      0                  12340
===============================================================================
===============================================================================
Zone Active Session Summary
===============================================================================
                                                  Active                  Limit
-------------------------------------------------------------------------------
Inbound                                                4  
  TCP                                                  1                   None
  UDP                                                  2                   None
  ICMP                                                 1                   None
  Other                                                0                   None
Outbound                                               3  
  TCP                                                  1                   None
  UDP                                                  2                   None
  ICMP                                                 0                   None
  Other                                                0                   None
===============================================================================
*A:7705:Dut-A#

nat pool

Syntax 
nat pool [pool-id | pool-name] [detail]
Context 
show>security>zone
Description 

This command displays NAT pool information.

Parameters 
pool-id—
displays detailed information for the specified zone pool ID
Values—
1 to 100
pool-name—
displays information for the specified zone pool name
Values—
1 to 32 characters (must start with a letter)
detail—
displays detailed information on the specified pool ID
Output 

The following output is an example of zone pool information.

Output Example
*A-ALU-1# show security zone 1 nat pool 1 detail 
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
NAT Pool
===============================================================================
Pool Id          : 1                               Direction          : Inbound
Type             : source-nat
Name             : (Not Specified)
Description      : Pool 1:
-------------------------------------------------------------------------------
Entry Id         : 1                               Direction          : Inbound
IP Address       : ies-10010.30.10.1               Port               : Any  
 
-------------------------------------------------------------------------------
Num of Entries   : 1
===============================================================================
*A-ALU-1# 

policy

Syntax 
policy [entry entry-id] [detail] [statistics]
Context 
show>security>zone
Description 

This command displays security zone policy information.

Parameters 
entry-id—
displays detailed information for the specified entry ID
Values—
1 to 65535
detail—
displays detailed information on the zone policy
statistics—
displays statistics for the zone policy
Output 

The following output is an example of zone policy information.

Output Example
*A-ALU-1# show security zone 1 policy statistics 
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
Policy
===============================================================================
Pool Id          : 1                               Direction          : Inbound
Type             : source-nat
Name             : (Not Specified)
Description      : Pool 1:
-------------------------------------------------------------------------------
Entry            : 1                               Active             : yes
Active Matches   : 1                               Session Limit      : Any
Total Matches    : 1                               
Entry            : 2                               Active             : yes
Active Matches   : 1                               Session Limit      : None
Total Matches    : 1                               
-------------------------------------------------------------------------------
Num of Entries   : 2
===============================================================================
*A-ALU-1# 

session

Syntax 
session [inbound | outbound] [forward | nat]
session [session-id] [detail]
session [session-id] [statistics]
Context 
show>security>zone
Description 

This command displays security zone session information.

Parameters 
session-id—
displays detailed information for the specified session ID
Values—
1 to 16383
inbound—
displays zone inbound sessions
outbound—
displays zone outbound sessions
forward—
displays forwarded packets
nat—
displays packets that have had NAT applied to them
detail—
displays detailed information on the specified session
statistics—
displays statistics for the specified session
Output 

The following output is an example of zone session information.

Output Example
*A-ALU-1# show security zone 1 session 
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
Inbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping          
Proto      Action From     Destination
-------------------------------------------------------------------------------
00000001    NAT            <Base> 10.100.0.2:161   -->10.30.10.1:5000       
udp                        30.100.0.2:161                 
00000002    NAT            <Base> 10.100.0.2:21    -->10.30.10.1:5000       
udp                        30.100.0.2:21                 
-------------------------------------------------------------------------------
Num of Sessions   : 2
===============================================================================
             
===============================================================================
Outbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping          
Proto      Action To       Destination
-------------------------------------------------------------------------------
No Outbound Sessions   
===============================================================================
*A-ALU-1# 
Output Example
*A-ALU-1# show security zone 1 session 1 statistics
===============================================================================
Security Zone
===============================================================================
Zone Id          : 1                                State          : Committed
Name             : Service Inbound Zone
===============================================================================
             
===============================================================================
Session 1 Traffic Statistics
===============================================================================
                           Forward                    Reverse                  
-------------------------------------------------------------------------------
Passed                                                              
  Packets                  2042929                    2042589             
  Octets                   216550474                  224684790             
===============================================================================
*A-ALU-1# 
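An added example, not part of the original reference: a Python parser for the two-line-per-session layout of the zone session output above (Sess-Id, Action, From, Source and Outside NAT Mapping on the first line; Proto and Destination on the second), with a tally by direction, protocol and action that can be baselined against an expected session mix. The sample is the page's own example output; treating the "-->mapping" column as optional for forward-action sessions is an assumption.

```python
import re

# Sample copied from the page's "show security zone 1 session" example; every
# session is printed on two lines (Sess-Id/Action/From/Source/NAT mapping,
# then Proto/Destination).
SAMPLE_SESSIONS = """\
===============================================================================
Inbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping
Proto      Action From     Destination
-------------------------------------------------------------------------------
00000001    NAT            <Base> 10.100.0.2:161   -->10.30.10.1:5000
udp                        30.100.0.2:161
00000002    NAT            <Base> 10.100.0.2:21    -->10.30.10.1:5000
udp                        30.100.0.2:21
-------------------------------------------------------------------------------
Num of Sessions   : 2
===============================================================================
Outbound Sessions
===============================================================================
Sess-Id                    Source                  Outside NAT Mapping
Proto      Action To       Destination
-------------------------------------------------------------------------------
No Outbound Sessions
===============================================================================
"""

# First line of a record. The "-->mapping" part is optional so that sessions
# with a plain forward action (no NAT) still parse; that layout is assumed.
FIRST_RE = re.compile(
    r"^(?P<sid>\d{8})\s+(?P<action>\S+)\s+(?P<from><[^>]+>)\s+(?P<src>\S+)"
    r"(?:\s+-->(?P<nat>\S+))?\s*$"
)
# Second line of a record: protocol and destination.
SECOND_RE = re.compile(r"^(?P<proto>[a-z]+)\s+(?P<dst>\S+)\s*$")


def parse_sessions(text):
    """Return one dict per session, tagged with its inbound/outbound direction."""
    records, direction = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.strip() in ("Inbound Sessions", "Outbound Sessions"):
            direction = line.split()[0].lower()
        m = FIRST_RE.match(line)
        m2 = SECOND_RE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if m and m2:
            records.append({
                "sid": int(m["sid"]),
                "direction": direction,
                "action": m["action"],
                "from": m["from"],
                "source": m["src"],
                "nat_mapping": m["nat"],
                "proto": m2["proto"],
                "destination": m2["dst"],
            })
            i += 2
        else:
            i += 1
    return records


def count_sessions(records):
    """Tally sessions by (direction, proto, action) for comparison with a baseline."""
    counts = {}
    for r in records:
        key = (r["direction"], r["proto"], r["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```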

5.7.2.3. Clear Commands

ip

Syntax 
ip ip-filter-id [entry entry-id] [ingress | egress]
Context 
clear>filter
Description 

This command clears the counters associated with the IPv4 filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Default 

clears all counters associated with the IPv4 filter policy entries

Parameters 
ip-filter-id—
the IPv4 filter policy ID or filter name
Values—
1 to 65535 or filter-name (up to 64 characters)
entry-id—
only the counters associated with the specified filter policy entry will be cleared
Values—
1 to 64
ingress—
only the ingress counters will be cleared
egress—
only the egress counters will be cleared

ipv6

Syntax 
ipv6 ipv6-filter-id [entry entry-id] [ingress | egress]
Context 
clear>filter
Description 

This command clears the counters associated with the IPv6 filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Default 

clears all counters associated with the IPv6 filter policy entries

Parameters 
ipv6-filter-id—
the IPv6 filter policy ID or filter name
Values—
1 to 65535 or filter-name (up to 64 characters)
entry-id—
only the counters associated with the specified filter policy entry will be cleared
Values—
1 to 64
ingress—
only the ingress counters will be cleared
egress—
only the egress counters will be cleared

log

Syntax 
log log-id
Context 
clear>filter
Description 

This command clears the entries associated with the specified filter log. The clear command applies only to logs whose destination is memory.

Parameters 
log-id—
the filter log ID destination expressed as a decimal integer
Values—
101 to 199

mac

Syntax 
mac mac-filter-id [entry entry-id] [ingress | egress]
Context 
clear>filter
Description 

This command clears the counters associated with the MAC filter policy.

By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.

Default 

clears all counters associated with the MAC filter policy entries

Parameters 
mac-filter-id—
the MAC filter policy ID or filter name
Values—
1 to 65535 or filter-name (up to 64 characters)
entry-id—
only the counters associated with the specified filter policy entry will be cleared
Values—
1 to 64
ingress—
only the ingress counters will be cleared
egress—
only the egress counters will be cleared (currently not supported on the 7705 SAR)

session

Syntax 
session [session-id] [statistics]
Context 
clear>security
Description 

This command clears the specified sessions and can also clear the associated session statistics.

Parameters 
session-id—
clears the sessions associated with the specified session ID
Values—
1 to 16383
statistics—
clears statistics for the specified session ID

zone

Syntax 
zone [zone-id | zone-name]
zone [zone-id | zone-name] sessions [inbound | outbound | all]
zone [zone-id | zone-name] statistics
Context 
clear>security
Description 

This command clears security zone information.

Parameters 
zone-id—
specifies the zone ID
Values—
1 to 65534
zone-name—
specifies the zone name
Values—
1 to 32 characters (must start with a letter)
sessions—
removes sessions associated with the specified zone ID
inbound—
removes inbound sessions associated with the specified zone ID
outbound—
removes outbound sessions associated with the specified zone ID
all—
removes all sessions associated with the specified zone ID
statistics—
clears statistics for the specified zone ID

5.7.2.4. Monitor Commands

filter

Syntax 
filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context 
monitor
Description 

This command monitors the counters associated with the IPv4 filter policy.

Parameters 
ip-filter-id—
the IPv4 filter policy ID or filter name
Values—
1 to 65535 or filter-name (up to 64 characters)
entry-id—
only the counters associated with the specified filter policy entry will be monitored
Values—
1 to 64
seconds—
configures the interval for each display in seconds
Values—
3 to 60
Default—
5
repeat—
configures how many times the command is repeated
Values—
1 to 999
Default—
10
absolute—
the raw statistics are displayed without processing. No calculations are performed on the delta or rate statistics.
rate—
the rate per second for each statistic is displayed instead of the delta

filter

Syntax 
filter ipv6 ipv6-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context 
monitor
Description 

This command monitors the counters associated with the IPv6 filter policy.

Parameters 
ipv6-filter-id—
the IPv6 filter policy ID or filter name
Values—
1 to 65535 or filter-name (up to 64 characters)
entry-id—
only the counters associated with the specified filter policy entry will be monitored
Values—
1 to 64
seconds—
configures the interval for each display in seconds
Values—
3 to 60
Default—
5
repeat—
configures how many times the command is repeated
Values—
1 to 999
Default—
10
absolute—
the raw statistics are displayed without processing. No calculations are performed on the delta or rate statistics.
rate—
the rate per second for each statistic is displayed instead of the delta

filter

Syntax 
filter mac mac-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context 
monitor
Description 

This command monitors the counters associated with the MAC filter policy.

Parameters 
mac-filter-id—
the MAC filter policy ID or filter name
Values—
1 to 65535 or filter-name (up to 64 characters)
entry-id—
only the counters associated with the specified filter policy entry will be monitored
Values—
1 to 64
seconds—
configures the interval for each display in seconds
Values—
3 to 60
Default—
5
repeat—
configures how many times the command is repeated
Values—
1 to 999
Default—
10
absolute—
the raw statistics are displayed without processing. No calculations are performed on the delta or rate statistics.
rate—
the rate per second for each statistic is displayed instead of the delta