4.4. Filter Configuration Command Reference

This command creates a text description stored in the configuration file for a configuration context.

The no form of the command removes any description string from the context.

This command creates a configuration context for the specified IPv4 exception filter.

The no form of the command deletes the IPv4 exception filter.

This command creates a configuration context for the specified IPv4 filter policy.

The no form of the command deletes the IPv4 filter policy. A filter policy cannot be deleted until it is removed from all objects where it is applied.

This command chains this filter to a currently active system filter. When the filter is chained to the system filter, the system filter rules are executed first, and the filter rules are only evaluated if no match on the system filter was found.

The no form of the command detaches this filter from the system filter.

Operational note:

If no system filter is currently active, the command has no effect.

This command defines the default action to be applied to packets not matching any entry in this ACL filter policy or to packets for that match a PBF/PBR filter entry for which the PBF/PBR target is down and pbr-down-action-override per-entry is set to filter-default-action.

This command embeds a previously defined IPv4, IPv6, or MAC embedded filter policy or Hybrid OpenFlow switch instance into this exclusive, template, or system filter policy at the specified offset value. Rules derived from the BGP FlowSpec can also be embedded into template filter policies only.

Note: For MAC filters, embedding is supported for VSD filters or filter entries only.

The embed-filter open-flow ofs-name form of this command enables OpenFlow (OF) in GRT either by embedding the specified OpenFlow switch (OFS) instance with switch-defined-cookie disabled, or by embedding rules with sros-cookie:type “grt-cookie”, value 0, from the specified OFS instance with switch-defined-cookie enabled. The embedding filter can only be deployed in GRT context or be unassigned.

The embed-filter open-flow ofs-name system form of this command enables OF in system filters by embedding rules with sros-cookie:type “system-cookie”, value 0, from the specified OFS instance with switch-defined-cookie enabled. The embedding filter can only be of scope system.

The embed-filter open-flow ofs-name service {service-id | service-name} form of this command enables OF in VPRN/VPLS filters by embedding rules with sros-cookie:type “service-cookie”, value service-id, from the specified OFS instance with switch-defined-cookie enabled—per service rules. The embedding filter can only be deployed in the specified VPRN/VPLS service. A single VPLS service can only support OF rules per SAP or per service.

The embed-filter open-flow ofs-name sap sap-id form of this command enables OF in VPLS SAP filters by embedding rules with sros-cookie:type “service-cookie”, value service-id and flow match conditions specifying the sap-id from the specified OFS instance with switch-defined-cookie enabled—per SAP OF rules. The embedding filter must be of type exclusive and can only be deployed on the specified SAP in the context of the specified VPLS service. A single VPLS service can only support OF rules per SAP or per service.

The no embed-filter open-flow ofs-name form of this command removes the OF embedding for the GRT context.

The embed-filter flowspec form of this command enables the embedding of rules derived from BGP FlowSpec routes into the filter policy that is being configured. The optional group parameter specifies that only FlowSpec routes tagged with an interface-set extended community containing this group ID should be selected for embedding. The optional router parameter specifies the routing instance source of the BGP FlowSpec routes; if the parameter is not specified, the routing instance is derived automatically from the context in which the filter policy is applied. FlowSpec rules associated with one routing instance cannot be embedded in a filter applied to an interface of a different routing instance. After FlowSpec rules associated with one routing instance are embedded into a filter, that filter policy cannot be applied to an interface of a different routing instance.

The no embed-filter flowspec form of this command removes the FlowSpec filter embedding from this filter policy.

The embed-filter vsd vsd-filter-id command refers to the VSD filter ID encoded _tmnx_vsd_filter-id. The filter is created dynamically and managed exclusively using the Python script, so rules can be inserted and removed in the correct VSD filters. The command is supported with IP, IPv6, and MAC filters. For more information about VSD filter provisioning, automation, and the Python script, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide: VLL, VPLS, PBB, and EVPN.

The no embed-filter vsd vsd-filter-id form of this command removes the VSD filter embedding from this filter policy.

The no embed-filter filter-id form of this command removes the embedding from this filter policy.

See the description of embedded filter policies in this guide for further operational details.

This command creates or edits an IPv4, IPv6, MAC, IP exception filter, or IPv6 exception filter entry. Multiple entries can be created using unique entry-id numbers within the filter. Entries must be sequenced from most to least explicit.

An entry may not have any match criteria defined (in which case everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword will be considered incomplete and hence will be rendered inactive.

The no form of the command removes the specified entry from the filter. Entries removed from the filter are immediately removed from all services or network ports where that filter is applied.

This command enters the context to configure a primary (no option specified) or secondary (secondary option specified) action to be performed on packets matching this filter entry. An ACL filter entry remains inactive (is not programmed in hardware) until a specific action is configured for that entry.

A primary action supports any filter entry action, a secondary action is used for redundancy and defines a redundant Layer 3 PBR action for an Layer 3 PBR primary action or a redundant L2 PBF action for a Layer 2 PBF primary action.

The no form of this command removes the specific action configured in the context of the action command. The primary action cannot be removed if a secondary action exists.

This command configures the drop action for the traffic that matches this filter entry.

Traffic can, also, be dropped based on pkt-length, packet-length range, ttl, ttl range, or a pattern of conditional match criteria.

Packets that match the filter entry match criteria, and not the conditional match criteria value, are implicitly forwarded with no further match in the following filter entries.

For pattern match:

This command specifies that a packet matching this filter entry is dropped if extracted to the CPM. Packets matching the filter entry match criteria and not extracted to the CPM are forwarded with no further match in the following filter entries.

This command enables the context to configure an extended action for a filter entry's PBR action (configured under config>filter>ip-filter>entry>action and config>filter>ipv6-filter>entry>action contexts). The extended action is executed in addition to the configured PBR action.

The no form of the command removes the extended action.

This command enables and configures the remarking of the DiffServ Code Points of packets matching the criteria of the IPv4/IPv6 filter policy entry, in conjunction with a PBR action. Packets are remarked regardless of QoS-based in-profile or out-of-profile classification. QoS-based DSCP remarking is overridden. If the status of the PBR target is tracked and it is down, the extended action will not be executed; otherwise, the extended action will be performed.

This command assigns a forwarding class to packets matching the filter entry.

The no version of this command removes the forwarding class marking action.

This command sets the context for specific forward commands to be performed.

This command configures the forward-when action for the traffic that matches this filter entry.

This command specifies the filter entry action to gtp-local-breakout.

This command sets the filter entry action to http-redirect.

This command sets the filter entry action to ignore-match, as a result this filter entry is ignored and not programmed in hardware.

This command enables bypassing NAT for packets pertaining to L2-Aware hosts and matching this entry. This action is only applicable to L2-Aware NAT subscribers and it must be configured together with action forward. Traffic identified in the match condition bypasses L2-Aware NAT. A common use case is to bypass NAT for on-net destinations (within the customer network).

Traffic that is not classified for bypass is automatically diverted to L2-Aware NAT, unless it is explicitly configured in the IP filter to be dropped.

For selective NAT bypass to take effect, in addition to the IP filter configuration, the L2-Aware NAT subscriber must be specifically enabled for selective bypass via the allow-bypass configuration option in the NAT CLI node in the SLA profile.

The no form of this command automatically diverts traffic to L2-Aware NAT, unless it is explicitly configured in the IP filter to be dropped.

This command enables NAT traffic diversion based on IPv4 filters (LSN44) or IPv6 filters (DS-Lite, NAT64). The filter contains a matching condition based on any combination of the 5 tuple. Traffic is diverted to NAT based on such defined matching condition. Filter fields outside of the 5 tuples are not valid and it will be ignored in filter based traffic diversion to NAT.

The pool selection for the outside IP address and port along with other mapping characteristics can be specified by the means on the NAT policy.

This command sets the rate limit value for traffic matching this filter entry.

Traffic can, also, be rate-limited based on pkt-length, packet-length range, ttl, ttl range, or a pattern of conditional match criteria.

Packets that match the filter entry match criteria, but do not match the conditional match criteria value, are implicitly forwarded with no further match in the following filter entries.

For pattern match:

This command sets the filter entry action to reassemble.

This command activates adjustment of maximum segment size (MSS) option of TCP packets matching the entry.

This command specifies that the configured PBR action is applicable to egress processing. The command should only be enabled in ACL policies used by residential subscribers. Enabling egress-pbr on filters not deployed for residential subscribers is not blocked but may lead to unexpected behavior and should be avoided.

The no form of this command removes the egress-pbr designation of the filter entry's action.

This command enables cflowd sampling for packets matching this filter entry.

If the cflowd is either not enabled or set to cflowd interface mode, this command is ignored.

The no form disables the cflowd sampling using this filter entry.

This command disables cflowd sampling for packets matching this filter entry, for the IP interface set to cflowd interface mode. This allows the option to not sample specific types of traffic when interface sampling is enabled.

If the cflowd is either not enabled or set to cflowd acl mode, this command is ignored.

The no form of this command enables sampling.

This command associates a filter log to the current filter policy entry and therefore enables logging for that filter entry.

The filter log must exist before a filter entry can be enabled to use the filter log.

The no form of the command disables logging for the filter entry.

This command enables the context to enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry. More precisely, the command can be entered multiple times but this only results in modifying the protocol-id. and does not affect the underlying match criteria configuration.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none (keyword). As per above, match protocol none is however not equivalent to no match.

This command enables the context to enter match criteria for the filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be created per entry. More precisely, the protocol command can be entered multiple times but this only results in modifying the protocol-id. Matching on more than one protocol can be achieved using the protocol-list match criteria in an IP filter policy.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none. However, match protocol none is not equivalent to no match.

This command configures the BGP destination-class value match criterion. Filtering egress traffic on destination-class requires the destination-class-lookup command to be enabled on the interface that the packet ingresses on.

The no form of the command removes the destination-class value match criterion.

This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.

The no form of the command removes the DSCP match criterion.

This command configures a destination address range to be used as a filter policy match criterion.

To match on the destination address, specify the address and its associated mask, e.g., 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 can also be used for IPv4.

The no form of this command removes the destination IPv4 or IPv6 address match criterion.

This command configures a destination TCP, UDP, or SCTP port number or port range for an IP filter or IP exception match criterion. An entry containing Layer 4 non-zero match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. Similarly an entry containing the “dst-port eq 0” match criterion, may match non-initial fragments when the destination port value is not present in a packet fragment and other match criteria are also met.

The no form of the command removes the destination port match criterion.

This command specifies match criterion for fragmented packets.

Matches can be based on the presence of a fragmented packet (or otherwise) on the ingress or egress interface.

Matches can also be based on the presence of the first fragment of a packet, or on the presence of a fragment that is not the first fragment on the ingress interface.

The no form of the command removes the match criterion.

Configures matching on /ICMPv6 code field in the /ICMPv6 header of an IPv4 or IPv6 packet as a filter match criterion or configures matching on the code field in the header of an IPv4 packet as an exception filter match criterion. An entry containing Layer 4 non-zero match criteria will not match non-initial (2nd, 3rd, etc.) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. Similarly an entry containing "-code 0" match criterion, may match non-initial fragments when the Layer 4 header is not present in a packet fragment and other match criteria are also met.

The no form of the command removes the criterion from the match entry.

This command configures matching on the /ICMPv6 type field in the /ICMPv6 header of an IPv4 or IPv6 packet as a filter match criterion or configures matching on the type field in the header of an IPv4 packet as an exception filter match criterion. An entry containing Layer 4 non-zero match criteria will not match non-initial (2nd, 3rd, etc.) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. Similarly an entry containing "-type 0" match criterion, may match non-initial fragments when the Layer 4 header is not present in a packet fragment and other match criteria are also met.

The no form of the command removes the criterion from the match entry.

This command configures matching packets with a specific IP option or a range of IP options in the first option of the IP header as an IP filter match criterion.

The option-type octet contains 3 fields:

1 bit copied flag (copy options in all fragments)

2 bits option class

5 bits option number

The no form of the command removes the match criterion.

This command configures matching packets that contain one or more than one option fields in the IP header as an IP filter match criterion.

The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.

This command configures matching packets that contain any IP options in the IP header as an IP filter match criterion.

The no form of the command removes the checking of IP options in the IP header as a match criterion.

This command configures the IPv4 packet length value match criterion. The IPv4 packet length represents the total packet length including the IPv4 header and the payload.

This command configures a TCP/UDP/SCTP source or destination port match criterion in IPv4 and IPv6 CPM (SCTP not supported) and/or ACL filter policies. A packet matches this criterion if the packet TCP/UDP/SCTP (as configured by protocol/next-header match) source OR destination port matches either the specified port value or a port in the specified port range or port-list.

Operational Note: This command is mutually exclusive with src-port and dst-port commands. Configuring "port eq 0", may match non-initial fragments where the source/destination port values are not present in a packet fragment if other match criteria are also met.

The no form of this command deletes the specified port match criterion.

This command configures a source IPv4 or IPv6 address range to be used as an IP filter or IP exception match criterion.

To match on the source IPv4 or IPv6 address, specify the address and its associated mask, for example, 10.1.0.0/16 for IPv4. The conventional notation of 10.1.0.0 255.255.0.0 may also be used for IPv4.

The no form of the command removes the source IP address match criterion.

This command configures a source TCP, UDP, or SCTP port number, port range, or port match list for an IP filter or IP exception match criterion. An entry containing Layer 4 non-zero match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. Similarly an entry containing "src-port eq 0" match criterion, may match non-initial fragments when the source port value is not present in a packet fragment and other match criteria are also met.

The no form of the command removes the source port match criterion.

This command enables source route option match conditions. When enabled, this filter should match if a (strict or loose) source route option is present/not present at any location within the IP header, as per the value of this object. The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the Acknowledgment (ACK) TCP Flag bit, defined in RFC 793, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the Congestion Window Reduced (CWR) TCP Flag bit, defined in RFC 3168, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the ECN-Echo (ECE) TCP Flag bit, defined in RFC 3168, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the FIN TCP Flag bit, defined in RFC 793, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the Nonce Sum (NS) TCP Flag bit, defined in RFC 3540, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the Push (PSH) TCP Flag bit, defined in RFC 793, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the Reset (RST) TCP Flag bit, defined in RFC 793, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the Synchronize (SYN) TCP Flag bit, defined in RFC 793, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command configures an IP filter match criterion based on the Urgent (URG) TCP Flag bit, defined in RFC 793, as being set or not in the TCP header of an IP packet.

The no form of the command removes the criterion from the match entry.

This command allows overriding the default action that is applied for entries with PBR/PBF action defined, when the PBR/PBF target is down.

The no form of the command preserves default behavior when PBR/PBF target is down.

This command configures sticky destination behavior for redundant PBR/PBF actions. Configuring sticky destination has an effect on PBR/PBF actions whether a secondary action is configured.

The hold-time-up parameter allows the operator to delay programming of a PBR/PBF action for a specified amount of time. The timer is only started when transitioning from all configured targets being down (that is, the primary target if no secondary target is configured, or both the primary and secondary targets when both are configured) to at least one target being up.

When the timer expires, the primary PBR/PBF action is programmed if its target is up. If the primary PBR/PBF target is down and a secondary PBR/PBF action has been configured and its target is up, then this secondary PBR/PBF action is programmed. In all other cases, no specific programming occurs when the timer expires.

When sticky destination is configured and the secondary PBR/PBF target is up and its associated action is programmed, it is not automatically replaced by the primary PBR/PBF action when its target transitions from down to up. In this situation, programming the primary PBR/PBF action can be forced using the activate-primary-action tools command.

Changing the value of the timer while the timer is running takes effect immediately (that is, the timer is restarted immediately using the new value).

The no form of the command disables sticky destination behavior.

This command groups automatically-inserted entries.

This command renumbers existing MAC, IPv4/IPv6, IP exception filter, or IPv6 exception filter entries to properly sequence filter entries.

This may be required in some cases since the OS exits when the first match is found and executes the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.

This command configures the filter policy scope as exclusive, template, embedded or system.

The scope of the policy cannot be changed when:

Changing the scope to/from system is only allowed when a policy is not active and the policy has no entries configured.

The no form of the command sets the scope of the policy to the default of template.

This command configures the low and high watermark for the number of RADIUS shared filters reporting

This command inserts point information for credit control for the filter.

The no form of the command reverts to the default.

This command inserts point information for RADIUS for the filter.

The no form of the command reverts to the default.

This command defines the range of filter and QoS policy entries that are reserved for shared entries received in Flow-Information AVP via Gx interface (PCC rules – Policy and Charging Control). The no form of this command disables the insertion, which will result in a failure of PCC rule installation.

This command configures the insert point for shared host rules from RADIUS.

This command configures the low and high watermark percentage for inserted filter entry usage reporting.

The no form of the command reverts to the default.

This command configures the filter policy type. The policy type defines the list of match criteria supported in a filter policy.

This command creates a configuration context for the specified IPv6 exception filter.

The no form of the command deletes the IPv6 exception filter.

This command enables the context to enter match criteria for the IPv6 filter exception. When the match criteria have been satisfied, the action associated with the match criteria is executed.

The no form of the command removes all the match criteria from the IPv6 filter exception.

This command creates a configuration context for the specified IPv6 filter policy.

The no form of the command deletes the IPv6 filter policy. A filter policy cannot be deleted until it is removed from all objects where it is applied.

This command configures the drop action for the traffic that matches this filter entry.

Traffic can, also, be dropped based on payload-length, payload-length range, hop-limit, hop-limit range, or a pattern of conditional match criteria.

Packets that match the filter entry match criteria, but do not match the conditional match criteria value, are implicitly forwarded with no further match in the following filter entries.

For pattern match:

This command enables NAT traffic diversion based on IPv4 filters (LSN44) or IPv6 filters (DS-Lite, NAT64). The filter contains a matching condition based on any combination of the 5 tuple. Traffic will be diverted to NAT based on such defined matching condition. Filter fields outside of the 5 tuples are not valid and it will be ignored in filter based traffic diversion to NAT.

The pool selection for the outside IP address and port along with other mapping characteristics can be specified by the means on the NAT policy.

This command sets the rate limit value for traffic matching this filter entry.

Traffic can, also, be rate-limited based on payload-length, payload-length range, hop-limit, hop-limit range, or a pattern of conditional match criteria.

Packets that match the filter entry match criteria, but do not match the conditional match criteria value, are implicitly forwarded with no further match in the following filter entries.

For pattern match:

This command enables the context to enter match criteria for the filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be created per entry. More precisely, the next-header command can be entered multiple times, but this only results in modifying the protocol-id. Matching on more than one protocol can be achieved using the next-header-list match criteria.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none. However, match next-header none is not equivalent to no match.

This command enables match on existence of AH Extension Header in the IPv6 filter policy.

The no form of this command ignores AH Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.

This command enables match on existence of ESP Extension Header in the IPv6 filter policy.

The no form of this command ignores ESP Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.

This command configures the flow-label and optional mask match condition.

The no form of the command reverts to the default.

This command enables match on existence of Hop-by-Hop Options Extension Header in the IPv6 filter policy.

The no form of this command ignores Hop-by-Hop Options Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.

This command configures the IPv6 packet length value match criterion. The IPv6 packet length represents the total packet length including the IPv6 header and the payload.

This command enables match on existence of Routing Type Extension Header type 0 in the IPv6 filter policy.

The no form of this command ignores Routing Type Extension Header type 0 presence/absence in a packet when evaluating match criteria of a given filter policy entry.

This command, creates a configuration context for the specified MAC filter policy.

The no form of the command deletes the MAC filter policy. A filter policy cannot be deleted until it is removed from all objects where it is applied.

This command sets the MAC filter entry action to drop.

This command sets the context for specific forward commands to be performed.

This command sets the MAC filter entry action to HTTP redirect.

This command sets the rate limit for the traffic matching both the filter entry match criteria and the packet-length-value defined in the rate-limit action statement.

Packets matching the filter entry match criteria and not matching the packet-length-value defined in the rate-limit action statement are implicitly forwarded with no further match in subsequent filter entries.

Rate limit packets matching both the filter entry match criteria and the ttl-value are defined in the action rate-limit statement.

Packets matching the filter entry match criteria and not matching the ttl-value defined in the rate-limit action statement are implicitly forwarded with no further match in the following filter entries.

This command creates the context for entering/editing match criteria for the filter entry and specifies an Ethernet frame type for the entry.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Configures an IEEE 802.1p value or range to be used as a MAC filter match criterion.

When a frame is missing the 802.1p bits, specifying an dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry.

The no form of the command removes the criterion from the match entry.

Egress dot1p value matching will only match if the customer payload contains the 802.1p bits. For example, if a packet ingresses on a null encapsulated SAP and the customer packet is IEEE 802.1Q or 802.1p tagged, the 802.1p bits will be present for a match evaluation. On the other hand, if a customer tagged frame is received on a dot1p encapsulated SAP, the tag will be stripped on ingress and there will be no 802.1p bits for a MAC filter match evaluation; in this case, any filter entry with a dot1p match criterion specified will fail.

Configures an Ethernet 802.2 LLC DSAP value or range for a MAC filter match criterion.

This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria.

Use the no form of the command to remove the dsap value as the match criterion.

Configures a destination MAC address or range to be used as a MAC filter match criterion.

The no form of the command removes the destination mac address as the match criterion.

Configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.

The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field. For IEEE 802.3 frames, use the dsap, ssap or snap-pid fields as match criteria.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria.

The no form of the command removes the previously entered etype field as the match criteria.

This command configures the matching of the second tag that is carried transparently through the service. The inner-tag on ingress is the second tag on the frame if there are no service delimiting tags. Inner tag is the second tag before any service delimiting tags on egress but is dependent in the ingress configuration and may be set to 0 even in cases where additional tags are on the frame. This allows matching VLAN tags for explicit filtering or QoS setting when using default or null encapsulations.

The inner-tag is not applicable in ingress on dot1Q SAPs. The inner-tag may be populated on egress depending on the ingress SAP type.

On QinQ SAPs of null and default that do not strip tags inner-tag will contain the second tag (which is still the second tag carried transparently through the service.) On ingress SAPs that strip any tags, inner-tag will contain 0 even if there are more than 2 tags on the frame.

The optional vid-mask is defaulted to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value and vid-mask) = = (tag and vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.

For QoS the VID type cannot be specified on the default QoS policy.

The default vid-mask is set to 4095 for exact match.

This command configures an ISID value or a range of ISID values to be matched by the mac-filter parent. The pbb-etype value for the related SAP (inherited from the ethernet port configuration) or for the related SDP binding (inherited from SDP configuration) will be used to identify the ISID tag.

The no form of this command removes the ISID match criterion.

This command configures the matching of the first tag that is carried transparently through the service. Service delimiting tags are stripped from the frame and outer tag on ingress is the first tag after any service delimiting tags. Outer tag is the first tag before any service delimiting tags on egress. This allows matching VLAN tags for explicit filtering or QoS setting when using default or null encapsulations.

On dot1Q SAPs outer-tag is the only tag that can be matched. On dot1Q SAPs with exact match (sap 2/1/1:50) the outer-tag will be populated with the next tag that is carried transparently through the service or 0 if there is no additional VLAN tags on the frame.

On QinQ SAPs that strip a single service delimiting tag, outer-tag will contain the next tag (which is still the first tag carried transparently through the service.) On SAPs with two service delimiting tags (two tags stripped) outer-tag will contain 0 even if there are more than 2 tags on the frame.

The optional vid-mask is defaulted to 4095 (exact match) but may be specified to allow pattern matching. The masking operation is ((value & vid-mask) = = (tag & vid-mask)). A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6.

For QoS the VID type cannot be specified on the default QoS policy.

The default vid-mask is set to 4095 for exact match.

This command configures an IEEE 802.3 LLC SNAP Ethernet Frame OUI zero or non-zero value to be used as a MAC filter match criterion.

The no form of the command removes the criterion from the match criteria.

Configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC filter match criterion.

This is a two-byte protocol id that is part of the IEEE 802.3 LLC SNAP Ethernet Frame that follows the three-byte OUI field.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria.

The snap-pid match criterion is independent of the OUI field within the SNAP header. Two packets with different three-byte OUI fields but the same PID field will both match the same filter entry based on a snap-pid match criteria.

The no form of the command removes the snap-pid value as the match criteria.

Configures a source MAC address or range to be used as a MAC filter match criterion.

The no form of the command removes the source mac as the match criteria.

This command configures an Ethernet 802.2 LLC SSAP value or range for a MAC filter match criterion.

This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria.

The no form of the command removes the ssap match criterion.

This command configures the MAC Filter Policy type as being either normal, ISID or VID.

This command enables the context to configure a GRE tunnel template parameters to be used to tunnel associated traffic.

The no form of this command removes the GRE tunnel template from the configuration.

This command enables the context to configure GRE tunnel template IPv4 parameters.

This command defines one or more destinations for the GRE IP header used to encapsulate the matching IPv4/IPv6 packet.

Traffic matching the associated IPv4 or IPv6 filter are hashed across all available destination address. If no destination address is available, then matching traffic follows the configured pbr-down-action-override action, if configured.

The no form of this command removes the specified destination IP address configuration from the associated GRE tunnel template.

This command enables the population of the GRE key field in the GRE header sent with the encapsulated IP packet.

The no form of this command disables the population of the optional GRE key field when the matching IP packet is sent encapsulated in a GRE tunnel.

This command enables an option to not decrement the TTL of the IP packet matching the IPv4/IPv6 filter, when it is encapsulated into the GRE tunnel header.

The no form of this command disables this option (default). This results in the matching of IP packet’s TTL field to be decremented before it is encapsulated in the GRE tunnel header.

This command defines the source IPv4 address to be used in the GRE IP header used to encapsulate the matching IPv4/IPv6 packet. This IP address can be configured as any value and is not validated against a local IP address. The source-address command must be configured for the template to be valid.

The no form of this command removes the source IP address configuration from the associated GRE tunnel template.

This command enables the context to activate system filter policies.

This command activates an IPv4 system filter policy. Once activated, all IPv4 ACL filter policies that chain to the system filter (config>filter>ip-filter>chain-to-system-filter) will automatically execute system filter policy rules first.

The no form of the command deactivates the system filter policy.

This command activates an IPv6 system filter policy. Once activated, all IPv6 ACL filter policies that chain to the system filter (config>filter>ipv6-filter>chain-to-system-filter) will automatically execute system filter policy rules first.

The no form of the command deactivates the system filter policy.

This command configures filter-name attribute of a given filter. filter-name, when configured, can be used instead of filter ID to reference the given policy in the CLI.

This command, creates a configuration context for the specified redirect policy.

The no form of the command removes the redirect policy from the filter configuration only if the policy is not referenced in a filter and the filter is not in use (applied to a service or network interface).

This command defines a destination in a redirect policy. More than one destination can be configured. Whether a destination IPv4/IPv6 address will receive redirected packets depends on the effective priority value after evaluation.

The most preferred destination is programmed in hardware as action forward next-hop. If all destinations are down (as determined by the supported tests), action forward is programmed in hardware. All destinations within a given policy must be either IPv4 or (exclusive) IPv6. The redirect policy with IPv4 destinations configured can only be used by IPv4 filter policies. The redirect policy with IPv6 destinations configured can only be used by IPv6 filter policies.

This command configures parameters to perform connectivity ping tests to validate the ability for the destination to receive redirected traffic.

This command specifies the number of consecutive requests that must fail for the destination to be declared unreachable and the time to hold destination unreachable before repeating tests.

This command specifies the amount of time, in seconds, between consecutive requests sent to the far end host.