The supported IPv4 and IPv6 match criteria are shown in the following tables.
Table: Basic Layer 3 match criteria lists the basic Layer 3 match criteria.
Criteria | Description |
---|---|
dscp |
Matches the specified DSCP value against the DSCP/Traffic Class field in the IPv4 or IPv6 packet header. |
src-ip/dst-ip |
Matches the specified source/destination IPv4/IPv6 address prefix/mask against the source/destination IPv4/IPv6 address field in the IP packet header. Optionally, operators can match a list of IP addresses defined in filter match-list ip-prefix-list or match-list ipv6-prefix-list. The prefix-list can be defined statically or using the apply-path command to automatically populate using configured BGP peers defined in the base router or VPRN services. For more details on filter match-list configuration and capabilities, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide, "Match list for filter policies". |
fragment |
For IPv4, match against the MF bit or Fragment Offset field to determine if the packet is a fragment. For IPv6 match against the next-header field or Fragment Extension Header value to determine whether the packet is a fragment. Up to six extension headers are matched against to find the Fragmentation Extension Header. |
Table: IPv4 options match criteria lists the IPv4 options match criteria.
Criteria | Description |
---|---|
ip-option |
Matches the specified option value in the first option of the IPv4 packet. Optionally, operators can configure a mask to be used in a match. |
option-present |
Matches the presence of IP options in the IPv4 packet. Padding and EOOL are also considered as IP options. Up to six IP options are matched against. |
multiple-option |
Matches the presence of multiple IP options in the IPv4 packet. |
Table: IPv6 next-header match criteria lists the IPv6 next-header match criteria.
Criteria | Description |
---|---|
hop-by-hop-opt |
Matches for the presence of hop-by-hop options extension header in the IPv6 packet. This match criterion is supported on ingress only. Up to six extension headers are matched against. |
Table: Upper-layer protocol match criteria lists the upper-layer protocol match criteria.
Criteria | Description |
---|---|
next-header |
Matches the specified upper-layer protocol (such as TCP or UDP) against the next-header field of the IPv6 packet header. ‟*” can be used to specify TCP or UDP upper-layer protocol match (logical OR). Next-header matching also allows matching on the presence of a subset of IPv6 extension headers. See the CLI section for information about which extension header match is supported. |
protocol |
Matches the specified protocol against the Protocol field in the IPv4 packet header (for example, TCP, UDP, or IGMP) of the outer IPv4. ‟*” can be used to specify TCP or UDP upper-layer protocol match (logical OR). |
icmp-code |
Matches the specified value against the Code field of the ICMP/ICMPv6 header of the packet. This match is supported only for entries that also define protocol/next-header match for ICMP/ICMPv6 protocol. |
icmp-type |
Matches the specified value against the Type field of the ICMP or ICMPv6 header of the packet. This match is supported only for entries that also define protocol/next-header match for ‟ICMP” or ‟ICMPv6” protocol. |
src-port/dst-port/port |
Matches the specified port value (with or without mask), port list, or port range against the Source Port Number/Destination Port Number of the UDP/TCP packet header. An option to match either source or destination port or both (logical OR) using a single filter policy entry is supported by using a directionless port command. Source/destination match is supported only for entries that also define protocol/next-header match for ‟TCP”, ‟UDP” or ‟TCP or UDP” protocols. A non-initial fragment does not match an entry with non-zero port criteria specified. |
tcp-ack/tcp-syn |
Matches the presence or absence of the TCP flags in the TCP header of the packet. This match criteria also requires defining the protocol/next-header match as ‟TCP”. |
Table: Router instance match criteria lists the router instance match criteria.
Criteria | Description |
---|---|
router |
Matches the router instance packets that are ingressing from for this filter entry. |