Create a Policy Rule Match for a Device

About this task

When you create a policy rule match, you select all parts of a packet header that you want to target and then select the action to perform on the targeted items. These selections are the rules in your match. The match can then be associated with ingress or egress policies. A policy rule match can contain one or more rules.

Note

A policy rule match is a device-specific feature. If you have UDAs configured for a device, UDA-related fields are displayed in the Create Match page. These fields are not described in this procedure.

XCO supports a maximum of 6000 IPv4, 2000 IPv6, and 1500 L2/MAC matches for 9920.

To create a policy rule match in the library, see Create a Policy Rule Match in the Library.

Procedure

  1. In the Navigation menu, select Device Inventory.
  2. In the Devices page, click anywhere in the required device row except the Actions column to proceed to the device Overview page.
  3. In the Device Config menu, select Policies and Configuration > Policy Rule Matches > Add Policy Rule Match.
  4. In the Name field, enter a unique name for the match.
    • Alphanumeric characters, dashes, and underscores are allowed in the Name field.
    • The name all is a reserved keyword on 9920 and cannot be used.
  5. In the Type field, select whether the match applies to IPv4, IPv6, L2, or UDA.
    If you selected UDA on an SLX device, proceed to the next step. Else, go to step 7.
  6. In the UDA field, select a profile.
  7. (SLX only) In the Sub Type field, select the appropriate match.
    • Standard: Matches the source address information
    • Extended: Matches the source and destination address information
  8. In the Match section, complete the applicable fields to identify the packets of interest.
    Note

    Not all fields are mandatory. You can leave a field blank unless otherwise noted.

    The items in this section vary by your selection in the Protocol field. The following list describes all possible selections.

    • Protocol: The protocol that you want to target. If the protocol you want is not in the list, select None and provide the ID of the protocol you want in the Protocol ID field. Every protocol has a numeric value that is defined by the IETF.
    • Sequence: The order in which this rule is performed in the match.
    • Protocol ID: The ID of a protocol that you want to target. Use only when the protocol you want is not available in the Protocol field.
    • Source IP: The IPv4 or IPv6 address of the device that sends the packets.
    • Source Mask: The mask for the source IP address, in the following format: 255.255.255.255 or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
    • Destination IP: The IPv4 or IPv6 address of the device that is to receive the packets.
    • Destination Mask: The mask for the destination IP address, in the following format: 255.255.255.255 or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
    • Source Mac: The MAC address of the device that sends the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Source Mac Mask: The mask for the source MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Destination Mac: The MAC address of the device that is to receive the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Destination Mac Mask: The mask for the destination MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Source Port: The port through which packets enter the device.
    • Source Port End: The last port in the range of ports through which packets enter the device.
    • Destination Port: The port through which packets leave the device. Valid values range from 1 through 65535.
    • Destination Port End: The last port in the range of ports through which packets leave the device. Valid values range from 1 through 65535.
    • IP Payload Length: The length of the IP packets that you want to target, or the size of the IP payload. Valid values range from 64 through 9000.
    • IP Payload Length End: The last acceptable value of the IP payload. Valid values range from 65 through 9000.
    • DSCP: The value of the Differentiated Services Code Point in the Type of Service field in the header. Valid values range from 0 through 63.
    • VLAN: The VLAN ID. The valid value ranges are as follows:
      • 9920: 0 through 4095
      • SLX and MLX: 0 through 4091
    • EtherType: Identifies the protocol that is encapsulated in the payload. For example, the EtherType value for IPv4 is 0x0800. Valid values range from 1536 through 65536 (numerical), or 0x0600 through 0xffff (hexadecimal), or are one of the following: ARP, IPv4, or IPv6.
    • PCP: The Priority Code Point, a 3-bit field in a VLAN header. Valid values range from 0 through 7.
    • Tunnel ID: The ID number of the tunnel. Valid values range from 1 through 16777215.
    • MATCH0, MATCH1, MATCH2, MATCH3: Specifies the UDA hexadecimal match value. SLX presents these as specific header fields such as NEXT_HEADER.
      Note

      • MLX UDA requires a match and mask for all fields.
      • Use a mask of all zeros to match any value for a field.
    • MASK0, MASK1, MASK2, MASK3: Specifies the UDA Hexadecimal value used to mask the MATCH values. Use 0 bits for any value. A bit value of 1 must be matched.
  9. In the Fragmentation sub-section, select one of the following.

    The items in this section vary by your selection in the Type, Sub Type and Protocol fields. The following list describes all possible selections.

    • Fragmented: Targets fragmented packets.
    • Non Fragmented: Targets non-fragmented packets.
    • None: Targets packets in which the DF (Don't Fragment) flag is set in the IP header.
  10. In the Options sub-section, select one or more of the following:

    The items in this section vary by your selection in the Type, Sub Type, and Protocol fields, in particular the selection of a Layer 4 protocol such as UDP, TCP, or SCTP. The following list describes all possible selections.

    • Acknowledgment: Targets packets in which the ACK flag is set in the TCP header.
    • Congestion: Targets packets in which the CWR flag is set in the TCP header.
    • ECN-Echo: Targets packets in which the ECE flag is set in the TCP header.
    • Last Packet: Targets packets in which the FIN flag is set in the TCP header.
    • Push: Targets packets in which the PSH flag is set in the TCP header.
    • Reset: Targets packets in which the RST flag is set in the TCP header.
    • Synchronize: Targets packets in which the SYN flag is set in the TCP header.
    • Urgent: Targets packets in which the URG flag is set in the TCP header.
  11. In the Action section, select one or more actions to perform on the targeted items.
    • Drop to deny packets.
    • Count to keep track of the number of packets that match the policy rule.
    • Log to add the transaction to the XCO log.
    • Hard Drop to discard packets.
    • Bi Directional to cover traffic in both directions (source to destination and destination to source) in a single rule.
  12. Select Add.
    The match parameters (the new rule) appear in the pane on the right.
  13. Repeat steps 8 through 12 until you have added all the rules you need.
  14. Select Save.
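The mask, port-range, Options, and Bi Directional semantics described in steps 8 through 11 can be sanity-checked offline before a rule is saved. The following evaluator is an added example and not part of XCO or this procedure: Rule and Packet are hypothetical models, and it assumes that a blank mask means an exact address match and that every selected TCP option must be set for a packet to match (the page does not state how multiple options combine).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# TCP flag bits; the Options on the Create Match page map to these names
# (Acknowledgment -> ACK, Last Packet -> FIN, Congestion -> CWR, ...).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

@dataclass
class Rule:
    """One rule of a match (hypothetical model, not XCO's data structure)."""
    protocol_id: Optional[int] = None      # IETF protocol number, 6 = TCP
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None         # 1 bits must match, 0 bits = any
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None
    dst_port: Optional[int] = None
    dst_port_end: Optional[int] = None     # blank = single port
    options: frozenset = frozenset()       # assumed: all selected flags must be set
    bidirectional: bool = False

@dataclass
class Packet:                              # constructed header fields (hypothetical)
    protocol_id: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: int = 0

def _ip_ok(addr, rule_ip, mask):
    """Blank rule IP matches anything; blank mask is assumed to mean exact."""
    if rule_ip is None:
        return True
    a, r = ipaddress.ip_address(addr), ipaddress.ip_address(rule_ip)
    m = int(ipaddress.ip_address(mask)) if mask else (1 << a.max_prefixlen) - 1
    return a.version == r.version and (int(a) & m) == (int(r) & m)

def _port_ok(port, start, end):
    return start is None or start <= port <= (end if end is not None else start)

def _one_way(rule, p, src_ip, dst_ip, dst_port):
    need = sum(TCP_FLAGS[f] for f in rule.options)
    return ((rule.protocol_id is None or rule.protocol_id == p.protocol_id)
            and _ip_ok(src_ip, rule.src_ip, rule.src_mask)
            and _ip_ok(dst_ip, rule.dst_ip, rule.dst_mask)
            and _port_ok(dst_port, rule.dst_port, rule.dst_port_end)
            and (p.tcp_flags & need) == need)

def matches(rule, p):
    """Bi Directional also evaluates the rule with source and destination swapped."""
    return (_one_way(rule, p, p.src_ip, p.dst_ip, p.dst_port)
            or (rule.bidirectional and _one_way(rule, p, p.dst_ip, p.src_ip, p.src_port)))
```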