Understanding the Filter Rule Definition Dialog

Define filter rules from the Filter Rule Definition Dialog. This dialog displays when you click Add or Edit from the Rules tab or from the Custom AP Rules tab.

Filter Rule Definition Dialog

Filter Rule Definition Dialog - Fields and Buttons

Field/Button Description
Classification Select Layers 2-4 to display configuration options for the data link, routing, and transport layers.

Select Layer 7 to configure options related to the application layer. For more information, see Layer 7 configuration.

Direction  
In Filter In the drop-down menu, select which IPv4 addresses in the IP header to match for traffic flowing from the station to the network. Options include:
  • Destination (dest)
  • Source (src) - available in Advanced Filtering Mode only
  • None
  • Both - available in Advanced Filtering Mode only
Out Filter In the drop-down menu, select which IPv4 addresses in the IP header to match for traffic flowing from the network to the station. Options include:
  • Destination (dest)
  • Source (src) - available in Advanced Filtering Mode only
  • None
  • Both - available in Advanced Filtering Mode only

The role for outbound traffic rules may be impacted by the selection (mode) for Egress Filtering. For more information, see Configuring Egress Filtering Mode.

Classification - Layer 2, 3, 4
Ethertype Select a matching Ethertype filter for the selected policy rule.
Note: You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can browse to IPv6 websites over HTTP, you cannot apply Captive Portal redirection to HTTP[S] over IPv6.
Mac Address Select Any MAC or User Defined and provide the MAC address.
Priority Select a Priority from the drop-down list.
IP/subnet Select one of the following:
  • User Defined, then type the destination IP address and mask. Use this option to explicitly define the IP/subnet aspect of the rule.
  • IP - select to map the rule to the associated Topology IP address.
  • Subnet - select to map the rule to the associated Topology segment definition (IP address/mask).
Note:
Port From the Port drop-down list, select one of the following:
  • User Defined, then type the port number. Use this option to explicitly specify the port number.
  • A specific port type. The appropriate port number or numbers are added to the Port text field.

Protocol In the Protocol drop-down list, click the applicable protocol. The default is N/A.
ToS/DSCP Select the ToS/DSCP value to match, if any, to define the Layer 3, 4 ToS/DSCP bits. Enter a hexadecimal value in the 0x (DSCP:) field.
Select Click the Select button to open the ToS/DSCP Configuration dialog. For more information, see Priority and ToS/DSCP Marking.
Mask This is a mask for the ToS/DSCP field match. The mask allows the match to be based on specific bits in the ToS/DSCP match value. Enter a hexadecimal value.
Application
Application Select from one of the following pre-defined IDs to support L5+ filtering:
  • None
  • Link Local Multicast Name Resolution Query
  • Link Local Multicast Name Resolution Response
  • Simple Service Discovery Protocol Query
  • Simple Service Discovery Protocol Unsolicited Announcement
  • mDNS-SD Query
  • mDNS-SD Response
Action
Access Control Select from one of the following:
  • None - No role defined.
  • Allow - Packets contained to role's default action's VLAN (Virtual LAN)/topology.
  • Deny - Any packet not matching a rule in the policy is dropped.
  • Containment VLAN - A topology to use when a VNS is created using a role that does not specify a topology.
  • HTTP Redirect - Indicates redirect action.

    Rule-based Redirection is explicit when the redirection flag is enabled and a rule is defined for redirection. The redirection destination can be defined on the role or as part of a WLAN Service configuration. If a redirection destination is not configured, the default destination is 'Own WLAN', which indicates the WLAN of the device. Redirection is allowed on any port.

    For more information about Rule-based Redirection, see Rule-Based Redirection.

Note: The access control options "Contain to VLAN" and "Redirect" are not supported for L7 rules.
Class of Service Select an existing class of service from the drop-down list.

For information about how to configure a Class of Service, go to Configuring Roles.

Traffic Mirror When enabled, this option sends a copy of the network packets to a mirroring L2 port for analysis, so that network traffic can be monitored. The Purview Engine analyses the traffic. The assigned port can only be used for traffic analysis. You can enable traffic mirroring from the WLAN Service, from the Role, or from the Filter Rule. Setting traffic mirroring at the Filter Rule takes precedence over settings for the Role and WLAN Service. The order of precedence for the traffic mirror setting is: Filter Rule, Role, WLAN Service. To set the L2 port, go to VNS > Global > Netflow/MirrorN Configuration.
Valid values for Filter Rule and Role are:
  • None - No traffic mirroring
  • Enable - Traffic mirroring enabled. Traffic is copied if the filter rule matches or the role is applied.
  • Prohibited - Traffic mirroring is prohibited for this role. Traffic is not copied when the filter rule matches or the role is applied.
OK Click to add the rule to the filter group. The information is displayed in the role rule table.
Cancel Click Cancel to discard your changes.
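
The ToS/DSCP and Mask fields described above select which bits of the IPv4 ToS byte a rule compares. The following is an added example, not code from the product or its documentation, showing how the mask changes which packets a rule catches. It assumes the usual value/mask semantics, (ToS AND mask) equals (value AND mask); the function names and sample packets are constructed for illustration.

```python
import struct

def ipv4_tos(header: bytes) -> int:
    """Return the ToS byte (second octet) of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]

def split_tos(tos: int) -> dict:
    """Split the ToS byte into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    return {"dscp": tos >> 2, "ecn": tos & 0x03}

def tos_matches(tos: int, value: int, mask: int) -> bool:
    """Assumed semantics: compare only the bits selected by the mask."""
    for name, v in (("tos", tos), ("value", value), ("mask", mask)):
        if not 0 <= v <= 0xFF:
            raise ValueError(f"{name} must fit in one byte")
    return (tos & mask) == (value & mask)

def build_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header (documentation addresses, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

# Constructed sample traffic: EF, EF with ECN ECT(0) set, AF41, best effort.
SAMPLES = [build_header(t) for t in (0xB8, 0xBA, 0x88, 0x00)]

def evaluate(value: int, mask: int) -> list:
    """Return the ToS bytes of the sample packets that the rule would match."""
    return [ipv4_tos(h) for h in SAMPLES if tos_matches(ipv4_tos(h), value, mask)]

if __name__ == "__main__":
    # Full-byte mask, DSCP-only mask, and IP-precedence-only mask.
    for value, mask in ((0xB8, 0xFF), (0xB8, 0xFC), (0xA0, 0xE0)):
        hits = [f"0x{t:02X} {split_tos(t)}" for t in evaluate(value, mask)]
        print(f"value=0x{value:02X} mask=0x{mask:02X} ->", hits)
```

With a mask of 0xFF, a rule written for DSCP EF (0xB8) misses the same traffic once an ECN bit is set (0xBA); a mask of 0xFC compares the DSCP bits only and matches both.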