Create a Policy Rule Match in the Library

Policy rule matches in the library can be imported to a device.

About this task

To create a policy rule match for a specific device, see Create a Policy Rule Match for a Device.

Procedure

  1. In the Navigation menu, select Library > Matches > Add Match.
  2. In the Name field, enter a unique name for the match.
    • Alphanumeric characters, dashes, and underscores are allowed in the Name field.
    • The name all is a reserved keyword on the 9920 and cannot be used.
  3. In the Device Type field, select the required device type.
    • 9900
    • MLX
    • SLX
  4. In the Type field, select whether the match applies to IPv4, IPv6, L2, or UDA.
    If you selected UDA on an SLX device, proceed to the next step. Otherwise, go to step 7.
  5. In the Sub Type field, select the appropriate match.
    • Standard: Matches the source address information
    • Extended: Matches the source and destination address information
  6. In the UDA field, select a profile.
  7. In the Match section, complete the following fields to identify the packets of interest.
    Note

    Not all fields are mandatory. You can leave a field blank unless noted otherwise.
    The items that you can select vary by your selection in the Protocol field. The following describes all possible selections.
    • Protocol: The protocol that you want to target. If the protocol you want is not in the list, select None and enter the number of the protocol you want in the Protocol ID field. Every IP protocol has a numeric value (the IP protocol number) assigned by IANA.
    • Sequence: The order in which this rule is performed in the match.
    • Protocol ID: The ID of a protocol that you want to target. Use only when the protocol you want is not available in the Protocol field.
    • Source IP: The IPv4 or IPv6 address of the device that sends the packets.
    • Source Mask: The mask for the source IP address, in the following format: 255.255.255.255.
    • Destination IP: The IPv4 or IPv6 address of the device that is to receive the packets.
    • Destination Mask: The mask for the destination IP address, in the following format: 255.255.255.255.
    • Source Mac: The MAC address of the device that sends the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Source Mac Mask: The mask for the source MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Destination Mac: The MAC address of the device that is to receive the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Destination Mac Mask: The mask for the destination MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Source Port: The Layer 4 (TCP, UDP, or SCTP) source port in the packet header, that is, the port on the host that sends the packets.
    • Source Port End: The last port in the range of source ports to target.
    • Destination Port: The Layer 4 (TCP, UDP, or SCTP) destination port in the packet header, that is, the port on the host that receives the packets. Valid values range from 1 through 65535.
    • Destination Port End: The last port in the range of destination ports to target. Valid values range from 1 through 65535.
    • IP Payload Length: The length of the IP packets that you want to target, or the size of the IP payload. Valid values range from 64 through 9000.
    • IP Payload Length End: The last acceptable value of the IP payload. Valid values range from 65 through 9000.
    • DSCP: The value of the Differentiated Services Code Point in the Type of Service field in the header. Valid values range from 0 through 63.
    • VLAN: The VLAN ID. Valid values range from 0 through 4095.
    • EtherType: Identifies the protocol that is encapsulated in the payload. For example, the EtherType value for IPv4 is 0x0800. Valid values range from 1536 through 65535 (decimal), or 0x0600 through 0xffff (hexadecimal), or are one of the following: ARP, IPv4, or IPv6.
    • PCP: The Priority Code Point, a 3-bit field in a VLAN header. Valid values range from 0 through 7.
    • Tunnel ID: The ID number of the tunnel. Valid values range from 1 through 16777215.
    • MATCH0, MATCH1, MATCH2, MATCH3: The UDA match words, in hexadecimal. SLX presents these as specific header fields, such as NEXT_HEADER.
      Note

      • MLX UDA requires both a match value and a mask for every field.
      • Use a mask of all zeros to match any value in a field.
    • MASK0, MASK1, MASK2, MASK3: The hexadecimal masks applied to the MATCH words. A 0 bit in the mask matches any value in that bit position; a 1 bit requires the packet to match the corresponding MATCH bit.
  8. In the Fragmentation section, select one or more of the following.

    The items in this section vary by your selection in the Type, Sub Type and Protocol fields. The following list describes all possible selections.

    • Fragmented: Targets fragmented packets.
    • Non Fragmented: Targets non-fragmented packets.
    • None: Targets packets in which the DF (Don't Fragment) flag is set in the IP header.
  9. In the Options sub-section, select one or more of the following:

    The items in this section vary by your selection in the Type, Sub Type and Protocol fields, in particular the selection of a Layer 4 protocol such as UDP, TCP, or SCTP. The following list describes all possible selections.

    • Acknowledgment: Targets packets in which the ACK flag is set in the TCP header.
    • Congestion: Targets packets in which the CWR flag is set in the TCP header.
    • ECN-Echo: Targets packets in which the ECE flag is set in the TCP header.
    • Last Packet: Targets packets in which the FIN flag is set in the TCP header.
    • Push: Targets packets in which the PSH flag is set in the TCP header.
    • Reset: Targets packets in which the RST flag is set in the TCP header.
    • Synchronize: Targets packets in which the SYN flag is set in the TCP header.
    • Urgent: Targets packets in which the URG flag is set in the TCP header.
  10. In the Action section, select one or more actions to perform on the targeted items.

    The items in this section vary by your selection in the Protocol field. The following list describes all possible selections.

    • Drop to deny packets.
    • Count to keep track of the number of packets that match the policy rule.
    • Log to add the transaction to the log.
    • Hard Drop to drop packets.
    • Bi Directional to cover traffic in both directions (source to destination and destination to source) in a single rule.
  11. Select Add.
    The match parameters (the new rule) appear in the pane on the right.
  12. Repeat steps 7 through 11 until you have added all the rules you need.
  13. Select Save.
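The following is an added example, not code from the product or its documentation. It evaluates a rule built from the Match, Options and Action fields described above against constructed packets, so that you can see how the fields combine: how a blank field means "any", how an IP, MAC or UDA mask selects the bits that have to match (a 1 bit must match, a 0 bit is a wildcard, as the page states for the UDA MASK words), why selecting Synchronize also matches SYN+ACK segments, and how Bi Directional makes a rule written for client-to-server traffic match the return flow. Assumptions that the page does not state: the IP and MAC masks follow the same 1-must-match convention as the UDA masks, port ranges are inclusive, and rules within a match are tried in Sequence order with the first hit deciding the actions. The rule and packet dicts are constructed for the example and are not captured traffic.

```python
import ipaddress
import re

# Options checkbox name -> TCP flag it requires (from the Options list on this page).
TCP_FLAG_FOR_OPTION = {
    "Acknowledgment": "ACK", "Congestion": "CWR", "ECN-Echo": "ECE",
    "Last Packet": "FIN", "Push": "PSH", "Reset": "RST",
    "Synchronize": "SYN", "Urgent": "URG",
}


def parse_mac(text):
    """Accept 1111.1111.1111 or 11:11:11:11:11:11; hex letters must be lowercase."""
    digits = re.sub(r"[.:]", "", text)
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address or mask: {text!r}")
    return int(digits, 16)


def masked_equal(rule_value, mask, pkt_value):
    """Compare only the bit positions set in the mask; an all-zero mask matches anything."""
    return (rule_value & mask) == (pkt_value & mask)


def ip_field_matches(rule_ip, rule_mask, pkt_ip):
    if rule_ip is None:                      # field left blank: any address
        return True
    # Assumption: a blank mask means an exact host match (all-ones mask for the family).
    mask = rule_mask or str(ipaddress.ip_network(rule_ip).netmask)
    return masked_equal(int(ipaddress.ip_address(rule_ip)),
                        int(ipaddress.ip_address(mask)),
                        int(ipaddress.ip_address(pkt_ip)))


def mac_field_matches(rule_mac, rule_mask, pkt_mac):
    if rule_mac is None:
        return True
    return masked_equal(parse_mac(rule_mac), parse_mac(rule_mask or "ffff.ffff.ffff"),
                        parse_mac(pkt_mac))


def port_field_matches(start, end, pkt_port):
    if start is None:
        return True
    return start <= pkt_port <= (end if end is not None else start)   # inclusive range (assumed)


def uda_matches(match_words, mask_words, pkt_words):
    """MATCH0..3 against MASK0..3: 1 bits in the mask must match, 0 bits are wildcards."""
    if len(pkt_words) < len(match_words):    # a packet without UDA words cannot match a UDA rule
        return False
    return all(masked_equal(m, k, p) for m, k, p in zip(match_words, mask_words, pkt_words))


def one_direction(rule, pkt):
    checks = [
        rule.get("protocol") in (None, pkt.get("protocol")),
        ip_field_matches(rule.get("src_ip"), rule.get("src_mask"), pkt.get("src_ip")),
        ip_field_matches(rule.get("dst_ip"), rule.get("dst_mask"), pkt.get("dst_ip")),
        mac_field_matches(rule.get("src_mac"), rule.get("src_mac_mask"), pkt.get("src_mac")),
        mac_field_matches(rule.get("dst_mac"), rule.get("dst_mac_mask"), pkt.get("dst_mac")),
        port_field_matches(rule.get("src_port"), rule.get("src_port_end"), pkt.get("src_port")),
        port_field_matches(rule.get("dst_port"), rule.get("dst_port_end"), pkt.get("dst_port")),
        rule.get("dscp") in (None, pkt.get("dscp")),
        # Every selected Options flag must be set; extra flags in the packet do not matter.
        all(TCP_FLAG_FOR_OPTION[o] in pkt.get("tcp_flags", ()) for o in rule.get("options", ())),
    ]
    if rule.get("uda_match"):
        checks.append(uda_matches(rule["uda_match"], rule["uda_mask"], pkt.get("uda_words", ())))
    return all(checks)


def reverse(pkt):
    """Swap source and destination fields, which is what Bi Directional adds to a rule."""
    swapped = dict(pkt)
    for a, b in (("src_ip", "dst_ip"), ("src_mac", "dst_mac"), ("src_port", "dst_port")):
        swapped[a], swapped[b] = pkt.get(b), pkt.get(a)
    return swapped


def rule_matches(rule, pkt):
    if one_direction(rule, pkt):
        return True
    return "Bi Directional" in rule.get("actions", ()) and one_direction(rule, reverse(pkt))


def first_match(rules, pkt):
    """Assumed first-match semantics: try rules in Sequence order, first hit decides."""
    for rule in sorted(rules, key=lambda r: r["sequence"]):
        if rule_matches(rule, pkt):
            return rule
    return None


# Constructed rule: TCP SYN to the server subnet on port 22, counted and logged in both directions.
SSH_RULE = {"sequence": 10, "protocol": "TCP", "dst_ip": "10.1.2.0", "dst_mask": "255.255.255.0",
            "dst_port": 22, "options": ["Synchronize"], "actions": ["Count", "Log", "Bi Directional"]}
# Constructed UDA rule: low byte of MATCH0 must be 0x06, every other bit is wildcarded.
UDA_RULE = {"sequence": 20, "uda_match": [0x00000006, 0, 0, 0], "uda_mask": [0x000000ff, 0, 0, 0],
            "actions": ["Count"]}
# Constructed packets (not captured traffic).
SYN = {"protocol": "TCP", "src_ip": "192.0.2.10", "dst_ip": "10.1.2.5",
       "src_port": 51000, "dst_port": 22, "tcp_flags": {"SYN"}}
SYN_ACK = {"protocol": "TCP", "src_ip": "10.1.2.5", "dst_ip": "192.0.2.10",
           "src_port": 22, "dst_port": 51000, "tcp_flags": {"SYN", "ACK"}}
HTTPS_SYN = dict(SYN, dst_port=443)

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("SYN_ACK", SYN_ACK), ("HTTPS_SYN", HTTPS_SYN)):
        hit = first_match([SSH_RULE, UDA_RULE], pkt)
        print(name, "->", hit["actions"] if hit else "no match")
```

The SYN_ACK packet is the point to check before saving a rule: with Bi Directional selected it is counted and logged under SSH_RULE even though its destination is outside 10.1.2.0/24, because the reversed packet matches and the server's SYN+ACK still carries the SYN flag the Synchronize option asks for. Remove Bi Directional from the actions and the same packet falls through to the next rule in Sequence order.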