Create a Policy Rule Match for a Device

A policy rule match identifies the parts of a packet header that a rule targets, such as the source port or the payload length.

About this task

When you create a policy rule match, you select all parts of a packet header that you want to target and then select the action to perform on the targeted items. These selections are the rules in your match. The match can then be associated with ingress or egress policies. A policy rule match can contain one or more rules.

Note

A policy rule match is a device-specific feature. If you have ACLs configured for a device, ACL-related fields are also displayed in the Create Match page. Those fields are not described in this procedure.

Procedure

  1. In the Navigation menu, select Configure.
  2. In the Devices panel, select the device for which you want to add a policy rule match.
  3. Select the Configuration tab.
  4. In the Device Config menu, select Add Policy Rule Match.
  5. In the Name field, enter a name for the match.
  6. In the Type field, select whether the match applies to IPv4, IPv6, or L2.
  7. In the Match section, complete the following fields to identify all parts of the packet header that you want to target with the actions you select in step 9.
    The items that you can select vary by your selection in the Protocol field. The following describes all possible selections.
    • Protocol: The protocol that you want to target. If the protocol you want is not in the list, select None and enter the protocol number in the Protocol ID field. Every IP protocol has a numeric value assigned by IANA, for example 6 for TCP and 17 for UDP.
    • Sequence: The position of this rule in the match. Rules are evaluated in sequence order.
    • Protocol ID: The IANA protocol number of the protocol that you want to target. Use only when the protocol you want is not available in the Protocol field.
    • Source IP: The IP address of the device that sends the packets, in CIDR format (for example, 10.0.0.0/24).
    • Source Mask: The mask for the source IP address, in dotted-decimal format (for example, 255.255.255.0 for a /24 network, or 255.255.255.255 for a single host).
    • Destination IP: The IP address of the device that is to receive the packets, in CIDR format (for example, 192.0.2.10/32).
    • Destination Mask: The mask for the destination IP address, in dotted-decimal format (for example, 255.255.255.0 for a /24 network, or 255.255.255.255 for a single host).
    • Source Mac: The MAC address of the device that sends the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Source Mac Mask: The mask for the source MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Destination Mac: The MAC address of the device that is to receive the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Destination Mac Mask: The mask for the destination MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Source Port: The Layer 4 (TCP or UDP) source port in the packet header, or the first port of a range. This is the port number used by the sending host, not a physical port on the device.
    • Source Port End: The last port in the range of source ports.
    • Destination Port: The Layer 4 (TCP or UDP) destination port in the packet header, or the first port of a range. Valid values range from 1 through 65535.
    • Destination Port End: The last port in the range of destination ports. Valid values range from 1 through 65535.
    • IP Payload Length: The length of the IP payload, in bytes, that you want to target, or the first value of a range. Valid values range from 64 through 9000.
    • IP Payload Length End: The last value in the range of IP payload lengths. Valid values range from 65 through 9000.
    • DSCP: The 6-bit Differentiated Services Code Point carried in the DS field (the former Type of Service byte) of the IPv4 header, or in the Traffic Class field of the IPv6 header. Valid values range from 0 through 63.
    • VLAN: The VLAN ID. Valid values range from 0 through 4095.
    • EtherType: Identifies the protocol that is encapsulated in the frame payload. For example, the EtherType value for IPv4 is 0x0800. Valid values range from 1536 through 65535 (decimal), or 0x0600 through 0xffff (hexadecimal), or are one of the following: ARP, IPv4, or IPv6.
    • PCP: The Priority Code Point, a 3-bit field in a VLAN header. Valid values range from 0 through 7.
    • Tunnel ID: The ID number of the tunnel. Valid values range from 1 through 16777215.
  8. In the Fragmentation section, select one or more of the following.

    The items that you can select vary by your selection in the Protocol field. The following describes all possible selections.

    • Fragmented: Targets fragmented packets.
    • Non Fragmented: Targets non-fragmented packets.
    • None: Targets packets in which the DF (Don't Fragment) flag is set in the IP header.
    • Acknowledgment: Targets packets in which the ACK flag is set in the TCP header.
    • Congestion: Targets packets in which the CWR flag is set in the TCP header.
    • ECN-Echo: Targets packets in which the ECE flag is set in the TCP header.
    • Last Packet: Targets packets in which the FIN flag is set in the TCP header.
    • Push: Targets packets in which the PSH flag is set in the TCP header.
    • Reset: Targets packets in which the RST flag is set in the TCP header.
    • Synchronize: Targets packets in which the SYN flag is set in the TCP header.
    • Urgent: Targets packets in which the URG flag is set in the TCP header.
  9. In the Action section, select one or more actions to perform on the targeted items.
    • Drop: Drops the packet.
    • Count: Keeps track of the number of packets that match the policy rule.
    • Log: Adds the transaction to the Visibility Manager log.
  10. Select Add.
    The match parameters (the new rule) appear in the pane on the right.
  11. Repeat steps 7 through 10 until you have added all the rules you need.
  12. To remove a rule from the match, select Delete for that rule in the Rules panel on the right.
  13. To change a rule, select Edit for that rule in the Rules panel and make your changes.
  14. Select Save to save your selections.
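The following Python is an added example, not code from the product or this documentation. It models the rule fields and value ranges described in steps 7 through 9 and evaluates constructed packet headers against a two-rule match, so you can check what a given combination of Source IP, Source Mac Mask, Destination Port range and TCP flag selections will and will not hit before you commit it to a device. The Packet and RuleMatch types, the field names, the demo rules and the sample packets are all constructed for illustration; it also assumes, as the Sequence field suggests, that rules run in sequence order and that the first rule that matches decides the actions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Value ranges as documented on the Create Match page.
RANGES = {"port": (1, 65535), "dscp": (0, 63), "vlan": (0, 4095),
          "ethertype": (0x0600, 0xFFFF), "pcp": (0, 7), "tunnel_id": (1, 16777215)}
# The two accepted MAC formats; hex letters must be lowercase.
MAC_FORMATS = (re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"),
               re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$"))
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_mac(text: str) -> int:
    """Return the 48-bit value of a MAC in either documented format; reject anything else."""
    if not any(fmt.match(text) for fmt in MAC_FORMATS):
        raise ValueError(f"{text!r}: use xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx, lowercase hex")
    return int(re.sub(r"[.:]", "", text), 16)


def check_range(name: str, value: int) -> int:
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the documented range {lo}..{hi}")
    return value


@dataclass(frozen=True)
class Packet:  # constructed packet header used as demo input, not a real capture
    protocol: int            # IANA protocol number: 6 = TCP, 17 = UDP
    src_ip: str
    src_mac: str
    dst_port: int
    tcp_flags: int = 0       # bitmask built from TCP_FLAG_BITS


@dataclass(frozen=True)
class RuleMatch:
    """One rule in a match. None means the field was not selected in the form."""
    sequence: int
    protocol: Optional[int] = None
    src_ip: Optional[str] = None           # CIDR, as entered in Source IP
    src_mac: Optional[str] = None
    src_mac_mask: str = "ffff.ffff.ffff"   # all-ones mask = exact MAC
    dst_port: Optional[int] = None
    dst_port_end: Optional[int] = None     # None = single port, not a range
    tcp_flags: Tuple[str, ...] = ()        # flags that must all be set (TCP only)
    actions: Tuple[str, ...] = ("Count",)

    def __post_init__(self) -> None:
        # Reject bad input up front, as the form does.
        for val in (v for v in (self.dst_port, self.dst_port_end) if v is not None):
            check_range("port", val)
        for mac in (m for m in (self.src_mac, self.src_mac_mask) if m is not None):
            parse_mac(mac)
        if self.dst_port_end is not None and self.dst_port is None:
            raise ValueError("Destination Port End requires Destination Port")
        if self.tcp_flags and (self.protocol != 6 or set(self.tcp_flags) - set(TCP_FLAG_BITS)):
            raise ValueError("TCP flags must be known names and require Protocol TCP (6)")

    def matches(self, pkt: Packet) -> bool:
        """True when every selected field matches the packet header."""
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src_ip and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_ip, strict=False):
            return False
        if self.src_mac is not None:
            mask = parse_mac(self.src_mac_mask)   # compare only the bits set in the mask
            if parse_mac(pkt.src_mac) & mask != parse_mac(self.src_mac) & mask:
                return False
        if self.dst_port is not None:
            last = self.dst_port if self.dst_port_end is None else self.dst_port_end
            if not self.dst_port <= pkt.dst_port <= last:
                return False
        need = sum(TCP_FLAG_BITS[f] for f in self.tcp_flags)
        return pkt.tcp_flags & need == need


def evaluate(rules, pkt: Packet) -> Tuple[str, ...]:
    """Assumption: rules run in Sequence order and the first rule that hits decides the actions."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule.matches(pkt):
            return rule.actions
    return ()


# Constructed demo match and packets: rule 10 drops and logs SSH SYNs from 10.0.0.0/24; rule 20
# counts high-port TCP from any source MAC starting 00:11:22:33 (the mask ignores the last two bytes).
DEMO_RULES = (
    RuleMatch(sequence=10, protocol=6, src_ip="10.0.0.0/24", dst_port=22,
              tcp_flags=("SYN",), actions=("Drop", "Log")),
    RuleMatch(sequence=20, protocol=6, src_mac="0011.2233.0000",
              src_mac_mask="ffff.ffff.0000", dst_port=1024, dst_port_end=65535),
)
SSH_SYN = Packet(6, "10.0.0.5", "00:11:22:33:aa:bb", 22, TCP_FLAG_BITS["SYN"])
SSH_ACK = Packet(6, "10.0.0.5", "00:11:22:33:aa:bb", 22, TCP_FLAG_BITS["ACK"])
HIGH_PORT = Packet(6, "192.0.2.9", "00:11:22:33:aa:bb", 8080, TCP_FLAG_BITS["PSH"] | TCP_FLAG_BITS["ACK"])
UDP_22 = Packet(17, "10.0.0.5", "00:11:22:33:aa:bb", 22)
```

Calling evaluate(DEMO_RULES, pkt) for each sample packet shows the points worth checking before saving a match: the SSH SYN hits rule 10 and gets Drop and Log, the SSH ACK hits nothing because rule 10 requires SYN and rule 20 starts at port 1024, the packet to port 8080 from outside 10.0.0.0/24 is counted by rule 20 through the masked MAC comparison, and the UDP packet matches neither rule because both select Protocol TCP. The validation in RuleMatch also rejects a port of 0, an uppercase MAC, a Destination Port End without a Destination Port, and TCP flag selections on a non-TCP rule.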