Create a Policy Rule Match in the Library

Policy rule matches in the library can be imported to a device.

About this task

This topic does not describe the process for creating matches for SLX and MLX UDAs. For more information, see Create an SLX UDA Match in the Library and Create an MLX UDA Match in the Library.

Procedure

  1. In the Navigation menu, select Library > Match.
  2. Select Add Match.
  3. In the Name field, enter a unique name for the match.
  4. In the Type field, select whether the match applies to IPv4, IPv6, or L2.
  5. In the Match section, complete the following fields to identify all parts of the packet header that you want to target with the actions you select in step 7.
    The items that you can select vary by your selection in the Protocol field. The following describes all possible selections.
    • Protocol: The protocol that you want to target. If the protocol you want is not in the list, select None and provide the ID of the protocol you want in the Protocol ID field. Every protocol has a numeric value that is defined by IETF.
    • Sequence: The order in which this rule is performed in the match.
    • Protocol ID: The ID of a protocol that you want to target. Use only when the protocol you want is not available in the Protocol field.
    • Source IP: The IPv4 or IPv6 address of the device that sends the packets.
    • Source Mask: The mask for the source IP address, in the following format: 255.255.255.255.
    • Destination IP: The IPv4 or IPv6 address of the device that is to receive the packets.
    • Destination Mask: The mask for the destination IP address, in the following format: 255.255.255.255.
    • Source Mac: The MAC address of the device that sends the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Source Mac Mask: The mask for the source MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Destination Mac: The MAC address of the device that is to receive the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
    • Destination Mac Mask: The mask for the destination MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
    • Source Port: The port through which packets enter the device.
    • Source Port End: The last port in the range of ports through which packets enter the device.
    • Destination Port: The port through which packets leave the device. Valid values range from 1 through 65535.
    • Destination Port End: The last port in the range of ports through which packets leave the device. Valid values range from 1 through 65535.
    • IP Payload Length: The length of the IP packets that you want to target, or the size of the IP payload. Valid values range from 64 through 9000.
    • IP Payload Length End: The last acceptable value of the IP payload. Valid values range from 65 through 9000.
    • DSCP: The value of the Differentiated Services Code Point in the Type of Service field in the header. Valid values range from 0 through 63.
    • VLAN: The VLAN ID. Valid values range from 0 through 4095.
    • EtherType: Identifies the protocol that is encapsulated in the payload. For example, the EtherType value for IPv4 is 0x0800. Valid values range from 1536 through 65536 (numerical), or 0x0600 through 0xffff (hexadecimal), or are one of the following: ARP, IPv4, or IPv6.
    • PCP: The Priority Code Point, a 3-bit field in a VLAN header. Valid values range from 0 through 7.
    • Tunnel ID: The ID number of the tunnel. Valid values range from 1 through 16777215.
  6. In the Fragmentation section, select one or more of the following.

    The items that you can select vary by your selection in the Protocol field. The following list describes all possible selections.

    • Fragmented: Targets fragmented packets.
    • Non Fragmented: Targets non-fragmented packets.
    • None: Targets packets in which the DF (Don't Fragment) flag is set in the IP header.
    • Acknowledgment: Targets packets in which the ACK flag is set in the TCP header.
    • Congestion: Targets packets in which the CWR flag is set in the TCP header.
    • ECN-Echo: Targets packets in which the ECE flag is set in the TCP header.
    • Last Packet: Targets packets in which the FIN flag is set in the TCP header.
    • Push: Targets packets in which the PSH flag is set in the TCP header.
    • Reset: Targets packets in which the RST flag is set in the TCP header.
    • Synchronize: Targets packets in which the SYN flag is set in the TCP header.
    • Urgent: Targets packets in which the URG flag is set in the TCP header.
  7. In the Action section, select one or more actions to perform on the targeted items.
    • Drop to drop the packet.
    • Count to keep track of the number of packets that match the policy rule.
    • Log to add the transaction to the Visibility Manager log.
  8. Select Add.
    The match parameters (the new rule) appear in the pane on the right.
  9. Repeat steps 7 through 10 until you have added all the rules you need.
  10. To remove a rule from the match, select Delete for that rule in the Rules panel on the right.
  11. To change a rule, select Edit for that rule in the Rules panel and make your changes.
  12. Save your selections.
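As an added example (not part of this documentation or the product), the following Python validator encodes the field constraints listed in steps 5 and 6 so a match definition can be checked before it is entered or imported. The dict keys, the `SAMPLE_MATCH` value, and the rule that Protocol ID is required when Protocol is None are assumptions made for the example.

```python
import re

# MAC/MAC mask: 1111.1111.1111 or 11:11:11:11:11:11, lowercase hex only (as the field descriptions require)
MAC_RE = re.compile(r"^(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")
ETHERTYPE_NAMES = {"ARP", "IPv4", "IPv6"}
# (min, max) for every field whose valid range the field list states
RANGES = {
    "destination_port": (1, 65535),
    "destination_port_end": (1, 65535),
    "ip_payload_length": (64, 9000),
    "ip_payload_length_end": (65, 9000),
    "dscp": (0, 63),
    "vlan": (0, 4095),
    "pcp": (0, 7),
    "tunnel_id": (1, 16777215),
}
RANGE_PAIRS = (("destination_port", "destination_port_end"),
               ("ip_payload_length", "ip_payload_length_end"))

def check_mac(value):
    """True if a MAC or MAC mask is in one of the two accepted lowercase formats."""
    return isinstance(value, str) and bool(MAC_RE.match(value))

def check_ethertype(value):
    """EtherType: 1536-65536 decimal (bounds as the field list gives them), 0x0600-0xffff hex, or a name."""
    if value in ETHERTYPE_NAMES:
        return True
    if isinstance(value, str) and value.lower().startswith("0x"):
        try:
            return 0x0600 <= int(value, 16) <= 0xFFFF
        except ValueError:
            return False
    return isinstance(value, int) and 1536 <= value <= 65536

def validate_match(match):
    """Return a list of (field, problem) tuples for a match definition given as a plain dict (assumed layout)."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        if name in match and not (lo <= match[name] <= hi):
            problems.append((name, f"must be {lo}-{hi}"))
    for name in ("source_mac", "source_mac_mask", "destination_mac", "destination_mac_mask"):
        if name in match and not check_mac(match[name]):
            problems.append((name, "use 1111.1111.1111 or 11:11:11:11:11:11, lowercase"))
    if "ethertype" in match and not check_ethertype(match["ethertype"]):
        problems.append(("ethertype", "use 1536-65536, 0x0600-0xffff, ARP, IPv4 or IPv6"))
    if match.get("protocol") == "None" and "protocol_id" not in match:  # assumed: None needs an explicit ID
        problems.append(("protocol_id", "required when Protocol is None"))
    for start, end in RANGE_PAIRS:  # an End field must not precede its start field
        if start in match and end in match and match[end] < match[start]:
            problems.append((end, f"must not be less than {start}"))
    return problems

# Constructed sample (not from the page): the uppercase hex in the MAC is the defect the field list warns about.
SAMPLE_MATCH = {"type": "L2", "source_mac": "00:1B:44:11:3A:B7", "ethertype": "0x0800", "vlan": 100, "pcp": 3}
```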