A policy rule match identifies the parts of a packet header that a rule targets, such as the source port or the payload length.

About this task

When you create a policy rule match, you select all parts of a packet header that you want to target and then select the action to perform on the targeted items. These selections are the rules in your match. The match can then be associated with ingress or egress policies. A policy rule match can contain one or more rules.

Note

A policy rule match is a device-specific feature. If you have ACLs configured for a device, ACL-related fields are displayed in the Create Match page. These fields are not described in this procedure.

This topic does not describe the process for creating matches for SLX and MLX UDAs. For more information, see Create an SLX UDA Match for a Device and Create an MLX UDA Match for a Device.
Procedure

1. In the Navigation menu, select Configure.
2. In the Devices panel, select the device for which you want to add a policy rule match.
3. Select the Configurations tab.
4. In the Device Config menu, select Add Policy Rule Match.
5. In the Name field, enter a unique name for the match.
6. In the Type field, select whether the match applies to IPv4, IPv6, or L2.
7. In the Match section, complete the following fields to identify all parts of the packet header that you want to target with the actions you select in step 9.
   The items in this section vary by your selection in the Protocol field. The following list describes all possible selections.
   - Protocol: The protocol that you want to target. If the protocol you want is not in the list, select None and provide the ID of the protocol you want in the Protocol ID field. Every protocol has a numeric value that is defined by the IETF.
   - Sequence: The order in which this rule is performed in the match.
   - Protocol ID: The ID of a protocol that you want to target. Use only when the protocol you want is not available in the Protocol field.
   - Source IP: The IPv4 or IPv6 address of the device that sends the packets.
   - Source Mask: The mask for the source IP address, in the following format: 255.255.255.255.
   - Destination IP: The IPv4 or IPv6 address of the device that is to receive the packets.
   - Destination Mask: The mask for the destination IP address, in the following format: 255.255.255.255.
   - Source Mac: The MAC address of the device that sends the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
   - Source Mac Mask: The mask for the source MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
   - Destination Mac: The MAC address of the device that is to receive the packets, in the following format: 1111.1111.1111 or 11:11:11:11:11:11. Any alpha characters in the address must be lowercase.
   - Destination Mac Mask: The mask for the destination MAC address, in the following format: ffff.ffff.ffff or ff:ff:ff:ff:ff:ff. Any alpha characters in the mask must be lowercase.
   - Source Port: The port through which packets enter the device.
   - Source Port End: The last port in the range of ports through which packets enter the device.
   - Destination Port: The port through which packets leave the device. Valid values range from 1 through 65535.
   - Destination Port End: The last port in the range of ports through which packets leave the device. Valid values range from 1 through 65535.
   - IP Payload Length: The length of the IP packets that you want to target, or the size of the IP payload. Valid values range from 64 through 9000.
   - IP Payload Length End: The last acceptable value of the IP payload. Valid values range from 65 through 9000.
   - DSCP: The value of the Differentiated Services Code Point in the Type of Service field in the header. Valid values range from 0 through 63.
   - VLAN: The VLAN ID. Valid values range from 0 through 4095.
   - EtherType: Identifies the protocol that is encapsulated in the payload. For example, the EtherType value for IPv4 is 0x0800. Valid values range from 1536 through 65536 (numerical), or 0x0600 through 0xffff (hexadecimal), or are one of the following: ARP, IPv4, or IPv6.
   - PCP: The Priority Code Point, a 3-bit field in a VLAN header. Valid values range from 0 through 7.
   - Tunnel ID: The ID number of the tunnel. Valid values range from 1 through 16777215.
8. In the Fragmentation section, select one or more of the following.
   The items in this section vary by your selection in the Protocol field. The following list describes all possible selections.
   - Fragmented: Targets fragmented packets.
   - Non Fragmented: Targets non-fragmented packets.
   - None: Targets packets in which the DF (Don't Fragment) flag is set in the IP header.
   - Acknowledgment: Targets packets in which the ACK flag is set in the TCP header.
   - Congestion: Targets packets in which the CWR flag is set in the TCP header.
   - ECN-Echo: Targets packets in which the ECE flag is set in the TCP header.
   - Last Packet: Targets packets in which the FIN flag is set in the TCP header.
   - Push: Targets packets in which the PSH flag is set in the TCP header.
   - Reset: Targets packets in which the RST flag is set in the TCP header.
   - Synchronize: Targets packets in which the SYN flag is set in the TCP header.
   - Urgent: Targets packets in which the URG flag is set in the TCP header.
9. In the Action section, select one or more actions to perform on the targeted items.
   The items in this section vary by your selection in the Protocol field. The following list describes all possible selections.
   - Drop: Drops the packet.
   - Count: Keeps track of the number of packets that match the policy rule.
   - Log: Adds the transaction to the Visibility Manager log.
10. Select Add. The match parameters (the new rule) appear in the pane on the right.
11. Repeat steps 7 through 10 until you have added all the rules you need.
12. To remove a rule from the match, select Delete for that rule in the Rules panel on the right.
13. To change a rule, select Edit for that rule in the Rules panel and make your changes.
14. Save (✔) your selections.
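As an added example (not Visibility Manager code), the following Python checks a Match-section rule against the field formats and value ranges listed in step 7 before it is entered, so that an out-of-range port, an inverted range, an uppercase MAC, or a malformed mask is caught early rather than producing a rule that silently matches nothing. The rule-as-dict shape and the lower_snake_case field names are assumptions.

```python
import re

# Field constraints as documented for the Match section (step 7). The lower_snake_case
# field names are an assumption; this is an added example, not Visibility Manager code.
RANGES = {"source_port": (1, 65535), "source_port_end": (1, 65535),
          "destination_port": (1, 65535), "destination_port_end": (1, 65535),
          "ip_payload_length": (64, 9000), "ip_payload_length_end": (65, 9000),
          "dscp": (0, 63), "vlan": (0, 4095), "pcp": (0, 7), "tunnel_id": (1, 16777215)}
# Lowercase-only MAC forms 1111.1111.1111 or 11:11:11:11:11:11; the MAC masks share the shape.
MAC_RE = re.compile(r"^(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|[0-9a-f]{2}(?::[0-9a-f]{2}){5})$")
MASK_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")  # 255.255.255.255 form for the IP masks
START_END = (("source_port", "source_port_end"), ("destination_port", "destination_port_end"),
             ("ip_payload_length", "ip_payload_length_end"))  # each *_end closes a range

def ethertype_ok(value):
    """Accept ARP/IPv4/IPv6, decimal 1536..65535, or hex 0x0600..0xffff (0xffff is 65535)."""
    if value in ("ARP", "IPv4", "IPv6"):
        return True
    try:
        is_hex = isinstance(value, str) and value.lower().startswith("0x")
        number = int(value, 16) if is_hex else int(value)
    except (TypeError, ValueError):
        return False
    return 0x0600 <= number <= 0xFFFF

def validate_match(rule):
    """Return the list of problems in one Match-section rule; an empty list means valid."""
    errors = []
    if rule.get("protocol") == "None" and "protocol_id" not in rule:
        errors.append("protocol_id is required when protocol is None")
    for field, (lo, hi) in RANGES.items():
        value = rule.get(field)
        if value is not None and not (isinstance(value, int) and lo <= value <= hi):
            errors.append(f"{field} must be an integer from {lo} through {hi}")
    for start, end in START_END:  # an end below its start describes an empty range
        first, last = rule.get(start), rule.get(end)
        if isinstance(first, int) and isinstance(last, int) and last < first:
            errors.append(f"{end} must not be less than {start}")
    for field in ("source_mac", "source_mac_mask", "destination_mac", "destination_mac_mask"):
        if field in rule and not MAC_RE.match(str(rule[field])):
            errors.append(f"{field} must be lowercase 1111.1111.1111 or 11:11:11:11:11:11 form")
    for field in ("source_mask", "destination_mask"):
        value = str(rule[field]) if field in rule else None
        if value and (not MASK_RE.match(value) or any(int(o) > 255 for o in value.split("."))):
            errors.append(f"{field} must be in 255.255.255.255 form")
    if "ethertype" in rule and not ethertype_ok(rule["ethertype"]):
        errors.append("ethertype must be ARP, IPv4, IPv6, 1536..65535, or 0x0600..0xffff")
    return errors
```

Run `validate_match` on each rule dict before step 10; anything it returns names the field to correct.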