Creating and Managing Wired Filter Profiles

This topic describes:

Managing Wired Filter Profiles

• Create a new wired Filter profile by clicking Add. For directions, see Creating a Wired Filter Profile.
• Modify an existing wired Filter profile by selecting it and clicking Edit.
• View information about a wired Filter profile, including the associated interfaces, by either clicking the profile name or by selecting the profile and clicking Details.
• Delete a wired Filter profile by selecting the profile and clicking Delete.

  Note: You cannot delete profiles that are in use—that is, profiles assigned to objects or used by other profiles. To see the current assignments for a profile, select the profile and click Details.

• Clone a wired Filter profile by selecting a profile and clicking Clone.

Table 117 describes the information provided about wired Filter profiles on the Manage Filter Profiles page. This page lists all Filter profiles defined for your network, regardless of the scope you selected in the network view.

Creating a Wired Filter Profile

To create a wired Filter profile, you must provide a filter name and configure at least one term. A term is a collection of one or more match conditions, and actions that the system takes when match conditions are met. A term must have at least one match condition.

Procedure

1. Click in the Network Director banner.
2. Under Views, select one of these options: Logical View, Location View, Device View or Custom Group View.

   Note: Do not select Dashboard View, Datacenter View, or Topology View.

3. From the Tasks pane, expand Wired, expand System, and then select Filter.
4. Click Add to add a new profile.

   Network Director opens the Device Family Chooser window.

5. From the Device Family Chooser, select the wired device family for which you want to create a profile. The available device families are Switching (EX), Campus Switching ELS (Enhanced Layer 2 Software), and Data Center Switching .
6. Click OK.

   The Create Filter Profile wizard for the selected device family is displayed.

7. Specify the filter settings by following these directions:
   • For EX Series switches, specify the settings as described in both the online help and in Specifying Settings for an EX Series Switch Filter Profile.
   • For Campus Switching ELS, specify the settings as described in both the online help and in Specifying Settings for a Campus Switching ELS Switch Filter Profile.
   • For Data Center Switching Non-ELS, specify the settings as described in both the online help and in Specifying Settings for Creating a Data Center Switching Non-ELS Filter Profile.
   • For Data Center Switching ELS, specify the settings as described in both the online help and in Specifying Settings for a Data Center Switching ELS Filter Profile.
8. Click Done to save the Filter profile.

   The system saves the Filter profile and displays the Manage Filter Profiles page. Your new or modified Filter profile is listed in the table of Filter profiles.

Specifying Settings for an EX Series Switch Filter Profile

A Filter profile must have at least one term in it. Each term has one filtering function. For example, if a term is evaluating the source of packets, then that term cannot also evaluate the protocols used by the packets. Some switch models do accommodate multiple terms in one filter. When you have more than one term in a filter, the ordering of the terms is important. The system evaluates multiple filter terms as follows:

• The packet is evaluated against the first term’s conditions. If the packet matches all of the conditions in that term, the action specified for that condition is taken and evaluation ends. Subsequent terms in the filter are not evaluated.
• If a packet does not match all conditions in the first term, the packet is then evaluated against the conditions in the second term. This process continues until either the packet matches all conditions in a term or there are no more terms in the filter. Whenever a match occurs, the term’s corresponding action is taken and evaluation ends—subsequent terms in the filter are not evaluated.
• If a packet passes through all the terms in the filter without a match, the packet is discarded.

Procedure

1. Specify a filter name and description for the Filter profile.
2. Select the switch filter family for which you want to create the profile:
   • If you want to create a Layer 2 based filter, select Ethernet switching.
   • If you want to create a Layer 3 based filter for IPv4, select INET.
   • If you want to create a Layer 3 based filter for IPv6, select INET6.
3. Under Terms, click Add to add one or more terms with match condition(s) for this filter.

   The Create Term window opens, displaying a section for each type of term you can create, Source and Destination Parameters, Protocols, DSCP Settings, TCP Settings, and ICMP Settings. The Action section applies to all of those types.

   Note: The order of the terms within a Filter profile configuration is important. Packets are tested against each term in the order in which terms are listed.

4. Enter a name for the filter term.
5. Specify the match condition(s) for the filter term as described in Table 118. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

   Table 118: Create Term Fields for EX Switching

   Task	Description
   Source and Destination Parameters You can specify match conditions for either packets’ origin (source) or packets’ destination, or both. You are indicating the location of the filtering here—either specifying that packets that originate at a specific place (source) will be filtered or packets destined for a specific location (destination) will be filtered. You can have multiple sources and destinations for one filter term.
   Add Source Parameters and Destination Parameters	Procedure To add source and destination parameters to the named filter term: Click Add to the right of the Destination Parameters list. The Add Source/Destination Parameter window appears. Select either Source (default) or Destination from the Add Source/Destination Parameter page. Select one of following available Parameter Types from the Add Source/Destination Parameter page and provide the corresponding information: Tip: Available parameter types vary. IP Address—also provide the IP address of the source or destination device MAC Address—also provide the MAC address of the source or destination device Port—also provide the port type of the source or destination port. Select either AFS (Andrew File System), BGP (Border Gateway Protocol), BIFF (UNIX mail notification), Bootpc (bootstrap protocol client), Bootps, Cmd, CVS pserver, DHCP, Domain, EK login, EK shell, EXEC, Finger (protocol), or FTP. Note: If you selected Port as the parameter and do not find the type of port that you want to add from the Port list, then select Other and enter a port number. Click OK The parameter term is added to the appropriate list, either Source Parameters or Destination Parameters.
   Protocols and EtherTypes For either INET family, you can apply a filter term based on protocols being used by packets. For the Ethernet-switching family, you can apply a filter term based on either the protocols being used by packets or on the EtherTypes being used by packets. EtherType indicates a protocol that is encapsulated in the payload of an Ethernet Frame. Expand the Protocols section to see the configuration.
   Add a Protocol Match Condition (Ethernet-switching family or INET family)	Procedure To add a protocol match condition to the named filter term: Expand the Protocols and EtherTypes section. Click Add under Protocols. The Select Protocols window opens, displaying a list of protocols. From the list of protocols, select one or more. The options are AH, DSTOPTS, EGP, ESP, Fragment, GRE, Hop-by-hop, ICMP, ICMP6, IPIP, IPv6, No-text-header, OSPF, PIM, Routing, RSVP, SCTP, TCP, UDP, and VRRP. Click OK. The protocols are added to the Protocols list.
   Add an EtherType Match Condition (Ethernet-switching family)	Procedure To add an EtherType match condition to the named filter Ethernet-switching family term: Expand the Protocols and EtherTypes section. Click Add under EtherTypes. The Select EtherTypes window opens, displaying a list of protocols. From the list of EtherTypes, select one or more. The options are AARP, AppleTalk, ARP, IPv4, IPv6, MPLS multicast, MPLS unicast, OAM, PPP, PPPOE discovery, PPPOE session, and SNA. Click OK. The EtherTypes are added to the EtherTypes list.
   DSCP Settings Expand this section to see the DSCP term settings. DiffServ is a simple mechanism for classifying and managing network traffic and providing quality-of-service (QoS) on IP networks. DiffServ can, for example, be used to apply low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as Web traffic. Here, you can apply a filter term based on the Differentiated Services code point (DSCP) which is a field in IPv4 and IPv6 headers. Note: With IPv6 packets, the DS field and ECN field replace the IPv4 TOS field.
   Add a DSCP Match Condition	Procedure To add a DSCP match condition to the named filter term: Note: A DSCP IP match condition and a precedence match condition cannot be both specified for the same term. Click Add in the DSCP section to see a list of match conditions. The Select DSCP list appears. Select one or more of the following DSCP types from the list: AF11—Assured forwarding class 1, low drop precedence AF12—Assured forwarding class 1, medium drop precedence AF21—Assured forwarding class 2, low drop precedence AF22—Assured forwarding class 2, medium drop precedence AF23—Assured forwarding class 2, high drop precedence AF31—Assured forwarding class 3, low drop precedence AF32—Assured forwarding class 3, medium drop precedence AF33—Assured forwarding class 3, high drop precedence AF41—Assured forwarding class 4, low drop precedence AF42—Assured forwarding class 4, medium drop precedence AF43—Assured forwarding class 4, high drop precedence BE—Best effort (default) EF-Expedited forwarding CS0—Class selector 0 CS1—Class selector 1 CS2—Class selector 2 CS3—Class selector 3 CS4—Class selector 4 CS5—Class selector 5 CS6—Class selector 6 CS7—Class selector 7 Click OK. The DSCP code term for the named filter is added to the DSCP list.
   Add a Precedence match condition	You can apply an IP precedence match condition to the named term. With IP precedence, a device prioritizes traffic by class first. Then it differentiates and prioritizes same-class traffic. Note: The two match conditions IP Precedence and DSCP cannot be simultaneously applied to a term. Procedure To apply an IP precedence value match condition to the named term: Click Add in the Precedence section. The Select Precedence list appears. Select one of the following precedence settings from the list: Routine (0 or lowest, also called Best Effort), Priority (1), Immediate (2), Flash (3, mainly used for voice signaling or for video), Flash-override (4), Critical-ECP (5, mainly used for voice RTP), Internet-control (6, used for IP routing protocols), or Net-control (7 or highest, used for link layer and routing protocol keep alive). Click OK. The precedence match condition is added to the named term, and the condition is listed in the Precedence list.
   TCP Settings Expand this section to see the TCP term settings. The Transmission Control Protocol (TCP) is the most common core protocol of the Internet protocol suite (IP). TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to the Internet or an intranet. You can use the TCP initial flag for a match condition.
   Enable TCP Initial flag match condition	Select to use the TCP initial flag for a match condition. The TCP flags option becomes unavailable as a result.
   Enable other TCP flag match conditions	If you are not using the TCP initial flag for a match condition, select one of the TCP flags from the list—RST, ACK, SYN, Urgent, Push, FIN, None. These flags have the following meaning: RST—Reset flag indicates that the TCP connection will be reset. ACK—Third step in TCP three-way handshake for connection. In response to a server’s SYN-ACK, the client replies with an ACK. SYN—First step in TCP three-way handshake for connection. The active open is performed by the client sending a SYN to the server. Urgent—If the URG flag is set, then the 16-bit field is an offset from the sequence number indicating the last urgent data byte. Push—Push flags request that buffered data to the receiving application be sent now. FIN—The final flag indicates that no more data will be sent.
   ICMP Settings Expand the ICMP Settings section to select an ICMP code value for the filter item’s match condition. The Internet Control Message Protocol (ICMP) is one of the core IP protocols used by operating systems of networked computers to send error messages. ICMP can also be used to relay query messages.
   Add an ICMP Code match condition	Procedure To apply an ICMP code match condition to the named term: Click Add in the ICMP Codes section. The Select ICMP Code list appears. Select one or more ICMP codes from the list. These codes vary, depending on the Filter Family you selected. Click OK. The ICMP code match condition is listed in the ICMP Code list and added to the named term. Note: ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify an ICMP type along with an ICMP code. The keywords are grouped by the ICMP type with which they are associated.
   Add an ICMP Type match condition	Note: ICMP type specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port. ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify an ICMP type along with the ICMP code. The keywords are grouped by the ICMP type with which they are associated. Procedure To apply an ICMP type match condition to the named term: Click Add in the ICMP Type section. The Select ICMP Type list appears. Select one or more ICMP types from the list. Options vary, depending on which Filter Family you selected. Click OK. The ICMP type match condition is listed in the ICMP Type list and is added to the named term.
   Action Select the action that the system performs on an IP packet if all match conditions that you specified above are met. Possible actions are Discard and Accept. The default action is to discard a packet that matches the filter term’s conditions.
   Action	Select either Discard or Accept to indicate what the filter term does with a packet when a match is made. Note: The remaining fields in this section are enabled only if you select Accept as the action.
   Counter Name	When Accept is the action, specify a counter name.
   Loss Priority	When Accept is the action, specify the packet loss priority, Low, High, or None. Note: Forwarding class and loss priority must be specified together for the same term.
   Policer	When you create a Filter profile, you can specify a policer action for any term or terms within the filter. Policing, or rate limiting, enables you to limit the amount of traffic that passes into or out of an interface. All traffic that matches a term that contains a policer action goes through the policer that the term references. You have two options with a policer. You can specify that an existing policer be used for the packet that matches the match condition. Or, you can create a new policer for the packet that matches the match condition. To select a policer from an existing list of policers, click Select. The Select Policer page appears. Select the policer that you want to use for the term and click OK. The system displays the selected policer in the Policer field in the Create Term page.
   	To create a new policer: Procedure Click Create. The Create Policer page appears. Type a name for the policer—you can use this policer again in the future. Select a policer type from the list, either a single-rate-two-color policer, or a three-color-policer. The type of policer that you select here affects the rest of the configurations available for the policer. If you selected a three-color-policer, then also select a rate for it, either single-rate or two-rate. Single-rate two-color—A two-color policer (sometimes called simply policer) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level. Single-Rate Three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CBS (green), exceed the CBS but not the EBS (yellow), or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet size and not according to peak arrival rate. Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and the peak information rate (PIR), along with their associated burst sizes; the CBS, and the peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on packets are arriving at rates that are below the CIR (green), exceed the CIR but not the PIR (yellow), or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet size. Note: The system displays and hides various fields in the Create Policer page depending on the type of policer that you want to create. Configure these fields for a single-rate-two-color policer: Bandwidth Limit—Specify the traffic rate in bits per second, 1000 through 102,300,000,000 (102.3g) bps. Burst Size Limit—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Action—Select either Discard or None. Loss Priority—Select either High or None. Configure these fields for a single-rate-three-color policer: Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps. Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes. Excess Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Color Mode—Select the way the preclassified packets are to be metered: Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. None—The preclassified packets are not metered. Action—Options are Discard and None. Loss Priority—Options are High and None. Configure these fields for a three-color two-rate policer: Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps. Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes. Peak Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Peak Information Rate—Specify the maximum achievable rate in bits per second. Packets that exceed the peak information rate (PIR) are marked with high packet loss priority (red). You can configure a discard action for packets that exceed the PIR. The range is 32,000 through 40,000,000,000 bps. Color Mode—Select the way the preclassified packets are to be metered: Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. None—The preclassified packets are not metered. Action—Options are Discard and None. Loss Priority—Options are High and None. Click OK. The policer is added to the list of applied policers and the list of available policers.
   Forwarding Class	When Accept is the action, specify the forwarding class (or output queue) that is to be used for the packet that matches the match condition. You can create a new forwarding class or select from a list of available forwarding classes. To select a forwarding class from an existing list of classes, click Select. The Select Forwarding Class page appears. Select the forwarding class that you want to use for the packet and click OK. The system displays the selected forwarding class in the Forwarding Class field in the Create Term page.
   	Procedure To create a new forwarding class: Click Create. The Create Forwarding Class page appears. Type a name for the forwarding class—you can use this forwarding class again in the future. Select a queue number from the list, and then click OK. The system creates a new forwarding class and displays it in the Forwarding Class field in the Create Term page.

   Click OK to save the term and return to the Create Filter Profile page.

Specifying Settings for a Campus Switching ELS Switch Filter Profile

A Filter profile must have at least one term in it. Each term has one filtering function. For example, if a term is evaluating the source of packets, then that term cannot also evaluate the protocols used by the packets. Some switch models accommodate multiple terms in one filter. When you have more than one term in a filter, the ordering of the terms is important. The system evaluates multiple filter terms as follows:

• The packet is evaluated against the first term’s conditions. If the packet matches all of the conditions in that term, the corresponding action for that condition is taken and evaluation ends. Subsequent terms in the filter are not evaluated.
• If the packet does not match all conditions in the first term, the packet is evaluated against the conditions in the second term. This process continues until either the packet matches all the conditions in one of the subsequent terms or there are no more terms in the filter. If a match is found, the action specified in the Action section of the matched term is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.
• The term conditions for protocol, EtherType, DSCP, precedence, ICMP code and ICMP type must all be either match conditions or except conditions.
• If a packet passes through all the terms in the filter without a match, the packet is discarded.

Procedure

1. Specify a filter name and description for the Filter profile.
2. Select the switch filter family for which you want to create the profile:
   • If you want to create a Layer 2 based filter, select Ethernet switching.
   • If you want to create a Layer 3 based filter for IPv4, select INET.
   • If you want to create a Layer 3 based filter for IPv6, select INET6.
3. Under Terms, click Add to add one or more terms with match condition(s) to the named filter. You need at least one term for this filter.

   The Create Term window opens.

   Note: The order of the terms within a Filter profile configuration is important. Packets are tested against each term in the order in which the terms are listed.

4. Enter a name for the filter term.
5. Specify the match condition(s) for the filter term as described in Table 119. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

   Table 119: Create Term Fields for Campus Switching ELS

   Field	Description
   Source and Destination Parameters You can specify match conditions based on the packets’ origin (source) or the packets’ destination, or both. You are indicating the location of the filtering here—either specifying that packets that originate at a specific place (source) will be filtered or packets destined for a specific location (destination) will be filtered. You can have multiple sources and destinations for one filter.
   Source Parameters and Destination Parameters	Procedure To add source and destination parameters to the named filter term: Click Add to the right of the Destination Parameters lists. The Add Source/Destination Parameter window opens. Select either Source (default) or Destination from the Add Source/Destination Parameter window. Select one of following available Parameter Types from the Add Source/Destination Parameter page and provide the corresponding information: IP Address—Provide the IP address of the source or destination device. MAC Address—Provide a MAC address. Port—Provide the port type of the source or destination port. Select either AFS (Andrew File System), BGP (Border Gateway Protocol), BIFF (UNIX mail notification), Bootpc (bootstrap protocol client), Bootps, Cmd, CVS pserver, DHCP, Domain, EK login, EK shell, EXEC, Finger protocol, FTP, FTP data, HTTP, HTTPS, Ident protocol, IMAP (Internet Message Access protocol), Kerberos-sec (Kerberos security), Klogin forwarding, Kpasswd command, KRB-prop (Kerberos database propagation), Krbupdate (Kerberos database update), Kshell (Kerberos rsh), LDAP, Login (UNIX rlogin), Mobilip-agent (Mobile IP agent), Mobilip-mn (Mobile IP MN), MSDP (Multicast Source Discovery Protocol),NetBIOS dgm, NetBIOS-ns (NetBIOS name service), NetBIOS-ssn (NetBIOS session service), NFSD, NNTP (Network News Transport Protocol), Ntalk, NTP (Network Time Protocol), POP3 (Post Office Protocol3), PPTP, Printer, RADacct (RADIUS accounting), RADIUS, RIP, RKINIT (Kerberos remote kinit), SMTP, SNMP trap, SNPP, SUNRPC, Syslog, TACACS, TACACS-ds, Talk (UNIX Talk),Telnet, TFTP, Timed (UNIX time daemon), Who (UNIX rwho), XDMCP ( X Display Manager Control Protocol ), Zephyr-clt (Zephyr serv-hm connection), Zephyr-hm (Zephyr hostmanager), Zephyr-srv (Zephyr server), or Other. Note: If you selected Port as the parameter and do not find the type of port that you want to add from the Port list, then select other and enter a port number. To select any other source/destination than the one indicated, enable Except. Tip: You cannot indicate both matching and except for a parameter. Click OK The parameter term is added to the appropriate list, either Source Parameters or Destination Parameters.
   Protocols and EtherTypes Depending on the Filter Family you selected, you can sometimes apply a filter term based on either protocols being used by packets or on EtherTypes being used by packets. Recognized protocols are listed where applicable. Recognized EtherTypes, which indicate the protocol that is encapsulated in the payload of an Ethernet Frame, are also listed where applicable.
   Protocols (apply to Ethernet and INET filter families)	Procedure To add a protocol match condition to the named filter term: Expand the Protocols and EtherTypes section. Click Add under Protocols. The Select Protocols window opens, displaying a list of protocols. From the list of protocols, select one or more. The options are AH, DSTOPTS, EGP, ESP, Fragment, GRE, Hop-by-hop, ICMP, IPIP, IPv6, No-text-header, OSPF, PIM, Routing, RSVP, SCTP, TCP, UDP, and VRRP. To make the filter exclude the specified protocol, select Except. Note: The term conditions for protocol, EtherType, DSCP, precedence, ICMP code and ICMP type must all be either match conditions or except conditions. Click OK. The protocols are added to the Protocols list.
   EtherTypes (apply to Ethernet filter family)	Procedure To add an EtherTypes match condition to the named filter term: Expand the Protocols and EtherTypes section. Click Add under EtherTypes. The Select EtherTypes window opens, displaying a list of protocols. From the list of EtherTypes, select one or more. The options are AARP, AppleTalk, ARP, IPV4, MPLS multicast, MPLS unicast, OAM, PPP, PPPOE discovery, PPPOE session, and SNA. To make the filter exclude the specified EtherType, select Except. Note: Term values must all be either match conditions or all except conditions. Click OK. The EtherTypes are added to the EtherTypes list.
   DSCP Settings Expand the DSCP section to see the DSCP match settings. DiffServ is a simple mechanism for classifying and managing network traffic and providing quality-of-service (QoS) on IP networks. DiffServ can, for example, be used to apply low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as Web traffic. Here, you can apply a filter term based on the Differentiated Services code point (DSCP) which is a field in IPv4 and IPv6 headers. Note: With IPv6 packets, the DS field and ECN field replace the IPv4 TOS field.
   DSCP (Ethernet and INET filter families)	Procedure To add a DSCP match condition to the named filter term: Note: A DSCP IP match condition and a precedence match condition cannot be both specified for the same term. Click Add in the DSCP section. The Select DSCP Match Condition list appears. Select one of the following DSCP types from the list: AF11—Assured forwarding class 1, low drop precedence AF12—Assured forwarding class 1, medium drop precedence AF21—Assured forwarding class 2, low drop precedence AF22—Assured forwarding class 2, medium drop precedence AF23—Assured forwarding class 2, high drop precedence AF31—Assured forwarding class 3, low drop precedence AF32—Assured forwarding class 3, medium drop precedence AF33—Assured forwarding class 3, high drop precedence AF41—Assured forwarding class 4, low drop precedence AF42—Assured forwarding class 4, medium drop precedence AF43—Assured forwarding class 4, high drop precedence BE—Best effort (default) EF-Expedited forwarding CS0—Class selector 0 CS1—Class selector 1 CS2—Class selector 2 CS3—Class selector 3 CS4—Class selector 4 CS5—Class selector 5 CS6—Class selector 6 CS7—Class selector 7 To make the filter exclude a specified DSCP type, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The DSCP code term for the named filter is added to the DSCP list.
   Precedence for DSCP (Ethernet and INET filter families)	You can apply an IP precedence match condition to the named term. With IP precedence, a device prioritizes traffic by class first. Then it differentiates and prioritizes same-class traffic. The match conditions IP Precedence and DSCP cannot be simultaneously applied to a term. Procedure To apply an IP precedence value match condition to the named term: Click Add in the Precedence section. The Select Precedence list appears. Select one of the following precedence settings from the list: Routine (0 or lowest, also called Best Effort), Priority (1), Immediate (2), Flash (3, mainly used for voice signaling or for video), Flash-override (4), Critical-ECP (5, mainly used for voice RTP), Internet-control (6, used for IP routing protocols), or Net-control (7 or highest, used for link layer and routing protocol keep alive). To make the filter exclude the specified IP precedence value, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The precedence match condition is added to the named term, and the condition is listed in the Precedence list.
   TCP Settings Expand this section to access the TCP settings. The Transmission Control Protocol (TCP) is the most common core protocol of the Internet protocol suite (IP). TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to the Internet or an intranet. You can use the TCP initial flag for a match condition.
   Enable TCP Initial (all families)	Select to use the TCP initial flag for an Ethernet, INET, or INET6 match condition. Tip: If you use the TCP initial flag for filtering, you cannot use any other TCP flag.
   TCP Flags	If you are not using the TCP initial flag for a match condition, you can select one of the TCP flags from the list for a match condition—RST, ACK, SYN, Urgent, Push, FIN, or None. These flags have the following meaning: RST—Reset flag indicates that the TCP connection will be reset. ACK—Third step in TCP three-way handshake for connection. In response to a server’s SYN-ACK, the client replies with an ACK. SYN—First step in TCP three-way handshake for connection. The active open is performed by the client sending a SYN to the server. Urgent—If the URG flag is set, then the 16-bit field is an offset from the sequence number indicating the last urgent data byte. Push—Push flags request that buffered data to the receiving application be sent now. FIN—The final flag indicates that no more data will be sent.
   ICMP Settings You can select the ICMP code value for the filter item’s match condition—expand this section to access the ICMP settings. The Internet Control Message Protocol (ICMP) is one of the core IP protocols used by operating systems of networked computers to send error messages. ICMP can also be used to relay query messages.
   ICMP Code	Procedure To apply an ICMP code match condition to the named term: Click Add in the ICMP Code section. The Select ICMP Code window appears. Select one or more ICMP codes from the list. These codes vary, depending on the Filter Family you selected. To make the filter exclude the specified ICMP code, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The ICMP code match condition is added to the named term, and the condition is listed in the ICMP Code list. You can now enable Except. Note: An ICMP code specifies more specific information than an ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify and ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated.
   ICMP Type	Note: ICMP type specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port. ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated. Procedure To apply an ICMP type match condition to the named term: Click Add in the ICMP Type section. The Select ICMP Types window appears. Select one or more ICMP types from the list. These types vary, depending on the Filter Family selected. To make the filter exclude the specified ICMP type, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The ICMP type match condition is added to the named term, and the condition is listed in the ICMP Type list. You can now enable Except.
   Action Select the action that the system performs on an IP packet if all match conditions that you specified above are met. Possible actions are Discard and Accept. The default action is to discard packet that matches the filter term conditions.
   Action	Select either Discard or Accept to indicate what the filter term does with a packet when a match is made. Note: All other fields in this section are enabled only if you select Accept as the action.
   Counter Name	When the action selected is accept, specify the maximum packet count for this filter, term, or policer.
   Loss Priority	When the action selected is accept, specify the packet loss priority, Low, High, Medium-low, Medium-high, or None. Note: Forwarding class and loss priority must be specified together for the same term.
   Policer	When you create a Filter profile with the action accept, you can specify a policer action for any term or terms within the filter. Policing, or rate limiting, enables you to limit the amount of traffic that passes into or out of an interface. All traffic that matches a term that contains a policer action goes through the policer that the term references. You have two options with a policer. You can specify that an existing policer be used for the packet that matches the match condition. Or, you can create a new policer for the packet that matches the match condition.
   	To select an existing policer: Procedure Click Select. The Select Policer page appears. Click OK. The policer is added to the list of applied policers.
   	To create a new policer: Procedure Click Create. The Create Policer page appears. Type a name for the policer—you can use this policer again in the future. Select a policer type from the list, either a single-rate-two-color policer, or a three-color-policer. The type of policer that you select here affects the rest of the configurations available for the policer. If you selected a three-color-policer, then also select a rate for it, either single-rate or two-rate. Single-rate two-color—A two-color policer (sometimes called simply policer) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level. Single-Rate Three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CBS (green), exceed the CBS but not the EBS (yellow), or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet size and not according to peak arrival rate. Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and the peak information rate (PIR), along with their associated burst sizes; the CBS, and the peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on packets are arriving at rates that are below the CIR (green), exceed the CIR but not the PIR (yellow), or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet size. Note: The system displays and hides various fields in the Create Policer page depending on the type of policer that you want to create. Configure these fields for a single-rate-two-color policer: Bandwidth Limit—Specify the traffic rate in bits per second, 1000 through 102,300,000,000 (102.3g) bps. Burst Size Limit—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Action—Select either Discard or None. Loss Priority—Select either High or None. Configure these fields for a single-rate-three-color policer: Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps. Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes. Excess Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Color Mode—Select the way the preclassified packets are to be metered: Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. None—The preclassified packets are not metered. Action—Options are Discard and None. Loss Priority—Options are High and None. Configure these fields for a three-color two-rate policer: Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps. Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes. Peak Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Peak Information Rate—Specify the maximum achievable rate in bits per second. Packets that exceed the peak information rate (PIR) are marked with high packet loss priority (red). You can configure a discard action for packets that exceed the PIR. The range is 32,000 through 40,000,000,000 bps. Color Mode—Select the way the preclassified packets are to be metered: Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. None—The preclassified packets are not metered. Action—Options are Discard and None. Loss Priority—Options are High and None. Click OK. The policer is added to the list of applied policers and the list of available policers.
   Forwarding Class	Specify the forwarding class (or output queue) that is to be used for the packet that matches the match condition. You can either select from a list of available forwarding classes or create a new forwarding class. To select a forwarding class from an existing list of classes, click Select. The Select Forwarding Class page appears. Select the forwarding class that you want to use for the packet and click OK. The system displays the selected forwarding class in the Forwarding Class field in the Create Term page.
   	Procedure To create a new forwarding class: Click Create. The Create Forwarding Class page appears. Type a name for the forwarding class—you can use this forwarding class again in the future. Select a queue number from the list, and then click OK. The system creates a new forwarding class and displays it in the Forwarding Class field in the Create Term page.

6. Click OK to save the term and return to the Create Filter Profile page.
7. Click Done.

   The new filter is added to the Manage Filter Profile list.

Specifying Settings for Creating a Data Center Switching Non-ELS Filter Profile

A Filter profile must have at least one term in it. Each term has one filtering function. For example, if a term is evaluating the source of packets, then that term cannot also evaluate the protocols used by the packets. Some switch models accommodate multiple terms in one filter. When you have more than one term in a filter, the ordering of the terms is important. The system evaluates multiple filter terms as follows:

• The packet is evaluated against the first term’s conditions. If the packet matches all of the conditions in that term, the action specified for that condition is taken and evaluation ends. Subsequent terms in the filter are not evaluated.
• If the packet does not match all conditions in the first term, the packet is evaluated against the conditions in the second term. This process continues until either the packet matches all the conditions in one of the subsequent terms or there are no more terms in the filter. If a match is found, the action specified in the Action section of the matched term is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.
• Term values (protocol, EtherType, DSCP, precedence, ICMP code and ICMP type) must all be either match conditions or all of them need to be except conditions.
• If a packet passes through all the terms in the filter without a match, the packet is discarded.

Procedure

1. Specify a filter name and description for the Filter profile.
2. Select the switch filter family for which you want to create the profile:
   • If you want to create a Layer 2 based filter, select Ethernet switching.
   • If you want to create a Layer 3 based filter for IPv4, select INET.
   • If you want to create a Layer 3 based filter for IPv6, select INET6.
3. Under Terms, click Add to add one or more terms with match condition(s) to the named filter.

   The Create Term window opens.

   Note: The order of the terms within a Filter profile configuration is important. Packets are tested against each term in the order in which the terms are listed.

4. Enter a name for the filter term.
5. Specify the match condition(s) for the filter term as described in Table 120. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

   Table 120: Create Term Fields for Data Center Switching Non-ELS

   Field	Description
   Source and Destination Parameters You can specify match conditions for either the packets’ origin (source) or the packets’ destination, or both. You are indicating the location of the filtering here—either specifying that packets that originate at a specific place (source) will be filtered or packets destined for a specific location (destination) will be filtered. You can have multiple sources and destinations for one filter.
   Source Parameters and Destination Parameters	Procedure To add source and destination parameters to the named filter term: Click Add to the right of the Destination Parameters lists. The Add Source/Destination Parameter page appears. Select either Source (default) or Destination from the Add Source/Destination Parameter page. Select one of following available Parameter Types from the Add Source/Destination Parameter page and provide the corresponding information: IP Address—Provide the IP address of the source or destination device MAC Address—MAC address of the source or destination device Port—Port type of the source or destination port. Select either AFS (Andrew File System), BGP (Border Gateway Protocol), BIFF (UNIX mail notification), Bootpc (bootstrap protocol client), Bootps, Cmd, CVS pserver, DHCP, Domain, EK login, EK shell, EXEC, Finger (protocol), or FTP. Note: If you selected Port as the parameter and do not find the type of port that you want to add from the Port list, then select other and enter a port number. Click OK The parameter term is added to the appropriate list, either Source Parameters or Destination Parameters.
   Protocols and EtherTypes You can apply a filter term that is based on either the protocols being used by packets or on the EtherTypes being used by packets. Protocols such as AH, DSTOPTS, EGP, ESP, FRAGMENT, GRE, HOP-BY-HOP, ICMP, ICMP6, IPIP, IPv6, no-text-header, OSPF, PIM, ROUTING, RSVP, SCTP, TCP, UDP, and VRRP are recognized. EtherType indicates the protocol that is encapsulated in the payload of an Ethernet Frame.
   Protocols	Procedure To add a protocol match condition to the named filter term: Expand the Protocols and EtherTypes section. Click Add under Protocols. The Select Protocols window opens, displaying a list of protocols. From the list of protocols, select one or more. The options are AH, DSTOPTS, EGP, ESP, fragment, GRE, Hop-by-hop, ICMP, IPIP, IPv6, No-text-header, OSPF, PIM, routing, RSVP, SCTP, TCP, UDP, and VRRP. Click OK. The protocols are added to the Protocols list.
   EtherTypes	Procedure To add an EtherTypes match condition to the named filter term: Expand the Protocols and EtherTypes section. Click Add under EtherTypes. The Select EtherTypes window opens, displaying a list of protocols. From the list of EtherTypes, select one or more. The options are AARP, AppleTalk, ARP, IPV4, FCOE, FIP, MPLS multicast, MPLS unicast, OAM, PPP, PPPOE discovery, PPPOE session, SNA, and VLAN. Click OK. The protocols are added to the Protocols list.
   DSCP Settings DiffServ is a simple mechanism for classifying and managing network traffic and providing quality-of-service (QoS) on IP networks. DiffServ can, for example, be used to apply low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as Web traffic. Here, you can apply a filter term based on the Differentiated Services code point (DSCP) which is a field in IPv4 and IPv6 headers. Note: With IPv6 packets, the DS field and ECN field replace the IPv4 TOS field.
   DSCP	Procedure To add a DSCP match condition to the named filter term: Note: A DSCP IP match condition and a precedence match condition cannot be both specified for the same term. Expand the DSCP Settings section. Click Add in the DSCP section. The Select DSCP Match Condition list appears. Select one of the following DSCP types from the list: AF11—Assured forwarding class 1, low drop precedence AF12—Assured forwarding class 1, medium drop precedence AF21—Assured forwarding class 2, low drop precedence AF22—Assured forwarding class 2, medium drop precedence AF23—Assured forwarding class 2, high drop precedence AF31—Assured forwarding class 3, low drop precedence AF32—Assured forwarding class 3, medium drop precedence AF33—Assured forwarding class 3, high drop precedence AF41—Assured forwarding class 4, low drop precedence AF42—Assured forwarding class 4, medium drop precedence AF43—Assured forwarding class 4, high drop precedence BE—Best effort (default) EF-Expedited forwarding CS0—Class selector 0 CS1—Class selector 1 CS2—Class selector 2 CS3—Class selector 3 CS4—Class selector 4 CS5—Class selector 5 CS6—Class selector 6 CS7—Class selector 7 Click OK. The DSCP code term for the named filter is added to the DSCP list.
   Precedence	You can apply an IP precedence match condition to the named term. With IP precedence, a device prioritizes traffic by class first. Then it differentiates and prioritizes same-class traffic. Note: The match conditions IP Precedence and DSCP cannot be simultaneously applied to a term. Procedure To apply an IP precedence value match condition to the named term: Expand the DSCP Settings section. Click Add in the Precedence section. The Select Precedence list appears. Select one of the following precedence settings from the list: Routine (0 or lowest, also called Best Effort), Priority (1), Immediate (2), Flash (3, mainly used for voice signaling or for video), Flash-override (4), Critical-ECP (5, mainly used for voice RTP), Internet-control (6, used for IP routing protocols), or Net-control (7 or highest, used for link layer and routing protocol keep alive). Click OK. The precedence match condition is added to the named term, and the condition is listed in the Precedence list.
   TCP Settings The Transmission Control Protocol (TCP) is the most common core protocol of the Internet protocol suite (IP). TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to the Internet or an intranet. You can use the TCP initial flag for a match condition.
   Enable TCP Initial	Select to use the TCP initial flag for a match condition.
   TCP Flags	If you are not using the TCP initial flag for a match condition, select one of the TCP flags from the list—RST, ACK, SYN, Urgent, Push, Fin, None. These flags have the following meaning: RST—Reset flag indicates that the TCP connection will be reset. ACK—Third step in TCP three-way handshake for connection. In response to a server’s SYN-ACK, the client replies with an ACK. SYN—First step in TCP three-way handshake for connection. The active open is performed by the client sending a SYN to the server. Urgent—If the URG flag is set, then the 16-bit field is an offset from the sequence number indicating the last urgent data byte. Push—Push flags request that buffered data to the receiving application be sent now. FIN—The final flag indicates that no more data will be sent.
   ICMP Settings You can select the ICMP code value for the filter item’s match condition. The Internet Control Message Protocol (ICMP) is one of the core IP protocols used by operating systems of networked computers to send error messages. ICMP can also be used to relay query messages.
   ICMP Code	Procedure To apply an ICMP code match condition to the named term: Expand the ICMP Settings section. Click Add in the ICMP Codes section. The Select ICMP Codes list appears. Select one or more ICMP codes from the list. These codes vary, depending on the Filter Family you selected. Click OK. The ICMP code match condition is added to the named term, and the condition is listed in the ICMP Code list. Note: ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated.
   ICMP Type	Note: ICMP type specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port. ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify an ICMP type along with the ICMP code. The keywords are grouped by the ICMP type with which they are associated. Procedure To apply an ICMP type match condition to the named term: Expand the ICMP Settings section. Click Add in the ICMP Type section. The Select ICMP Types list appears. Select one or more ICMP types from the list: echo-reply, echo-request, info-reply, info-request, mask-reply, mask-request, parameter-problem, redirect, router-advertisement, router-solicit, source-quench, time-exceeded, timestamp, timestamp-reply, or unreachable. Click OK. The ICMP type match condition is added to the named term, and the condition is listed in the ICMP Type list.
   QFabric Settings These settings apply only when the profile is applied to a QFabric device.
   Enable-from-fabric	Select to create a match condition that matches packets coming from the fabric.
   Enable-to-fabric	Select to create a match condition that matches packets going to the fabric.
   except	Select to create a match condition that matches all packets that are not going to the fabric.
   Action Select the action that the system performs on an IP packet if all match conditions that you specified above are met. Possible actions are Discard and Accept. The default action is to discard packet that match the filter term’s conditions.
   Action	Select either Discard or Accept to indicate what the filter term does with a packet when a match is made. Note: All other fields in this section are enabled only if you select Accept as the action.
   Counter Name	Specify the maximum packet count for this filter, term, or policer.
   Loss Priority	Specify the packet loss priority, low, high, or none. Note: Forwarding class and loss priority must be specified together for the same term.
   Policer	When you create a Filter profile, you can specify a policer action for any term or terms within the filter. Policing, or rate limiting, enables you to limit the amount of traffic that passes into or out of an interface. All traffic that matches a term that contains a policer action goes through the policer that the term references. You have two options with a policer. You can specify that an existing policer be used for the packet that matches the match condition. Or, you can create a new policer for the packet that matches the match condition. To select a policer from an existing list of policers, click Select. The Select Policer page appears. Select the policer that you want to use for the term and click OK. The system displays the selected policer in the Policer field in the Create Term page. To create a new policer: Procedure Click Create. The Create Policer page appears. Type a name for the policer—you can use this policer again in the future. Select a policer type from the list, either a single-rate-two-color policer, a single-rate-three-color policer, or a three-color-policer. and then click OK. The type of policer that you select here affects the rest of the configurations available for the policer. You can create the following three type of policers: Single-rate two-color—A two-color policer (sometimes called simply policer) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level. Single-rate three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CBS (green), exceed the CBS but not the EBS (yellow), or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet size and not according to peak arrival rate. Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and the peak information rate (PIR), along with their associated burst sizes; the CBS, and the peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on packets are arriving at rates that are below the CIR (green), exceed the CIR but not the PIR (yellow), or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet size. Note: The system displays and hides various fields in the Create Policer page depending on the type of policer that you want to create. Configure the appropriate fields for the policer: Bandwidth Limit—Specify the traffic rate in bits per second, 1000 through 102,300,000,000 (102.3g) bps. Burst Size Limit—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps. Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes. Peak Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Excess Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Peak Information Rate—Specify the maximum achievable rate in bits per second. Packets that exceed the peak information rate (PIR) are marked with high packet loss priority (red). You can configure a discard action for packets that exceed the PIR. The range is 32,000 through 40,000,000,000 bps Color Mode—Select the way the preclassified packets are to be metered: Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. None—The preclassified packets are not metered. Click OK. The policer is added to the list of applied policers and the list of available policers.
   Forwarding Class	Specify the forwarding class (or output queue) that is to be used for the packet that matches the match condition. You can create a new forwarding class or select from a list of available forwarding classes. To select a forwarding class from an existing list of classes, click Select. The Select Forwarding Class page appears. Select the forwarding class that you want to use for the packet and click OK. The system displays the selected forwarding class in the Forwarding Class field in the Create Term page.
   	Procedure To create a new forwarding class: Click Create. The Create Forwarding Class page appears. Type a name for the forwarding class—you can use this forwarding class again in the future. Select a queue number from the list, and then click OK. The system creates a new forwarding class and displays it in the Forwarding Class field in the Create Term page.

   Click OK to save the term and return to the Create Filter Profile page.

Specifying Settings for a Data Center Switching ELS Filter Profile

A Filter profile must have at least one term in it. Each term has one filtering function. For example, if a term is evaluating the source of packets, then that term cannot also evaluate the protocols used by the packets. Some switch models accommodate multiple terms in one filter. When you have more than one term in a filter, the ordering of the terms is important. The system evaluates multiple filter terms as follows:

• The packet is evaluated against the first term’s conditions. If the packet matches all of the conditions in that term, the corresponding action for that condition is taken and evaluation ends. Subsequent terms in the filter are not evaluated.
• If the packet does not match all conditions in the first term, the packet is evaluated against the conditions in the second term. This process continues until either the packet matches all the conditions in one of the subsequent terms or there are no more terms in the filter. If a match is found, the action specified in the Action section of the matched term is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.
• The term conditions for protocol, EtherType, DSCP, precedence, ICMP code and ICMP type must all be either match conditions or except conditions.
• If a packet passes through all the terms in the filter without a match, the packet is discarded.

Procedure

1. Specify a filter name and description for the Filter profile.
2. Select the switch filter family for which you want to create the profile:
   • If you want to create a Layer 2 based filter, select Switching.
   • If you want to create a Layer 3 based filter for IPv4, select INET.
   • If you want to create a Layer 3 based filter for IPv6, select INET6.
3. Under Terms, click Add to add one or more terms with match condition(s) to the named filter. You need at least one term for this filter.

   The Create Term window opens.

   Note: The order of the terms within a Filter profile configuration is important. Packets are tested against each term in the order in which the terms are listed.

4. Enter a name for the filter term.
5. Specify the match condition(s) for the filter term as described in Table 121. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

   Table 121: Create Term Fields for Data Center Switching ELS

   Field	Description
   Source and Destination Parameters You can specify match conditions based on the packets’ origin (source) or the packets’ destination, or both. You are indicating the location of the filtering here—either specifying that packets that originate at a specific place (source) will be filtered or packets destined for a specific location (destination) will be filtered. You can have multiple sources and destinations for one filter.
   Source Parameters and Destination Parameters	Procedure To add source and destination parameters to the named filter term: Click Add to the right of the Destination Parameters lists. The Add Source/Destination Parameter window opens. Select either Source (default) or Destination from the Add Source/Destination Parameter window. Select one of following available Parameter Types from the Add Source/Destination Parameter page and provide the corresponding information: IP Address—Provide the IP address of the source or destination device. MAC Address—Provide a MAC address. Port—Provide the port type of the source or destination port. Select either AFS (Andrew File System), BGP (Border Gateway Protocol), BIFF (UNIX mail notification), Bootpc (bootstrap protocol client), Bootps, Cmd, CVS pserver, DHCP, Domain, EK login, EK shell, EXEC, Finger protocol, FTP, FTP data, HTTP, HTTPS, Ident protocol, IMAP (Internet Message Access protocol), Kerberos-sec (Kerberos security), Klogin forwarding, Kpasswd command, KRB-prop (Kerberos database propagation), Krbupdate (Kerberos database update), Kshell (Kerberos rsh), LDAP, Login (UNIX rlogin), Mobilip-agent (Mobile IP agent), Mobilip-mn (Mobile IP MN), MSDP (Multicast Source Discovery Protocol),NetBIOS dgm, NetBIOS-ns (NetBIOS name service), NetBIOS-ssn (NetBIOS session service), NFSD, NNTP (Network News Transport Protocol), Ntalk, NTP (Network Time Protocol), POP3 (Post Office Protocol3), PPTP, Printer, RADacct (RADIUS accounting), RADIUS, RIP, RKINIT (Kerberos remote kinit), SMTP, SNMP trap, SNPP, SUNRPC, Syslog, TACACS, TACACS-ds, Talk (UNIX Talk),Telnet, TFTP, Timed (UNIX time daemon), Who (UNIX rwho), XDMCP ( X Display Manager Control Protocol ), Zephyr-clt (Zephyr serv-hm connection), Zephyr-hm (Zephyr hostmanager), Zephyr-srv (Zephyr server), or Other. Note: If you selected Port as the parameter and do not find the type of port that you want to add from the Port list, then select other and enter a port number. To select any other source/destination than the one indicated, enable Except. Tip: You cannot indicate both matching and except for a parameter. Click OK The parameter term is added to the appropriate list, either Source Parameters or Destination Parameters.
   Protocols and EtherTypes Depending on the Filter Family you selected, you can sometimes apply a filter term based on either protocols being used by packets or on EtherTypes being used by packets. Recognized protocols are listed where applicable. Recognized EtherTypes, which indicate the protocol that is encapsulated in the payload of an Ethernet Frame, are also listed where applicable.
   Protocols (apply to Ethernet and INET filter families)	Procedure To add a protocol match condition to the named filter term: Expand the Protocols and EtherTypes section. Click Add under Protocols. The Select Protocols window opens, displaying a list of protocols. From the list of protocols, select one or more. The options are AH, DSTOPTS, EGP, ESP, Fragment, GRE, Hop-by-hop, ICMP, IPIP, IPv6, No-text-header, OSPF, PIM, Routing, RSVP, SCTP, TCP, UDP, and VRRP. To make the filter exclude the specified protocol, select Except. Note: The term conditions for protocol, EtherType, DSCP, precedence, ICMP code and ICMP type must all be either match conditions or except conditions. Click OK. The protocols are added to the Protocols list.
   EtherTypes (apply to Ethernet filter family)	Procedure To add an EtherTypes match condition to the named filter term: Expand the Protocols and EtherTypes section. Click Add under EtherTypes. The Select EtherTypes window opens, displaying a list of protocols. From the list of EtherTypes, select one or more. The options are AARP, AppleTalk, ARP, FCoE, FIP, IPV4, MPLS multicast, MPLS unicast, OAM, PPP, PPPOE discovery, PPPOE session, and SNA. To make the filter exclude the specified EtherType, select Except. Note: Term values must all be either match conditions or all except conditions. Click OK. The EtherTypes are added to the EtherTypes list.
   DSCP Settings Expand the DSCP section to see the DSCP match settings. DiffServ is a simple mechanism for classifying and managing network traffic and providing quality-of-service (QoS) on IP networks. DiffServ can, for example, be used to apply low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as Web traffic. Here, you can apply a filter term based on the Differentiated Services code point (DSCP) which is a field in IPv4 and IPv6 headers. Note: With IPv6 packets, the DS field and ECN field replace the IPv4 TOS field.
   DSCP (Ethernet and INET filter families)	Procedure To add a DSCP match condition to the named filter term: Note: A DSCP IP match condition and a precedence match condition cannot be both specified for the same term. Click Add in the DSCP section. The Select DSCP Match Condition list appears. Select one of the following DSCP types from the list: AF11—Assured forwarding class 1, low drop precedence AF12—Assured forwarding class 1, medium drop precedence AF21—Assured forwarding class 2, low drop precedence AF22—Assured forwarding class 2, medium drop precedence AF23—Assured forwarding class 2, high drop precedence AF31—Assured forwarding class 3, low drop precedence AF32—Assured forwarding class 3, medium drop precedence AF33—Assured forwarding class 3, high drop precedence AF41—Assured forwarding class 4, low drop precedence AF42—Assured forwarding class 4, medium drop precedence AF43—Assured forwarding class 4, high drop precedence BE—Best effort (default) EF-Expedited forwarding CS0—Class selector 0 CS1—Class selector 1 CS2—Class selector 2 CS3—Class selector 3 CS4—Class selector 4 CS5—Class selector 5 CS6—Class selector 6 CS7—Class selector 7 To make the filter exclude a specified DSCP type, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The DSCP code term for the named filter is added to the DSCP list.
   Precedence for DSCP (Ethernet and INET filter families)	You can apply an IP precedence match condition to the named term. With IP precedence, a device prioritizes traffic by class first. Then it differentiates and prioritizes same-class traffic. The match conditions IP Precedence and DSCP cannot be simultaneously applied to a term. Procedure To apply an IP precedence value match condition to the named term: Click Add in the Precedence section. The Select Precedence list appears. Select one of the following precedence settings from the list: Routine (0 or lowest, also called Best Effort), Priority (1), Immediate (2), Flash (3, mainly used for voice signaling or for video), Flash-override (4), Critical-ECP (5, mainly used for voice RTP), Internet-control (6, used for IP routing protocols), or Net-control (7 or highest, used for link layer and routing protocol keep alive). To make the filter exclude the specified IP precedence value, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The precedence match condition is added to the named term, and the condition is listed in the Precedence list.
   TCP Settings Expand this section to access the TCP settings. The Transmission Control Protocol (TCP) is the most common core protocol of the Internet protocol suite (IP). TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to the Internet or an intranet. You can use the TCP initial flag for a match condition.
   Enable TCP Initial (all families)	Select to use the TCP initial flag for an Ethernet, INET, or INET6 match condition. Tip: If you use the TCP initial flag for filtering, you cannot use any other TCP flag.
   TCP Flags	If you are not using the TCP initial flag for a match condition, you can select one of the TCP flags from the list for a match condition—RST, ACK, SYN, Urgent, Push, FIN, or None. These flags have the following meaning: RST—Reset flag indicates that the TCP connection will be reset. ACK—Third step in TCP three-way handshake for connection. In response to a server’s SYN-ACK, the client replies with an ACK. SYN—First step in TCP three-way handshake for connection. The active open is performed by the client sending a SYN to the server. Urgent—If the URG flag is set, then the 16-bit field is an offset from the sequence number indicating the last urgent data byte. Push—Push flags request that buffered data to the receiving application be sent now. FIN—The final flag indicates that no more data will be sent.
   ICMP Settings You can select the ICMP code value for the filter item’s match condition—expand this section to access the ICMP settings. The Internet Control Message Protocol (ICMP) is one of the core IP protocols used by operating systems of networked computers to send error messages. ICMP can also be used to relay query messages.
   ICMP Code	Procedure To apply an ICMP code match condition to the named term: Click Add in the ICMP Code section. The Select ICMP Code window appears. Select one or more ICMP codes from the list. These codes vary, depending on the Filter Family you selected. To make the filter exclude the specified ICMP code, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The ICMP code match condition is added to the named term, and the condition is listed in the ICMP Code list. Note: An ICMP code specifies more specific information than an ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify and ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated.
   ICMP Type	Note: ICMP type specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port. ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated. Procedure To apply an ICMP type match condition to the named term: Click Add in the ICMP Type section. The Select ICMP Types window appears. Select one or more ICMP types from the list. These types vary, depending on the Filter Family selected. To make the filter exclude the specified ICMP type, select Except. Note: Term values must all be either match conditions or all of them need to be except conditions. Click OK. The ICMP type match condition is added to the named term, and the condition is listed in the ICMP Type list.
   Action Select the action that the system performs on an IP packet if all match conditions that you specified above are met. Possible actions are Discard and Accept. The default action is to discard packet that matches the filter term conditions.
   Action	Select either Discard or Accept to indicate what the filter term does with a packet when a match is made. Note: All other fields in this section are enabled only if you select Accept as the action.
   Counter Name	When the action selected is accept, specify the maximum packet count for this filter, term, or policer.
   Loss Priority	When the action selected is accept, specify the packet loss priority, Low, High, Medium-low, Medium-high, or None. Note: Forwarding class and loss priority must be specified together for the same term.
   Policer	When you create a Filter profile with the action accept, you can specify a policer action for any term or terms within the filter. Policing, or rate limiting, enables you to limit the amount of traffic that passes into or out of an interface. All traffic that matches a term that contains a policer action goes through the policer that the term references. You have two options with a policer. You can specify that an existing policer be used for the packet that matches the match condition. Or, you can create a new policer for the packet that matches the match condition.
   	To select an existing policer: Procedure Click Select. The Select Policer page appears. Click OK. The policer is added to the list of applied policers.
   	To create a new policer: Procedure Click Create. The Create Policer page appears. Type a name for the policer—you can use this policer again in the future. Select a policer type from the list, either a single-rate-two-color policer, or a three-color-policer. The type of policer that you select here affects the rest of the configurations available for the policer. If you selected a three-color-policer, then also select a rate for it, either single-rate or two-rate. Single-rate two-color—A two-color policer (sometimes called simply policer) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level. Single-Rate Three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CBS (green), exceed the CBS but not the EBS (yellow), or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet size and not according to peak arrival rate. Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and the peak information rate (PIR), along with their associated burst sizes; the CBS, and the peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on packets are arriving at rates that are below the CIR (green), exceed the CIR but not the PIR (yellow), or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet size. Note: The system displays and hides various fields in the Create Policer page depending on the type of policer that you want to create. Configure these fields for a single-rate-two-color policer: Bandwidth Limit—Specify the traffic rate in bits per second, 8000 through 50,000,000,000 bps. Burst Size Limit—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1 through 2,147,450,880 bytes. Action—The default action is Discard. Loss Priority—Not available. Configure these fields for a single-rate-three-color policer: Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bps. Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes. Excess Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Color Mode—Select the way the preclassified packets are to be metered: Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. None—The preclassified packets are not metered. Action—Options are Discard and None. Loss Priority—Options are High and None. Configure these fields for a three-color two-rate policer: Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bps. Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes. Peak Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes. Peak Information Rate—Specify the maximum achievable rate in bits per second. Packets that exceed the peak information rate (PIR) are marked with high packet loss priority (red). You can configure a discard action for packets that exceed the PIR. The range is 1500 through 100,000,000,000 bps. Color Mode—Select the way the preclassified packets are to be metered: Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. None—The preclassified packets are not metered. Action—Options are Discard and None. Loss Priority—Options are High and None. Click OK. The policer is added to the list of applied policers and the list of available policers.
   Forwarding Class	Specify the forwarding class (or output queue) that is to be used for the packet that matches the match condition. You can either select from a list of available forwarding classes or create a new forwarding class. To select a forwarding class from an existing list of classes, click Select. The Select Forwarding Class page appears. Select the forwarding class that you want to use for the packet and click OK. The system displays the selected forwarding class in the Forwarding Class field in the Create Term page.
   	Procedure To create a new forwarding class: Click Create. The Create Forwarding Class page appears. Type a name for the forwarding class—you can use this forwarding class again in the future. Select a queue number from the list, and then click OK. The system creates a new forwarding class and displays it in the Forwarding Class field in the Create Term page.

6. Click OK to save the term and return to the Create Filter Profile page.
7. Click Done.

   The new filter is added to the Manage Filter Profile list.

What to Do Next

• Link the Filter profile as ingress and egress filters to a Port profile. For more information, see Creating and Managing Port Profiles.
• Link the Filter profile as ingress and egress filters to a VLAN profile. For more information, see Creating and Managing VLAN Profiles. You can then assign the VLAN profile to a device or port in case of switching devices and to a device, port, or access point in case of a wireless network.

Related Documentation

• Understanding Filter Profiles
• Creating and Managing Wireless Filter Profiles
• Network Director Documentation home page