Avoiding Conflicts When Terms Match

A fast update filter can contain multiple terms, each with a variety of match conditions. However, when you configure multiple terms in a filter, you must ensure that the terms do not overlap, or conflict with each other. Two terms are considered to overlap when it is possible for a packet to match all conditions of both terms. Because each term specifies a different action for matches, the router cannot determine which action to take. When terms overlap, a conflict error occurs and the session fails when the dynamic profile attempts to apply the filter. The error log indicates the overlapping terms.

How the Router Evaluates Terms in a Filter

The router creates a table of match conditions when examining terms. The table, which is similar to a routing table, is based on the conditions included in the match-order statement. When the router receives a packet, the router examines the packet’s contents in the sequence specified in the match-order statement.

For example, using the sample configuration in the following Match-Order Example, the router first examines the packet’s source-address, then the destination-address, and finally the destination-port. As shown in the following table, the two terms in the filter do not overlap because each term has a different destination-port specification. The router then takes the appropriate filter action for the term that matches the destination-port value of the packet.

Using Implied Wildcards

This section shows an example of how you might use an implied wildcard specification in the match configuration. A condition in the match-order statement is an implied wildcard when that condition is not configured in the from specification of a term in the filter.

Note: When you use ranges (for example, a range of values or a wildcard) in terms, the ranges must not overlap—overlapping ranges create a conflict error. However, you can configure a range in one term and an exact match in another term. For example, in the following filter table, the wildcard destination port value in term t3 does not overlap the destination port specifications in terms t55 and t999 because the http and https values are exact matches.

In the Implied Wildcard Example configuration, the router views the destination-port condition in the match-order statement as an implied wildcard for term t3, because there is no destination-port value configured in that term. As a result, the wildcard specifies that for term t3 any destination-port value is accepted. The filter table appears as follows:

In the following filter configuration, traffic with a destination port of http matches term t55 and traffic with a destination port of https matches term t999. Traffic with a destination port other than http or https matches term t3, which is the implied wildcard.

Conflict Caused by Overlapping Ranges

This section shows two examples of overlapping ranges in terms. When you use ranges (such as a wildcard or a range of values) in terms, the ranges must not overlap—overlapping ranges create a conflict error and the session fails.

In the following filter configuration, the destination-port ranges in the two terms overlap. Ports in the range from 50 through 80 match both term src0 and term src1, which each specify different actions to take.

Note: You can configure a range in one term and an exact match in another term. See the section, Using Implied Wildcards, for an example that uses a wildcard for a match condition in one term and an exact match for the condition in a second term.

In this filter configuration, the protocol specification in terms src21 and src22 use the implied wildcard, which configures a range for each term. Because overlapping ranges are not allowed, a conflict error results.