Firewall Filter Match Conditions for Protocol-Independent Traffic in Dynamic Service Profiles

forwarding-class class

Match the forwarding class of the packet.

Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.

forwarding-class-except class

Do not match on the forwarding class. For details, see the forwarding-class match condition.

loss-priority level

Match the packet loss priority (PLP) level.

Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

loss-priority-except level

Do not match the PLP level. For details, see the loss-priority match condition.

packet-length bytes

Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

packet-length-except bytes

Do not match on the received packet length, in bytes. For details, see the packet-length match type.

service-filter-hit

(Only if the service-filter-hit flag is marked by a previous filter in the current type of chained filters) Direct the packet to the next type of filters.

Indicate to subsequent filters in the chain that the packet was already processed. This match option, coupled with the service-filter-hit nonterminating action, helps to streamline filter processing.