Creating and Managing Wired Filter Profiles
Filter profiles are sets of rules that determine whether to accept or discard packets transiting a switch.
Use the Manage Filter Profiles page to create new wired Filter profiles and manage existing Filter profiles.
Managing Wired Filter Profiles
From the Manage Filter Profiles page, you can:
Create a new wired Filter profile by clicking Add. For directions, see Creating a Wired Filter Profile.
Modify an existing wired Filter profile by selecting it and clicking Edit.
View information about a wired Filter profile, including the associated interfaces, by either clicking the profile name or by selecting the profile and clicking Details.
Delete a wired Filter profile by selecting the profile and clicking Delete.
Tip: You cannot delete profiles that are in use—that is, profiles assigned to objects or used by other profiles. To see the current assignments for a profile, select the profile and click Details.
Clone a wired Filter profile by selecting a profile and clicking Clone.
Table 1 describes the information provided about wired Filter profiles on the Manage Filter Profiles page. This page lists all Filter profiles defined for your network, regardless of the scope you selected in the network view.
| Field | Description |
|---|---|
| Profile Name | Name given to the profile when the profile was created. |
| Family Type | The device family on which the profile was created: Switching (EX) or Campus Switching ELS. |
| Description | Description of the profile entered when the profile was created. Tip: To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it. |
| Creation Time | Date and time when the profile was created. |
| Last Updated Time | Date and time when the profile was last modified. |
| User Name | The username of the user who created or modified the profile. |
All columns might not be displayed. To show or hide fields in the table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.
Creating a Wired Filter Profile
To create a wired Filter profile, you must provide a filter name and configure at least one term. A term is a collection of one or more match conditions, and actions that the system takes when match conditions are met. A term must have at least one match condition.
To create a wired Filter profile:
- Click in the Network Director banner.
- Under Views, select one of these options: Logical View, Location View, Device View, or Custom Group View.
Tip: Do not select Dashboard View or Topology View.
- From the Tasks pane, expand Wired, expand System, and then select Filter.
- Click Add to add a new profile.
Network Director opens the Device Family Chooser window.
- From the Device Family Chooser, select the wired device family for which you want to create a profile. The available device families are Switching (EX), Campus Switching ELS (Enhanced Layer 2 Software), and Data Center Switching.
- Click OK.
The Create Filter Profile wizard for the selected device family is displayed.
- Specify the filter settings by following these directions:
For EX Series switches, specify the settings as described in both the online help and in Specifying Settings for an EX Series Switch Filter Profile.
For Campus Switching ELS, specify the settings as described in both the online help and in Specifying Settings for a Campus Switching ELS Switch Filter Profile.
- Click Done to save the Filter profile.
The system saves the Filter profile and displays the Manage Filter Profiles page. Your new or modified Filter profile is listed in the table of Filter profiles.
Specifying Settings for an EX Series Switch Filter Profile
A Filter profile must have at least one term in it. Each term has one filtering function. For example, if a term is evaluating the source of packets, then that term cannot also evaluate the protocols used by the packets. Some switch models do accommodate multiple terms in one filter. When you have more than one term in a filter, the ordering of the terms is important. The system evaluates multiple filter terms as follows:
The packet is evaluated against the first term’s conditions. If the packet matches all of the conditions in that term, the action specified for that condition is taken and evaluation ends. Subsequent terms in the filter are not evaluated.
If a packet does not match all conditions in the first term, the packet is then evaluated against the conditions in the second term. This process continues until either the packet matches all conditions in a term or there are no more terms in the filter. Whenever a match occurs, the term’s corresponding action is taken and evaluation ends—subsequent terms in the filter are not evaluated.
If a packet passes through all the terms in the filter without a match, the packet is discarded.
To configure a Filter profile for EX Series switches:
- Specify a filter name and description for the Filter profile.
- Select the switch filter family for which you want to create the profile:
If you want to create a Layer 2 based filter, select Ethernet switching.
If you want to create a Layer 3 based filter for IPv4, select INET.
If you want to create a Layer 3 based filter for IPv6, select INET6.
- Under Terms, click Add to add one or more terms with match condition(s) for this filter.
The Create Term window opens, displaying a section for each type of term you can create: Source and Destination Parameters, Protocols, DSCP Settings, TCP Settings, and ICMP Settings. The Action section applies to all of those types.
Note: The order of the terms within a Filter profile configuration is important. Packets are tested against each term in the order in which terms are listed.
- Enter a name for the filter term.
- Specify the match condition(s) for the filter term as described in Table 2. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Table 2: Create Term Fields for EX Switching
Task | Description
Source and Destination Parameters
You can specify match conditions for either packets’ origin (source) or packets’ destination, or both. You are indicating the location of the filtering here—either specifying that packets that originate at a specific place (source) will be filtered or packets destined for a specific location (destination) will be filtered. You can have multiple sources and destinations for one filter term.
Add Source Parameters and Destination Parameters
To add source and destination parameters to the named filter term:
Click Add to the right of the Destination Parameters list.
The Add Source/Destination Parameter window appears.
Select either Source (default) or Destination from the Add Source/Destination Parameter page.
Select one of the following available Parameter Types from the Add Source/Destination Parameter page and provide the corresponding information:
Tip: Available parameter types vary.
IP Address—also provide the IP address of the source or destination device
MAC Address—also provide the MAC address of the source or destination device
Port—also provide the port type of the source or destination port. Select either AFS (Andrew File System), BGP (Border Gateway Protocol), BIFF (UNIX mail notification), Bootpc (bootstrap protocol client), Bootps, Cmd, CVS pserver, DHCP, Domain, EK login, EK shell, EXEC, Finger (protocol), or FTP.
Note: If you selected Port as the parameter and do not find the type of port that you want to add from the Port list, then select Other and enter a port number.
Click OK.
The parameter term is added to the appropriate list, either Source Parameters or Destination Parameters.
Protocols and EtherTypes
For either INET family, you can apply a filter term based on protocols being used by packets. For the Ethernet-switching family, you can apply a filter term based on either the protocols being used by packets or on the EtherTypes being used by packets. EtherType indicates a protocol that is encapsulated in the payload of an Ethernet Frame. Expand the Protocols section to see the configuration.
Add a Protocol Match Condition
(Ethernet-switching family or INET family) To add a protocol match condition to the named filter term:
Expand the Protocols and EtherTypes section.
Click Add under Protocols.
The Select Protocols window opens, displaying a list of protocols.
From the list of protocols, select one or more. The options are AH, DSTOPTS, EGP, ESP, Fragment, GRE, Hop-by-hop, ICMP, ICMP6, IPIP, IPv6, No-text-header, OSPF, PIM, Routing, RSVP, SCTP, TCP, UDP, and VRRP.
Click OK.
The protocols are added to the Protocols list.
Add an EtherType Match Condition
(Ethernet-switching family) To add an EtherType match condition to the named Ethernet-switching family filter term:
Expand the Protocols and EtherTypes section.
Click Add under EtherTypes.
The Select EtherTypes window opens, displaying a list of protocols.
From the list of EtherTypes, select one or more. The options are AARP, AppleTalk, ARP, IPv4, IPv6, MPLS multicast, MPLS unicast, OAM, PPP, PPPOE discovery, PPPOE session, and SNA.
Click OK.
The EtherTypes are added to the EtherTypes list.
DSCP Settings
Expand this section to see the DSCP term settings. DiffServ is a simple mechanism for classifying and managing network traffic and providing quality-of-service (QoS) on IP networks. DiffServ can, for example, be used to apply low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as Web traffic. Here, you can apply a filter term based on the Differentiated Services code point (DSCP), which is a field in IPv4 and IPv6 headers.
Note: With IPv6 packets, the DS field and ECN field replace the IPv4 TOS field.
Add a DSCP Match Condition
To add a DSCP match condition to the named filter term:
Note: A DSCP IP match condition and a precedence match condition cannot both be specified for the same term.
Click Add in the DSCP section to see a list of match conditions.
The Select DSCP list appears.
Select one or more of the following DSCP types from the list:
AF11—Assured forwarding class 1, low drop precedence
AF12—Assured forwarding class 1, medium drop precedence
AF21—Assured forwarding class 2, low drop precedence
AF22—Assured forwarding class 2, medium drop precedence
AF23—Assured forwarding class 2, high drop precedence
AF31—Assured forwarding class 3, low drop precedence
AF32—Assured forwarding class 3, medium drop precedence
AF33—Assured forwarding class 3, high drop precedence
AF41—Assured forwarding class 4, low drop precedence
AF42—Assured forwarding class 4, medium drop precedence
AF43—Assured forwarding class 4, high drop precedence
BE—Best effort (default)
EF-Expedited forwarding
CS0—Class selector 0
CS1—Class selector 1
CS2—Class selector 2
CS3—Class selector 3
CS4—Class selector 4
CS5—Class selector 5
CS6—Class selector 6
CS7—Class selector 7
Click OK.
The DSCP code term for the named filter is added to the DSCP list.
Add a Precedence match condition
You can apply an IP precedence match condition to the named term. With IP precedence, a device prioritizes traffic by class first. Then it differentiates and prioritizes same-class traffic.
Note: The two match conditions IP Precedence and DSCP cannot be simultaneously applied to a term.
To apply an IP precedence value match condition to the named term:
Click Add in the Precedence section.
The Select Precedence list appears.
Select one of the following precedence settings from the list: Routine (0 or lowest, also called Best Effort), Priority (1), Immediate (2), Flash (3, mainly used for voice signaling or for video), Flash-override (4), Critical-ECP (5, mainly used for voice RTP), Internet-control (6, used for IP routing protocols), or Net-control (7 or highest, used for link layer and routing protocol keep alive).
Click OK.
The precedence match condition is added to the named term, and the condition is listed in the Precedence list.
TCP Settings
Expand this section to see the TCP term settings. The Transmission Control Protocol (TCP) is the most common core protocol of the Internet protocol suite (IP). TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to the Internet or an intranet. You can use the TCP initial flag for a match condition.
Enable TCP Initial flag match condition
Select to use the TCP initial flag for a match condition. The TCP flags option becomes unavailable as a result.
Enable other TCP flag match conditions
If you are not using the TCP initial flag for a match condition, select one of the TCP flags from the list—RST, ACK, SYN, Urgent, Push, FIN, None. These flags have the following meaning:
RST—Reset flag indicates that the TCP connection will be reset.
ACK—Third step in TCP three-way handshake for connection. In response to a server’s SYN-ACK, the client replies with an ACK.
SYN—First step in TCP three-way handshake for connection. The active open is performed by the client sending a SYN to the server.
Urgent—If the URG flag is set, then the 16-bit field is an offset from the sequence number indicating the last urgent data byte.
Push—The push flag requests that buffered data be sent to the receiving application now.
FIN—The final flag indicates that no more data will be sent.
ICMP Settings
Expand the ICMP Settings section to select an ICMP code value for the filter item’s match condition. The Internet Control Message Protocol (ICMP) is one of the core IP protocols used by operating systems of networked computers to send error messages. ICMP can also be used to relay query messages.
Add an ICMP Code match condition
To apply an ICMP code match condition to the named term:
Click Add in the ICMP Codes section.
The Select ICMP Code list appears.
Select one or more ICMP codes from the list. These codes vary, depending on the Filter Family you selected.
Click OK.
The ICMP code match condition is listed in the ICMP Code list and added to the named term.
Note: ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify an ICMP type along with an ICMP code. The keywords are grouped by the ICMP type with which they are associated.
Add an ICMP Type match condition
Note: ICMP type specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port.
ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify an ICMP type along with the ICMP code. The keywords are grouped by the ICMP type with which they are associated.
To apply an ICMP type match condition to the named term:
Click Add in the ICMP Type section.
The Select ICMP Type list appears.
Select one or more ICMP types from the list. Options vary, depending on which Filter Family you selected.
Click OK.
The ICMP type match condition is listed in the ICMP Type list and is added to the named term.
Action
Select the action that the system performs on an IP packet if all match conditions that you specified above are met. Possible actions are Discard and Accept. The default action is to discard a packet that matches the filter term’s conditions.
Action
Select either Discard or Accept to indicate what the filter term does with a packet when a match is made.
Note: The remaining fields in this section are enabled only if you select Accept as the action.
Counter Name
When Accept is the action, specify a counter name.
Loss Priority
When Accept is the action, specify the packet loss priority: Low, High, or None.
Note: Forwarding class and loss priority must be specified together for the same term.
Policer
When you create a Filter profile, you can specify a policer action for any term or terms within the filter. Policing, or rate limiting, enables you to limit the amount of traffic that passes into or out of an interface. All traffic that matches a term that contains a policer action goes through the policer that the term references.
You have two options with a policer. You can specify that an existing policer be used for the packet that matches the match condition. Or, you can create a new policer for the packet that matches the match condition.
To select a policer from an existing list of policers, click Select. The Select Policer page appears. Select the policer that you want to use for the term and click OK. The system displays the selected policer in the Policer field in the Create Term page.
To create a new policer:
Click Create.
The Create Policer page appears.
Type a name for the policer—you can use this policer again in the future.
Select a policer type from the list, either a single-rate-two-color policer, or a three-color-policer. The type of policer that you select here affects the rest of the configurations available for the policer.
If you selected a three-color-policer, then also select a rate for it, either single-rate or two-rate.
Single-rate two-color—A two-color policer (sometimes called simply policer) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level.
Single-Rate Three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CBS (green), exceed the CBS but not the EBS (yellow), or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet size and not according to peak arrival rate.
Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and the peak information rate (PIR), along with their associated burst sizes: the CBS and the peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether packets are arriving at rates that are below the CIR (green), exceed the CIR but not the PIR (yellow), or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet size.
Note: The system displays and hides various fields in the Create Policer page depending on the type of policer that you want to create.
Configure these fields for a single-rate-two-color policer:
Bandwidth Limit—Specify the traffic rate in bits per second, 1000 through 102,300,000,000 (102.3g) bps.
Burst Size Limit—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Action—Select either Discard or None.
Loss Priority—Select either High or None.
Configure these fields for a single-rate-three-color policer:
Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps.
Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes.
Excess Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Color Mode—Select the way the preclassified packets are to be metered:
Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority.
Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority.
None—The preclassified packets are not metered.
Action—Options are Discard and None.
Loss Priority—Options are High and None.
Configure these fields for a three-color two-rate policer:
Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps.
Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes.
Peak Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Peak Information Rate—Specify the maximum achievable rate in bits per second. Packets that exceed the peak information rate (PIR) are marked with high packet loss priority (red). You can configure a discard action for packets that exceed the PIR. The range is 32,000 through 40,000,000,000 bps.
Color Mode—Select the way the preclassified packets are to be metered:
Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority.
Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority.
None—The preclassified packets are not metered.
Action—Options are Discard and None.
Loss Priority—Options are High and None.
Click OK.
The policer is added to the list of applied policers and the list of available policers.
Forwarding Class
When Accept is the action, specify the forwarding class (or output queue) that is to be used for the packet that matches the match condition. You can create a new forwarding class or select from a list of available forwarding classes.
To select a forwarding class from an existing list of classes, click Select. The Select Forwarding Class page appears. Select the forwarding class that you want to use for the packet and click OK. The system displays the selected forwarding class in the Forwarding Class field in the Create Term page.
To create a new forwarding class:
Click Create.
The Create Forwarding Class page appears.
Type a name for the forwarding class—you can use this forwarding class again in the future.
Select a queue number from the list, and then click OK.
The system creates a new forwarding class and displays it in the Forwarding Class field in the Create Term page.
Click OK to save the term and return to the Create Filter Profile page.
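The single-rate three-color policer described under Policer above, written out as the RFC 2697 token-bucket algorithm in both color-blind and color-aware modes. This is an added example, not Network Director or Junos code; the class and function names are hypothetical, the packet trace is constructed, and both buckets are assumed to start full.

```python
"""Single-rate three-color marker (RFC 2697) as a token-bucket model (added example)."""

GREEN, YELLOW, RED = "green", "yellow", "red"
CIR_RANGE_BPS = (32_000, 40_000_000_000)       # CIR range quoted on this page
BURST_RANGE_BYTES = (1_500, 100_000_000_000)   # CBS/EBS range quoted on this page


class SingleRateThreeColorMeter:
    """Hypothetical model class: meters packets against CIR, CBS and EBS."""

    def __init__(self, cir_bps, cbs_bytes, ebs_bytes, color_aware=False):
        if not CIR_RANGE_BPS[0] <= cir_bps <= CIR_RANGE_BPS[1]:
            raise ValueError("CIR outside the configurable range")
        for burst in (cbs_bytes, ebs_bytes):
            if not BURST_RANGE_BYTES[0] <= burst <= BURST_RANGE_BYTES[1]:
                raise ValueError("burst size outside the configurable range")
        self.rate = cir_bps / 8                  # token rate in bytes per second
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.color_aware = color_aware
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)  # assumption: start full
        self.last = 0.0

    def _refill(self, now):
        # Tokens arrive at CIR. They fill the committed bucket first and only the
        # overflow goes to the excess bucket, which is capped at EBS.
        tokens = (now - self.last) * self.rate
        self.last = now
        to_committed = min(tokens, self.cbs - self.tc)
        self.tc += to_committed
        self.te = min(self.ebs, self.te + tokens - to_committed)

    def mark(self, now, size, precolor=GREEN):
        """Return the color for a packet of `size` bytes arriving at time `now`."""
        if now < self.last:
            raise ValueError("timestamps must not go backwards")
        self._refill(now)
        if not self.color_aware:
            precolor = GREEN                     # color-blind: ignore earlier marking
        if precolor == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if precolor in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED                               # neither bucket can cover the packet


# Constructed trace: (arrival time in seconds, packet size in bytes).
TRACE = [(0.0, 1500)] * 5 + [(0.5, 1500), (0.5, 1500), (2.0, 1500)]


def run_trace(meter, trace):
    return [meter.mark(t, size) for t, size in trace]


if __name__ == "__main__":
    # CIR 32,000 bps is 4,000 bytes/s; CBS and EBS each hold two 1500-byte packets.
    meter = SingleRateThreeColorMeter(32_000, 3_000, 3_000)
    for (t, size), color in zip(TRACE, run_trace(meter, TRACE)):
        print(f"t={t:>4}s size={size} -> {color}")
```

In the trace, the initial burst drains the committed bucket (green), then the excess bucket (yellow), then is marked red; the excess bucket only refills once the committed bucket is full again.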
Specifying Settings for a Campus Switching ELS Switch Filter Profile
A Filter profile must have at least one term in it. Each term has one filtering function. For example, if a term is evaluating the source of packets, then that term cannot also evaluate the protocols used by the packets. Some switch models accommodate multiple terms in one filter. When you have more than one term in a filter, the ordering of the terms is important. The system evaluates multiple filter terms as follows:
The packet is evaluated against the first term’s conditions. If the packet matches all of the conditions in that term, the corresponding action for that condition is taken and evaluation ends. Subsequent terms in the filter are not evaluated.
If the packet does not match all conditions in the first term, the packet is evaluated against the conditions in the second term. This process continues until either the packet matches all the conditions in one of the subsequent terms or there are no more terms in the filter. If a match is found, the action specified in the Action section of the matched term is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.
The term conditions for protocol, EtherType, DSCP, precedence, ICMP code and ICMP type must all be either match conditions or except conditions.
If a packet passes through all the terms in the filter without a match, the packet is discarded.
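The evaluation order described for both the EX Series and the Campus Switching ELS filter profiles (first matching term wins, no match means discard, Except inverts a condition), as an added Python model; it is not Network Director or Junos code. Field names, term names and sample packets are constructed for illustration, and treating a field that is absent from a packet as a non-hit is a modelling assumption.

```python
"""Model of first-match filter term evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Rule stated on this page: conditions on these fields must be all "match"
# or all "except" within one term.
UNIFORM_FIELDS = {"protocol", "ethertype", "dscp", "precedence", "icmp_code", "icmp_type"}
ADDRESS_FIELDS = {"source_ip", "destination_ip"}
NO_MATCH = "(no term matched)"


@dataclass(frozen=True)
class Condition:
    field: str             # hypothetical field name used by this model
    values: tuple
    negate: bool = False   # models the Except check box

    def matches(self, packet):
        value = packet.get(self.field)
        if value is None:
            hit = False    # assumption: an absent field never equals a listed value
        elif self.field in ADDRESS_FIELDS:
            hit = any(ip_address(value) in ip_network(net) for net in self.values)
        else:
            hit = value in self.values
        return hit != self.negate


@dataclass
class Term:
    name: str
    conditions: list
    action: str = "discard"   # the page's default action

    def __post_init__(self):
        if not self.conditions:
            raise ValueError(f"{self.name}: a term needs at least one match condition")
        if self.action not in ("accept", "discard"):
            raise ValueError(f"{self.name}: action must be accept or discard")
        fields = {c.field for c in self.conditions}
        if {"dscp", "precedence"} <= fields:
            raise ValueError(f"{self.name}: DSCP and precedence cannot share a term")
        modes = {c.negate for c in self.conditions if c.field in UNIFORM_FIELDS}
        if len(modes) > 1:
            raise ValueError(f"{self.name}: mixed match and except conditions")


def evaluate(terms, packet):
    """Return (action, term_name) for the first term whose conditions all match."""
    for term in terms:
        if all(c.matches(packet) for c in term.conditions):
            return term.action, term.name      # evaluation ends at the first match
    return "discard", NO_MATCH                 # fell through every term


# Constructed terms and packets (documentation and private address ranges).
BLOCK_TELNET = Term("block-telnet", [Condition("destination_port", (23,))], "discard")
ALLOW_MGMT = Term("allow-mgmt", [Condition("source_ip", ("10.0.10.0/24",))], "accept")
ALLOW_NON_GUEST = Term(
    "allow-non-guest", [Condition("source_ip", ("10.0.99.0/24",), negate=True)], "accept"
)

SSH = {"source_ip": "10.0.10.5", "protocol": "tcp", "destination_port": 22}
TELNET = {"source_ip": "10.0.10.5", "protocol": "tcp", "destination_port": 23}
DNS = {"source_ip": "192.0.2.9", "protocol": "udp", "destination_port": 53}
GUEST = {"source_ip": "10.0.99.7", "protocol": "udp", "destination_port": 53}

if __name__ == "__main__":
    orderings = {
        "discard term first": [BLOCK_TELNET, ALLOW_MGMT],
        "accept term first": [ALLOW_MGMT, BLOCK_TELNET],
    }
    for label, terms in orderings.items():
        for name, pkt in (("ssh", SSH), ("telnet", TELNET), ("dns", DNS)):
            print(f"{label:20} {name:7} -> {evaluate(terms, pkt)}")
    for name, pkt in (("guest", GUEST), ("dns", DNS)):
        print(f"{'except condition':20} {name:7} -> {evaluate([ALLOW_NON_GUEST], pkt)}")
```

With the accept term listed first, the Telnet packet from the management subnet is accepted and the discard term below it is never evaluated, which is why term order needs review whenever a term is added.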
To configure a Filter profile for Campus switching ELS:
- Specify a filter name and description for the Filter profile.
- Select the switch filter family for which you want to create the profile:
If you want to create a Layer 2 based filter, select Ethernet switching.
If you want to create a Layer 3 based filter for IPv4, select INET.
If you want to create a Layer 3 based filter for IPv6, select INET6.
- Under Terms, click Add to add one or more terms with match condition(s) to the named filter. You need at least one term for this filter.
The Create Term window opens.
Note: The order of the terms within a Filter profile configuration is important. Packets are tested against each term in the order in which the terms are listed.
- Enter a name for the filter term.
- Specify the match condition(s) for the filter term as described in Table 3. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Table 3: Create Term Fields for Campus Switching ELS
Field | Description
Source and Destination Parameters
You can specify match conditions based on the packets’ origin (source) or the packets’ destination, or both. You are indicating the location of the filtering here—either specifying that packets that originate at a specific place (source) will be filtered or packets destined for a specific location (destination) will be filtered. You can have multiple sources and destinations for one filter.
Source Parameters and Destination Parameters
To add source and destination parameters to the named filter term:
Click Add to the right of the Destination Parameters list.
The Add Source/Destination Parameter window opens.
Select either Source (default) or Destination from the Add Source/Destination Parameter window.
Select one of the following available Parameter Types from the Add Source/Destination Parameter page and provide the corresponding information:
IP Address—Provide the IP address of the source or destination device.
MAC Address—Provide a MAC address.
Port—Provide the port type of the source or destination port. Select either AFS (Andrew File System), BGP (Border Gateway Protocol), BIFF (UNIX mail notification), Bootpc (bootstrap protocol client), Bootps, Cmd, CVS pserver, DHCP, Domain, EK login, EK shell, EXEC, Finger protocol, FTP, FTP data, HTTP, HTTPS, Ident protocol, IMAP (Internet Message Access Protocol), Kerberos-sec (Kerberos security), Klogin forwarding, Kpasswd command, KRB-prop (Kerberos database propagation), Krbupdate (Kerberos database update), Kshell (Kerberos rsh), LDAP, Login (UNIX rlogin), Mobilip-agent (Mobile IP agent), Mobilip-mn (Mobile IP MN), MSDP (Multicast Source Discovery Protocol), NetBIOS dgm, NetBIOS-ns (NetBIOS name service), NetBIOS-ssn (NetBIOS session service), NFSD, NNTP (Network News Transport Protocol), Ntalk, NTP (Network Time Protocol), POP3 (Post Office Protocol 3), PPTP, Printer, RADacct (RADIUS accounting), RADIUS, RIP, RKINIT (Kerberos remote kinit), SMTP, SNMP trap, SNPP, SUNRPC, Syslog, TACACS, TACACS-ds, Talk (UNIX Talk), Telnet, TFTP, Timed (UNIX time daemon), Who (UNIX rwho), XDMCP (X Display Manager Control Protocol), Zephyr-clt (Zephyr serv-hm connection), Zephyr-hm (Zephyr hostmanager), Zephyr-srv (Zephyr server), or Other.
Note: If you selected Port as the parameter and do not find the type of port that you want to add from the Port list, then select Other and enter a port number.
To match any source or destination other than the one indicated, enable Except.
Tip: You cannot indicate both matching and except for a parameter.
Click OK.
The parameter term is added to the appropriate list, either Source Parameters or Destination Parameters.
Protocols and EtherTypes
Depending on the Filter Family you selected, you can sometimes apply a filter term based on either protocols being used by packets or on EtherTypes being used by packets. Recognized protocols are listed where applicable. Recognized EtherTypes, which indicate the protocol that is encapsulated in the payload of an Ethernet Frame, are also listed where applicable.
Protocols
(apply to Ethernet and INET filter families) To add a protocol match condition to the named filter term:
Expand the Protocols and EtherTypes section.
Click Add under Protocols.
The Select Protocols window opens, displaying a list of protocols.
From the list of protocols, select one or more. The options are AH, DSTOPTS, EGP, ESP, Fragment, GRE, Hop-by-hop, ICMP, IPIP, IPv6, No-text-header, OSPF, PIM, Routing, RSVP, SCTP, TCP, UDP, and VRRP.
To make the filter exclude the specified protocol, select Except.
Note: The term conditions for protocol, EtherType, DSCP, precedence, ICMP code and ICMP type must all be either match conditions or except conditions.
Click OK.
The protocols are added to the Protocols list.
EtherTypes
(apply to Ethernet filter family) To add an EtherTypes match condition to the named filter term:
Expand the Protocols and EtherTypes section.
Click Add under EtherTypes.
The Select EtherTypes window opens, displaying a list of protocols.
From the list of EtherTypes, select one or more. The options are AARP, AppleTalk, ARP, IPV4, MPLS multicast, MPLS unicast, OAM, PPP, PPPOE discovery, PPPOE session, and SNA.
To make the filter exclude the specified EtherType, select Except.
Note: Term values must all be either match conditions or all except conditions.
Click OK.
The EtherTypes are added to the EtherTypes list.
DSCP Settings
Expand the DSCP section to see the DSCP match settings. DiffServ is a simple mechanism for classifying and managing network traffic and providing quality-of-service (QoS) on IP networks. DiffServ can, for example, be used to apply low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as Web traffic. Here, you can apply a filter term based on the Differentiated Services code point (DSCP), which is a field in IPv4 and IPv6 headers.
Note: With IPv6 packets, the DS field and ECN field replace the IPv4 TOS field.
DSCP
(Ethernet and INET filter families) To add a DSCP match condition to the named filter term:
Note: A DSCP IP match condition and a precedence match condition cannot both be specified for the same term.
Click Add in the DSCP section.
The Select DSCP Match Condition list appears.
Select one of the following DSCP types from the list:
AF11—Assured forwarding class 1, low drop precedence
AF12—Assured forwarding class 1, medium drop precedence
AF21—Assured forwarding class 2, low drop precedence
AF22—Assured forwarding class 2, medium drop precedence
AF23—Assured forwarding class 2, high drop precedence
AF31—Assured forwarding class 3, low drop precedence
AF32—Assured forwarding class 3, medium drop precedence
AF33—Assured forwarding class 3, high drop precedence
AF41—Assured forwarding class 4, low drop precedence
AF42—Assured forwarding class 4, medium drop precedence
AF43—Assured forwarding class 4, high drop precedence
BE—Best effort (default)
EF—Expedited forwarding
CS0—Class selector 0
CS1—Class selector 1
CS2—Class selector 2
CS3—Class selector 3
CS4—Class selector 4
CS5—Class selector 5
CS6—Class selector 6
CS7—Class selector 7
To make the filter exclude a specified DSCP type, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The DSCP code term for the named filter is added to the DSCP list.
Precedence for DSCP
(Ethernet and INET filter families) You can apply an IP precedence match condition to the named term. With IP precedence, a device prioritizes traffic by class first. Then it differentiates and prioritizes same-class traffic.
Note: The match conditions IP Precedence and DSCP cannot be simultaneously applied to a term.
To apply an IP precedence value match condition to the named term:
Click Add in the Precedence section.
The Select Precedence list appears.
Select one of the following precedence settings from the list: Routine (0 or lowest, also called Best Effort), Priority (1), Immediate (2), Flash (3, mainly used for voice signaling or for video), Flash-override (4), Critical-ECP (5, mainly used for voice RTP), Internet-control (6, used for IP routing protocols), or Net-control (7 or highest, used for link layer and routing protocol keepalives).
To make the filter exclude the specified IP precedence value, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The precedence match condition is added to the named term, and the condition is listed in the Precedence list.
TCP Settings Expand this section to access the TCP settings. The Transmission Control Protocol (TCP) is the most common core protocol of the Internet protocol suite (IP). TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to the Internet or an intranet. You can use the TCP initial flag for a match condition.
Enable TCP Initial
(All families) Select to use the TCP initial flag for an Ethernet, INET, or INET6 match condition.
Tip: If you use the TCP initial flag for filtering, you cannot use any other TCP flag.
TCP Flags
If you are not using the TCP initial flag for a match condition, you can select one of the TCP flags from the list for a match condition—RST, ACK, SYN, Urgent, Push, FIN, or None. These flags have the following meaning:
RST—Reset flag indicates that the TCP connection will be reset.
ACK—Third step in TCP three-way handshake for connection. In response to a server’s SYN-ACK, the client replies with an ACK.
SYN—First step in TCP three-way handshake for connection. The active open is performed by the client sending a SYN to the server.
Urgent—If the URG flag is set, then the 16-bit field is an offset from the sequence number indicating the last urgent data byte.
Push—The push flag requests that buffered data be sent to the receiving application now.
FIN—The final flag indicates that no more data will be sent.
ICMP Settings You can select the ICMP code value for the filter item’s match condition—expand this section to access the ICMP settings. The Internet Control Message Protocol (ICMP) is one of the core IP protocols used by operating systems of networked computers to send error messages. ICMP can also be used to relay query messages.
ICMP Code
To apply an ICMP code match condition to the named term:
Click Add in the ICMP Code section.
The Select ICMP Code window appears.
Select one or more ICMP codes from the list. These codes vary, depending on the Filter Family you selected.
To make the filter exclude the specified ICMP code, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The ICMP code match condition is added to the named term, and the condition is listed in the ICMP Code list. You can now enable Except.
Note: An ICMP code specifies more specific information than an ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify an ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated.
ICMP Type
Note: ICMP type specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port.
ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated.
To apply an ICMP type match condition to the named term:
Click Add in the ICMP Type section.
The Select ICMP Types window appears.
Select one or more ICMP types from the list. These types vary, depending on the Filter Family selected.
To make the filter exclude the specified ICMP type, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The ICMP type match condition is added to the named term, and the condition is listed in the ICMP Type list. You can now enable Except.
Action Select the action that the system performs on an IP packet if all match conditions that you specified above are met. Possible actions are Discard and Accept. The default action is to discard packets that match the filter term conditions.
Action
Select either Discard or Accept to indicate what the filter term does with a packet when a match is made.
Note: All other fields in this section are enabled only if you select Accept as the action.
Counter Name
When the action selected is accept, specify the maximum packet count for this filter, term, or policer.
Loss Priority
When the action selected is accept, specify the packet loss priority, Low, High, Medium-low, Medium-high, or None.
Note: Forwarding class and loss priority must be specified together for the same term.
Policer
When you create a Filter profile with the action accept, you can specify a policer action for any term or terms within the filter. Policing, or rate limiting, enables you to limit the amount of traffic that passes into or out of an interface. All traffic that matches a term that contains a policer action goes through the policer that the term references.
You have two options with a policer. You can specify that an existing policer be used for the packet that matches the match condition. Or, you can create a new policer for the packet that matches the match condition.
To select an existing policer:
Click Select.
The Select Policer page appears.
Click OK.
The policer is added to the list of applied policers.
To create a new policer:
Click Create.
The Create Policer page appears.
Type a name for the policer—you can use this policer again in the future.
Select a policer type from the list, either a single-rate-two-color policer, or a three-color-policer. The type of policer that you select here affects the rest of the configurations available for the policer.
If you selected a three-color-policer, then also select a rate for it, either single-rate or two-rate.
Single-rate two-color—A two-color policer (sometimes called simply policer) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level.
Single-Rate Three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CBS (green), exceed the CBS but not the EBS (yellow), or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet size and not according to peak arrival rate.
Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and the peak information rate (PIR), along with their associated burst sizes, the CBS and the peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CIR (green), exceed the CIR but not the PIR (yellow), or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet size.
Note: The system displays and hides various fields in the Create Policer page depending on the type of policer that you want to create.
Configure these fields for a single-rate-two-color policer:
Bandwidth Limit—Specify the traffic rate in bits per second, 1000 through 102,300,000,000 (102.3g) bps.
Burst Size Limit—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Action—Select either Discard or None.
Loss Priority—Select either High or None.
Configure these fields for a single-rate-three-color policer:
Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps.
Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes.
Excess Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Color Mode—Select the way the preclassified packets are to be metered:
Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority.
Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority.
None—The preclassified packets are not metered.
Action—Options are Discard and None.
Loss Priority—Options are High and None.
Configure these fields for a three-color two-rate policer:
Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 32,000 through 40,000,000,000 bps.
Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes.
Peak Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Peak Information Rate—Specify the maximum achievable rate in bits per second. Packets that exceed the peak information rate (PIR) are marked with high packet loss priority (red). You can configure a discard action for packets that exceed the PIR. The range is 32,000 through 40,000,000,000 bps.
Color Mode—Select the way the preclassified packets are to be metered:
Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority.
Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority.
None—The preclassified packets are not metered.
Action—Options are Discard and None.
Loss Priority—Options are High and None.
Click OK.
The policer is added to the list of applied policers and the list of available policers.
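The three policer types described above, as an added example (not Network Director or Junos code): color-blind meters that follow the token-bucket algorithms of RFC 2697 and RFC 2698, run over a constructed trace offered at 12 Mbps against a committed rate of 8 Mbps. The class names, function names, rates, and burst sizes are sample values chosen for illustration.

```python
"""Color-blind meters for the three policer types, run over one constructed trace."""


def credit(elapsed_us, rate_bps):
    """Bytes of token credit earned over elapsed_us microseconds at rate_bps."""
    return elapsed_us * rate_bps / 8_000_000


class TwoColor:
    """Single-rate two-color: one bucket, sized by the burst-size limit."""

    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate, self.burst = bandwidth_bps, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0

    def meter(self, now_us, size):
        self.tokens = min(self.burst, self.tokens + credit(now_us - self.last, self.rate))
        self.last = now_us
        if self.tokens >= size:
            self.tokens -= size
            return "in"
        return "out"  # candidate for the Discard action or a high loss priority


class SingleRateThreeColor:
    """RFC 2697: CIR refills the committed bucket first, overflow goes to the excess bucket."""

    def __init__(self, cir_bps, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir_bps, cbs, ebs
        self.tc, self.te, self.last = float(cbs), float(ebs), 0

    def meter(self, now_us, size):
        earned = credit(now_us - self.last, self.cir)
        self.last = now_us
        to_committed = min(earned, self.cbs - self.tc)
        self.tc += to_committed
        self.te = min(self.ebs, self.te + earned - to_committed)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


class TwoRateThreeColor:
    """RFC 2698: independent buckets refilled at CIR (committed) and PIR (peak)."""

    def __init__(self, cir_bps, cbs, pir_bps, pbs):
        self.cir, self.cbs, self.pir, self.pbs = cir_bps, cbs, pir_bps, pbs
        self.tc, self.tp, self.last = float(cbs), float(pbs), 0

    def meter(self, now_us, size):
        elapsed = now_us - self.last
        self.last = now_us
        self.tc = min(self.cbs, self.tc + credit(elapsed, self.cir))
        self.tp = min(self.pbs, self.tp + credit(elapsed, self.pir))
        if self.tp < size:
            return "red"
        self.tp -= size
        if self.tc < size:
            return "yellow"
        self.tc -= size
        return "green"


def run(policer, trace):
    """Meter every (arrival time in microseconds, size in bytes) pair in the trace."""
    return [policer.meter(t, size) for t, size in trace]


# Constructed trace: twelve 1500-byte packets, one per millisecond (12 Mbps offered load).
TRACE = [(ms * 1000, 1500) for ms in range(12)]

if __name__ == "__main__":
    print(run(TwoColor(8_000_000, 3000), TRACE))
    print(run(SingleRateThreeColor(8_000_000, 3000, 3000), TRACE))
    print(run(TwoRateThreeColor(8_000_000, 3000, 16_000_000, 3000), TRACE))
```

On this trace the single-rate three-color meter eventually marks a packet red once the excess bucket drains, while the two-rate meter only marks yellow because the offered load stays below the PIR.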
Forwarding Class
Specify the forwarding class (or output queue) that is to be used for the packet that matches the match condition. You can either select from a list of available forwarding classes or create a new forwarding class.
To select a forwarding class from an existing list of classes, click Select. The Select Forwarding Class page appears. Select the forwarding class that you want to use for the packet and click OK. The system displays the selected forwarding class in the Forwarding Class field in the Create Term page.
To create a new forwarding class:
Click Create.
The Create Forwarding Class page appears.
Type a name for the forwarding class—you can use this forwarding class again in the future.
Select a queue number from the list, and then click OK.
The system creates a new forwarding class and displays it in the Forwarding Class field in the Create Term page.
- Click OK to save the term and return to the Create Filter Profile page.
- Click Done.
The new filter is added to the Manage Filter Profile list.
Specifying Settings for a Data Center Switching ELS Filter Profile
A Filter profile must have at least one term in it. Each term has one filtering function. For example, if a term is evaluating the source of packets, then that term cannot also evaluate the protocols used by the packets. Some switch models accommodate multiple terms in one filter. When you have more than one term in a filter, the ordering of the terms is important. The system evaluates multiple filter terms as follows:
The packet is evaluated against the first term’s conditions. If the packet matches all of the conditions in that term, the corresponding action for that condition is taken and evaluation ends. Subsequent terms in the filter are not evaluated.
If the packet does not match all conditions in the first term, the packet is evaluated against the conditions in the second term. This process continues until either the packet matches all the conditions in one of the subsequent terms or there are no more terms in the filter. If a match is found, the action specified in the Action section of the matched term is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.
The term conditions for protocol, EtherType, DSCP, precedence, ICMP code and ICMP type must all be either match conditions or except conditions.
If a packet passes through all the terms in the filter without a match, the packet is discarded.
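The evaluation order above, as an added example that is not Network Director or Junos code: a first-match evaluator with Except conditions and the implicit final discard, plus a check that reports term pairs whose relative order changes the verdict. The term names, packet fields, and addresses are constructed for illustration.

```python
"""First-match evaluation of filter terms, with the implicit final discard."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Condition:
    key: str                  # packet attribute: "src", "dst", "protocol", "dst_port"
    values: tuple             # accepted values (CIDR strings for "src" and "dst")
    is_except: bool = False   # the Except check box inverts the condition

    def matches(self, packet: dict) -> bool:
        actual = packet.get(self.key)
        if self.key in ("src", "dst"):
            hit = actual is not None and any(
                ip_address(actual) in ip_network(v) for v in self.values)
        else:
            hit = actual in self.values
        return hit != self.is_except


@dataclass(frozen=True)
class Term:
    name: str
    conditions: tuple
    action: str               # "accept" or "discard"

    def matches(self, packet: dict) -> bool:
        return all(c.matches(packet) for c in self.conditions)


def evaluate(terms, packet):
    """Return (term name, action) for the first matching term.

    A packet that matches no term gets (None, "discard").
    """
    for term in terms:
        if term.matches(packet):
            return term.name, term.action
    return None, "discard"


def order_sensitive_pairs(terms, probes):
    """List (later term, earlier term) pairs where both match a probe but
    disagree on the action, so their relative order decides the verdict."""
    pairs = set()
    for packet in probes:
        hits = [t for t in terms if t.matches(packet)]
        for later in hits[1:]:
            if later.action != hits[0].action:
                pairs.add((later.name, hits[0].name))
    return sorted(pairs)


# Constructed sample filter: the broad accept is listed before the Telnet discard.
TRUST = Term("trust-internal", (Condition("src", ("10.0.0.0/8",)),), "accept")
NO_TELNET = Term("block-telnet", (Condition("dst_port", (23,)),), "discard")
NON_ICMP = Term("allow-non-icmp", (Condition("protocol", ("icmp",), is_except=True),), "accept")
FILTER = [TRUST, NO_TELNET, NON_ICMP]
REORDERED = [NO_TELNET, TRUST, NON_ICMP]

# Constructed probe packets.
PROBES = [
    {"src": "10.1.2.3", "protocol": "tcp", "dst_port": 23},
    {"src": "192.0.2.7", "protocol": "tcp", "dst_port": 23},
    {"src": "192.0.2.7", "protocol": "udp", "dst_port": 53},
    {"src": "192.0.2.7", "protocol": "icmp"},
]

if __name__ == "__main__":
    for p in PROBES:
        print(p, "->", evaluate(FILTER, p), "| reordered:", evaluate(REORDERED, p))
    print("order-sensitive:", order_sensitive_pairs(FILTER, PROBES))
```

With the original order, Telnet from 10.1.2.3 is accepted by the first term and never reaches the discard term; moving the discard term first closes that gap.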
To configure a Filter profile for Data Center switching ELS:
- Specify a filter name and description for the Filter profile.
- Select the switch filter family for which you want to create the profile:
If you want to create a Layer 2 based filter, select Switching.
If you want to create a Layer 3 based filter for IPv4, select INET.
If you want to create a Layer 3 based filter for IPv6, select INET6.
- Under Terms, click Add to add one or more terms with match condition(s) to the named filter. You need at least one term for this filter.
The Create Term window opens.
Note: The order of the terms within a Filter profile configuration is important. Packets are tested against each term in the order in which the terms are listed.
- Enter a name for the filter term.
- Specify the match condition(s) for the filter term as described in Table 4. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Table 4: Create Term Fields for Data Center Switching ELS
Field | Description
Source and Destination Parameters You can specify match conditions based on the packets’ origin (source) or the packets’ destination, or both. You are indicating the location of the filtering here—either specifying that packets that originate at a specific place (source) will be filtered or packets destined for a specific location (destination) will be filtered. You can have multiple sources and destinations for one filter.
Source Parameters and Destination Parameters
To add source and destination parameters to the named filter term:
Click Add to the right of the Destination Parameters lists.
The Add Source/Destination Parameter window opens.
Select either Source (default) or Destination from the Add Source/Destination Parameter window.
Select one of the following available Parameter Types from the Add Source/Destination Parameter page and provide the corresponding information:
IP Address—Provide the IP address of the source or destination device.
MAC Address—Provide a MAC address.
Port—Provide the port type of the source or destination port. Select either AFS (Andrew File System), BGP (Border Gateway Protocol), BIFF (UNIX mail notification), Bootpc (bootstrap protocol client), Bootps, Cmd, CVS pserver, DHCP, Domain, EK login, EK shell, EXEC, Finger protocol, FTP, FTP data, HTTP, HTTPS, Ident protocol, IMAP (Internet Message Access protocol), Kerberos-sec (Kerberos security), Klogin forwarding, Kpasswd command, KRB-prop (Kerberos database propagation), Krbupdate (Kerberos database update), Kshell (Kerberos rsh), LDAP, Login (UNIX rlogin), Mobilip-agent (Mobile IP agent), Mobilip-mn (Mobile IP MN), MSDP (Multicast Source Discovery Protocol), NetBIOS dgm, NetBIOS-ns (NetBIOS name service), NetBIOS-ssn (NetBIOS session service), NFSD, NNTP (Network News Transport Protocol), Ntalk, NTP (Network Time Protocol), POP3 (Post Office Protocol3), PPTP, Printer, RADacct (RADIUS accounting), RADIUS, RIP, RKINIT (Kerberos remote kinit), SMTP, SNMP trap, SNPP, SUNRPC, Syslog, TACACS, TACACS-ds, Talk (UNIX Talk), Telnet, TFTP, Timed (UNIX time daemon), Who (UNIX rwho), XDMCP (X Display Manager Control Protocol), Zephyr-clt (Zephyr serv-hm connection), Zephyr-hm (Zephyr hostmanager), Zephyr-srv (Zephyr server), or Other.
Note: If you selected Port as the parameter and do not find the type of port that you want to add in the Port list, select Other and enter a port number.
To select any other source/destination than the one indicated, enable Except.
Tip: You cannot indicate both matching and except for a parameter.
Click OK.
The parameter term is added to the appropriate list, either Source Parameters or Destination Parameters.
Protocols and EtherTypes Depending on the Filter Family you selected, you can sometimes apply a filter term based on either protocols being used by packets or on EtherTypes being used by packets. Recognized protocols are listed where applicable. Recognized EtherTypes, which indicate the protocol that is encapsulated in the payload of an Ethernet Frame, are also listed where applicable.
Protocols
(Applies to the Ethernet and INET filter families.) To add a protocol match condition to the named filter term:
Expand the Protocols and EtherTypes section.
Click Add under Protocols.
The Select Protocols window opens, displaying a list of protocols.
From the list of protocols, select one or more. The options are AH, DSTOPTS, EGP, ESP, Fragment, GRE, Hop-by-hop, ICMP, IPIP, IPv6, No-text-header, OSPF, PIM, Routing, RSVP, SCTP, TCP, UDP, and VRRP.
To make the filter exclude the specified protocol, select Except.
Note: The term conditions for protocol, EtherType, DSCP, precedence, ICMP code, and ICMP type must all be either match conditions or except conditions.
Click OK.
The protocols are added to the Protocols list.
EtherTypes
(Applies to the Ethernet filter family.) To add an EtherTypes match condition to the named filter term:
Expand the Protocols and EtherTypes section.
Click Add under EtherTypes.
The Select EtherTypes window opens, displaying a list of protocols.
From the list of EtherTypes, select one or more. The options are AARP, AppleTalk, ARP, FCoE, FIP, IPV4, MPLS multicast, MPLS unicast, OAM, PPP, PPPOE discovery, PPPOE session, and SNA.
To make the filter exclude the specified EtherType, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The EtherTypes are added to the EtherTypes list.
DSCP Settings Expand the DSCP section to see the DSCP match settings. DiffServ is a simple mechanism for classifying and managing network traffic and providing quality-of-service (QoS) on IP networks. DiffServ can, for example, be used to apply low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as Web traffic. Here, you can apply a filter term based on the Differentiated Services code point (DSCP) which is a field in IPv4 and IPv6 headers.
Note: With IPv6 packets, the DS field and ECN field replace the IPv4 TOS field.
DSCP
(Ethernet and INET filter families) To add a DSCP match condition to the named filter term:
Note: A DSCP IP match condition and a precedence match condition cannot both be specified for the same term.
Click Add in the DSCP section.
The Select DSCP Match Condition list appears.
Select one of the following DSCP types from the list:
AF11—Assured forwarding class 1, low drop precedence
AF12—Assured forwarding class 1, medium drop precedence
AF21—Assured forwarding class 2, low drop precedence
AF22—Assured forwarding class 2, medium drop precedence
AF23—Assured forwarding class 2, high drop precedence
AF31—Assured forwarding class 3, low drop precedence
AF32—Assured forwarding class 3, medium drop precedence
AF33—Assured forwarding class 3, high drop precedence
AF41—Assured forwarding class 4, low drop precedence
AF42—Assured forwarding class 4, medium drop precedence
AF43—Assured forwarding class 4, high drop precedence
BE—Best effort (default)
EF—Expedited forwarding
CS0—Class selector 0
CS1—Class selector 1
CS2—Class selector 2
CS3—Class selector 3
CS4—Class selector 4
CS5—Class selector 5
CS6—Class selector 6
CS7—Class selector 7
To make the filter exclude a specified DSCP type, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The DSCP code term for the named filter is added to the DSCP list.
Precedence for DSCP
(Ethernet and INET filter families) You can apply an IP precedence match condition to the named term. With IP precedence, a device prioritizes traffic by class first. Then it differentiates and prioritizes same-class traffic.
Note: The match conditions IP Precedence and DSCP cannot be simultaneously applied to a term.
To apply an IP precedence value match condition to the named term:
Click Add in the Precedence section.
The Select Precedence list appears.
Select one of the following precedence settings from the list: Routine (0 or lowest, also called Best Effort), Priority (1), Immediate (2), Flash (3, mainly used for voice signaling or for video), Flash-override (4), Critical-ECP (5, mainly used for voice RTP), Internet-control (6, used for IP routing protocols), or Net-control (7 or highest, used for link layer and routing protocol keepalives).
To make the filter exclude the specified IP precedence value, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The precedence match condition is added to the named term, and the condition is listed in the Precedence list.
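The DSCP and IP precedence conditions in both Create Term tables read the same header byte: DSCP is its upper six bits and IP precedence its upper three. The following added example (not Network Director code; the function names are hypothetical) decodes that byte and lists the DSCP codepoints that a single precedence value already covers.

```python
"""Decode the IPv4 TOS / IPv6 Traffic Class byte into DSCP, IP precedence and ECN."""


def dscp_name(dscp: int) -> str:
    """Name a 6-bit DSCP codepoint using the standard BE, CSn, AFxy and EF layout."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 0:
        return "BE (CS0)"
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"            # class selectors have the form xxx000
    af_class, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 1 == 0 and 1 <= af_class <= 4 and 1 <= drop <= 3:
        return f"AF{af_class}{drop}"       # assured forwarding: class, drop precedence
    return f"DSCP{dscp}"                   # codepoint without a standard name


def decode_ds_byte(value: int) -> dict:
    """Split the byte into its DSCP (upper 6 bits), precedence (upper 3) and ECN (lower 2)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("expected a single byte")
    dscp = value >> 2
    return {"dscp": dscp, "name": dscp_name(dscp),
            "precedence": value >> 5, "ecn": value & 0b11}


def dscp_covered_by_precedence(precedence: int) -> list:
    """All eight DSCP codepoints whose upper three bits equal the precedence value."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit value")
    return [dscp_name((precedence << 3) | low) for low in range(8)]


if __name__ == "__main__":
    for sample in (0xB8, 0x28, 0x4B):      # constructed sample bytes
        print(hex(sample), decode_ds_byte(sample))
    print("Critical-ECP (5) covers:", dscp_covered_by_precedence(5))
```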
TCP Settings Expand this section to access the TCP settings. The Transmission Control Protocol (TCP) is the most common core protocol of the Internet protocol suite (IP). TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to the Internet or an intranet. You can use the TCP initial flag for a match condition.
Enable TCP Initial
(All families) Select to use the TCP initial flag for an Ethernet, INET, or INET6 match condition.
Tip: If you use the TCP initial flag for filtering, you cannot use any other TCP flag.
TCP Flags
If you are not using the TCP initial flag for a match condition, you can select one of the TCP flags from the list for a match condition—RST, ACK, SYN, Urgent, Push, FIN, or None. These flags have the following meaning:
RST—Reset flag indicates that the TCP connection will be reset.
ACK—Third step in TCP three-way handshake for connection. In response to a server’s SYN-ACK, the client replies with an ACK.
SYN—First step in TCP three-way handshake for connection. The active open is performed by the client sending a SYN to the server.
Urgent—If the URG flag is set, then the 16-bit field is an offset from the sequence number indicating the last urgent data byte.
Push—The push flag requests that buffered data be sent to the receiving application now.
FIN—The final flag indicates that no more data will be sent.
ICMP Settings You can select the ICMP code value for the filter item’s match condition—expand this section to access the ICMP settings. The Internet Control Message Protocol (ICMP) is one of the core IP protocols used by operating systems of networked computers to send error messages. ICMP can also be used to relay query messages.
ICMP Code
To apply an ICMP code match condition to the named term:
Click Add in the ICMP Code section.
The Select ICMP Code window appears.
Select one or more ICMP codes from the list. These codes vary, depending on the Filter Family you selected.
To make the filter exclude the specified ICMP code, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The ICMP code match condition is added to the named term, and the condition is listed in the ICMP Code list.
Note: An ICMP code specifies more specific information than an ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify an ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated.
ICMP Type
Note: ICMP type specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port.
ICMP code specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify ICMP type along with ICMP code. The keywords are grouped by the ICMP type with which they are associated.
To apply an ICMP type match condition to the named term:
Click Add in the ICMP Type section.
The Select ICMP Types window appears.
Select one or more ICMP types from the list. These types vary, depending on the Filter Family selected.
To make the filter exclude the specified ICMP type, select Except.
Note: Term values must be either all match conditions or all except conditions.
Click OK.
The ICMP type match condition is added to the named term, and the condition is listed in the ICMP Type list.
Action Select the action that the system performs on an IP packet if all match conditions that you specified above are met. Possible actions are Discard and Accept. The default action is to discard packets that match the filter term conditions.
Action
Select either Discard or Accept to indicate what the filter term does with a packet when a match is made.
Note: All other fields in this section are enabled only if you select Accept as the action.
Counter Name
When the action selected is accept, specify the maximum packet count for this filter, term, or policer.
Loss Priority
When the action selected is accept, specify the packet loss priority, Low, High, Medium-low, Medium-high, or None.
Note: Forwarding class and loss priority must be specified together for the same term.
Policer
When you create a Filter profile with the action accept, you can specify a policer action for any term or terms within the filter. Policing, or rate limiting, enables you to limit the amount of traffic that passes into or out of an interface. All traffic that matches a term that contains a policer action goes through the policer that the term references.
You have two options with a policer. You can specify that an existing policer be used for the packet that matches the match condition. Or, you can create a new policer for the packet that matches the match condition.
To select an existing policer:
Click Select.
The Select Policer page appears.
Click OK.
The policer is added to the list of applied policers.
To create a new policer:
Click Create.
The Create Policer page appears.
Type a name for the policer—you can use this policer again in the future.
Select a policer type from the list, either a single-rate-two-color policer, or a three-color-policer. The type of policer that you select here affects the rest of the configurations available for the policer.
If you selected a three-color-policer, then also select a rate for it, either single-rate or two-rate.
Single-rate two-color—A two-color policer (sometimes called simply policer) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level.
Single-Rate Three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CBS (green), exceed the CBS but not the EBS (yellow), or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet size and not according to peak arrival rate.
Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and the peak information rate (PIR), along with their associated burst sizes, the CBS and the peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets are arriving at rates that are below the CIR (green), exceed the CIR but not the PIR (yellow), or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet size.
Note: The system displays and hides various fields in the Create Policer page depending on the type of policer that you want to create.
Configure these fields for a single-rate-two-color policer:
Bandwidth Limit—Specify the traffic rate in bits per second, 8000 through 50,000,000,000 bps.
Burst Size Limit—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1 through 2,147,450,880 bytes.
Action—The default action is Discard.
Loss Priority—Not available.
Configure these fields for a single-rate-three-color policer:
Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bps.
Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes.
Excess Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Color Mode—Select the way the preclassified packets are to be metered:
Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority.
Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority.
None—The preclassified packets are not metered.
Action—Options are Discard and None.
Loss Priority—Options are High and None.
Configure these fields for a three-color two-rate policer:
Committed Information Rate—Specify the guaranteed bandwidth (in bits per second) under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bps.
Committed Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green). The range is 1500 through 100,000,000,000 bytes.
Peak Burst Size—Specify the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red). The range is 1500 through 100,000,000,000 bytes.
Peak Information Rate—Specify the maximum achievable rate in bits per second. Packets that exceed the peak information rate (PIR) are marked with high packet loss priority (red). You can configure a discard action for packets that exceed the PIR. The range is 1500 through 100,000,000,000 bps.
Color Mode—Select the way the preclassified packets are to be metered:
Color-aware—The local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority.
Color-blind—The local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority.
None—The preclassified packets are not metered.
Action—Options are Discard and None.
Loss Priority—Options are High and None.
Click OK.
The policer is added to the list of applied policers and the list of available policers.
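The two-rate three-color metering and the Color Mode options described above, as an added Python example of the RFC 2698 token-bucket algorithm (not Junos or Network Director code). The class and function names, the rate and burst values, and the packet sequences are constructed for illustration; rates are entered in bits per second as on the page and converted to bytes per second for the buckets.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"

class TwoRateThreeColorMeter:
    """RFC 2698 meter: bucket C fills at CIR up to CBS, bucket P at PIR up to PBS."""

    def __init__(self, cir_bps, cbs, pir_bps, pbs, color_aware=False):
        self.cir = cir_bps / 8.0   # page fields are bits/s; buckets count bytes
        self.pir = pir_bps / 8.0
        self.cbs, self.pbs = cbs, pbs
        self.tc, self.tp = float(cbs), float(pbs)   # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def meter(self, now, size, precolor=GREEN):
        # Refill both buckets for the elapsed time, capped at the burst sizes.
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        # Color-blind mode ignores any marking applied upstream.
        pre = precolor if self.color_aware else GREEN
        if pre == RED or self.tp < size:
            return RED                      # exceeds PIR/PBS: no tokens consumed
        self.tp -= size
        if pre == YELLOW or self.tc < size:
            return YELLOW                   # within peak, above committed
        self.tc -= size
        return GREEN

def run(meter, packets):
    """packets: iterable of (arrival_seconds, size_bytes, precolor)."""
    return [meter.meter(t, size, pre) for t, size, pre in packets]

# Constructed input: eight 500-byte packets at t=0, one more after 1 s.
BURST = [(0.0, 500, GREEN)] * 8 + [(1.0, 500, GREEN)]
# Constructed input: packets already marked by an upstream device.
PREMARKED = [(0.0, 500, YELLOW), (0.0, 500, RED), (0.0, 500, GREEN)]

def new_meter(color_aware=False):
    # CIR 8000 bps, CBS 1500 bytes, PIR 16000 bps, PBS 3000 bytes (constructed values)
    return TwoRateThreeColorMeter(8000, 1500, 16000, 3000, color_aware)

if __name__ == "__main__":
    print("burst, color-blind:     ", run(new_meter(), BURST))
    print("premarked, color-blind: ", run(new_meter(False), PREMARKED))
    print("premarked, color-aware: ", run(new_meter(True), PREMARKED))
```

The premarked sequence shows the difference between the modes: the color-aware meter keeps the upstream yellow and red markings, while the color-blind meter re-meters all three packets from scratch.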
Forwarding Class
Specify the forwarding class (or output queue) that is to be used for the packet that matches the match condition. You can either select from a list of available forwarding classes or create a new forwarding class.
To select a forwarding class from an existing list of classes, click Select. The Select Forwarding Class page appears. Select the forwarding class that you want to use for the packet and click OK. The system displays the selected forwarding class in the Forwarding Class field in the Create Term page.
To create a new forwarding class:
Click Create.
The Create Forwarding Class page appears.
Type a name for the forwarding class—you can use this forwarding class again in the future.
Select a queue number from the list, and then click OK.
The system creates a new forwarding class and displays it in the Forwarding Class field in the Create Term page.
- Click OK to save the term and return to the Create Filter Profile page.
- Click Done.
The new filter is added to the Manage Filter Profile list.
What to Do Next
After you create a Filter profile, you can do one of the following:
Link the Filter profile as ingress and egress filters to a Port profile. For more information, see Creating and Managing Port Profiles.
Link the Filter profile as ingress and egress filters to a VLAN profile. For more information, see Creating and Managing VLAN Profiles. You can then assign the VLAN profile to a device or port in the case of switching devices.