Flexible Filter Templates
Flexible filter templates maximize the number of map rules, optimize filter resources, and enhance the scalability and flexibility of flow mapping. Flexible filter templates are supported on GigaVUE‑HC1, GigaVUE-HC2 CCv2, GigaVUE-HC3, GigaVUE-TA100, and GigaVUE-TA200.
Refer to Manage Map Rule Resources for template groups on other GigaVUE nodes.
Flexible filter templates increase the number of map rules and also eliminate current restrictions on map rule combinations, such as ipv6+MAC or ipv6+UDA.
Refer to the section Flow Mapping® FAQ for the number of map rules supported.
Flow mapping uses filter templates to determine the traffic to filter based on qualifiers specified in the template. A filter template has a specific set of qualifiers that apply to map rules. You can control the template that you apply to a specific slot on GigaVUE-HC3 or a specific pseudo-slot on GigaVUE-TA100 or GigaVUE-TA200. For GigaVUE‑HC1 and GigaVUE-HC2 CCv2, you can apply the filter template only at the control card level, and it is applied across all the line cards.
Flexible filter templates offer five default templates. Custom templates can also be created that have a qualifier set selected from the list of available qualifiers.
Refer to the following sections for details:
• Filter Template Qualifiers and Defaults
• Custom Filter Template Configuration
• Filter Template Limits
• Filter Template Rules and Recommendations
• Filter Template Best Practices
• Filter Templates in a Cluster
• Filter Templates Formulas
Filter Template Qualifiers and Defaults
Refer to the rows in Map Rule Criteria for Default Templates for the list of qualifiers for filter templates. Refer to the columns in Table 1: Map Rule Criteria for Default Templates for the default templates and the qualifiers that are predefined for the defaults.
NOTES:
• The default templates cannot be deleted.
• The ipver qualifier is implicitly included in all default and custom templates.
Custom Filter Template Configuration
To configure filter templates:
1. Access the GigaVUE node using a Web browser and log in with administrator user credentials.
2. Select Maps > Filter Templates.
3. To add a custom template, click New.
4. Specify an alias, an optional comment, then select qualifiers. Click OK.
5. To apply a custom template to a slot or pseudo-slot, select it and click Apply.
Note: For GigaVUE‑HC1 and GigaVUE-HC2 CCv2, you can apply a filter template only at the control card level, and it is applied across all the line cards.
6. Select the slot or pseudo-slot and click OK.
The Filter Templates page displays the applied slot or pseudo-slot. You can edit an existing custom filter or delete it. A template can be deleted if it is not currently in use, meaning that it has not been applied.
7. To display filter templates, click on a row in the Filter Templates page.
Filter Template Limits
The number of qualifiers in a template limits the total number of rules that can be defined. The maximum rule limit on the GigaVUE-HC3, GigaVUE-TA100, or GigaVUE-TA200 is 1K (1024) per slot or pseudo-slot when using the default templates.
Custom templates allow the creation of templates with only those qualifiers needed for the rules that you plan to use in flow maps. The qualifiers specified in a flexible template can increase or decrease the maximum rule limit, depending on the qualifiers selected. With flexible filter templates, it is possible to reach a maximum limit of 6K rules per slot on the GigaVUE-HC3 node and 6K rules per pseudo-slot, or 24K total rules, on the GigaVUE-TA100 or GigaVUE-TA200 node.
Flexible Filter Templates displays a Limit.
How to Understand Map Filter Resources
Starting in software version 5.0, when a filter template is applied, filter resources display the total number of map rules used in a map as well as the limit. If the limit is 1024, 1023 is displayed, even though the actual limit is 1022, or two less than the limit. This discrepancy is due to extra resources needed for internal usage.
Filter Template Rules and Recommendations
When creating flexible filter templates, keep the following rules and recommendations in mind:
- Filters are applied to a specific slot or pseudo-slot, not to the node.
- By default, all slots will be in the pre-defined ipv4 template.
- There is a limit of 512 custom templates.
- Custom templates can have duplicate sets of qualifiers.
- The filter limit is calculated when the template is created. In most cases, a higher-cost qualifier set (for example, one containing IPv6, UDA, or MAC qualifiers) consumes more resources and leads to a lower filter limit.
- Flexible filter templates have no effect on existing flow mapping behavior, including pass versus drop map rules, map priority, network port sharing, GigaSMART operations, or first level and second level maps.
- When deploying a Resilient Inline Arrangements (RIA) map in IPv6, specifying MAC source address, MAC destination address and Ether type as qualifiers will not be accepted.
- When configuring filter templates, certain combinations of qualifiers are not supported on some of the platforms even though the total bits consumed by the qualifiers is less than (480-54) bits. This is due to the limitations in the hardware. For example, a flexible filter template configured with qualifiers 'ipsrc ipdst portsrc portdst uda1 uda2' is supported on GigaVUE-HC3 but not on GigaVUE-HC2 CCv2 card.
Note: To verify if a flexible filter template is supported on a specific platform and the number of rules supported, you must create the template with the desired qualifiers and execute the show filter-template limit command. If the number of rules is N/A, then it indicates that this combination of qualifiers is not supported on the corresponding platform.
Filter Template Best Practices
The following are best practices for optimizing filter resources using filter templates.
First determine all the needed qualifiers, then create a template, apply the template, and configure the map rules.
• Connect network ports of a slot to flows of the same application. For example, if you have two flows:
    • one is filtered on macsrc and macdst
    • the second one is filtered on ipdst and ipsrc
• In case both flows connect to ports on the same slot, that slot will have to have a template of macsrc, macdst, ipsrc, and ipdst, with a limit of 1024 rules.
• However, filter resources can be optimized by connecting these two flows to ports on different slots with one template for macsrc and macdst and the other template for ipsrc and ipdst. Both templates will have a limit of 3072 rules.
The following are best practices for adding more rules if a limit has been reached:
• Create a new template with all the qualifiers that are in use on a specified slot.
• Issue the show filter-resource slot command to obtain the list of qualifiers in use.
• Issue the filter-template alias <alias> qualifiers add command with that list of qualifiers.
• Issue the show filter-template limit command to check if the new template allows a higher limit. If it does, apply the filter using the card slot <slot ID> filter-template command.
Filter Templates in a Cluster
Filter template configuration is synchronized across the cluster. However, a cluster can have different GigaVUE nodes, so one set of qualifiers may or may not be valid on all nodes.
Filter Templates Formulas
The formulas in this section can help you determine the number of map rules that are supported, based on the qualifiers specified in the filter template. Use the formulas as guidelines.
The number of map rules depends on the number of qualifiers a template can support. The total cost of qualifiers for a map rule must not exceed 10.
The cost of each qualifier depends on the number of bits it consumes. The following table lists the number of bits each qualifier consumes and the cost for each qualifier.
Qualifier | Bits | Cost
dscp | 6 | 1
ethertype | 16 | 1
ip6src | 128 | 4
ip6dst | 128 | 4
ip4src | 32 | 1
ip4dst | 32 | 1
macdst | 48 | 2
macsrc | 48 | 2
macsrc and macdst | 96 | 3
portsrc | 16 | 1
portdst | 16 | 1
protocol | 8 | 1
tos | 8 | 1
ttl | 8 | 1
vlan | 16 | 1
vxlan | 48 | 1
l2gre | 24 | 1
uda1 | 128 | 4
uda2 | 128 | 4
inner-vlan | 16 | 1
qset1* | 58* | *
* qset1 is made up of the following: tos: 8, ipfrag: 2, tcpctl: 8, ttl: 8, ip6fl: 32. The cost depends on the combination of the qualifiers used.
The qualifier cost is the cost of all qualifiers + 54 bits.
• If the cost is less than or equal to 80 bits, 6K rules/slot are supported.
• If the cost is greater than 80 bits but less than 160 bits, 3K rules/slot are supported.
• If the cost is greater than or equal to 160 bits, 1K rules/slot are supported.
Examples:
• For the ip6src and vlan qualifiers: ip6src is 128 bits, vlan is 16 bits, so the total is 128+16+54 bits, which is a cost greater than 160 bits, so 1K rules per slot are supported.
• For the portdst qualifier only: portdst is 16 bits, so the total is 16+54 bits, which is a cost less than 80 bits, so 6K rules per slot are supported.
The maximum cost supported is 480 bits/template.
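The formulas above can be applied to a planned qualifier set before a template is created. The following Python sketch is an added example, not Gigamon code: it sums the bits from the table, adds the 54-bit overhead, and returns the rules-per-slot tier. The function name estimate and the mapping of ipsrc/ipdst to the table's ip4src/ip4dst rows are assumptions, and qset1 is left out because its cost depends on the combination used.

```python
# Bits and cost per qualifier, copied from the table on this page.
# qset1 is left out because its cost depends on the combination used.
QUALIFIERS = {
    "dscp": (6, 1), "ethertype": (16, 1), "ip6src": (128, 4),
    "ip6dst": (128, 4), "ip4src": (32, 1), "ip4dst": (32, 1),
    "macdst": (48, 2), "macsrc": (48, 2), "portsrc": (16, 1),
    "portdst": (16, 1), "protocol": (8, 1), "tos": (8, 1),
    "ttl": (8, 1), "vlan": (16, 1), "vxlan": (48, 1), "l2gre": (24, 1),
    "uda1": (128, 4), "uda2": (128, 4), "inner-vlan": (16, 1),
}
# Assumption: ipsrc/ipdst in the page's examples mean the IPv4 qualifiers.
ALIASES = {"ipsrc": "ip4src", "ipdst": "ip4dst"}
OVERHEAD_BITS = 54   # added to the qualifier bits by the formula
MAX_BITS = 480       # maximum per template


def estimate(qualifiers):
    """Return total bits, summed cost and the rules-per-slot tier (or None)."""
    names = {ALIASES.get(q, q) for q in qualifiers}
    unknown = names.difference(QUALIFIERS)
    if unknown:
        raise ValueError(f"not in the table: {sorted(unknown)}")
    bits = sum(QUALIFIERS[q][0] for q in names) + OVERHEAD_BITS
    cost = sum(QUALIFIERS[q][1] for q in names)
    if {"macsrc", "macdst"} <= names:
        cost -= 1  # the table lists the pair at cost 3, not 2 + 2
    if bits > MAX_BITS:
        tier = None          # exceeds 480 bits per template
    elif bits <= 80:
        tier = "6K"
    elif bits < 160:
        tier = "3K"
    else:
        tier = "1K"
    return {"bits": bits, "cost": cost, "rules_per_slot": tier}


if __name__ == "__main__":
    for qset in (["portdst"], ["ip6src", "vlan"], ["macsrc", "macdst"],
                 ["ipsrc", "ipdst"], ["macsrc", "macdst", "ipsrc", "ipdst"],
                 ["ipsrc", "ipdst", "portsrc", "portdst", "uda1", "uda2"]):
        print(" ".join(qset), "->", estimate(qset))
```

The result is a guideline only. The last set in the loop fits within 480 bits, yet the page states it is not supported on GigaVUE-HC2 CCv2, so confirm any template with show filter-template limit and treat N/A as unsupported.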