map rule

The map rule command has the following syntax:

rule add <drop | pass>
   bidir    comment <comment>
   dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef>
   ethertype <2-byte-hex>
   inner-vlan <vlan | vlan1..vlan2> innervlan-subset <even | odd>
   ip6dst <IPv6 address> <IPv6 netmask>
   ip6fl <3-byte-hex>
   ip6src <IPv6 address> <IPv6 netmask>
   ipdst <IP address> <netmask>
   ipfrag <no-frag | all-frag | all-frag-no-first | first-frag | first-or-no-frag>
   ipsrc <IP address> <netmask>
   ipver <4 | 6>
   macdst <MAC address> <MAC netmask>
   macsrc <MAC address> <MAC netmask>

rewrite-dstmac <value> rewrite-srcmac <value>

portdst <0-65535 | x..y> portdst-subset <even | odd>
   portsrc <0-65535 | x..y> portsrc-subset <even | odd>
   protocol <ipv6-hop | icmp-ipv4 | igmp | ipv4ov4 | tcp | udp | ipv6 | rsvp | gre | icmp-ipv6> <1- byte-hex>
   tcpctl <1-byte-hex> tcpctlmask <1-byte-hex>
   tosval <1-byte-hex>
   ttl <ttl | ttl1..ttl2>
   uda1-data <16-byte-hex> uda1-mask <16-byte-hex> uda1-offset <2-110 bytes>
   uda2-data <16-byte-hex> uda2-mask <16-byte-hex> uda2-offset <2-110 bytes>
   vlan <vlan | vlan1..vlan2> vlan-subset <even | odd>

The following table describes the arguments for the map rule command:

Argument

Description

<drop | pass>

Adds a map drop rule or a map pass rule.

bidir

Mirrors source and destination rules on Layer 2-Layer 3 address and port number.

The bidir argument automatically creates a second map rule mirroring source arguments to destination (and vice-versa). For example, consider the following map rule:

(config) # map alias map1 rule add pass ipdst 192.168.1.50 255.255.255.0 ipsrc 192.168.1.25 255.255.255.0 bidir

Because the bidir argument is included, the system automatically creates a second map rule mirroring all source/destination criteria:

rule add pass ipsrc 192.168.1.50 255.255.255.0 ipdst 192.168.1.25 255.255.255.0

Note:  The second map rule is not displayed in the output of the show map command, however, it consumes map rule resources.

You can also include the bidir argument with an IP source and port source as follows:

(config) # map alias map2 rule add pass ipsrc 192.168.1.22 /32 portsrc 23 bidir

The bidir argument causes the following rule to be added automatically:

rule add pass ipdst 192.168.1.22 /32 portdst 23

You can also include the bidir argument with just a single IP address to specify that you want to see traffic both in and out of a particular address. For example, this rule specifies that we want all traffic to and from 192.168.1.75:

(config) # map alias map3 rule add pass ipsrc 192.168.1.75 /32 bidir

The bidir argument causes the following rule to be added automatically:

rule add pass ipdst 192.168.1.75 /32

You can also include the bidir argument with an IP source and destination and a port source and destination as follows:

(config) # map alias map4 rule add pass ipsrc 192.168.1.33 /32 ipdst 192.168.1.44 /32 portsrc 23 portdst 63 bidir

The bidir argument causes the following rule to be added automatically:

rule add pass ipdst 192.168.1.33 /32 ipsrc 192.168.1.44 /32 portdst 23 portsrc 63

Note:  If the bidir argument is added to a rule that does not support bidirectional filters, the bidir argument will not appear in the output of the show running-config command and there will not be any error message displayed. For example, the TCP protocol rule does not support bidirectional filters and the bidir argument does not appear in the output of the show running-config command for this rule.

comment <comment>

Adds comments to map rules. Comments can be up to 128 characters, including special characters. Comments longer than one word must be enclosed in double quotation marks.

For example:

(config) # map alias m1 rule add drop ipver 6 comment “Drop IPv6”

dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef>

Creates a map rule pattern for a particular decimal DSCP value. You can select any value within the four Assured Forwarding (af) class ranges or ef for Expedited Forwarding (the highest priority in the DSCP model).

The valid DSCP values by Assured Forwarding Class are as follows:

Class 1—11, 12, 13
Class 2—21, 22, 23
Class 3—31, 32, 33
Class 4—41, 42, 43
Expedited Forwarding—ef

For example, the following map rule passes all traffic with expedited forwarding assigned:

(config map alias mymap) # map alias m1 rule add pass dscp ef

ethertype <2-byte-hex>

Creates a rule pattern for the ethertype value in a packet. For example, the following rule matches all traffic with an IPv6 ethertype (0x86DD):

(config map alias mymap) # rule add pass ethertype 0x86DD

Note:  To create rules matching VLANs use the predefined VLAN map rule element type instead of the following TPID ethertypes:

o 0x8100
o 0x88A8
o 0x9100

For details, refer to the “Handling of Q-in-Q Packets in Map Rules” section in the GigaVUE Fabric Management Guide.

Note:  The CLI accepts hexadecimal entries either with or without the leading 0x.

inner-vlan <vlan | vlan1..vlan2>    innervlan-subset <even | odd>

Creates a rule for an inner VLAN ID or range of inner VLAN IDs, as follows:

inner-vlan—Specifies the VLAN ID value as a number between 1 and 4094 or VLAN ID range as <vlan1..vlan2>.
innervlan-subset—Specifies a subset of VLAN IDs to match, either even or odd VLAN IDs.

Double tagged packets have both an inner and an outer VLAN tag. The outer tag is detected when the ethertype is 0x8100, 0x88A8, or 0x9100. The inner tag is detected only when the ethertype is 0x8100.

Examples:

(config map alias mymap) # rule add pass inner-vlan 100 innervlan-subset even

(config) # map alias map1 rule add pass inner-vlan 100..200

ip6src <IPv6 address> <IPv6 netmask>

ip6dst <IPv6 address> <IPv6 netmask>

Creates a rule for either a source or destination IPv6 address or netmask. Enter IPv6 addresses as eight 16-bit hexadecimal blocks separated by colons. For example:

2001:0db8:3c4d:0015:0000:0000:abcd:ef12

Use netmask to match traffic from a range of IP addresses. You can enter netmasks either in 16-bit hexadecimal blocks separated by colons or in the bit count format (refer to “Using Bit Count Netmasks” section in the GigaVUE Fabric Management Guide).

Note that netmasks used in IP map rules do not need to begin from the start of the address, nor do masked bits need to be contiguous. For example, the GigaVUE H Series node will accept a netmask where the masked bits start in the third octet, as follows—0.0.255.255.

For example:

(config map alias mymap) # rule add pass ip6src FE80:0:0:0:202:B3FF:FE1E:8329 /64

(config map alias mymap) # rule add pass ip6dst FE80:0000:0000:0000:0202:B3FF:FE1E:8329 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Note:   When creating a by-rule map with IP filters through GigaVUE‑OS CLI, an invalid netmask is accepted without error. For example:

HC2-3-R6 (config) # map alias m2HC2-3-R6 (config map alias m2) # from 1/1/g3

HC2-3-R6 (config map alias m2) # rule add pass ipsrc 1.1.1.1 0.0.3.0

HC2-3-R6 (config map alias m2) # exit

HC2-3-R6 (config) #

An error should appear in this case, but it does not. This issue only occurs in GigaVUE‑OS-CLI. In GigaVUE H-VUE, an error is shown.

ip6fl <3-byte-hex>

Creates a rule for the 20-bit Flow Label field in an IPv6 packet. Packets with the same Flow Label, source address, and destination address are classified as belonging to the same flow. IPv6 networks can implement flow-based QoS using this approach.

Specify the flow label as a 3-byte hexadecimal pattern. Note, however, that only the last 20 bits are used—the first four bits must be zeroes (specified as a single hexadecimal zero in the CLI). For example, to match all packets without flow labels, use the following map rule:

(config map alias mymap) # rule add pass ip6fl 0x000000

Alternatively, to match the flow label of 0x12345, use the following:

(config map alias mymap) # rule add pass ip6fl 0x12345

Note:  The CLI accepts hexadecimal entries either with or without the leading 0x.

ipfrag    no-frag   all-frag   all-frag-no-first   first-frag   first-or-no-frag

Creates a map rule for different types of IPv4 and IPv6 fragments as follows:

no-frag—Matches unfragmented packets.
all-frag—Matches any fragment.
all-frag-no-first—Matches all fragments except the first fragment in a packet.
first-frag—Matches the first fragment of a packet.
first-or-no-frag—Matches unfragmented packets or the first fragment of a packet.

For example, (config map alias mymap) # rule ipfrag first-frag creates a rule that matches the first fragment in a packet.

ipdst <IP address> <netmask>

ipsrc <IP address> <netmask>

Creates a rule for either a source or destination IPv4 address or netmask.

Use netmask to match traffic from a range of IP addresses. You can enter netmasks using either dotted-quad notation (<xxx.xxx.xxx.xxx>) or in the bit count format (refer to Using Bit Count Netmasks on page 90).

Note that netmasks used in IP rules do not need to begin from the start of the address, nor do masked bits need to be contiguous. For example, the GigaVUE H Series node will accept a netmask where the masked bits start in the third octet, 0.0.255.255.

For example:

(config map alias mymap) # rule add pass ipsrc 1.1.1.1 /32

(config map alias mymap) # rule add pass ipdst 2.2.2.2 255.255.255.248

ipver <4 | 6>

Specifies the IP version for a map rule that matches either IPv4 or IPv6 traffic.

Note:  The ipver argument is implicitly set to 4. If you configure a rule without ipver specified, the GigaVUE H Series node assumes that the IP version is 4.

You can also set ipver to 6 and use it together with other arguments to change their meaning. Refer to the “IPv4/IPv6 and Map Rules” section in the GigaVUE Fabric Management Guide for more information on ipver.

For example:

(config map alias mymap) # rule add pass ipver 4

macdst <MAC address> <MAC netmask>

macsrc <MAC address> <MAC netmask>

Creates a rule for either a source or destination MAC address as follows:

Enter MAC addresses in 01:23:45:67:89:AB format with colons between bytes.
Supply a MAC netmask to create a range of MAC addresses that will satisfy the map rule pattern. Enter netmasks in ffff.ffff.ffff format.

For example:

(config map alias mymap) # rule add drop macsrc 00:00:00:00:00:03 ffff.ffff.fffe

Refer to How to Use MAC Address/Mask Map Rules for examples of how to use MAC address masks.

portdst <0-65535 | x..y>   portdst-subset <even | odd>

 

portsrc <0-65535 | x..y>   portsrc-subset <even | odd>

Creates a rule for a source or destination application port. You can specify the following:

A range of ports. For example, to match all source ports from 5000 to 5100, use the following:

(config map alias mymap) # rule add pass portsrc 5000..5100

Either odd or even port numbers using the portdst-subset and portsrc-subset arguments. These arguments are useful when setting up rules for VoIP traffic. Most VoIP implementations send RTP traffic on even port numbers and RTCP traffic on odd port numbers.

Following are some examples:

To match all odd source ports between 5000 and 5100, use the following:

(config map alias mymap) # rule add pass portdst 5000..5100 portdst-subset odd

To match only the TCP/UDP traffic with the specific destination port, use the following:

(config map alias mymap)# rule add pass protocol tcp portdst 3000

(config map alias mymap)# rule add pass protocol udp portdst 3000

To match only the TCP/UDP traffic with the specific source port, use the following:

(config map alias mymap)# rule add pass protocol tcp portsrc 3000

(config map alias mymap)# rule add pass protocol udp portsrc 3000

Note:  For non-TCP/UDP packets, the portsrc matches the first and second bytes after the L3 header. Whereas, the portdst matches the third and fourth bytes after the L3 header.

protocol

Protocol number 0

Protocol number 1

Protocol number 2

Protocol number 4

Protocol number 6

Protocol number 17

Protocol number 41

Protocol number 46

Protocol number 47

Protocol number 58

Custom hex entry

Creates a map rule for a particular protocol. For example, to create a map rule that excludes all GRE traffic, use the following

(config map alias gre-map) # rule add drop protocol gre

Protocol Map Rules and IPv6

The predefined protocol map-rules available for IPv4 (GRE, RSVP, and so on) are not allowed when ipver is set to 6. This is because with the next header approach used by IPv6, the next layer of protocol data is not always at a fixed offset as it is in IPv4.

To address this, the GigaVUE H Series node provides the <1-byte-hex> option to match against the standard hex values for these protocols in the Next Header field. The standard 1-byte-hex values for both IPv4 and IPv6 are as follows:

0x00: Hop-By-Hop Option (v6 only)

0x01: ICMP (v4 only)

0x02: IGMP

0x04: IP over IP

0x06: TCP

0x11: UDP

0x29: IPv6 over IPv4

0x2b: Routing Option (v6 only)

0x2c: Fragment (v6 only)

0x2E: RSVP (v4 only)

0x2F: GRE (v4 only)

0x32: Encapsulation Security Payload (ESP) Header

0x33: Authentication (v6 only)

0x3a: ICMP (v6 only)

0x3b: No Next Header (v6 only)

0x3c: Destination Option (v6 only)

tcpctl <1-byte-hex>   tcpctlmask <1-byte-hex>

Creates a one-byte pattern match map rule for the standard TCP control bits (URG, SYN, FIN, ACK, and so on). Use the tcpctlmask argument to specify which bits should be considered when matching packets.

Refer to the Set Map Rules for TCP Control Bits” section in the GigaVUE Fabric Management Guide for a list of the hexadecimal patterns for each of the eight TCP flags, along with some examples.

Note:  Map rules using the tcpctl argument must also include the protocol argument set to 6 (TCP).

For example:

(config map alias mymap) # rule add pass protocol 6 tcpctl 0x02

tosval <1-byte-hex>

Creates a rule for the Type of Service (TOS) value in an IPv4 header. The TOS value is how some legacy IPv4 equipment implements quality of service traffic engineering. The standard values are:

Minimize-Delay: Hex 0x10 or 10
Maximize-Throughput: Hex 0x08 or 08
Maximize-Reliability: Hex 0x04 or 04
Minimize-Cost: Hex 0x02 or 02
Normal-Service: Hex 0000 or 00

Note:  Most network equipment now uses DSCP to interpret the TOS byte instead of the IP precedence and TOS value fields.

For example:

(config map alias mymap) # rule add pass tosval 0000

ttl <ttl | ttl1..ttl2>

Creates a rule for the Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet, as a number between 0 and 255 as follows:

If there is no ipver argument included in the map rule (or if it is set to 4), the GigaVUE H Series node matches the value against the TTL field in IPv4 packets.
If ipver is set to 6 in the map rule, the GigaVUE H Series node matches the value against the Hop Limit field in IPv6 packets.

The TTL and Hop Limit fields perform the same function, specifying the maximum number of hops a packet can cross before it reaches its destination.

For example:

(config map alias mymap) # rule add pass ttl 0

uda1-data <16-byte-hex>   uda1-mask <16-byte-hex>   uda1-offset <2-110 bytes>

uda2-data <16-byte-hex>]   uda2-mask <16-byte-hex>   uda2-offset <2-110 bytes>

Creates up to two user-defined, 16-byte pattern matches in a rule. A pattern is a particular sequence of bits at a specified offset from the start of a frame.

User-defined pattern matches consists of the following:

A pattern (udax-data). The pattern specifies on what to search.
A mask (udax-mask). The mask specifies the bits in the pattern that must match to satisfy the map rule.
An offset (udax-offset). The offset specifies where in the packet the bits must match.

A single rule can contain up to two user-defined pattern matches.

Note:  Always use the predefined map rule elements instead of user-defined pattern matches when possible.

Refer to the “Working with User-Defined Pattern Match Rules” section in the GigaVUE Fabric Management Guide for details.

vlan <vlan | vlan1..vlan2>   vlan-subset <even | odd>

Creates a rule for a VLAN ID or range of VLAN IDs for an outer VLAN tag. You can also use the optional vlan-subset argument to match even or odd VLAN IDs.

For example, to match all even VLAN IDs between 200 and 300, use the following:

(config map alias mymap) # rule add pass vlan 200..300 vlan-subset even