map rule
The map rule command has the following syntax:
rule add <drop | pass>
bidir comment <comment>
dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef>
ethertype <2-byte-hex>
inner-vlan <vlan | vlan1..vlan2> innervlan-subset <even | odd>
ip6dst <IPv6 address> <IPv6 netmask>
ip6fl <3-byte-hex>
ip6src <IPv6 address> <IPv6 netmask>
ipdst <IP address> <netmask>
ipfrag <no-frag | all-frag | all-frag-no-first | first-frag | first-or-no-frag>
ipsrc <IP address> <netmask>
ipver <4 | 6>
macdst <MAC address> <MAC netmask>
macsrc <MAC address> <MAC netmask>
rewrite-dstmac <value> rewrite-srcmac <value>
portdst <0-65535 | x..y> portdst-subset <even | odd>
portsrc <0-65535 | x..y> portsrc-subset <even | odd>
protocol <ipv6-hop | icmp-ipv4 | igmp | ipv4ov4 | tcp | udp | ipv6 | rsvp | gre | icmp-ipv6> <1- byte-hex>
tcpctl <1-byte-hex> tcpctlmask <1-byte-hex>
tosval <1-byte-hex>
ttl <ttl | ttl1..ttl2>
uda1-data <16-byte-hex> uda1-mask <16-byte-hex> uda1-offset <2-110 bytes>
uda2-data <16-byte-hex> uda2-mask <16-byte-hex> uda2-offset <2-110 bytes>
vlan <vlan | vlan1..vlan2> vlan-subset <even | odd>
The following table describes the arguments for the map rule command:
Argument |
Description |
|||||||||||||||
<drop | pass> |
Adds a map drop rule or a map pass rule. |
|||||||||||||||
bidir |
Mirrors source and destination rules on Layer 2-Layer 3 address and port number. The bidir argument automatically creates a second map rule mirroring source arguments to destination (and vice-versa). For example, consider the following map rule: (config) # map alias map1 rule add pass ipdst 192.168.1.50 255.255.255.0 ipsrc 192.168.1.25 255.255.255.0 bidir Because the bidir argument is included, the system automatically creates a second map rule mirroring all source/destination criteria: rule add pass ipsrc 192.168.1.50 255.255.255.0 ipdst 192.168.1.25 255.255.255.0 Note: The second map rule is not displayed in the output of the show map command, however, it consumes map rule resources. You can also include the bidir argument with an IP source and port source as follows: (config) # map alias map2 rule add pass ipsrc 192.168.1.22 /32 portsrc 23 bidir The bidir argument causes the following rule to be added automatically: rule add pass ipdst 192.168.1.22 /32 portdst 23 You can also include the bidir argument with just a single IP address to specify that you want to see traffic both in and out of a particular address. For example, this rule specifies that we want all traffic to and from 192.168.1.75: (config) # map alias map3 rule add pass ipsrc 192.168.1.75 /32 bidir The bidir argument causes the following rule to be added automatically: rule add pass ipdst 192.168.1.75 /32 You can also include the bidir argument with an IP source and destination and a port source and destination as follows: (config) # map alias map4 rule add pass ipsrc 192.168.1.33 /32 ipdst 192.168.1.44 /32 portsrc 23 portdst 63 bidir The bidir argument causes the following rule to be added automatically: rule add pass ipdst 192.168.1.33 /32 ipsrc 192.168.1.44 /32 portdst 23 portsrc 63 Note: If the bidir argument is added to a rule that does not support bidirectional filters, the bidir argument will not appear in the output of the show running-config command and there will not be any error message displayed. For example, the TCP protocol rule does not support bidirectional filters and the bidir argument does not appear in the output of the show running-config command for this rule. |
|||||||||||||||
comment <comment> |
Adds comments to map rules. Comments can be up to 128 characters, including special characters. Comments longer than one word must be enclosed in double quotation marks. For example: (config) # map alias m1 rule add drop ipver 6 comment “Drop IPv6” |
|||||||||||||||
dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef> |
Creates a map rule pattern for a particular decimal DSCP value. You can select any value within the four Assured Forwarding (af) class ranges or ef for Expedited Forwarding (the highest priority in the DSCP model). The valid DSCP values by Assured Forwarding Class are as follows:
For example, the following map rule passes all traffic with expedited forwarding assigned: (config map alias mymap) # map alias m1 rule add pass dscp ef |
|||||||||||||||
ethertype <2-byte-hex> |
Creates a rule pattern for the ethertype value in a packet. For example, the following rule matches all traffic with an IPv6 ethertype (0x86DD): (config map alias mymap) # rule add pass ethertype 0x86DD Note: To create rules matching VLANs use the predefined VLAN map rule element type instead of the following TPID ethertypes:
For details, refer to the “Handling of Q-in-Q Packets in Map Rules” section in the GigaVUE Fabric Management Guide. Note: The CLI accepts hexadecimal entries either with or without the leading 0x. |
|||||||||||||||
inner-vlan <vlan | vlan1..vlan2> innervlan-subset <even | odd> |
Creates a rule for an inner VLAN ID or range of inner VLAN IDs, as follows:
Double tagged packets have both an inner and an outer VLAN tag. The outer tag is detected when the ethertype is 0x8100, 0x88A8, or 0x9100. The inner tag is detected only when the ethertype is 0x8100. Examples: (config map alias mymap) # rule add pass inner-vlan 100 innervlan-subset even (config) # map alias map1 rule add pass inner-vlan 100..200 |
|||||||||||||||
ip6src <IPv6 address> <IPv6 netmask> ip6dst <IPv6 address> <IPv6 netmask> |
Creates a rule for either a source or destination IPv6 address or netmask. Enter IPv6 addresses as eight 16-bit hexadecimal blocks separated by colons. For example: 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 Use netmask to match traffic from a range of IP addresses. You can enter netmasks either in 16-bit hexadecimal blocks separated by colons or in the bit count format (refer to “Using Bit Count Netmasks” section in the GigaVUE Fabric Management Guide). Note that netmasks used in IP map rules do not need to begin from the start of the address, nor do masked bits need to be contiguous. For example, the GigaVUE H Series node will accept a netmask where the masked bits start in the third octet, as follows—0.0.255.255. For example: (config map alias mymap) # rule add pass ip6src FE80:0:0:0:202:B3FF:FE1E:8329 /64 (config map alias mymap) # rule add pass ip6dst FE80:0000:0000:0000:0202:B3FF:FE1E:8329 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF Note: When creating a by-rule map with IP filters through GigaVUE‑OS CLI, an invalid netmask is accepted without error. For example: HC2-3-R6 (config) # map alias m2HC2-3-R6 (config map alias m2) # from 1/1/g3 HC2-3-R6 (config map alias m2) # rule add pass ipsrc 1.1.1.1 0.0.3.0 HC2-3-R6 (config map alias m2) # exit HC2-3-R6 (config) # An error should appear in this case, but it does not. This issue only occurs in GigaVUE‑OS-CLI. In GigaVUE H-VUE, an error is shown. |
|||||||||||||||
ip6fl <3-byte-hex> |
Creates a rule for the 20-bit Flow Label field in an IPv6 packet. Packets with the same Flow Label, source address, and destination address are classified as belonging to the same flow. IPv6 networks can implement flow-based QoS using this approach. Specify the flow label as a 3-byte hexadecimal pattern. Note, however, that only the last 20 bits are used—the first four bits must be zeroes (specified as a single hexadecimal zero in the CLI). For example, to match all packets without flow labels, use the following map rule: (config map alias mymap) # rule add pass ip6fl 0x000000 Alternatively, to match the flow label of 0x12345, use the following: (config map alias mymap) # rule add pass ip6fl 0x12345 Note: The CLI accepts hexadecimal entries either with or without the leading 0x. |
|||||||||||||||
ipfrag no-frag all-frag all-frag-no-first first-frag first-or-no-frag |
Creates a map rule for different types of IPv4 and IPv6 fragments as follows:
For example, (config map alias mymap) # rule ipfrag first-frag creates a rule that matches the first fragment in a packet. |
|||||||||||||||
ipdst <IP address> <netmask> ipsrc <IP address> <netmask> |
Creates a rule for either a source or destination IPv4 address or netmask. Use netmask to match traffic from a range of IP addresses. You can enter netmasks using either dotted-quad notation (<xxx.xxx.xxx.xxx>) or in the bit count format (refer to Using Bit Count Netmasks on page 90). Note that netmasks used in IP rules do not need to begin from the start of the address, nor do masked bits need to be contiguous. For example, the GigaVUE H Series node will accept a netmask where the masked bits start in the third octet, 0.0.255.255. For example: (config map alias mymap) # rule add pass ipsrc 1.1.1.1 /32 (config map alias mymap) # rule add pass ipdst 2.2.2.2 255.255.255.248 |
|||||||||||||||
ipver <4 | 6> |
Specifies the IP version for a map rule that matches either IPv4 or IPv6 traffic. Note: The ipver argument is implicitly set to 4. If you configure a rule without ipver specified, the GigaVUE H Series node assumes that the IP version is 4. You can also set ipver to 6 and use it together with other arguments to change their meaning. Refer to the “IPv4/IPv6 and Map Rules” section in the GigaVUE Fabric Management Guide for more information on ipver. For example: (config map alias mymap) # rule add pass ipver 4 |
|||||||||||||||
macdst <MAC address> <MAC netmask> macsrc <MAC address> <MAC netmask> |
Creates a rule for either a source or destination MAC address as follows:
For example: (config map alias mymap) # rule add drop macsrc 00:00:00:00:00:03 ffff.ffff.fffe Refer to How to Use MAC Address/Mask Map Rules for examples of how to use MAC address masks. |
|||||||||||||||
portdst <0-65535 | x..y> portdst-subset <even | odd>
portsrc <0-65535 | x..y> portsrc-subset <even | odd> |
Creates a rule for a source or destination application port. You can specify the following:
(config map alias mymap) # rule add pass portsrc 5000..5100
Following are some examples:
(config map alias mymap) # rule add pass portdst 5000..5100 portdst-subset odd
(config map alias mymap)# rule add pass protocol tcp portdst 3000 (config map alias mymap)# rule add pass protocol udp portdst 3000
(config map alias mymap)# rule add pass protocol tcp portsrc 3000 (config map alias mymap)# rule add pass protocol udp portsrc 3000 Note: For non-TCP/UDP packets, the portsrc matches the first and second bytes after the L3 header. Whereas, the portdst matches the third and fourth bytes after the L3 header. |
|||||||||||||||
protocol Protocol number 0 Protocol number 1 Protocol number 2 Protocol number 4 Protocol number 6 Protocol number 17 Protocol number 41 Protocol number 46 Protocol number 47 Protocol number 58 Custom hex entry |
Creates a map rule for a particular protocol. For example, to create a map rule that excludes all GRE traffic, use the following (config map alias gre-map) # rule add drop protocol gre Protocol Map Rules and IPv6The predefined protocol map-rules available for IPv4 (GRE, RSVP, and so on) are not allowed when ipver is set to 6. This is because with the next header approach used by IPv6, the next layer of protocol data is not always at a fixed offset as it is in IPv4. To address this, the GigaVUE H Series node provides the <1-byte-hex> option to match against the standard hex values for these protocols in the Next Header field. The standard 1-byte-hex values for both IPv4 and IPv6 are as follows: 0x00: Hop-By-Hop Option (v6 only) 0x01: ICMP (v4 only) 0x02: IGMP 0x04: IP over IP 0x06: TCP 0x11: UDP 0x29: IPv6 over IPv4 0x2b: Routing Option (v6 only) 0x2c: Fragment (v6 only) 0x2E: RSVP (v4 only) 0x2F: GRE (v4 only) 0x32: Encapsulation Security Payload (ESP) Header 0x33: Authentication (v6 only) 0x3a: ICMP (v6 only) 0x3b: No Next Header (v6 only) 0x3c: Destination Option (v6 only) |
|||||||||||||||
tcpctl <1-byte-hex> tcpctlmask <1-byte-hex> |
Creates a one-byte pattern match map rule for the standard TCP control bits (URG, SYN, FIN, ACK, and so on). Use the tcpctlmask argument to specify which bits should be considered when matching packets. Refer to the “Set Map Rules for TCP Control Bits” section in the GigaVUE Fabric Management Guide for a list of the hexadecimal patterns for each of the eight TCP flags, along with some examples. Note: Map rules using the tcpctl argument must also include the protocol argument set to 6 (TCP). For example: (config map alias mymap) # rule add pass protocol 6 tcpctl 0x02 |
|||||||||||||||
tosval <1-byte-hex> |
Creates a rule for the Type of Service (TOS) value in an IPv4 header. The TOS value is how some legacy IPv4 equipment implements quality of service traffic engineering. The standard values are:
Note: Most network equipment now uses DSCP to interpret the TOS byte instead of the IP precedence and TOS value fields. For example: (config map alias mymap) # rule add pass tosval 0000 |
|||||||||||||||
ttl <ttl | ttl1..ttl2> |
Creates a rule for the Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet, as a number between 0 and 255 as follows:
The TTL and Hop Limit fields perform the same function, specifying the maximum number of hops a packet can cross before it reaches its destination. For example: (config map alias mymap) # rule add pass ttl 0 |
|||||||||||||||
uda1-data <16-byte-hex> uda1-mask <16-byte-hex> uda1-offset <2-110 bytes> uda2-data <16-byte-hex>] uda2-mask <16-byte-hex> uda2-offset <2-110 bytes> |
Creates up to two user-defined, 16-byte pattern matches in a rule. A pattern is a particular sequence of bits at a specified offset from the start of a frame. User-defined pattern matches consists of the following:
A single rule can contain up to two user-defined pattern matches. Note: Always use the predefined map rule elements instead of user-defined pattern matches when possible. Refer to the “Working with User-Defined Pattern Match Rules” section in the GigaVUE Fabric Management Guide for details. |
|||||||||||||||
vlan <vlan | vlan1..vlan2> vlan-subset <even | odd> |
Creates a rule for a VLAN ID or range of VLAN IDs for an outer VLAN tag. You can also use the optional vlan-subset argument to match even or odd VLAN IDs. For example, to match all even VLAN IDs between 200 and 300, use the following: (config map alias mymap) # rule add pass vlan 200..300 vlan-subset even |