Port Filters
Flow Mapping® provides the ability to apply filters to egress ports (tool, hybrid, circuit, and inline network), passing or dropping traffic after it has been forwarded from a network port.
Port-filters provide a convenient way to narrow down the traffic seen by egress ports without having to change an entire map. However, they are less efficient and scalable than flow maps – focus on using flow maps as your first packet distribution technique.
Port Filter—Rules and Notes
Keep in mind the following notes when managing port-filters:
The filter is only supported for egress ports (tool, hybrid, circuit, and inline network) – network ports use maps to direct traffic. |
You can only configure egress port filters on a single port at a time. The filter argument is blocked when used the with multiple tool ports or port groups. |
In cases of inline network LAG and inline network groups, the port filters must be applied on each of the inline network ports that are part of the inline network LAG or inline network group. |
Port filters for inline network ports are supported on GigaVUE-TA25, GigaVUE-TA200 . |
The GigaVUE‑TA25 ports cannot be part of destination ports of first level maps if the source port is on another node (i.e combination of VPort and GigaVUE‑TA25 destination port in the “to” ports list) in legacy cluster. |
In the release 5.14 on GigaVUE‑TA400, the outer VLAN tool port filter cannot be used to match ingress VLAN tag that is configured on the source port. |
IP fragmentation tool port filter is not supported on GigaVUE‑TA400 in 5.14 release. |
The following limitation is applicable only for double tag mode (software version 5.14.00). Egress port filters are supported on GigaVUE-TA25 , except that a) VLAN rules are not supported with port filters and b) either IPv4 or IPv6 type port filter rules are supported only if L2 circuit encapsulation tunnels or GS maps are used else both IPv4 and IPv6 rules are supported. |
VLAN qualifiers cannot be combined with IPv6-based port filter rules in GigaVUE‑TA25, GigaVUE‑TA25E, GigaVUE‑HC1-Plus, and (Undefined variable: prodVar.prod-GigaVUE-HCT) with single tag mode due to platform limitations. |
when ingress-vlan-tag/add-header gsop is configured in a map on GigaVUE‑TA25, GigaVUE‑TA25E, GigaVUE‑HC1-Plus, and (Undefined variable: prodVar.prod-GigaVUE-HCT) devices, VLAN port-filter rule is not supported in the tool/hybrid ports. |
Port-Filter Maximums
Table 1: Port-Filter Maximums per GigaVUE Node provides the maximum port-filters for the different GigaVUE nodes:
GigaVUE Node |
Maximum Number of Port-Filters |
||||||||||||
GigaVUE‑HC1 |
• 448 for IPv4 rules • 255 for IPv6 rules • 448 for IPv4+IPv6 Pass rules. Note: For an IPv4 and IPv6 combination the maximum filters allowed is 448. In such combination the maximum limit is 254 for IPv4 filters and 255 for IPv6 filters. While configuring an IPv4 + IPv6 combination ensure that the individual filter limits are not crossed. |
||||||||||||
GigaVUE‑HC2 (CCv2) |
|||||||||||||
GigaVUE‑HC3 (CCv1 and CCv2) |
|||||||||||||
GigaVUE‑HC2 (CCv1) |
|||||||||||||
|
|||||||||||||
GigaVUE-TA10 |
|
||||||||||||
GigaVUE-TA40 |
|
||||||||||||
GigaVUE‑TA25 |
Without Advanced Feature License:
With Advanced Feature License
Note: For an IPv4 and IPv6 combination the maximum filters allowed is 448. In such combination the maximum limit is 254 for IPv4 filters and 255 for IPv6 filters. While configuring an IPv4 + IPv6 combination ensure that the individual filter limits are not crossed. |
||||||||||||
GigaVUE-TA100 |
Without Advanced Feature License:
With Advanced Feature License:
Note: For an IPv4 and IPv6 combination the maximum filters allowed is 448. In such combination the maximum limit is 254 for IPv4 filters and 255 for IPv6 filters. While configuring an IPv4 + IPv6 combination ensure that the individual filter limits are not crossed. |
||||||||||||
GigaVUE-TA200 |
|||||||||||||
GigaVUE-TA400 |
Without Advanced Feature License:
With Advanced Feature License:
|
Note: A single filter applied to multiple tool ports counts multiple times against the 100-filter limit.
How to Apply Port Filters
To apply a port filter, do the following:
1. | From the device view, go to Ports > Ports > All Ports. |
2. | Select the egress port (tool, hybrid, circuit, and inline network) to which you want to apply a filter, and then click Edit. |
3. | Under the Filters section on the Ports page, click Add Rule. |
4. | Select and configure any of the following required rule: |
Rule |
Action |
circuit-id |
Configure circuit id |
Description |
Add a description to the Map Rule |
dscp |
Configure DiffServ Code Point bits |
ethertype |
Configure Layer 2 ethernet type |
ip6dst |
Configure destination IPv6 address |
ip6src |
Configure source IPv6 address |
ipdst |
Configure destination IPv4 address |
ipfrag |
Configure IP fragmentation bits |
ipsrc |
Configure source IPv4 address |
ipver |
Configure IP version number |
l2gre-id |
Configure l2gre id |
macdst |
Configure destination MAC address |
macsrc |
Configure source MAC address |
portdst |
Configure destination port number or port range |
portsrc |
Configure source port number or port range |
protocol |
Configure internet protcol number |
tcpctl |
Configure TCP control bits |
tosval |
Configure type of service bits |
ttl |
Configure time to live value or range |
vlan |
Configure vlan id or id range |
vxlan-id |
Configure vxlan id |
5. | Add a new port-filter using the specified criteria as follows: |
Use a drop rule to deny packets matching the specified criteria. |
Use a pass rule to allow packets matching the specified criteria. All other packets are denied. |
6. | Click Save. |
View Port Filter Statistics
You can view the port filter counters based on the filter rules configured for the port. To view the port filter statistics:
1. | From the device view, go to Ports > Ports > All Ports. |
2. | Click the port ID for which you want to view the filter counters. The Port ID quick view appears. Refer to the following figure: |
View Filter Resources for a Slot
You can view the maximum filter resources available and the filter resources used for a slot in the Slot ID quick view. To access the Slot ID quick view:
1. | From the device view, go to Chassis. The Box ID page appears. |
2. | Click the required slot ID. The Slot ID quick view appears. |
3. | Go to the Filter Resource section to view the filter resources limit and the filter resources used. Refer to the following figure: |