Port Filters

Flow Mapping® provides the ability to apply filters to egress ports (tool, hybrid, circuit, and inline network), passing or dropping traffic after it has been forwarded from a network port.

Port-filters provide a convenient way to narrow down the traffic seen by egress ports without having to change an entire map. However, they are less efficient and scalable than flow maps – focus on using flow maps as your first packet distribution technique.

Port Filter—Rules and Notes

Keep in mind the following notes when managing port-filters:

■   The filter is only supported for egress ports (tool, hybrid, circuit, and inline network) – network ports use maps to direct traffic.
■   You can only configure egress port filters on a single port at a time. The filter argument is blocked when used with multiple tool ports or port groups.
■   In cases of inline network LAG and inline network groups, the port filters must be applied on each of the inline network ports that are part of the inline network LAG or inline network group.
■   Port filters for inline network ports are supported on GigaVUE-TA25, GigaVUE-TA200.
■   The GigaVUE‑TA25 ports cannot be part of the destination ports of first level maps if the source port is on another node (i.e., a combination of VPort and GigaVUE‑TA25 destination port in the “to” ports list) in a legacy cluster.
■   In release 5.14 on GigaVUE‑TA400, the outer VLAN tool port filter cannot be used to match the ingress VLAN tag that is configured on the source port.
■   The IP fragmentation tool port filter is not supported on GigaVUE‑TA400 in the 5.14 release.
■   The following limitation is applicable only for double tag mode (software version 5.14.00). Egress port filters are supported on GigaVUE-TA25 and GigaVUE‑HC1-Plus, except that a) VLAN rules are not supported with port filters and b) if L2 circuit encapsulation tunnels or GS maps are used, either IPv4 or IPv6 type port filter rules are supported (not both); otherwise, both IPv4 and IPv6 rules are supported.
■   VLAN qualifiers cannot be combined with IPv6-based port filter rules in GigaVUE‑TA25, GigaVUE‑TA25E, GigaVUE‑HC1-Plus, and GigaVUE‑HCT with single tag mode due to platform limitations.
■   When the ingress-vlan-tag/add-header gsop is configured in a map on GigaVUE‑TA25, GigaVUE‑TA25E, GigaVUE‑HC1-Plus, and GigaVUE‑HCT devices, the VLAN port-filter rule is not supported in the tool/hybrid ports.

Port-Filter Maximums

Table 1: Port-Filter Maximums per GigaVUE Node provides the maximum port-filters for the different GigaVUE nodes:

Table 1: Port-Filter Maximums per GigaVUE Node

| GigaVUE Node | Maximum Number of Port-Filters |
|---|---|
| GigaVUE‑HC1 | 448 for IPv4 rules; 255 for IPv6 rules; 448 for IPv4+IPv6 Pass rules (see the Note below the table) |
| GigaVUE‑HC2 (CCv2), GigaVUE‑HC3 (CCv1 and CCv2), GigaVUE‑HC1-Plus | 448 per pseudo slot |
| GigaVUE‑HC2 (CCv1) | 448 per chassis |
| GigaVUE-TA10 | 20 per chassis; 100 with Advanced Features License |
| GigaVUE-TA40 | 20 per chassis; 100 with Advanced Features License |
| GigaVUE‑TA25 | Without Advanced Feature License: 20 per chassis. With Advanced Feature License: 448 for IPv4 rules per pseudo-slot; 255 for IPv6 rules per pseudo-slot; 448 for IPv4+IPv6 Pass rules per pseudo-slot (see the Note below the table) |
| GigaVUE‑TA25E | Without Advanced Feature License: 20 per chassis. With Advanced Feature License: 448 per pseudo-slot |
| GigaVUE-TA100 | Without Advanced Feature License: 20 per chassis. With Advanced Feature License: 448 for IPv4 rules per pseudo-slot; 255 for IPv6 rules per pseudo-slot; 448 for IPv4+IPv6 Pass rules per pseudo-slot (see the Note below the table) |
| GigaVUE-TA200, GigaVUE‑TA200E | Without Advanced Feature License: 20 per chassis. With Advanced Feature License: 448 per pseudo slot |
| GigaVUE-TA400 | Without Advanced Feature License: 20 per chassis. With Advanced Feature License: 450 for IPv4 rules per pseudo slot; 450 for IPv6 rules per pseudo slot |

Note (GigaVUE‑HC1, GigaVUE‑TA25, and GigaVUE-TA100):  For an IPv4 and IPv6 combination the maximum filters allowed is 448. In such combination the maximum limit is 254 for IPv4 filters and 255 for IPv6 filters. While configuring an IPv4 + IPv6 combination ensure that the individual filter limits are not crossed.

Note:  A single filter applied to multiple tool ports counts multiple times against the 100-filter limit.
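
A pre-change check of a planned set of port filters against the Table 1 limits and notes above, as an added example (not Gigamon code). The plan structure, the port IDs, and the rule that only ip6src/ip6dst rules count as IPv6 are assumptions of this example; pass and drop rules are not distinguished, and each plan is taken to cover one GigaVUE‑HC1 node or one GigaVUE-TA10/TA40 chassis.

```python
from collections import Counter

# Limits from Table 1 and its notes on this page.
IPV4_ONLY_MAX, IPV6_ONLY_MAX = 448, 255          # single-family rule sets
COMBINED_MAX = 448                                # IPv4 + IPv6 together
COMBINED_IPV4_MAX, COMBINED_IPV6_MAX = 254, 255   # shares inside a combination
TA_UNLICENSED_MAX, TA_LICENSED_MAX = 20, 100      # GigaVUE-TA10/TA40, per chassis
IPV6_CRITERIA = {"ip6src", "ip6dst"}              # rule names from Table 2


def count_filters(plan):
    """Return (ipv4, ipv6) filter counts for plan: {port_id: [rule, ...]}.

    Each rule is a dict keyed by Table 2 rule names. A rule listed on three
    ports counts three times. Assumption of this example: a rule that uses
    ip6src/ip6dst counts as IPv6, every other rule as IPv4.
    """
    counts = Counter()
    for rules in plan.values():
        for rule in rules:
            counts["ipv6" if IPV6_CRITERIA & set(rule) else "ipv4"] += 1
    return counts["ipv4"], counts["ipv6"]


def check_hc1(plan):
    """List the GigaVUE-HC1 limits a plan would exceed (empty list = fits)."""
    v4, v6 = count_filters(plan)
    if v4 and v6:  # mixed plan: the combination note applies
        checks = [(v4 + v6, COMBINED_MAX, "IPv4+IPv6 total"),
                  (v4, COMBINED_IPV4_MAX, "IPv4 in combination"),
                  (v6, COMBINED_IPV6_MAX, "IPv6 in combination")]
    else:
        checks = [(v4, IPV4_ONLY_MAX, "IPv4"), (v6, IPV6_ONLY_MAX, "IPv6")]
    return [f"{name}: {used} > {limit}" for used, limit, name in checks if used > limit]


def check_ta10_ta40(plan, licensed):
    """Same check against the per-chassis GigaVUE-TA10/TA40 limit."""
    used = sum(count_filters(plan))
    limit = TA_LICENSED_MAX if licensed else TA_UNLICENSED_MAX
    return [] if used <= limit else [f"chassis total: {used} > {limit}"]


if __name__ == "__main__":
    # Constructed plan: 5 tool ports with 52 IPv4 rules each (260 filters).
    plan = {f"1/1/x{p}": [{"ipsrc": f"10.0.{p}.{i}"} for i in range(52)] for p in range(1, 6)}
    print(check_hc1(plan))                        # fits while IPv4-only
    plan["1/1/x1"].append({"ip6src": "2001:db8::1"})
    print(check_hc1(plan))                        # one IPv6 rule makes it a combination
```

The constructed plan shows the case the combination note warns about: 260 IPv4 filters fit on their own, but adding a single IPv6 rule puts the same plan over the 254 IPv4 limit.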

How to Apply Port Filters

To apply a port filter, do the following:

1.   From the device view, go to Ports > Ports > All Ports.
2. Select the egress port (tool, hybrid, circuit, and inline network) to which you want to apply a filter, and then click Edit.
3. Under the Filters section on the Ports page, click Add Rule.
4. Select and configure any of the following rules, as required:

Table 2: Port-Filter Rule

| Rule | Action |
|---|---|
| circuit-id | Configure circuit id |
| Description | Add a description to the Map Rule |
| dscp | Configure DiffServ Code Point bits |
| ethertype | Configure Layer 2 ethernet type |
| ip6dst | Configure destination IPv6 address |
| ip6src | Configure source IPv6 address |
| ipdst | Configure destination IPv4 address |
| ipfrag | Configure IP fragmentation bits |
| ipsrc | Configure source IPv4 address |
| ipver | Configure IP version number |
| l2gre-id | Configure l2gre id |
| macdst | Configure destination MAC address |
| macsrc | Configure source MAC address |
| portdst | Configure destination port number or port range |
| portsrc | Configure source port number or port range |
| protocol | Configure internet protocol number |
| tcpctl | Configure TCP control bits |
| tosval | Configure type of service bits |
| ttl | Configure time to live value or range |
| vlan | Configure vlan id or id range |
| vxlan-id | Configure vxlan id |

5. Add a new port-filter using the specified criteria as follows:
o   Use a drop rule to deny packets matching the specified criteria.
o   Use a pass rule to allow packets matching the specified criteria. All other packets are denied.
6. Click Save.

View Port Filter Statistics

You can view the port filter counters based on the filter rules configured for the port. To view the port filter statistics:

1.   From the device view, go to Ports > Ports > All Ports.
2. Click the port ID for which you want to view the filter counters. The Port ID quick view appears. Refer to the following figure:

View Filter Resources for a Slot

You can view the maximum filter resources available and the filter resources used for a slot in the Slot ID quick view. To access the Slot ID quick view:

1.   From the device view, go to Chassis. The Box ID page appears.
2. Click the required slot ID. The Slot ID quick view appears.
3. Go to the Filter Resource section to view the filter resources limit and the filter resources used. Refer to the following figure: