map rule
The map rule command has the following syntax:
rule add <drop | pass>
bidir comment <comment>
circuit-id <2-4000>
dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef>
ethertype <2-byte-hex>
inner-ethertype <2-byte-hex>
inner-ipver <4 or 6>
inner-ipfrag <no-frag|all-frag|all-frag-no-first|first-frag|first-or-no-frag>
inner-ipdst <IP address>
inner-ipsrc <IP address>
inner-ip6dst <IPv6 address>
inner-ip6src <IPv6 address>
inner-protocol <1-byte-hex>
inner-portdst <0~65535 | x..y> inner-portdst-subset <even|odd>
inner-portsrc <0~65535 | x..y> inner-portsrc-subset <even|odd>
inner-uda1-data <16-byte-hex> inner-uda1-mask <16-byte-hex> inner-uda1-offset <0-120 bytes>
inner-uda2-data <16-byte-hex> inner-uda2-mask <16-byte-hex> inner-uda2-offset <0-120 bytes>
inner-vlan <vlan | vlan1..vlan2> innervlan-subset <even | odd>
ip6dst <IPv6 address> <IPv6 netmask>
ip6fl <3-byte-hex>
ip6src <IPv6 address> <IPv6 netmask>
ipdst <IP address> <netmask>
ipfrag <no-frag | all-frag | all-frag-no-first | first-frag | first-or-no-frag>
ipsrc <IP address> <netmask>
ipver <4 | 6>
l2gre-id <1-4294967295>
macdst <MAC address> <MAC netmask>
macsrc <MAC address> <MAC netmask>
mpls-label-id <0~1048575 | x..y> pos <any | 1~7> mpls-label-id-subset <even|odd>
mpls-label-exp <0~7> pos <any | 1~7>
mpls-label-bos <0/1> pos <any | 1~7>
mpls-label-ttl <0~255 | x..y> pos <any | 1~7> mpls-label-ttl-subset <even|odd>
portdst <0-65535 | x..y> portdst-subset <even | odd>
portsrc <0-65535 | x..y> portsrc-subset <even | odd>
protocol <ipv6-hop | icmp-ipv4 | igmp | ipv4ov4 | tcp | udp | ipv6 | rsvp | gre | icmp-ipv6> <1-byte-hex>
rewrite-dstmac <value> rewrite-srcmac <value>
rewrite-dstip <value> rewrite-srcip <value>
vlan-op add <vlan id> tpid <value>
tcpctl <1-byte-hex> tcpctlmask <1-byte-hex>
tosval <1-byte-hex>
ttl <ttl | ttl1..ttl2>
uda1-data <16-byte-hex> uda1-mask <16-byte-hex> uda1-offset <2-110 bytes>
uda2-data <16-byte-hex> uda2-mask <16-byte-hex> uda2-offset <2-110 bytes>
vlan <vlan | vlan1..vlan2> vlan-subset <even | odd>
vxlan <1-16777215>
The following table describes the arguments for the map rule command:
Argument |
Description |
|||||||||||||||||||||||||||||||||||||||||||
<drop | pass> |
Adds a map drop rule or a map pass rule. |
|||||||||||||||||||||||||||||||||||||||||||
bidir |
Mirrors source and destination rules on Layer 2-Layer 3 address and port number. The bidir argument automatically creates a second map rule mirroring source arguments to the destination (and vice-versa). For example, consider the following map rule:
(config) # map alias map1 rule add pass ipdst 192.168.1.50 255.255.255.0 ipsrc 192.168.1.25 255.255.255.0 bidir
Because the bidir argument is included, the system automatically creates a second map rule mirroring all source/destination criteria:
rule add pass ipsrc 192.168.1.50 255.255.255.0 ipdst 192.168.1.25 255.255.255.0
Note: The second map rule is not displayed in the output of the show map command; however, it consumes map rule resources.
You can also include the bidir argument with an IP source and port source as follows:
(config) # map alias map2 rule add pass ipsrc 192.168.1.22 /32 portsrc 23 bidir
The bidir argument causes the following rule to be added automatically:
rule add pass ipdst 192.168.1.22 /32 portdst 23
You can also include the bidir argument with just a single IP address to specify that you want to see traffic both in and out of a particular address. For example, this rule specifies that we want all traffic to and from 192.168.1.75:
(config) # map alias map3 rule add pass ipsrc 192.168.1.75 /32 bidir
The bidir argument causes the following rule to be added automatically:
rule add pass ipdst 192.168.1.75 /32
You can also include the bidir argument with an IP source and destination and a port source and destination as follows:
(config) # map alias map4 rule add pass ipsrc 192.168.1.33 /32 ipdst 192.168.1.44 /32 portsrc 23 portdst 63 bidir
The bidir argument causes the following rule to be added automatically:
rule add pass ipdst 192.168.1.33 /32 ipsrc 192.168.1.44 /32 portdst 23 portsrc 63
Note: If the bidir argument is added to a rule that does not support bidirectional filters, the bidir argument will not appear in the output of the show running-config command and no error message is displayed. For example, the TCP protocol rule does not support bidirectional filters and the bidir argument does not appear in the output of the show running-config command for this rule. |
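Because the mirrored rule is hidden from show map yet consumes rule resources, and an unsupported bidir is dropped silently, a rule list can be audited offline before it is applied. The following Python sketch is an added example, not Gigamon code: it reproduces the mirroring shown in the four examples above. Treating the MAC, IPv6 and *-subset keywords as mirrored, and treating any rule with no source/destination keyword as one bidir ignores, are assumptions; the map5 line is constructed.

```python
import shlex

# Keywords exchanged by bidir mirroring. The page names L2-L3 addresses and
# ports; treating the IPv6 and *-subset keywords the same way is an assumption.
_PAIRS = [("macsrc", "macdst"), ("ipsrc", "ipdst"), ("ip6src", "ip6dst"),
          ("portsrc", "portdst"), ("portsrc-subset", "portdst-subset")]
MIRROR = dict(_PAIRS)
MIRROR.update({b: a for a, b in _PAIRS})


def rule_body(line):
    """Return the tokens after 'rule add' (action first), or None if absent."""
    tokens = shlex.split(line)          # keeps a quoted comment as one token
    for i in range(len(tokens) - 2):
        if tokens[i:i + 2] == ["rule", "add"] and tokens[i + 2] in ("pass", "drop"):
            return tokens[i + 2:]
    return None


def hidden_mirror(line):
    """Return the rule bidir adds implicitly, or None when nothing is mirrored."""
    body = rule_body(line)
    if not body or "bidir" not in body:
        return None
    out, swapped, is_comment = [], False, False
    for tok in body:
        if is_comment:                  # comment text is copied, never swapped
            out.append(f'"{tok}"')
            is_comment = False
        elif tok == "bidir":
            continue
        else:
            is_comment = tok == "comment"
            swapped = swapped or tok in MIRROR
            out.append(MIRROR.get(tok, tok))
    return "rule add " + " ".join(out) if swapped else None


def audit(config_lines):
    """Count the rule resources a list of 'rule add' lines really consumes."""
    report = {"visible": 0, "hidden": [], "bidir_ignored": []}
    for line in config_lines:
        body = rule_body(line)
        if body is None:
            continue
        report["visible"] += 1
        if "bidir" in body:
            mirror = hidden_mirror(line)
            if mirror:
                report["hidden"].append(mirror)
            else:                       # assumed: nothing to mirror, bidir dropped
                report["bidir_ignored"].append(line)
    report["consumed"] = report["visible"] + len(report["hidden"])
    return report


# The page's own bidir examples plus one constructed protocol-only rule.
SAMPLE = [
    "map alias map1 rule add pass ipdst 192.168.1.50 255.255.255.0 ipsrc 192.168.1.25 255.255.255.0 bidir",
    "map alias map2 rule add pass ipsrc 192.168.1.22 /32 portsrc 23 bidir",
    "map alias map3 rule add pass ipsrc 192.168.1.75 /32 bidir",
    "map alias map4 rule add pass ipsrc 192.168.1.33 /32 ipdst 192.168.1.44 /32 portsrc 23 portdst 63 bidir",
    "map alias map5 rule add pass protocol tcp bidir",   # constructed
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for rule in result["hidden"]:
        print("hidden:", rule)
    for rule in result["bidir_ignored"]:
        print("bidir has no effect:", rule)
    print("visible", result["visible"], "consumed", result["consumed"])
```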
|||||||||||||||||||||||||||||||||||||||||||
comment <comment> |
Add comments to map rules. Comments can be up to 128 characters, including special characters. Comments longer than one word must be enclosed in double quotation marks. For example:
(config) # map alias m1 rule add drop ipver 6 comment "Drop IPv6" |
|||||||||||||||||||||||||||||||||||||||||||
circuit-id <2-4000> |
Configure a user-defined Circuit ID within the range of 2 to 4000. For example: (config) # map alias circuit_rule rule add pass circuit-id 2000 |
|||||||||||||||||||||||||||||||||||||||||||
dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef> |
Creates a map rule pattern for a particular decimal DSCP value. You can select any value within the four Assured Forwarding (af) class ranges or ef for Expedited Forwarding (the highest priority in the DSCP model). The valid DSCP values by Assured Forwarding Class are as follows:
For example, the following map rule passes all traffic with expedited forwarding assigned: (config map alias mymap) # map alias m1 rule add pass dscp ef |
|||||||||||||||||||||||||||||||||||||||||||
ethertype <2-byte-hex> |
Creates a rule pattern for the ethertype value in a packet. For example, the following rule matches all traffic with an IPv6 ethertype (0x86DD): (config map alias mymap) # rule add pass ethertype 0x86DD Note: To create rules matching VLANs use the predefined VLAN map rule element type instead of the following TPID ethertypes:
For details, refer to the “Handling of Q-in-Q Packets in Map Rules” section in the GigaVUE Fabric Management Guide. Note: The CLI accepts hexadecimal entries either with or without the leading 0x. |
|||||||||||||||||||||||||||||||||||||||||||
inner-ethertype <2-byte-hex> |
Creates a rule pattern for the inner-ethertype value in a packet. This inner qualifier is applicable only for GigaVUE-TA400. For example, the following rule matches all traffic with an IPv6 inner-ethertype (0x86DD): (config map alias mymap) # rule add pass inner-ethertype 0x86DD Note: The following TPID ethertypes are not supported:
For details, refer to the “Handling of Q-in-Q Packets in Map Rules” section in the GigaVUE Fabric Management Guide. Note: The CLI accepts hexadecimal entries either with or without the leading 0x. |
|||||||||||||||||||||||||||||||||||||||||||
inner-ipver <4 | 6> |
Specifies the inner IP version for a map rule that matches either inner IPv4 or IPv6 traffic. This inner qualifier is applicable only for GigaVUE-TA400. Refer to the “IPv4/IPv6 and Map Rules” section in the GigaVUE Fabric Management Guide for more information on inner-ipver. For example: (config map alias mymap) # rule add pass inner-ipver 4 |
|||||||||||||||||||||||||||||||||||||||||||
inner-ipfrag <no-frag | all-frag | all-frag-no-first | first-frag | first-or-no-frag> |
Creates a map rule for different types of IPv4 and IPv6 inner fragments as follows:
This inner qualifier is applicable only for GigaVUE-TA400. For example, (config map alias mymap) # rule add pass inner-ipfrag first-frag creates a rule that matches the first inner fragment in a packet. |
|||||||||||||||||||||||||||||||||||||||||||
inner-ipdst <IP address> inner-ipsrc <IP address> |
Creates a rule for either an inner source IPv4 address or an inner destination IPv4 address. This inner qualifier is applicable only for GigaVUE-TA400. For example:
(config map alias mymap) # rule add pass inner-ipdst 20.0.0.1 /24
(config map alias mymap) # rule add pass inner-ipsrc 30.0.0.1 255.255.0.0 |
|||||||||||||||||||||||||||||||||||||||||||
inner-ip6src <IPv6 address> inner-ip6dst <IPv6 address> |
Creates a rule for either an inner source IPv6 address or an inner destination IPv6 address. This inner qualifier is applicable only for GigaVUE-TA400. Enter IPv6 addresses as eight 16-bit hexadecimal blocks separated by colons. For example:
2001:0db8:3c4d:0015:0000:0000:abcd:ef12
For example:
(config map alias mymap) # rule add pass inner-ip6dst fe80::01 /64
(config map alias mymap) # rule add pass inner-ip6dst 1001:01::0a ffff:ffff:0000::0000 |
|||||||||||||||||||||||||||||||||||||||||||
inner-protocol Inner protocol number 0 Inner protocol number 1 Inner protocol number 2 Inner protocol number 4 Inner protocol number 6 Inner protocol number 17 Inner protocol number 41 Inner protocol number 46 Inner protocol number 47 Inner protocol number 58 Custom hex entry |
Creates a map rule for a particular inner protocol. This inner qualifier is applicable only for GigaVUE-TA400. For example, to create a map rule that excludes all inner GRE traffic, use the following:
(config map alias gre-map) # rule add drop inner-protocol gre
The predefined inner protocol map-rules available for IPv4 (inner GRE, RSVP, and so on) are not allowed when inner-ipver is set to 6. This is because, with the next header approach used by IPv6, the next layer of inner protocol data is not always at a fixed offset as it is in IPv4. To address this, the <1-byte-hex> option lets you match against the standard hex values for these inner protocols in the Next Header field. The standard 1-byte-hex values for both IPv4 and IPv6 are as follows:
0x00: Hop-By-Hop Option (v6 only)
0x01: ICMP (v4 only)
0x02: IGMP
0x04: IP over IP
0x06: TCP
0x11: UDP
0x29: IPv6 over IPv4
0x2b: Routing Option (v6 only)
0x2c: Fragment (v6 only)
0x2E: RSVP (v4 only)
0x2F: Inner GRE (v4 only)
0x32: Encapsulation Security Payload (ESP) Header
0x33: Authentication (v6 only)
0x3a: ICMP (v6 only)
0x3b: No Next Header (v6 only)
0x3c: Destination Option (v6 only) |
|||||||||||||||||||||||||||||||||||||||||||
inner-portdst <0-65535 | x..y> inner-portdst-subset <even | odd>
inner-portsrc <0-65535 | x..y> inner-portsrc-subset <even | odd> |
Creates a rule for an inner source application port or inner destination application port. You can specify the following:
(config map alias mymap) # rule add pass portsrc 5000..5100
Following are some examples:
(config map alias mymap) # rule add pass inner-portdst 5000..5100 inner-portdst-subset odd
(config map alias mymap) # rule add pass inner-protocol tcp inner-portdst 3000
(config map alias mymap) # rule add pass inner-protocol udp inner-portdst 3000
(config map alias mymap) # rule add pass inner-protocol tcp inner-portsrc 3000
(config map alias mymap) # rule add pass inner-protocol udp inner-portsrc 3000 |
|||||||||||||||||||||||||||||||||||||||||||
inner-uda1-data <16-byte-hex> inner-uda1-mask <16-byte-hex> inner-uda1-offset <0-120 bytes> inner-uda2-data <16-byte-hex> inner-uda2-mask <16-byte-hex> inner-uda2-offset <0-120 bytes> |
Creates up to two user-defined, 16-byte pattern matches in a rule. This inner qualifier is applicable only for GigaVUE-TA400. A pattern is a particular sequence of bits at a specified offset from the start of the inner L3 header. Inner user-defined pattern matches consist of the following:
A single rule can contain up to two user-defined pattern matches.
Note: Always use the predefined map rule elements instead of user-defined pattern matches when possible.
Examples:
(config map alias mymap) # rule add pass inner-uda1-data 26010101-2701010e-00000000-00000000 inner-uda1-mask ffffffff-ffffffff-00000000-00000000 inner-uda1-offset 12
(config map alias mymap) # rule add pass inner-uda2-data 03ed0158-40060000-00000000-00000000 inner-uda2-mask ffffffff-ffff0000-00000000-00000000 inner-uda2-offset 4
Refer to the “User-Defined Pattern Match on GigaVUE-TA400” section in the GigaVUE Fabric Management Guide for supported combinations. |
|||||||||||||||||||||||||||||||||||||||||||
inner-vlan <vlan | vlan1..vlan2> innervlan-subset <even | odd> |
Creates a rule for an inner VLAN ID or range of inner VLAN IDs, as follows:
Double-tagged packets have both an inner and an outer VLAN tag. The outer tag is detected when the ethertype is 0x8100, 0x88A8, or 0x9100. The inner tag is detected only when the ethertype is 0x8100.
Examples:
(config map alias mymap) # rule add pass inner-vlan 100 innervlan-subset even
(config) # map alias map1 rule add pass inner-vlan 100..200 |
|||||||||||||||||||||||||||||||||||||||||||
ip6src <IPv6 address> <IPv6 netmask> ip6dst <IPv6 address> <IPv6 netmask> |
Creates a rule for either a source or destination IPv6 address or netmask. Enter IPv6 addresses as eight 16-bit hexadecimal blocks separated by colons. For example:
2001:0db8:3c4d:0015:0000:0000:abcd:ef12
Use netmask to match traffic from a range of IP addresses. You can enter netmasks either in 16-bit hexadecimal blocks separated by colons or in the bit count format (refer to the “Using Bit Count Netmasks” section in the GigaVUE Fabric Management Guide). Note that netmasks used in IP map rules do not need to begin from the start of the address, nor do masked bits need to be contiguous. For example, the GigaVUE HC Series node will accept a netmask where the masked bits start in the third octet, as follows: 0.0.255.255.
For example:
(config map alias mymap) # rule add pass ip6src FE80:0:0:0:202:B3FF:FE1E:8329 /64
(config map alias mymap) # rule add pass ip6dst FE80:0000:0000:0000:0202:B3FF:FE1E:8329 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Note: When creating a by-rule map with IP filters through GigaVUE‑OS CLI, an invalid netmask is accepted without error. For example:
HC3-3-R6 (config) # map alias m2
HC3-3-R6 (config map alias m2) # from 1/1/g3
HC3-3-R6 (config map alias m2) # rule add pass ipsrc 1.1.1.1 0.0.3.0
HC3-3-R6 (config map alias m2) # exit
HC3-3-R6 (config) #
An error should appear in this case, but it does not. |
|||||||||||||||||||||||||||||||||||||||||||
ip6fl <3-byte-hex> |
Creates a rule for the 20-bit Flow Label field in an IPv6 packet. Packets with the same Flow Label, source address, and destination address are classified as belonging to the same flow. IPv6 networks can implement flow-based QoS using this approach. Specify the flow label as a 3-byte hexadecimal pattern. Note, however, that only the last 20 bits are used; the first four bits must be zeroes (specified as a single hexadecimal zero in the CLI). For example, to match all packets without flow labels, use the following map rule:
(config map alias mymap) # rule add pass ip6fl 0x000000
Alternatively, to match the flow label of 0x12345, use the following:
(config map alias mymap) # rule add pass ip6fl 0x12345
Note: The CLI accepts hexadecimal entries either with or without the leading 0x. |
|||||||||||||||||||||||||||||||||||||||||||
ipfrag <no-frag | all-frag | all-frag-no-first | first-frag | first-or-no-frag> |
Creates a map rule for different types of IPv4 and IPv6 fragments as follows:
For example, (config map alias mymap) # rule add pass ipfrag first-frag creates a rule that matches the first fragment in a packet. |
|||||||||||||||||||||||||||||||||||||||||||
ipdst <IP address> <netmask> ipsrc <IP address> <netmask> |
Creates a rule for either a source or destination IPv4 address or netmask. Use netmask to match traffic from a range of IP addresses. You can enter netmasks using either dotted-quad notation (<xxx.xxx.xxx.xxx>) or in the bit count format (refer to “Using Bit Count Netmasks”). Note that netmasks used in IP rules do not need to begin from the start of the address, nor do masked bits need to be contiguous. For example, the GigaVUE HC Series node will accept a netmask where the masked bits start in the third octet, 0.0.255.255.
For example:
(config map alias mymap) # rule add pass ipsrc 1.1.1.1 /32
(config map alias mymap) # rule add pass ipdst 2.2.2.2 255.255.255.248 |
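Since the CLI accepts non-contiguous masks and, per the note in the ip6src/ip6dst row, does not reject an invalid one, address filters are worth reviewing before they are committed. The following Python sketch is an added example, not Gigamon code, covering both the IPv4 and IPv6 rows. It assumes the usual masked compare (only bits set in the mask are compared), which the page does not spell out, and it assumes every address keyword is followed by a netmask or bit count as in the page's examples.

```python
import ipaddress

ADDRESS_KEYWORDS = {"ipsrc", "ipdst", "ip6src", "ip6dst",
                    "inner-ipsrc", "inner-ipdst", "inner-ip6src", "inner-ip6dst"}


def parse_filter(addr, mask):
    """Return (value, mask, width) as integers for '<address> </n | netmask>'."""
    ip = ipaddress.ip_address(addr)
    width = ip.max_prefixlen
    if mask.startswith("/"):
        bits = int(mask[1:])
        if not 0 <= bits <= width:
            raise ValueError(f"bit count {mask} out of range for {addr}")
        return int(ip), ((1 << bits) - 1) << (width - bits), width
    net = ipaddress.ip_address(mask)
    if net.version != ip.version:
        raise ValueError(f"{mask} is not an IPv{ip.version} netmask")
    return int(ip), int(net), width


def review(addr, mask):
    """List the properties of a filter that a reviewer should confirm."""
    value, m, width = parse_filter(addr, mask)
    wildcard = ~m & ((1 << width) - 1)
    notes = []
    if m == 0:
        notes.append("mask is zero: every address matches")
    elif wildcard & (wildcard + 1):     # wildcard bits are not one trailing run
        notes.append("mask is not a contiguous prefix")
    if value & wildcard:
        notes.append("address has bits set outside the mask")
    return notes


def matches(addr, mask, packet_addr):
    """Assumed masked compare: only bits set in the mask are compared."""
    value, m, _ = parse_filter(addr, mask)
    return (int(ipaddress.ip_address(packet_addr)) & m) == (value & m)


def review_rule(line):
    """Review every address filter found in one 'rule add' line."""
    tokens = line.split()
    found = {}
    for i, tok in enumerate(tokens[:-2]):
        if tok in ADDRESS_KEYWORDS:
            key = f"{tok} {tokens[i + 1]} {tokens[i + 2]}"
            found[key] = review(tokens[i + 1], tokens[i + 2])
    return found


if __name__ == "__main__":
    for rule in ("rule add pass ipsrc 1.1.1.1 0.0.3.0",          # from the page's note
                 "rule add pass ipdst 2.2.2.2 255.255.255.248",   # from the page
                 "rule add pass ip6src FE80:0:0:0:202:B3FF:FE1E:8329 /64"):
        print(review_rule(rule))
    # Under the assumed compare, 0.0.3.0 checks only the low two bits of the
    # third octet, so unrelated networks match (addresses below are constructed).
    for packet in ("1.1.1.1", "10.20.5.9", "1.1.2.1"):
        print(packet, matches("1.1.1.1", "0.0.3.0", packet))
```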
|||||||||||||||||||||||||||||||||||||||||||
ipver <4 | 6> |
Specifies the IP version for a map rule that matches either IPv4 or IPv6 traffic. Note: The ipver argument is implicitly set to 4. If you configure a rule without ipver specified, the GigaVUE HC Series node assumes that the IP version is 4. You can also set ipver to 6 and use it together with other arguments to change their meaning. Refer to the “IPv4/IPv6 and Map Rules” section in the GigaVUE Fabric Management Guide for more information on ipver. For example: (config map alias mymap) # rule add pass ipver 4 |
|||||||||||||||||||||||||||||||||||||||||||
l2gre-id <1 to 4294967295> |
Configure a user-defined L2GRE ID within the range of 1 to 4294967295. For example: (config) # map alias circuit_rule rule add pass l2gre-id 1999 |
|||||||||||||||||||||||||||||||||||||||||||
macdst <MAC address> <MAC netmask> macsrc <MAC address> <MAC netmask> |
Creates a rule for either a source or destination MAC address as follows:
For example:
(config map alias mymap) # rule add pass macsrc 00:00:00:01:02:04 ff:ff:ff:ff:ff:ff
(config map alias mymap) # rule add pass macsrc 0000.0001.0205 ffff.ffff.ffff
(config map alias mymap) # rule add pass macdst 00:00:00:01:02:06 ff:ff:ff:ff:ff:ff
(config map alias mymap) # rule add pass macdst 0000.0001.0207 ffff.ffff.ffff
Refer to How to Use MAC Address/Mask Map Rules for examples of how to use MAC address masks. |
|||||||||||||||||||||||||||||||||||||||||||
mpls-label-id <0~1048575 | x..y> pos <any | 1~7> mpls-label-id-subset <even|odd> |
Adds a rule to pass traffic based on MPLS label criteria. Specifies the MPLS label ID (0~1048575 or a range x..y), the label position (any or 1~7), and optionally filters by even or odd label IDs using mpls-label-id-subset. This MPLS header qualifier is applicable only for GigaVUE-TA400. For example:
(config map alias mymap) # rule add pass mpls-label-id 100..200 pos 2 mpls-label-id-subset even
(config map alias mymap) # rule add pass mpls-label-id 500 pos 4 mpls-label-id 600 pos 5
(config map alias mymap) # rule add pass mpls-label-id 500 pos any
When using the MPLS header attributes (Label ID, EXP, BoS, and TTL) in the flow map rule configuration on the GigaVUE-TA400 chassis, setting these attributes to a value of 0 may lead to unintended packet matches. To ensure precise filtering, it is recommended to additionally filter based on the depth of the MPLS label using the BoS (Bottom of Stack) attribute. For example, if a user wants to filter packets with Label ID as 0 at position 2, adding the following rule will also match MPLS 1-labelled packets and non-MPLS packets that do not have an MPLS header at position 2:
(config map alias mymap) # rule add pass mpls-label-id 0 pos 2
To avoid incorrect matches, add the MPLS BoS attribute as well to filter at position 2:
(config map alias mymap) # rule add pass mpls-label-id 0 pos 2 mpls-label-bos 1 pos 2 |
|||||||||||||||||||||||||||||||||||||||||||
mpls-label-exp <0~7> pos <any | 1~7> |
Adds a rule to pass traffic based on the MPLS label EXP (Experimental) field. Specifies the EXP value (0~7) and the label position (any or 1~7). This MPLS header qualifier is applicable only for GigaVUE-TA400. For example:
(config map alias mymap) # rule add pass mpls-label-exp 1 pos any
(config map alias mymap) # rule add pass mpls-label-exp 2 pos 1
(config map alias mymap) # rule add pass mpls-label-exp 3 pos 2
When using the MPLS header attributes (Label ID, EXP, BoS, and TTL) in the flow map rule configuration on the GigaVUE-TA400 chassis, setting these attributes to a value of 0 may lead to unintended packet matches. To ensure precise filtering, it is recommended to additionally filter based on the depth of the MPLS label using the BoS (Bottom of Stack) attribute. For example, if a user wants to filter packets with Label EXP as 0 at position 2, adding the following rule will also match MPLS 1-labelled packets and non-MPLS packets that do not have an MPLS header at position 2:
(config map alias mymap) # rule add pass mpls-label-exp 0 pos 2
To avoid incorrect matches, add the MPLS BoS attribute as well to filter at position 2:
(config map alias mymap) # rule add pass mpls-label-exp 0 pos 2 mpls-label-bos 1 pos 2 |
|||||||||||||||||||||||||||||||||||||||||||
mpls-label-bos <0/1> pos <any | 1~7> |
Adds a rule to pass traffic based on the MPLS label BoS (Bottom of Stack) bit. Specifies the BoS value (0 or 1) and the label position (any or 1~7). This MPLS header qualifier is applicable only for GigaVUE-TA400. For example:
(config map alias mymap) # rule add pass mpls-label-bos 1 pos any
(config map alias mymap) # rule add pass mpls-label-bos 1 pos 1
(config map alias mymap) # rule add pass mpls-label-bos 1 pos 2
When using the MPLS header attributes (Label ID, EXP, BoS, and TTL) in the flow map rule configuration on the GigaVUE-TA400 chassis, setting these attributes to a value of 0 may lead to unintended packet matches. To ensure precise filtering, it is recommended to additionally filter based on the depth of the MPLS label using the BoS (Bottom of Stack) attribute. For example, if a user wants to filter MPLS 2-labelled packets where Label ID 0 is not part of the outermost MPLS header, the following rule will also match MPLS 1-labelled packets and non-MPLS packets without an MPLS header at position 2:
(config map alias mymap) # rule add pass mpls-label-id 0 pos 2 mpls-label-bos 0 pos 1
To avoid incorrect matches, add the MPLS BoS attribute as well to filter at position 2:
(config map alias mymap) # rule add pass mpls-label-id 0 pos 2 mpls-label-bos 0 pos 1 mpls-label-bos 1 pos 2 |
|||||||||||||||||||||||||||||||||||||||||||
mpls-label-ttl <0~255 | x..y> pos <any | 1~7> mpls-label-ttl-subset <even|odd> |
Adds a rule to allow (pass) MPLS packets based on their TTL (Time To Live) value and label position. The mpls-label-ttl parameter specifies the TTL value or range (0–255 or x..y) to match, while the pos parameter defines the MPLS label position in the stack (1–7 for specific positions or any for any position). The mpls-label-ttl-subset parameter further filters TTL values to only even or odd numbers. This MPLS header qualifier is applicable only for GigaVUE-TA400. For example:
(config map alias mymap) # rule add pass mpls-label-ttl 30..60 pos any mpls-label-ttl-subset odd
(config map alias mymap) # rule add pass mpls-label-ttl 40 pos any
(config map alias mymap) # rule add pass mpls-label-ttl 50 pos 1 mpls-label-ttl 70 pos 3
When using the MPLS header attributes (Label ID, EXP, BoS, and TTL) in the flow map rule configuration on the GigaVUE-TA400 chassis, setting these attributes to a value of 0 may lead to unintended packet matches. To ensure precise filtering, it is recommended to additionally filter based on the depth of the MPLS label using the BoS (Bottom of Stack) attribute. For example, if a user wants to filter packets with Label TTL as 0 at position 2, the following rule will also match MPLS 1-labelled packets and non-MPLS packets that do not have an MPLS header at position 2:
(config map alias mymap) # rule add pass mpls-label-ttl 0 pos 2
To avoid incorrect matches, add the MPLS BoS attribute as well to filter at position 2:
(config map alias mymap) # rule add pass mpls-label-ttl 0 pos 2 mpls-label-bos 1 pos 2 |
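The zero-value caveat repeated in the four MPLS rows above can be reproduced with a small model. The following Python sketch is an added example, not Gigamon code: it assumes the matcher sees all-zero fields at any label position a packet does not have, which is what the documented behaviour implies, and it handles single values with numbered positions only. The label stacks are constructed.

```python
import struct

MAX_POS = 7                      # positions addressable with 'pos <1~7>'
FIELDS = ("id", "exp", "bos", "ttl")


def entry(label, exp=0, bos=0, ttl=64):
    """Encode one 32-bit MPLS label stack entry: label(20) EXP(3) S(1) TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_stack(data):
    """Decode label stack entries up to and including the bottom-of-stack entry."""
    stack = []
    for off in range(0, len(data) - 3, 4):
        (word,) = struct.unpack_from("!I", data, off)
        stack.append({"id": word >> 12, "exp": (word >> 9) & 7,
                      "bos": (word >> 8) & 1, "ttl": word & 0xFF})
        if stack[-1]["bos"] or len(stack) == MAX_POS:
            break
    return stack


def qualifier_view(stack):
    """Fields per position as the matcher is assumed to see them: zero when absent."""
    absent = dict.fromkeys(FIELDS, 0)
    return [stack[i] if i < len(stack) else absent for i in range(MAX_POS)]


def parse_rule(text):
    """Extract (field, value, position) from single-value mpls-label-* criteria."""
    tokens = text.split()
    criteria = []
    for i, tok in enumerate(tokens):
        field = tok[len("mpls-label-"):] if tok.startswith("mpls-label-") else None
        if field in FIELDS:
            if tokens[i + 2] != "pos":
                raise ValueError(f"{tok} needs 'pos <1~7>'")
            criteria.append((field, int(tokens[i + 1]), int(tokens[i + 3])))
    return criteria


def rule_matches(rule_text, stack_bytes):
    """True when every criterion equals the field seen at its position."""
    view = qualifier_view(parse_stack(stack_bytes))
    return all(view[pos - 1][field] == value
               for field, value, pos in parse_rule(rule_text))


# Constructed label stacks (the bytes that would follow the MPLS ethertype).
SAMPLES = {
    "non-MPLS": b"",
    "1 label": entry(100, bos=1),
    "2 labels, 0 at pos 2": entry(100) + entry(0, bos=1),
    "2 labels, 200 at pos 2": entry(100) + entry(200, bos=1),
    "3 labels, 0 at pos 2": entry(100) + entry(0) + entry(300, bos=1),
}

LOOSE = "rule add pass mpls-label-id 0 pos 2"                          # from the page
STRICT = "rule add pass mpls-label-id 0 pos 2 mpls-label-bos 1 pos 2"  # from the page


def matched(rule_text):
    """Names of the sample stacks a rule matches under the model."""
    return [name for name, data in SAMPLES.items() if rule_matches(rule_text, data)]


if __name__ == "__main__":
    print("loose :", matched(LOOSE))
    print("strict:", matched(STRICT))
```

Under this model the BoS criterion also excludes the three-label stack, because it pins the stack depth to exactly two labels.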
|||||||||||||||||||||||||||||||||||||||||||
rewrite-dstmac <value> | rewrite-srcmac <value> |
For MAC address rewrite, configure the destination and source fields as follows:
Note: The rule-based MAC rewrite feature is applicable only on pass rules. To delete a rule-based MAC address rewrite, use the rule edit or delete command. |
|||||||||||||||||||||||||||||||||||||||||||
rewrite-dstip <value> | rewrite-srcip <value> |
For IP address rewrite, configure the destination and source fields as follows:
Note: The rule-based IP rewrite feature is applicable only on pass rules. To delete a rule-based IP address rewrite, use the rule edit or delete commands. |
|||||||||||||||||||||||||||||||||||||||||||
vlan-op add <vlan id> tpid <value> |
For VLAN manipulation, configure a VLAN ID and TPID value:
|
|||||||||||||||||||||||||||||||||||||||||||
portdst <0-65535 | x..y> portdst-subset <even | odd>
portsrc <0-65535 | x..y> portsrc-subset <even | odd> |
Creates a rule for a source or destination application port. You can specify the following:
(config map alias mymap) # rule add pass portsrc 5000..5100
Following are some examples:
(config map alias mymap) # rule add pass portdst 5000..5100 portdst-subset odd
(config map alias mymap) # rule add pass protocol tcp portdst 3000
(config map alias mymap) # rule add pass protocol udp portdst 3000
(config map alias mymap) # rule add pass protocol tcp portsrc 3000
(config map alias mymap) # rule add pass protocol udp portsrc 3000
Note: For non-TCP/UDP packets, portsrc matches the first and second bytes after the L3 header, whereas portdst matches the third and fourth bytes after the L3 header. |
|||||||||||||||||||||||||||||||||||||||||||
protocol
ipv6-hop: Protocol number 0
icmp-ipv4: Protocol number 1
igmp: Protocol number 2
ipv4ov4: Protocol number 4
tcp: Protocol number 6
udp: Protocol number 17
ipv6: Protocol number 41
rsvp: Protocol number 46
gre: Protocol number 47
icmp-ipv6: Protocol number 58
<1-byte-hex>: Custom hex entry |
Creates a map rule for a particular protocol. For example, to create a map rule that excludes all GRE traffic, use the following:
(config map alias gre-map) # rule add drop protocol gre
Protocol Map Rules and IPv6
The predefined protocol map-rules available for IPv4 (GRE, RSVP, and so on) are not allowed when ipver is set to 6. This is because with the next header approach used by IPv6, the next layer of protocol data is not always at a fixed offset as it is in IPv4. To address this, the GigaVUE HC Series node provides the <1-byte-hex> option to match against the standard hex values for these protocols in the Next Header field. The standard 1-byte-hex values for both IPv4 and IPv6 are as follows:
0x00: Hop-By-Hop Option (v6 only)
0x01: ICMP (v4 only)
0x02: IGMP
0x04: IP over IP
0x06: TCP
0x11: UDP
0x29: IPv6 over IPv4
0x2b: Routing Option (v6 only)
0x2c: Fragment (v6 only)
0x2E: RSVP (v4 only)
0x2F: GRE (v4 only)
0x32: Encapsulation Security Payload (ESP) Header
0x33: Authentication (v6 only)
0x3a: ICMP (v6 only)
0x3b: No Next Header (v6 only)
0x3c: Destination Option (v6 only) |
|||||||||||||||||||||||||||||||||||||||||||
tcpctl <1-byte-hex> tcpctlmask <1-byte-hex> |
Creates a one-byte pattern match map rule for the standard TCP control bits (URG, SYN, FIN, ACK, and so on). Use the tcpctlmask argument to specify which bits should be considered when matching packets. Refer to the Set Map Rules for TCP Control Bits section in the GigaVUE Fabric Management Guide for a list of the hexadecimal patterns for each of the eight TCP flags, along with some examples. Note: Map rules using the tcpctl argument must also include the protocol argument set to 6 (TCP). For example: (config map alias mymap) # rule add pass protocol 6 tcpctl 0x02 |
|||||||||||||||||||||||||||||||||||||||||||
tosval <1-byte-hex> |
Creates a rule for the Type of Service (TOS) value in an IPv4 header. The TOS value is how some legacy IPv4 equipment implements quality of service traffic engineering. The standard values are:
Note: Most network equipment now uses DSCP to interpret the TOS byte instead of the IP precedence and TOS value fields. For example: (config map alias mymap) # rule add pass tosval 0000 |
|||||||||||||||||||||||||||||||||||||||||||
ttl <ttl | ttl1..ttl2> |
Creates a rule for the Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet, as a number between 0 and 255 as follows:
The TTL and Hop Limit fields perform the same function, specifying the maximum number of hops a packet can cross before it reaches its destination. For example: (config map alias mymap) # rule add pass ttl 0 |
|||||||||||||||||||||||||||||||||||||||||||
uda1-data <16-byte-hex> uda1-mask <16-byte-hex> uda1-offset <2-110 bytes> uda2-data <16-byte-hex> uda2-mask <16-byte-hex> uda2-offset <2-110 bytes> |
Creates up to two user-defined, 16-byte pattern matches in a rule. A pattern is a particular sequence of bits at a specified offset from the start of a frame. User-defined pattern matches consist of the following:
A single rule can contain up to two user-defined pattern matches. Note: Always use the predefined map rule elements instead of user-defined pattern matches when possible. The following table provides the packet format, hex value, and offset details for UDA-1 and UDA-2 across different platforms:
Examples:
(config map alias mymap) # rule add pass uda1-data 26010101-2701010e-00000000-00000000 uda1-mask ffffffff-ffffffff-00000000-00000000 uda1-offset 12
(config map alias mymap) # rule add pass uda2-data 03ed0158-40060000-00000000-00000000 uda2-mask ffffffff-ffff0000-00000000-00000000 uda2-offset 4
Refer to the “Working with User-Defined Pattern Match Rules” section in the GigaVUE Fabric Management Guide for details. |
|||||||||||||||||||||||||||||||||||||||||||
vlan <vlan | vlan1..vlan2> vlan-subset <even | odd> |
Creates a rule for a VLAN ID or range of VLAN IDs for an outer VLAN tag. You can also use the optional vlan-subset argument to match even or odd VLAN IDs. For example, to match all even VLAN IDs between 200 and 300, use the following: (config map alias mymap) # rule add pass vlan 200..300 vlan-subset even |
|||||||||||||||||||||||||||||||||||||||||||
vxlan-id <1 to 16777215> |
Configure a user-defined VXLAN ID within the range of 1 to 16777215. For example: (config) # map alias circuit_rule rule add pass vxlan-id 500 |