Policy Traffic Filtering

Policy traffic filtering introduces the ability to filter traffic across multiple layers of the frame or packet, and offload the filtering to the hardware.

Note

As of this release, policy traffic filtering is only supported for the Redfox 7000/5000 and Lynx 5000-series.

Introduction

Usage of policy traffic filtering allows for the possibility to offload filtering of packets directly in hardware.

The firewall subsystem requires packets to be forwarded to the CPU of the switch, which performs the filtering of network traffic. This comes at a cost in routing performance.

Since policy traffic filtering is performed in hardware, filters need to be configured per direction, ingress or egress, and per port.

This means that policy traffic filtering cannot monitor and track active network connections (stateful); it is stateless. If returning traffic should be accepted, filters need to be configured in both the ingress and egress directions. An additional benefit of policy traffic filtering is the ability to match across multiple layers of the packet, e.g. matching on a packet's MAC address, which is not possible with the firewall subsystem.

Configuration

Policies are configured and enabled from the policy configuration context in the CLI.

example:/#> configure
example:/config/#> policy
example:/config/policy/#>

To delete all policy related configurations execute the following command.

example:/#> configure
example:/config/#> no policy

[no] enable

Enable or disable policies.

Note

Configured policies will not be deleted upon no enable, rather they are saved but not applied.

no
Disable the policies.
show
Show the current policy settings.

Ingress and Egress Policy Specific Settings

The following context creates and manages the groups of filters for ingress or egress policies. The name or id is used to distinguish between different groups of ingress or egress policies. The following options can both be found when configuring an ingress policy or egress policy.

example:/config/policy/#> <ingress|egress>-policy <NAME|id>

To delete all ingress- or egress-policy configuration for a specific id or name execute the following command.

example:/config/policy/#> no <ingress|egress>-policy <NAME|id>

[no] description <STRING>

Free form description of the current policy group.

A valid string contains ASCII characters in the range of [32-126]. Maximum of 128 characters allowed.

no
Remove the saved description.
[no] name <STRING>

Set name of the current policy group.

A valid string contains alphabetic and numeric characters. Maximum of 16 characters allowed.

no
Remove the saved name.
[no] filter <id>

Enter the filter configuration context.

Create a filter with an id that is used as a ruleset for ingress or egress traffic control. Valid filter id range [1-50].

no
Remove saved filter of the given id.
show
Show the current settings of the ingress or egress policy.

Filter Specific Settings

The following context creates and manages the individual filters for ingress or egress policies, depending on the current context. The filter options are identical in both the ingress-policy context and the egress-policy context. Valid filter id range [1-50].

example:/config/policy/ingress-policy-1/#> filter <id>

To delete the filter of a given id, execute the following command.

example:/config/policy/ingress-policy-1/#> no filter <id>

[no] match [MATCH]

Set the match rule(s) that specify when the filter action should be applied. It is possible to match on several match conditions within the same filter. However, if two match statements are entered using the same match condition, the older match statement is overwritten.

Currently the following are supported options when using the match statement.

no
Remove a specific match condition.
smac
Match frames on the source MAC address field in the frame header. A wildcard (*) can be used to match on specific blocks of the MAC address.
dmac
Match frames on the destination MAC address field in the frame header. A wildcard (*) can be used to match on specific blocks of the MAC address.
saddr
Match frames on the source IP address field in the IP header. A CIDR (/) can be used to match on a range of IP addresses.
daddr
Match frames on the destination IP address field in the IP header. A CIDR (/) can be used to match on a range of IP addresses.
pos [POSITION]
Position of the current filter in relation to the other filters of the same ingress or egress policy. A lower position entails a higher priority. Filters are checked in the order of their respective positions, in ascending order. The position cannot be the same as that of another filter. Valid positions include [1-1000].
action <accept|drop|trap>

Specify the action to be performed when a filter match is found. A newly created filter will default to drop if nothing else is specified.

accept
Let the matching packet pass through the filter.
drop
Let the matching packet be dropped and not pass the filter.
trap
Let the matching packet be trapped and sent to the CPU. Only recommended when certain packets need to be sent through the CPU. Only supported in the ingress direction.

Port Specific Settings

The following context is used to configure and manage traffic filter policies for a specific port. In the port context, ingress and egress policies are applied to the given port.

example:/config/policy/#> port <PORT>

ingress-chain

Enter the ingress chain context.

Configure and manage ingress policies for the selected port.

egress-chain

Enter the egress chain context.

Configure and manage egress policies for the selected port.

Port Ingress and Egress Chain Specific Settings

The following context manages the ingress or egress chains of the specific port. Previously created ingress or egress policies are applied in the following context.

Note

Ingress policies cannot be applied on an egress chain, and vice versa. If an identical filter should be placed in both the ingress and egress direction, two identical filters need to be created: one ingress filter and one egress filter.

To manage and configure ingress chains enter:

example:/config/policy/port-eth1/#> ingress-chain

To manage and configure egress chains enter:

example:/config/policy/port-eth1/#> egress-chain

[no] ingress <NAME|id> [pos POSITION] [vid VID]

Apply a previously created ingress policy to the current port.

Note

This command is only available in the ingress-chain context.
NAME|id
The name or id of the ingress policy.
pos
The position of the ingress policy for the current port. A lower position entails a higher priority. Policies are checked and evaluated in ascending order.
vid
The optional vid argument allows control of which VLANs the selected policy should act on. If no vid is specified, the policy applies to all VLANs.
[no] egress <NAME|id> [pos POSITION] [vid VID]

Apply a previously created egress policy to the current port.

Note

This command is only available in the egress-chain context.
NAME|id
The name or id of the egress policy.
pos
The position of the egress policy for the current port. A lower position entails a higher priority. Policies are checked and evaluated in ascending order.
vid
The optional vid argument allows control of which VLANs the selected policy should act on. If no vid is specified, the policy applies to all VLANs.
default-action <accept|drop>

Selection of the action to be applied if no policies match a packet. The default-action is set to drop by default.

accept
If no policies match the incoming or outgoing packet, the packet will be passed.
drop
If no policies match the incoming or outgoing packet, the packet will be dropped.
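The following is an added, end-to-end example that ties the contexts above together; it is not a session from the product documentation. It walks through one complete procedure: enabling policies, creating an ingress policy whose filters are evaluated by ascending position, creating the separate egress policy that the stateless design requires for returning traffic, and applying both to a port with an explicit default-action. The addresses, policy names and port are constructed for illustration; the nested prompt strings shown after entering a filter or chain context, the use of `end` to leave a context and `leave` to exit the configure context, and the exact argument form of each `match` statement are assumptions, since the page only shows the top-level prompts. Lines beginning with `#` are annotations, not CLI input.

```console
# Enable the policy subsystem (configured policies are kept but not applied while disabled).
example:/#> configure
example:/config/#> policy
example:/config/policy/#> enable

# Ingress policy for traffic entering eth1 from the (constructed) PLC subnet 10.0.10.0/24.
example:/config/policy/#> ingress-policy 1
example:/config/policy/ingress-policy-1/#> name plc-in
example:/config/policy/ingress-policy-1/#> description Permit one PLC to reach the historian

# Filter at position 10: the specific PLC -> historian flow is accepted first.
example:/config/policy/ingress-policy-1/#> filter 1
example:/config/policy/ingress-policy-1/filter-1/#> match saddr 10.0.10.7
example:/config/policy/ingress-policy-1/filter-1/#> match daddr 10.0.20.5
example:/config/policy/ingress-policy-1/filter-1/#> pos 10
example:/config/policy/ingress-policy-1/filter-1/#> action accept
example:/config/policy/ingress-policy-1/filter-1/#> end

# Filter at position 20: the rest of the subnet is dropped. Because positions are
# evaluated in ascending order, the narrower accept at pos 10 wins for 10.0.10.7
# even though 10.0.10.7 is also inside this CIDR.
example:/config/policy/ingress-policy-1/#> filter 2
example:/config/policy/ingress-policy-1/filter-2/#> match saddr 10.0.10.0/24
example:/config/policy/ingress-policy-1/filter-2/#> pos 20
example:/config/policy/ingress-policy-1/filter-2/#> action drop
example:/config/policy/ingress-policy-1/filter-2/#> end
example:/config/policy/ingress-policy-1/#> end

# Filtering is stateless, so the historian's replies leaving eth1 need their own
# egress policy; the ingress accept above does not cover them.
example:/config/policy/#> egress-policy 1
example:/config/policy/egress-policy-1/#> name plc-out
example:/config/policy/egress-policy-1/#> filter 1
example:/config/policy/egress-policy-1/filter-1/#> match saddr 10.0.20.5
example:/config/policy/egress-policy-1/filter-1/#> match daddr 10.0.10.7
example:/config/policy/egress-policy-1/filter-1/#> pos 10
example:/config/policy/egress-policy-1/filter-1/#> action accept
example:/config/policy/egress-policy-1/filter-1/#> end
example:/config/policy/egress-policy-1/#> end

# Apply the policies to eth1. default-action is already drop, but stating it
# explicitly documents the intent for whoever reads the running configuration.
example:/config/policy/#> port eth1
example:/config/policy/port-eth1/#> ingress-chain
example:/config/policy/port-eth1/ingress-chain/#> ingress plc-in pos 10
example:/config/policy/port-eth1/ingress-chain/#> default-action drop
example:/config/policy/port-eth1/ingress-chain/#> end
example:/config/policy/port-eth1/#> egress-chain
example:/config/policy/port-eth1/egress-chain/#> egress plc-out pos 10
example:/config/policy/port-eth1/egress-chain/#> default-action drop
example:/config/policy/port-eth1/egress-chain/#> end
example:/config/policy/port-eth1/#> end

# Review the result before leaving the configure context.
example:/config/policy/#> show
example:/config/policy/#> leave
```

Two points worth checking after applying such a configuration: every flow that must survive has a matching filter in both directions on the port (any flow without an egress match is silently dropped by the default-action), and no two filters in the same policy share a position, since the position decides which of two overlapping matches takes effect. The optional `vid` argument on `ingress`/`egress` can narrow either policy to one VLAN if the port carries several.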