Traffic Selector

Contents

This chapter covers some aspects related to traffic selector, which is a set of rules that allows us to filter network packets based on different attributes: incoming/outgoing interface, source/destination address, protocol, VRF, etc.

traffic selectors behaves like ACLs (Access Control Lists) and can be used in many places in configuration; such as, traffic policies, NAT, Netflow, traffic trace, etc.

Every traffic selector contains a set of rules that are processed in order until one of them matches the current network packet. The sense of matching can be inverted by using the not command. The special exclude command can be used to stop checking remaining rules if current one matches.

Note

Rules are evaluated in ascending order. Meaning that, if first rule is met, the remaining rules are not evaluated and network packet is selected. As a reminder, exclude is an exception: if a rule with the exclude command matches, the remanining rules are not evaluated and packet is not selected.

Configuration

This is the syntax to create a traffic selector:

set traffic selector <selector_name> [ ... ]

In order to attach a traffic selector in a traffic policy rule you can use the following command:

set traffic policy <policy_name> rule <u32> selector <selector_name>

And, in the case of an interface with NAT:

set interfaces <if_type> <if_name> traffic nat <source / destination> rule <u32> selector <selector_name>

Below, you can find the different fitlers available. Network family refers to the network layer where this filter will act:

• ARP filters act on level 2.

• IPv4 / IPv6 filters act on level 3.

Inet refers to both IPv4 & IPv6 filters. The filters that do not have a specific Network family is because the match is based on some metadata information (e.g., the packet input interface).

The compatible features column refers to the OSDx features where a specific traffic selector filter can be used.

Available filters:

Traffic selector filter	Network family	Compatible features
advisor		All
app-id	Inet	Regular policies, NAT & Netflow
arp-operation	ARP	Link policy
connmark		Regular policies, NAT & Netflow
destination	Inet / ARP	All
dscp	IPv4	All, except IPv6
ecn	IPv4	All, except IPv6
ether-type	ARP	Link policy
extra-connmark		Regular policies, NAT & Netflow
extra-mark		Regular policies, NAT & Netflow
fragmentation	IPv4	All, except IPv6
header-length	IPv4	All, except IPv6
hoplimit	IPv6	All, except IPv4
icmp-code	IPv4	All, except IPv6
icmp-type	IPv4	All, except IPv6
in-interface		All
ip-option	IPv4	All, except IPv6
ipv6-dscp	IPv6	All, except IPv4
ipv6-ecn	IPv6	All, except IPv4
ipv6-extension	IPv6	All, except IPv4
ipv6-fragmentation	IPv6	All, except IPv4
ipv6-icmp-code	IPv6	All, except IPv4
ipv6-icmp-type	IPv6	All, except IPv4
ipv6-next-header	IPv6	All, except IPv4
label		Regular policies, NAT & Netflow
length	ARP	All
mark		Regular policies, NAT & Netflow
ori-in-interface		All
out-interface		All
pkt-type	ARP	All
protocol	Inet	All
source	Inet / ARP	All
state		Regular policies, NAT & Netflow
tcp-flags	Inet	All
tcp-mss	Inet	All
tcp-option	Inet	All
tcp-window	Inet	All
ttl	IPv4	All, except IPv6
vrf-connmark		Regular policies, NAT & Netflow
vrf-mark		Regular policies, NAT & Netflow

Examples

Let’s suppose we need to control the network packets that meet one of the following conditions:

• Source address is one of the addresses specified in ADDR_LAN group (click here for more information about traffic groups).

• Protocol is tcp and destination port is 80 or 443.

• Protocol is icmp or udp and destination address is not 10.0.0.0/24.

In order to filter the network packets that meet those constraints, you can create the following traffic selector:

set traffic selector SEL_LAN rule 1 source address-group ADDR_LAN
set traffic selector SEL_LAN rule 2 protocol tcp
set traffic selector SEL_LAN rule 2 destination port 80,443
set traffic selector SEL_LAN rule 3 protocol icmp,udp
set traffic selector SEL_LAN rule 3 not destination address 10.0.0.0/24

Here, you can find more examples related to traffic selector.

Monitoring

The operational command traffic selector <txt> show can be used to display some network statistics.

Example:

admin@osdx$ traffic selector SEL_SUBNET2 show
Selector SEL_SUBNET2 (nat destination -- ifc eth1 -- rule 1)

-----------------------------------------------------
rule   pkts match  pkts eval  bytes match  bytes eval
-----------------------------------------------------
1               2          2          106         106
-----------------------------------------------------
Total           2          2          106         106

Command Summary

Configuration commands

• traffic selector <txt>

• traffic selector <txt> description <txt>

• traffic selector <txt> rule <u32>

• traffic selector <txt> rule <u32> app-id

• traffic selector <txt> rule <u32> destination

• traffic selector <txt> rule <u32> exclude

• traffic selector <txt> rule <u32> fragmentation

• traffic selector <txt> rule <u32> header-length

• traffic selector <txt> rule <u32> hoplimit

• traffic selector <txt> rule <u32> ip-option

• traffic selector <txt> rule <u32> ipv6-extension

• traffic selector <txt> rule <u32> ipv6-fragmentation

• traffic selector <txt> rule <u32> length

• traffic selector <txt> rule <u32> not

• traffic selector <txt> rule <u32> source

• traffic selector <txt> rule <u32> tcp-mss

• traffic selector <txt> rule <u32> tcp-option

• traffic selector <txt> rule <u32> tcp-window

• traffic selector <txt> rule <u32> ttl

Operational commands

• traffic selector <txt> show

• traffic selector <txt> show json

• traffic selector show

• traffic selector show json