Traffic Selector

This chapter covers some aspects related to traffic selector, which is a set of rules that allows us to filter network packets based on different attributes: incoming/outgoing interface, source/destination address, protocol, VRF, etc.

traffic selectors behaves like ACLs (Access Control Lists) and can be used in many places in configuration; such as, traffic policies, NAT, Netflow, traffic trace, etc.

Every traffic selector contains a set of rules that are processed in order until one of them matches the current network packet. The sense of matching can be inverted by using the not command. The special exclude command can be used to stop checking remaining rules if current one matches.

Note

Rules are evaluated in ascending order. Meaning that, if first rule is met, the remaining rules are not evaluated and network packet is selected. As a reminder, exclude is an exception: if a rule with the exclude command matches, the remanining rules are not evaluated and packet is not selected.

Configuration

This is the syntax to create a traffic selector:

set traffic selector <selector_name> [ ... ]

In order to attach a traffic selector in a traffic policy rule you can use the following command:

set traffic policy <policy_name> rule <u32> selector <selector_name>

And, in the case of an interface with NAT:

set interfaces <if_type> <if_name> traffic nat <source / destination> rule <u32> selector <selector_name>

Below, you can find the different fitlers available. Network family refers to the network layer where this filter will act:

  • ARP filters act on level 2.

  • IPv4 / IPv6 filters act on level 3.

Inet refers to both IPv4 & IPv6 filters. The filters that do not have a specific Network family is because the match is based on some metadata information (e.g., the packet input interface).

The compatible features column refers to the OSDx features where a specific traffic selector filter can be used.

Available filters:

Traffic selector filter

Network family

Compatible features

advisor

All

app-id

Inet

Regular policies, NAT & Netflow

arp-operation

ARP

Link policy

class

All

connlimit

Inet

Regular policies, NAT & Netflow

connmark

Regular policies, NAT & Netflow

destination

Inet / ARP

All

dscp

IPv4

All, except IPv6

ecn

IPv4

All, except IPv6

ether-type

ARP

Link policy

extra-connmark

Regular policies, NAT & Netflow

extra-mark

All

fragmentation

IPv4

All, except IPv6

header-length

IPv4

All, except IPv6

hoplimit

IPv6

All, except IPv4

icmp-code

IPv4

All, except IPv6

icmp-type

IPv4

All, except IPv6

in-interface

All

ip-option

IPv4

All, except IPv6

ipv6-dscp

IPv6

All, except IPv4

ipv6-ecn

IPv6

All, except IPv4

ipv6-extension

IPv6

All, except IPv4

ipv6-fragmentation

IPv6

All, except IPv4

ipv6-icmp-code

IPv6

All, except IPv4

ipv6-icmp-type

IPv6

All, except IPv4

ipv6-next-header

IPv6

All, except IPv4

label

Regular policies, NAT & Netflow

length

ARP

All

mark

All

ori-in-interface

All

out-interface

All

pkt-type

ARP

All

protocol

Inet

All

source

Inet / ARP

All

state

Regular policies, NAT & Netflow

tcp-flags

Inet

All

tcp-mss

Inet

All

tcp-option

Inet

All

tcp-window

Inet

All

ttl

IPv4

All, except IPv6

vrf-connmark

Regular policies, NAT & Netflow

vrf-mark

All

Examples

Let’s suppose we need to control the network packets that meet one of the following conditions:

  • Source address is one of the addresses specified in ADDR_LAN group (click here for more information about traffic groups).

  • Protocol is tcp and destination port is 80 or 443.

  • Protocol is icmp or udp and destination address is not 10.0.0.0/24.

In order to filter the network packets that meet those constraints, you can create the following traffic selector:

set traffic selector SEL_LAN rule 1 source address-group ADDR_LAN
set traffic selector SEL_LAN rule 2 protocol tcp
set traffic selector SEL_LAN rule 2 destination port 80,443
set traffic selector SEL_LAN rule 3 protocol icmp,udp
set traffic selector SEL_LAN rule 3 not destination address 10.0.0.0/24

Here, you can find more examples related to traffic selector.

Monitoring

The operational command traffic selector <txt> show can be used to display some network statistics.

Example:

admin@osdx$ traffic selector SEL_SUBNET2 show
Selector SEL_SUBNET2 (nat destination -- ifc eth1 -- rule 1)

-----------------------------------------------------
rule   pkts match  pkts eval  bytes match  bytes eval
-----------------------------------------------------
1               2          2          106         106
-----------------------------------------------------
Total           2          2          106         106

Command Summary

Configuration commands

Operational commands