Traffic Selector
This chapter covers traffic selectors: a set of rules that filter network packets
based on different attributes, such as incoming/outgoing interface,
source/destination address, protocol, VRF, etc.
A traffic selector behaves like an ACL (Access Control List) and
can be referenced from many configuration contexts, such as traffic
policies, NAT, Netflow, traffic trace, etc.
Every traffic selector contains a set of rules that are processed
in order until one of them matches the current network packet. A rule's
match can be inverted using the not command. The special exclude command
stops the evaluation of the remaining rules when its rule matches, and the
packet is not selected.
Note
Rules are evaluated in ascending order: if the first rule matches, the
remaining rules are not evaluated and the network packet is selected. As a
reminder, exclude is the exception: if a rule with the exclude command
matches, the remaining rules are not evaluated and the packet is not selected.
Configuration
This is the syntax to create a traffic selector:
set traffic selector <selector_name> [ ... ]
In order to attach a traffic selector to a traffic policy rule
you can use the following command:
set traffic policy <policy_name> rule <u32> selector <selector_name>
And, in the case of an interface with NAT:
set interfaces <if_type> <if_name> traffic nat <source / destination> rule <u32> selector <selector_name>
Below, you can find the different filters available. Network family refers to the network layer where each filter acts:
ARP filters act at layer 2 (data link).
IPv4 / IPv6 filters act at layer 3 (network).
Inet refers to both IPv4 & IPv6 filters. When the match is based on metadata (e.g., the packet input interface), the filter does not have a specific network family, and its OSI layer cell is left empty in the table below.
The compatible features column refers to the OSDx features where a specific traffic selector filter can be used.
Available filters:
| Traffic selector filter | OSI layer | Compatible features |
|---|---|---|
| advisor | | All |
| app-detect | Application layer | Regular policies, NAT & Netflow |
| arp-operation | Data link layer | Link policies |
| class | | All |
| connlimit | Network / Transport layer | Regular policies, NAT & Netflow |
| connmark | | Regular policies, NAT & Netflow |
| conntag | Network / Transport layer | Regular policies, NAT & Netflow |
| destination | Data link / Network / Transport layer | All |
| dscp | Network layer (IPv4) | All, except IPv6 |
| ecn | Network layer (IPv4) | All, except IPv6 |
| ether-type | Data link layer | All, except NAT |
| extra-connmark | | Regular policies, NAT & Netflow |
| extra-mark | | All |
| fragmentation | Network layer (IPv4) | All, except IPv6 |
| header-length | Network layer (IPv4) | All, except IPv6 |
| hoplimit | Network layer (IPv6) | All, except IPv4 |
| icmp-code | Network layer (IPv4) | All, except IPv6 |
| icmp-type | Network layer (IPv4) | All, except IPv6 |
| in-interface | | All |
| ip-option | Network layer (IPv4) | All, except IPv6 |
| ipv6-dscp | Network layer (IPv6) | All, except IPv4 |
| ipv6-ecn | Network layer (IPv6) | All, except IPv4 |
| ipv6-extension | Network layer (IPv6) | All, except IPv4 |
| ipv6-fragmentation | Network layer (IPv6) | All, except IPv4 |
| ipv6-icmp-code | Network layer (IPv6) | All, except IPv4 |
| ipv6-icmp-type | Network layer (IPv6) | All, except IPv4 |
| ipv6-next-header | Network layer (IPv6) | All, except IPv4 |
| label | | Regular policies, NAT & Netflow |
| length | Data link layer | All |
| mark | | All |
| ori-in-interface | | All |
| out-interface | | All |
| pkt-type | Data link layer | All |
| protocol | Transport layer | All |
| source | Data link / Network / Transport layer | All |
| state | | Regular policies, NAT & Netflow |
| tcp-flags | Transport layer | All |
| tcp-mss | Transport layer | All |
| tcp-option | Transport layer | All |
| tcp-window | Transport layer | All |
| ttl | Network layer (IPv4) | All, except IPv6 |
| vrf-connmark | | Regular policies, NAT & Netflow |
| vrf-mark | | All |
Examples
Let’s suppose we need to control network packets that meet one of the following conditions:
Source address is one of the addresses specified under the ADDR_LAN group (see the traffic groups documentation for more information).
Protocol is tcp and destination port is 80 or 443.
Protocol is icmp or udp and destination address is not 10.0.0.0/24.
To filter the network packets that meet these constraints, you can create
the following traffic selector:
set traffic selector SEL_LAN rule 1 source address-group ADDR_LAN
set traffic selector SEL_LAN rule 2 protocol tcp
set traffic selector SEL_LAN rule 2 destination port 80,443
set traffic selector SEL_LAN rule 3 protocol icmp,udp
set traffic selector SEL_LAN rule 3 not destination address 10.0.0.0/24
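To make the evaluation order, the per-attribute not and the exclude behaviour described earlier concrete, here is an added Python model of selector evaluation that runs the SEL_LAN selector above against constructed packets. This is example code written for this page, not OSDx code: the attribute names (source_group, dst_net, negate, ...), the contents of the ADDR_LAN group and the extra SEL_EXCLUDE selector are assumptions for illustration. The model treats the several set lines of one rule as ANDed attributes, applies not to the single attribute it prefixes (as in rule 3), and lets an exclude rule end evaluation without selecting the packet.

```python
"""Added model of traffic-selector evaluation (not OSDx code): rules are tried
in ascending order, the first matching rule decides, a 'not' inverts the single
attribute it prefixes, and an 'exclude' rule rejects the packet and stops."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address group standing in for the page's ADDR_LAN group.
ADDRESS_GROUPS = {
    "ADDR_LAN": [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
}


@dataclass
class Packet:
    """Constructed packet carrying only the fields the rules below inspect."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass
class Rule:
    """One selector rule; attribute names are hypothetical, not CLI keywords.
    All configured attributes must match (they are ANDed), mirroring several
    'set ... rule N ...' lines that build up a single rule."""
    number: int
    source_group: Optional[str] = None
    protocols: Optional[set] = None
    dst_ports: Optional[set] = None
    dst_net: Optional[str] = None
    negate: set = field(default_factory=set)   # attributes prefixed by 'not'
    exclude: bool = False                     # rule carries the 'exclude' command

    def matches(self, pkt: Packet) -> bool:
        checks = {}
        if self.source_group is not None:
            checks["source"] = any(
                ip_address(pkt.src) in net for net in ADDRESS_GROUPS[self.source_group])
        if self.protocols is not None:
            checks["protocol"] = pkt.proto in self.protocols
        if self.dst_ports is not None:
            checks["dst_port"] = pkt.dport in self.dst_ports
        if self.dst_net is not None:
            checks["dst_addr"] = ip_address(pkt.dst) in ip_network(self.dst_net)
        # 'not' flips the individual check; a rule with no attributes matches everything
        return all((not ok) if name in self.negate else ok for name, ok in checks.items())


def select(rules: list, pkt: Packet):
    """Evaluate rules in ascending order.

    Returns (selected, rule_number): the first matching rule ends evaluation and
    selects the packet unless it is an 'exclude' rule. No match -> (False, None).
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return (not rule.exclude, rule.number)
    return (False, None)


# The SEL_LAN selector from the page, rule by rule.
SEL_LAN = [
    Rule(1, source_group="ADDR_LAN"),                  # rule 1 source address-group ADDR_LAN
    Rule(2, protocols={"tcp"}, dst_ports={80, 443}),    # rule 2 protocol tcp, destination port 80,443
    Rule(3, protocols={"icmp", "udp"},                  # rule 3 protocol icmp,udp
         dst_net="10.0.0.0/24", negate={"dst_addr"}),   #        not destination address 10.0.0.0/24
]

# Constructed selector showing 'exclude': traffic to 10.0.0.0/24 is rejected by
# rule 1 and evaluation stops, so the catch-all rule 2 never sees it.
SEL_EXCLUDE = [
    Rule(1, dst_net="10.0.0.0/24", exclude=True),
    Rule(2, protocols={"tcp", "udp", "icmp"}),
]


if __name__ == "__main__":
    samples = [
        ("LAN host to Internet, UDP/53", SEL_LAN, Packet("192.168.1.10", "8.8.8.8", "udp", 53)),
        ("non-LAN host, HTTPS", SEL_LAN, Packet("172.16.0.5", "8.8.8.8", "tcp", 443)),
        ("non-LAN host, SSH into 10.0.0.0/24", SEL_LAN, Packet("172.16.0.5", "10.0.0.7", "tcp", 22)),
        ("non-LAN host, ICMP into 10.0.0.0/24", SEL_LAN, Packet("172.16.0.5", "10.0.0.7", "icmp")),
        ("non-LAN host, UDP outside 10.0.0.0/24", SEL_LAN, Packet("172.16.0.5", "10.1.0.7", "udp", 53)),
        ("exclude rule hit", SEL_EXCLUDE, Packet("172.16.0.5", "10.0.0.7", "tcp", 22)),
        ("exclude rule skipped", SEL_EXCLUDE, Packet("172.16.0.5", "10.1.0.7", "tcp", 22)),
    ]
    for label, selector, pkt in samples:
        selected, rule = select(selector, pkt)
        print(f"{label:40} selected={selected!s:5} rule={rule}")
```

Running the block prints one line per sample packet. The ICMP packet into 10.0.0.0/24 is the case worth checking: rule 3 matches on protocol, but the negated destination check fails, so no rule matches and the packet is not selected; the same packet sent to 10.1.0.7 is selected by rule 3. With SEL_EXCLUDE, a packet to 10.0.0.0/24 reports rule 1 as the deciding rule yet is not selected, which is exactly the exclude behaviour the Note describes.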
More traffic selector examples can be found in the examples section of the documentation.
Monitoring
The traffic selector <txt> show operational command can be used to
display, for each rule of the selector, the packets and bytes evaluated and matched.
Example:
admin@osdx$ traffic selector SEL_SUBNET2 show
Selector SEL_SUBNET2 (nat destination -- ifc eth1 -- rule 1)
-----------------------------------------------------
rule  pkts match  pkts eval  bytes match  bytes eval
-----------------------------------------------------
1     2           2          106          106
-----------------------------------------------------
Total 2           2          106          106