hardware-profile filter (Qumran 1)

Use this command to enable or disable ingress IPv4 or IPv6 filter groups, egress IPv6 filter groups, EVPN-MPLS and VxLAN filter groups, and TWAMP IPv4 or IPv6 groups. Disabling filter groups increases the number of configurable filter entries.

Disabling a TCAM filter group is not allowed if the group has any entries configured in hardware. Group dependent entries must be explicitly removed before disabling the TCAM group.

 

  • This feature is supported for IPv4 unicast and IPv4 BGP/MPLS VPN service based on RFC 8955.
  • The qos, qos-ext, and qos-policer filter groups can only be used for Layer 2 and IPv4 traffic. For IPv6 traffic QoS classification and actions, users must enable the ingress-ipv6-qos group and create an IPv6 ACL which can be matched in a class-map for applying QoS actions. For more details, refer to the Quality of Service Guide.
  • Usually the number of extended ingress filter groups that can be created at the same time is 3. If the PIM bidirectional feature is enabled, only 2 ingress extended filter groups can be created.
  • The ipv4-ext and qos-policer group parameters are not supported together.
  • For better utilization of TCAM resources, it is recommended to enable the large groups first and then the smaller groups. For example, using admin credentials, configure evpn-mpls-mh as the last filter because it is the smallest group.
  • In Qumran1 (Q1) series platforms, egress ACLs are not applicable for packets sent from the CPU.
  • Disabling and enabling hardware-profile filter groups in a single commit is not recommended.

Example:

OcNOS(config)#hardware-profile filter ingress-ipv4 disable
OcNOS(config)#hardware-profile filter ingress-ipv4-ext enable
OcNOS(config)#commit

  • Configuring and unconfiguring an access-list on an interface in a single commit is not recommended.

Example:

OcNOS(config)#interface xe8
OcNOS(config-if)#no ip access-group ACL1v4 out
OcNOS(config-if)#exit
OcNOS(config)#interface xe3
OcNOS(config-if)#ip access-group ACL2v4 out
OcNOS(config-if)#commit

Example 1

(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#hardware-profile filter ingress-ipv6 enable
(config)#hardware-profile filter qos-ext enable
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter evpn-mpls-mh enable

Example 2

(config)#hardware-profile filter ingress-ipv4-qos enable
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter vxlan enable
(config)#hardware-profile filter vxlan-mh enable

Example 3

(config)#hardware-profile filter qos-ext enable
(config)#hardware-profile filter egress-ipv4 enable
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#hardware-profile filter ingress-ipv4 enable
(config)#hardware-profile filter ingress-ipv4 enable
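
The notes and Examples 1 to 3 above can be checked mechanically before a commit. The Python lint below is an added example, not part of the OcNOS documentation or software. Key sizes come from Table 117 on this page; reading "ipv4-ext" as the ingress-ipv4-ext keyword, and inspecting only the lines of one candidate commit rather than the running configuration, are assumptions.

```python
import re

# Key sizes in bits, copied from Table 117 of this page.
SIZE_160 = "ingress-l2 ingress-ipv4 qos cfm-domain-name-str".split()
SIZE_320 = ("ingress-l2-ext ingress-ipv4-ext ingress-ipv4-qos ingress-ipv6 "
            "ingress-ipv6-ext ingress-ipv6-ext-vlan ingress-ipv6-qos qos-ipv6 "
            "qos-ext qos-policer egress-l2 egress-ipv4 twamp-ipv4 twamp-ipv6 "
            "twamp-ipv6-mpls ipv4-bgp-flowspec").split()
KEY_SIZE = {**dict.fromkeys(SIZE_160, 160), **dict.fromkeys(SIZE_320, 320)}
# Syntax keywords that Table 117 does not size: accepted, skipped by the order check.
UNSIZED = {"ingress-arp", "evpn-mpls-cw", "evpn-mpls-mh", "vxlan", "vxlan-mh"}
CMD = re.compile(r"hardware-profile filter (\S+) (enable|disable)\s*$")

def lint_commit(lines):
    """Return findings for one candidate commit, given as a list of CLI lines."""
    findings, actions, enabled, smallest = [], set(), set(), None
    for n, line in enumerate(lines, 1):
        m = CMD.search(line)
        if not m:
            continue  # not a hardware-profile filter command
        group, action = m.groups()
        if group not in KEY_SIZE and group not in UNSIZED:
            findings.append(f"line {n}: unknown filter group '{group}'")
            continue
        actions.add(action)
        if action == "enable":
            enabled.add(group)
            size = KEY_SIZE.get(group)
            if size and smallest and size > smallest:
                findings.append(f"line {n}: {size}-bit '{group}' enabled after a {smallest}-bit group")
            if size:
                smallest = min(smallest or size, size)
    if actions == {"enable", "disable"}:
        findings.append("enable and disable mixed in a single commit")
    # Assumption: the page's "ipv4-ext" means the ingress-ipv4-ext keyword.
    if {"ingress-ipv4-ext", "qos-policer"} <= enabled:
        findings.append("ingress-ipv4-ext and qos-policer are not supported together")
    return findings

# Constructed input: mistyped keyword, small-before-large order, both notes violated.
BAD_COMMIT = [
    "OcNOS(config)#hardware-profile filter ingress-l2 enable",
    "OcNOS(config)#hardware-profile filter ingress-ipv4-ext enable",
    "OcNOS(config)#hardware-profile filter qos-policer enable",
    "OcNOS(config)#hardware-profile filter vxlabn-mh enable",
    "OcNOS(config)#hardware-profile filter ingress-ipv4 disable",
]
if __name__ == "__main__":
    print("\n".join(lint_commit(BAD_COMMIT)))
```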

The twamp-ipv4 hardware profile sets up a PMF group to manage TWAMP IPv4 traffic, enabling precise hardware time stamping of TWAMP packets. These packets are identified by their source IP, destination IP, source UDP port, and destination UDP port. When a packet is recognized as a TWAMP packet, the bcmFieldActionOam action is applied, directing the packet to the OAMP module for time stamping. Additionally, the bcmFieldActionForward action is used to ensure the packet is encapsulated with the correct FEC. If the packet includes MPLS labels, the predefined qualifiers will not match. In this scenario, user-defined qualifiers are added to the same PMF group to identify the TWAMP packet.

The twamp-ipv6 hardware profile establishes two PMF groups to manage TWAMP IPv6 traffic, differentiating between MPLS and non-MPLS traffic due to the inability to fit user-defined qualifiers in a single PMF group. These groups ensure accurate hardware time stamping of TWAMP packets, identified by their source IPv6, destination IPv6, source UDP port, and destination UDP port. When a packet is recognized as a TWAMP packet, the bcmFieldActionOam action is applied, sending the packet to the OAMP module for time stamping. Additionally, the bcmFieldActionForward action ensures the packet is encapsulated with the correct FEC. If the packet includes MPLS labels, the predefined qualifiers will not match. In this case, user-defined qualifiers are added to identify the TWAMP packet, and since the IPv6 qualifiers cannot be included in the same group, they are created in a separate group.

Enabling TWAMP hardware profiles requires a system reboot.

Command Syntax

hardware-profile filter (ingress-l2|ingress-l2-ext|ingress-ipv4|ingress-ipv4-ext|ingress-ipv4-qos|ingress-ipv6|ingress-ipv6-ext|ingress-ipv6-ext-vlan|ingress-ipv6-qos|qos-ipv6|ingress-arp|qos|qos-ext|qos-policer|egress-l2|egress-ipv4|evpn-mpls-cw|evpn-mpls-mh|vxlan|vxlan-mh|cfm-domain-name-str|twamp-ipv4|twamp-ipv6|twamp-ipv6-mpls|ipv4-bgp-flowspec) (enable|disable)

Parameters

ingress-l2

Ingress L2 ACL filter group.

ingress-l2-ext

Ingress L2 ACL, QoS, mirror filter group.

ingress-ipv4

Ingress IP ACL filter group.

ingress-ipv4-ext

Ingress IP ACL, mirror, PBR filter group.

ingress-ipv4-qos

Ingress IPv4 group for ACL match QoS.

ingress-ipv6

Ingress IPv6 ACL, mirror, PBR filter group

ingress-ipv6-ext

Ingress IPv6 group to support 128-bit address qualification on physical interfaces.

ingress-ipv6-ext-vlan

Ingress IPv6 group to support 128-bit address qualification on VLAN interfaces and subinterfaces.

ingress-ipv6-qos

Ingress IPv6 group for ACL match QoS.

qos-ipv6

Ingress QoS IPv6 group for IPv6 QoS support with statistics.

ingress-arp

Ingress ARP group.

qos

Ingress QoS filter group

qos-ext

Ingress QoS extended filter group.

qos-policer

Ingress extended QoS group for hierarchical policer support.

egress-l2

Egress L2 ACL filter group

egress-ipv4

Egress IP ACL filter group.

evpn-mpls-mh

Ingress EVPN MPLS Multi-Homing Forwarding Group

vxlan

Ingress VxLAN Forwarding group

vxlan-mh

Ingress VxLAN Multi-Homing Forwarding Group.

cfm-domain-name-str

Egress CFM domain group.

twamp-ipv4

TWAMP IPv4 filter group.

twamp-ipv6

TWAMP IPv6 filter group.

twamp-ipv6-mpls

TWAMP IPv6 MPLS filter group.

ipv4-bgp-flowspec

BGP FlowSpec filter group.

enable

Enable filter group.

disable

Disable filter group

Default

By default, all filter groups are disabled.

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3 and changed in OcNOS version 3.0.

Examples

OcNOS#configure terminal 
OcNOS(config)#hardware-profile filter ingress-ipv4 enable 
OcNOS(config)#hardware-profile filter ingress-ipv4 disable
OcNOS(config)#hardware-profile filter egress-ipv4 enable
OcNOS(config)#hardware-profile filter egress-ipv4 disable

Table 117. Supported groups and the feature dependency on the groups

| Group | Key Size | Security | QoS | PBR | Mirror | Statistics (QMX) | Statistics (QAX) | Statistics (QUX) |
|---|---|---|---|---|---|---|---|---|
| ingress-l2 | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
| ingress-l2-ext | 320 | Yes | No | N/A | Yes | Yes | Yes | Yes |
| ingress-ipv4 | 160 | Yes | No | No | No | Yes | Yes | Yes |
| ingress-ipv4-ext | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
| ingress-ipv4-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| ingress-ipv6 | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
| ingress-ipv6-ext | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
| ingress-ipv6-ext-vlan | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
| ingress-ipv6-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos-ipv6 | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos | 160 | N/A | Yes | N/A | N/A | No | No | No |
| qos-ext | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos-policer | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| egress-l2 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-ipv4 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| cfm-domain-name-str | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv4 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv6 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv6-mpls | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| ipv4-bgp-flowspec | 320 | N/A | N/A | N/A | N/A | No | No | No |

Table 118. Comparison between basic and extended group qualifiers

| Basic Group | Supported Qualifiers | Supported Action | Extended Group | Supported Qualifiers | Supported Action |
|---|---|---|---|---|---|
| ingress-l2 | Source MAC, Destination MAC, Ether Type (ip, ipv6, mpls, arp, cfm, fcoe), VLAN ID, Inner VLAN ID | Permit, Deny | ingress-l2-ext | Source MAC, Destination MAC, Ether Type, VLAN ID, Inner VLAN ID, COS | Permit, Deny, Policer, Mirror, Assign Queue, COS Remark |
| ingress-ipv4 | Source IP, Destination IP, IP Protocols, L4 Ports | Permit, Deny | ingress-ipv4-ext | Source IP, Destination IP, IP Protocols, L4 Ports, DSCP, VLAN ID, Inner VLAN ID, TCP flags | Permit, Deny, Mirror |
| ingress-ipv6 | Source IPv6 (n/w part), Destination IPv6 (n/w part), IPv6 Protocols, L4 Ports, VLAN ID, DSCP | Permit, Deny, Mirror, Assign Queue | ingress-ipv6-ext | Source IPv6 address full 128 bits, Destination IPv6 address full 128 bits, L4 Ports, IPv6 Protocols, Physical interface | Permit, Deny, Assign Queue, DSCP Remark, Policer, Mirror |
| qos | VLAN ID, COS, Inner VLAN ID, Inner COS, Ether Type, DSCP, Topmost EXP | Assign Queue, COS Remark, DSCP Remark, Policer | qos-ext | VLAN ID, COS, Inner VLAN ID, Inner COS, Ether Type, DSCP, Topmost EXP, IP RTP, L4 Ports, Destination MAC, Traffic type | Assign Queue, COS Remark, DSCP Remark, Policer |

Table 119. Qualifiers for other groups

| Group | Qualifiers | Actions |
|---|---|---|
| ingress-ipv6-ext-vlan | Source IPv6 address full 128 bits, Destination IPv6 address full 128 bits, L4 Ports, IPv6 Protocols, VLAN interface, subinterface | Permit, Deny, Assign Queue, DSCP Remark, Policer, Mirror |
| egress-l2 | Source MAC, Destination MAC, VLAN ID, Inner VLAN ID, COS | Permit, Deny |
| egress-ipv4 | Source IP, Destination IP, IP Protocols, L4 Ports, DSCP, VLAN ID, Inner VLAN ID | Permit, Deny |
| qos-policer | VLAN ID, COS, Inner VLAN ID, Inner COS, Ether Type, DSCP, Topmost EXP, IP RTP, L4 Ports | Assign Queue, COS Remark, DSCP Remark, Policer, Hierarchical Policer and Storm Control |
| ingress-ipv4-qos | Source IP, Destination IP, IP Protocols, L4 Ports, DSCP, VLAN ID, Inner VLAN ID, TCP flags | Policer, Assign Queue, DSCP Remark |
| ingress-ipv6-qos | Source IPv6 (n/w part), Destination IPv6 (n/w part), IPv6 Protocols, L4 Ports, VLAN ID, DSCP | Assign Queue, DSCP Remark, Policer |
| qos-ipv6 | IPv6 Protocols, L4 Ports, VLAN ID, COS, Inner VLAN ID, Inner COS, Ether Type, DSCP | Assign Queue, COS Remark, DSCP Remark, Policer |
| ingress-arp | ARP Request/Response, ARP IP address, ARP MAC address, VLAN ID, Inner VLAN ID | Permit, Deny |
| cfm-domain-name-str | MA ID | |
| twamp-ipv4 | Predefined qualifiers: IPV4_SIP, IPV4_DIP, L4_SRC_PORT, L4_DST_PORT. User-defined qualifiers: MplsSrcIpv4_qual, MplsDstIpv4_qual, MplsUdpPorts_qual | |
| twamp-ipv6 | For non-MPLS group, predefined qualifiers: IPV6_SIP, IPV6_DIP, L4_SRC_PORT, L4_DST_PORT. For MPLS group, user-defined qualifiers: MplsSrcIpv6_qual, MplsDstIpv6_qual, MplsUdpPorts_qual | |
| ipv4-bgp-flowspec | VRF ID, Source IP, Destination IP, IP Protocols, L4 Ports, ICMP Type/Code, TCP Flags, PacketSize, DSCP, IP Fragmentation | |

The following traffic filter component types do not accept a range value; they can be specified only with a non-range value:

Type 3: IP Protocol
Type 7: ICMP type
Type 8: ICMP code
Type 10: Packet length
Type 11: DSCP (Diffserv Code Point)