Forwarding Policy

policy policy policy overview policy overview policies are the main part of data aggregation and triage, and are used to configure the flow of traffic from input, to filtering, and to output in a completed process to complete the forwarding you need to create a set of policies, click the create policy button, you can configure the policy name, inbound interface, outbound interface, mirroring direction, and optionally add a specified vlan two models of policy two models of policy currently there are two modes of forwarding strategy, one is mirroring mode and the other is forwarding mode mirror mode the entrance will be based on acl matching an additional mirror traffic, does not affect the original non acl service, if the original service has an acl rule, then the acl will confirm the priority to decide which acl rule to hit, when the entrance is more will affect the performance (4 8 ports), span, rspan are mirror mode forwarding mode ingress rx traffic will be forwarded directly by acl, acl priority is higher than layer 2 and layer 3 forwarding, so it may affect the original service, but the performance is higher, forward belongs to the forwarding mode in the forwarding policy must be completed, the web ui will display the current forwarding policy mode, forwarding mode can not be switched can only be deleted and reconfigured the following are the differences in the function of several types of policies policy type span rspan forward add vlan on policy × √ √ add or delete vlan on acl × × √ multiple egress (replication) √ × √ performance loss √ √ × impacts original service (non acl service) × × √ tunnel stripping × × √ the following constraints are imposed by port type for different policy modes port type as an input port under span/rspan type as an output port under span/rspan type as an input under forward type as an output under forward type hybrid √ √ √ √ network × × √ × tool × √ × √ service √ × × × policy configure policy configure policy creation policy creation before creating em/emv6 policies, you must configure the global template if the rule match items do not align with the template, the policy cannot be applied if em/emv6 policies are already applied, the template cannot be modified; you must disable the policies first before making changes to the template when creating a policy, drag the mouse to + to select a policy mode, and select a rule type, including l3 rules can filter the network layer key of the ipv4 message, and support transparent transmission of all ipv4, ipv6, and non ip packets l3v6 rules can filter the network layer key of the ipv6 message, and support transparent transmission of all ipv4, ipv6, and non ip packets l2 rules can filter the link layer key such as mac, vlan, ether type ( multiple ether type filtering the innermost layer) ex rules are extensions of l2 rules that can additionally filter ipv4 source ips or tcp flag, vni, and so on regardless of the ip version em rules can filter any combination of the ipv4 5 tuple (src ip, dst ip, ip protocol, src port, dst port) emv6 rules can filter any combination of the ipv6 4 tuple(src ipv6, ip protocol, src port, dst port) globally, only one em template and one emv6 template can be filtered after the policy is created, an initial rule will be added by default, and you can make desired changes to the initial rule or click + after the mode to add a new rule to the policy, and the keys of different modes of the policy are slightly different after the strategy is created, it is set to enabled mode by default it can be switched to disabled mode, and then it will only be stashed on the web and will not be issued to the device's underlying layer policy configure policy configure key words description policyname name for policy policy id policy id is associated with acl name for cli commands; this field is initially set to the same value as the policy name upon first configuration and cannot be modified thereafter ingress port(s) support one port or multi ports or one lag or multi lags as ingress ports egress port(s) support redirecting to an interface or multi interfaces or a lag or lags ports and lags can be added together direction only rx is supported deny deny means the packet is not forwarded but can be normally trapped; not deny means permit handle action add vlan add new vlan, range 1 4094 not support for multi redirections modify vlan modify outer vlan, range 1 4094 not support for multi redirections pop vlan pop outer vlan slice enables message truncation, with a fixed truncation limit of 128 bytes color support to highlight policy with different colors and support to filter policy with color rule configure rule configure the supported match fields for different types of acl tables vary, and the specific match fields for each type of acl table are described below l2 acl match fields key words description of parameters notes src mac specify source mac address nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction dst mac specify destination mac address nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction ethernet type specify ethernet protocol type, range 0 ffff supported only in the ingress direction outer vlan specify outer vlan id, range 1 4094 supported only in the ingress direction handle action add vlan add new vlan, range 1 4094 not support for multi redirections modify vlan modify outer vlan, range 1 4094 not support for multi redirections pop vlan pop outer vlan supported only in the ingress direction add timestamp add timestamp, ptp needs to open manually with cli commands, see adding timestamp supported only in the ingress direction modify destination mac modify dst mac nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction l3 acl match fields key words description of parameters notes src mac specify source mac address nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction outer vlan specify outer vlan id, range 1 4094 vlan pri specify outer vlan priority, range 0 7 ip protocol specify ip protocol, range0 255 src ip specify source ip address a b c d(/mask) dst ip specify destination ip address a b c d(/mask) icmp type specify type of icmp, range 0 16 supported only in the ingress direction icmp code specify code of icmp, range 0 5 supported only in the ingress direction src port specify l4 source port, range 0 65535 dst port specify l4 destination port, range 0 65535 ip fragment specify ip fragment any, all ip fragment packets supported only in the ingress direction src port range specify src port range, eg 1024 65535 supported only in the ingress direction dst port range specify dst port range, eg 1024 65535 supported only in the ingress direction src port exclude specify l4 source port, range 0 65535 supported only in the ingress direction dst port exclude specify l4 destination port, range 0 65535 supported only in the ingress direction dscp specify dscp of ip header, range 0 63 supported only in the ingress direction handle action add vlan add new vlan, range 1 4094 not support for multi redirections modify vlan modify outer vlan, range 1 4094 not support for multi redirections pop vlan pop outer vlan supported only in the ingress direction add timestamp add timestamp, ptp needs to open manually with cli commands, adding timestamp supported only in the ingress direction modify destination mac modify dst mac nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction l3v6 acl match fields key words description of parameters notes src mac specify source mac address nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction outer vlan specify outer vlan id, range 1 4094 vlan pri specify outer vlan priority, range 0 7 ip protocol specify ip protocol, range0 255 src ipv6 specify source ip address a b(/mask) dst ipv6 specify destination ip address a b(/mask) icmpv6 type specify type of icmp, range 0 16 supported only in the ingress direction icmpv6 code specify code of icmp, range 0 5 supported only in the ingress direction src port specify l4 source port, range 0 65535 dst port specify l4 destination port, range 0 65535 src port range specify src port range, eg 1024 65535 supported only in the ingress direction dst port range specify dst port range, eg 1024 65535 supported only in the ingress direction src port exclude specify l4 source port, range 0 65535 supported only in the ingress direction dst port exclude specify l4 destination port, range 0 65535 supported only in the ingress direction dscp specify dscp of ip header, range 0 63 supported only in the ingress direction handle action add vlan add new vlan, range 1 4094 not support for multi redirections modify vlan modify outer vlan, range 1 4094 not support for multi redirections pop vlan pop outer vlan supported only in the ingress direction add timestamp add timestamp, ptp needs to open manually with cli commands, see adding timestamp supported only in the ingress direction modify destination mac modify dst mac nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction ex acl match fields key words description of parameters notes src mac specify source mac address nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction dst mac specify destination mac address nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction ethernet type specify ethernet protocol type, range 0 ffff supported only in the ingress direction outer vlan specify outer vlan id, range 1 4094 supported only in the ingress direction src ip specify source ip address a b c d(/mask) supported only in the ingress direction inner src ip specify inner source ip address a b c d(/mask) supported only in the ingress direction inner dst ip specify inner destination ip address a b c d(/mask) supported only in the ingress direction inner src ipv6 specify inner source ip a b(/mask) supported only in the ingress direction inner dst ipv6 specify inner destination ip a b(/mask) supported only in the ingress direction inner ip protocol specify inner ip protocol, range 0 255 supported only in the ingress direction inner src port specify inner source port, range 0 65535 supported only in the ingress direction inner dst port specify inner destination port, range 0 65535 supported only in the ingress direction tcp flags specify tcp flags, range 0 ff(flags)/0 ff(masks) supported only in the ingress direction vni specify vni, range 1 16777215 supported only in the ingress direction add timestamp add timestamp, ptp needs to open manually with cli commands, see timestamp function description supported only in the ingress direction modify destination mac modify dst mac nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction handle action add vlan add new vlan, range 1 4094 not support for multi redirections modify vlan modify outer vlan, range 1 4094 not support for multi redirections pop vlan pop outer vlan supported only in the ingress direction add timestamp add timestamp, ptp needs to open manually with cli commands, see adding timestamp supported only in the ingress direction modify destination mac modify dst mac nn\ nn\ nn\ nn\ nn\ nn supported only in the ingress direction em acl key words description of parameters notes src ip specify source ip address a b c d(/mask) dst ip specify destination ip address a b c d(/mask) ip protocol specify ip protocol, range0 255 src port specify l4 source port, range 0 65535 dst port specify l4 destination port, range 0 65535 emv6 acl key words description of parameters notes src ipv6 specify source ip address a b(/mask) ip protocol specify ip protocol, range0 255 src port specify l4 source port, range 0 65535 dst port specify l4 destination port, range 0 65535 notes the range of vlan is 1 4094, when matching vlan, the default vlan will be hit at the same time, such as vlan 1 forwarding mode supports adding, deleting, and changing vlans on acl rules, as well as uniformly modifying all vlan actions on the current policy the add vlan in rspan mode is not related to the acl rule, so it will not be displayed on the rule; for the case of message modification, vlan action and modification of destination mac are not supported on acl in mirroring mode confirm policy confirm policy when the policy configuration is complete, click confirm all to finish issuing the configuration the state of the policy the state of the policy rules and policies in the forwarding policy exist in several states, which are not issued yet ： new or modified rules and policies will become undistributed state, when clicking distribute all only the content of the undistributed state will be distributed, the page of undistributed rules will disappear after refreshing or switching issuing when logging in from multiple web uis, you may see the status of issuing, any policy or rule exists in the status of issuing, all rules and policies are not allowed to be added, modified or deleted success enabled policies and rules that have been successfully issued will show successful issuance stash disabled policies and rules that have been successfully issued will show stash issuance failed to issue after the failure of issuing for some reasons, the page will keep the rules that failed to issue, the rules that failed to issue need to be processed before other rules can be added, there are two ways to deal with it, one is to modify the rules that failed to issue, so that the status will be changed to unissued and then reissued all, the other is to do not modify the rules, check the box on the failed rule or strategy and click on the policy that is selected for issuing, and only the rules or strategies that failed to be issued will be issued again the other is not to modify the rule, check the failed rule or policy and click downgrade the selected policy, only the failed rule or policy will be re issued bulk checking of policies bulk checking of policies when you want to delete range rules in bulk, you can click on the bulk tick button to check them in bulk the batch selection setting interface supports multi selecting different rules across multiple policies after confirmation, the selection status will sync to the web ui, enabling operations like rule deletion and hitcount statistics clearing by default, clearing statistics removes all hit counts click the ellipsis ( ) to either clear hit counts for selected policies refresh hit count rule deletion search rule search rule click the serch rule button on the policy page to query by condition and display only the query, the current query is a full match, fuzzy queries are not supported copy policy copy policy supports quick copying of existing policies the format of the copied policy name is {original policy name} cp, while the rest of the input interface, output interface, and rule onfigurations are exactly the same as the original policy after adjusting the configuration, it can be issued normally adjusting priority adjusting priority the general priority order of the current policies is em/emv6 > l2/ex > l3/l3v6 within the same policy category, except for em/emv6 which does not involve priority comparison, priority can be adjusted based on the policy a larger priority id indicates a higher priority when the policy is issued, it will be reordered, and the one with the higher priority will be displayed at the top adjust the priority is based on the policy, you can move a group of policy priority to the highest priority, or to the lowest priority, or relatively higher or lower than the priority of a strategy where the highest priority, the lowest priority is overwritten each time it is set a new policy is by default the lower priority of the current policy, but the priority will be higher than the lowest priority previously configured in the same policy group, rules are prioritized from top to bottom you cannot adjust the lowest priority policy to be lower than the other priorities adding timestamp adding timestamp the ability to add timestamps can be enabled on acls, this feature needs to be used with the ptp command line, configure on the command line sonic# configure sonic(config)# ptp profile 1588v2 please wait to clear all ptp configurations sonic(config)# ptp enable sonic(config)# interface ethernet 1 sonic(config if 1)# ptp enable sonic(config if 1)# the output traffic will carry the timestamp the timestamp exists behind the source mac of the original message with 0xffff as the flag, and 0x8000 as the interval followed by four bytes for nanoseconds, take the above figure as an example, the nanosecond timestamp is 0x37df04ce, and then 0x0000 as the interval followed by four bytes for the seconds, the seconds timestamp is 0x685389e6, and the two bytes behind it are 0x0000 as the interval, and thenfollowed by the ether type of the original message, the final timestamp for the seconds timestamp + nanosecond timestamp, where the seconds timestamp is converted to the current date of 2025/06/19 11 54 (converted to decimal after the distance from the utc time of 1 january 1970 seconds), nanoseconds timestamped to 937362638 nanoseconds (converted to decimal), so that the message's precisetimestamp is 2025/06/19 11 54 937362638 egress filter list egress filter list key words description policyname name for policy policy id policy id is associated with acl name for cli commands; this field is initially set to the same value as the policy name upon first configuration and cannot be modified thereafter egress port(s) support redirecting to an interface or multi interfaces or a lag or lags ports and lags can be added together deny deny means the packet is not forwarded but can be normally trapped; not deny means permit color support to highlight policy with different colors and support to filter policy with color the egress rule configuration is similar to that of the ingress policy only the forward method is supported to release or discard the traffic on the outgoing interface and only some of the fields of l3/l3v6 are supported l3 acl match fields key words description of parameters notes outer vlan specify outer vlan id, range 1 4094 vlan pri specify outer vlan priority, range 0 7 ip protocol specify ip protocol, range0 255 src ip specify source ip address a b c d(/mask) dst ip specify destination ip address a b c d(/mask) src port specify l4 source port, range 0 65535 dst port specify l4 destination port, range 0 65535 l3v6 acl match fields key words description of parameters notes outer vlan specify outer vlan id, range 1 4094 vlan pri specify outer vlan priority, range 0 7 ip protocol specify ip protocol, range0 255 src ipv6 specify source ip address a b(/mask) dst ipv6 specify destination ip address a b(/mask) src port specify l4 source port, range 0 65535 dst port specify l4 destination port, range 0 65535 logically, you need to select the physical interface to be filtered and configure the corresponding rules to discard high priority rules or release low priority rules; if you do not configure the rules for the outgoing interface, the default is to release all the rules mirror configuration mirror configuration mirror configuration is different from span/rspan in the forwarding policy in that it does not rely on acls, but completely relies on the port's mirroring ability to forward more complex messages through mirroring, in which span can have multiple egresses and multiple egresses are replicated, and rspan can add a vlan on top of span, but can only have one egress currently supports a maximum of 7 sessions and shares sessions with span/rspan in the forwarding policy can support message truncation, fixed truncation to 128 bytes other notes other notes filtering qinq messages for quintuple requires command line configuration of qinq protocol 0x88a8 and qinq enable use ip as the filtering condition to filter arp messages at the same time configure l3/ex rule configuration can hit the rule, both have hit counts but the final output will go to the high priority ex rule use span/rspan to egress traffic, use the egress interface rule filtering is not effective when using vlan matching, for messages with or without an outer vlan, it will match the default vlan1 or the access vlan on the port by default, and if an outer vlan exists, it will match the outer vlan, independent of whether the tunnel is stripped egress port group egress port group hash mode hash mode selects the load balancing algorithm for traffic distribution global configuration (applies to all ports) configured hashing modes are visible per port in the port settings custom hashing modes (support to apply on specify port) symmetric hash key key words description of parameters notes mac symmetric symmetric hash of source mac and destination mac ipv4 symmetric symmetric hash of source ipv4 and destination ipv4 ipv6 symmetric symmetric hash of source ipv6 and destination ipv6 l4 symmetric symmetric hash of source and destination ports ipv4 symmetric src ip usually used in conjunction with ipv4 symmetric dst ip on different ports, as long as the ports fetch the same ip address, it will be loaded to the same output port the key is not used with any other key on the same port ipv6 symmetric src ip usually used in conjunction with ipv6 symmetric dst ip on different ports as long as the ports fetch the same ip address, they are loaded onto the same output port this key is not used with any other key on the same port note with ipv4 symmetric src ip/ipv4 symmetric dst ip/ipv6 symmetric src ip/ipv6 symmetric src ip turned on for the cx102s device, you can use l3 rules to match source ip/destination ip/source port/destination port/ip protocol for other devices, you can use l3/l3v6 to match source ip/destination ip/source port/destination port/ip protocol after configuring a custom hash mode, you can change the hash mode of each port to the custom hash mode on the port configuration page hash seed hash seed hash seed adjust inner/outer hash factors hash factor range 0 4294967295 create lag create lag when a single output port bandwidth can not meet the output requirements, you can bundle multiple ports to form a load group, the traffic from the load group output will be based on the hash method to select different key for load balancing, and you can adjust the hash seed to ensure that different levels of equipment to process the same message and use the same key can achieve different load balancing effects prevent the problem of multi level device load balancing when the load can not be loaded a port can only be added to one load balancing group load type can be selected in four modes static when a port member goes down, the hash value of the port is recalculated flex when a port member goes down, only the traffic of the downed port is reloaded, while the traffic of other ports retains the previous load result weight based on the elasticity, you can set the weight ratio of each port, and the sum of the weight ratios of each port should not be greater than 64 standby you can additionally configure the master and standby ports and some lacp functions on top of the weights the traffic will be redirected to the standby port when the master port is down standby lag configuration key words description of parameters notes weight distribute traffic based on weights the sum of the weight ratios of each port is not greater than 64 priority set the priority for the members of the added standy lag, the greater the priority the higher the priority, the smaller the port id the higher the priority when the priority is the same preemption priority selection priority set to select the standby ports with the same weight according to the port priority sorting, and the standby ports without the same weight are not switched speed the device prioritizes the selection of standby ports with the same weight according to the rate and priority, and if there is no same rate, the standby ports are selected according to the priority spare ports without the same weight are not switched min active the number of members of the smallest up in the lag, when it is less than this value, the lag is down as a whole max active the number of members of the largest up in the lag, when it is greater than this value, the other ports with low priority will be used as the standby ports activate preemptive mode if port preemption enabled, after the primary port switches to the standby port, when the primary port is up again, it will cut back to the primary port preemption delay if port preemption enabled, after the primary port switches to the standby port, when the primary port is up again, it will cut back to the primary port until delay time over global config global config enabled for mpls/mpls + pw messages can filter inner layer fields supported rule matching fields for mpls packets supported rule matching fields for mpls packets after enabling mpls decoding, the rule matching items supported by common mpls packets are as follows table 2 table 2 supported rule matching fields for mpls packets supported rule matching fields for mpls packets mpls packets supported rule matching items description mpls + ipv4 l2, ex, l3(src ip, dst ip, src port, dst port, ip protocol) mpls + eth +(vlans)+ ipv4 l2, ex, l3(src mac, dst mac, ethertype, src ip, dst ip, src port, dst port, ip protocol) mpls + pw + eth +(vlans)+ ipv4 l2, ex, l3(src mac, dst mac, ethertype, src ip, dst ip, src port, dst port, ip protocol) mpls + eth + lacp l2, ex, l3(src mac, dst mac, ethertype) mpls + ipv6 l2, ex, l3v6(src ip, dst ip, src port, dst port, ip protocol) only support l2,ex,l3 default forward on cx102s mpls + pw + eth +(vlans)+ ipv6 l2, ex, l3v6(src mac, dst mac, ethertype, src ip, dst ip, src port, dst port, ip protocol) mpls + eth +(vlans)+ ipv6 l2, ex, l3v6(src mac, dst mac, ethertype, src ip, dst ip, src port, dst port, ip protocol)