WebUI Configuration Guide
Forwarding Policy
Policy Overview

Policies are the main part of data aggregation and triage. They configure the flow of traffic from input, through filtering, to output as one complete process. To complete forwarding you need to create a set of policies: click the Create Policy button, then configure the policy name, inbound interface, outbound interface and mirroring direction, and optionally add a specified VLAN.

Two Modes of Policy

Currently there are two forwarding policy modes: mirror mode and forwarding mode.

- Mirror mode: the ingress produces an additional copy of the traffic that matches the ACL, which does not affect the original non-ACL service. If the original service already has an ACL rule, ACL priority decides which ACL rule is hit. Performance is affected when there are many ingress ports (4-8 ports). SPAN and RSPAN are mirror mode.
- Forwarding mode: ingress (RX) traffic is forwarded directly by the ACL. ACL priority is higher than layer 2 and layer 3 forwarding, so the original service may be affected, but performance is higher. Forward belongs to forwarding mode.

Once a forwarding policy has been completed, the WebUI displays the current forwarding policy mode. The mode cannot be switched; the policy can only be deleted and reconfigured.

The following table lists the functional differences between the policy types.

[Table: functional differences between policy types; contents not preserved in this copy]

The following constraints are imposed by port type for the different policy modes.

[Table: port-type constraints per policy mode; contents not preserved in this copy]

Policy Configure

Policy Creation

When creating a policy, drag the mouse to + to select a policy mode, then select a rule type:

- L3 rules filter the network-layer keys of IPv4 packets, or some non-IP packets.
- L3v6 rules filter the network-layer keys of IPv6 packets.
- L2 rules filter link-layer keys such as MAC, VLAN and Ether type (with multiple Ether types, the innermost one is filtered).
- EX rules are extensions of L2 rules that can additionally filter the IPv4 source IP, TCP flags, VNI and so on, regardless of the IP version.

After the policy is created, an initial rule is added by default. You can change the initial rule as needed, or click + after the mode to add a new rule to the policy; the keys differ slightly between policy modes. A newly created policy is enabled by default. It can be switched to disabled, in which case it is only stashed on the web and is not issued to the device's underlying layer.

[Figure: policy configuration screen; not preserved in this copy]

Rule Configure

The supported match fields differ between ACL table types; the match fields for each type are listed below.

L2 ACL match fields

[Table: L2 ACL match fields; contents not preserved in this copy]

L3 ACL match fields

[Table: L3 ACL match fields; contents not preserved in this copy]

L3v6 ACL match fields

[Table: L3v6 ACL match fields; contents not preserved in this copy]

EX ACL match fields

[Table: EX ACL match fields; contents not preserved in this copy]

Notes

- The VLAN range is 1-4094. When matching a VLAN, the default VLAN (such as VLAN 1) is hit at the same time.
- Forwarding mode supports adding, deleting and changing VLANs on ACL rules, as well as uniformly modifying all VLAN actions on the current policy.
- The VLAN added in RSPAN mode is not related to the ACL rule, so it is not displayed on the rule.
- For packet modification, VLAN actions and modification of the destination MAC are not supported on ACLs in mirror mode.

Confirm Policy

When the policy configuration is complete, click Confirm All to finish issuing the configuration.

The State of the Policy

Rules and policies in the forwarding policy exist in several states:

- Not issued yet: new or modified rules and policies enter the undistributed state. Clicking Distribute All distributes only the content in the undistributed state. Undistributed rules disappear from the page after refreshing or switching pages.
- Issuing: when logged in from multiple WebUIs you may see the issuing status. While any policy or rule is in the issuing state, no rules or policies may be added, modified or deleted.
- Success: enabled policies and rules that have been issued successfully show successful issuance.
- Stash: disabled policies and rules that have been issued successfully show stash.
- Failed to issue: when issuing fails for some reason, the page keeps the rules that failed. These must be dealt with before other rules can be added, in one of two ways. Either modify the failed rule, so that its status changes to unissued, and then issue all again; or leave the rule unmodified, check the failed rule or policy, and click the button that issues the selected policies, so that only the failed rules or policies are issued again.

Bulk Checking of Policies

When you want to delete a range of rules in bulk, click the Bulk Tick button to check them in bulk. The batch selection interface supports multi-selecting rules across multiple policies. After confirmation, the selection status is synced to the WebUI, enabling operations such as rule deletion and clearing of hit-count statistics. By default, clearing statistics removes all hit counts. Click the ellipsis (...) to choose between clearing hit counts for the selected policies, refreshing hit counts, and rule deletion.

Search Rule

Click the Search Rule button on the policy page to query by condition; only the query result is displayed. The current query is a full match; fuzzy queries are not supported.

Copy Policy

Existing policies can be copied quickly. The copied policy is named {original policy name} cp; the input interface, output interface and rule configurations are exactly the same as in the original policy. After adjusting the configuration, it can be issued normally.

Adjusting Priority

When different policies are matched on the same interface, the same packet may be matched by several policies. You can then prioritize by policy: the larger the priority ID, the higher the priority. When the policy is issued it is reordered, and the policy with the higher priority is displayed at the top. Priority is adjusted per policy: you can move a group of policies to the highest priority, to the lowest priority, or relatively higher or lower than the priority of a given policy. The highest and lowest priority are overwritten each time they are set. A new policy is by default lower in priority than the current policies, but higher than the lowest priority previously configured. Within the same policy group, rules are prioritized from top to bottom. You cannot adjust the lowest-priority policy to be lower than the other priorities.

Adding Timestamp

Timestamping can be enabled on ACLs. This feature must be used together with the PTP command line; configure it as follows:

```
sonic# configure
sonic(config)# ptp profile 1588v2
please wait to clear all ptp configurations
sonic(config)# ptp enable
sonic(config)# interface ethernet 1
sonic(config-if-1)# ptp enable
sonic(config-if-1)#
```

The output traffic then carries the timestamp. The timestamp sits behind the source MAC of the original packet, with 0xffff as the flag and 0x8000 as an interval followed by four bytes of nanoseconds; then 0x0000 as an interval followed by four bytes of seconds; then two further bytes of 0x0000, followed by the Ether type of the original packet. Taking the figure above (not preserved in this copy) as an example, the nanosecond timestamp is 0x37df04ce and the seconds timestamp is 0x685389e6. The final timestamp is the seconds timestamp plus the nanosecond timestamp: the seconds timestamp converts to the date 2025/06/19 11:54 (the decimal number of seconds elapsed since 1 January 1970 UTC), and the nanosecond timestamp converts to 937362638 nanoseconds (in decimal), so the packet's precise timestamp is 2025/06/19 11:54 937362638.

Egress Filter List

[Figure: egress filter list screen; not preserved in this copy]

The egress rule configuration is similar to that of the ingress policy. Only the forward method is supported, to release or discard traffic on the outgoing interface, and only some of the L3/L3v6 fields are supported.
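The trailer layout from the Adding Timestamp section, as an added Python parser that is not part of the guide: it checks the 0xffff/0x8000/0x0000 markers before trusting the fields, converts the guide's example values (the UTC result is 03:54:14, the same instant the guide shows as the local time 11:54), and returns the frame with the 16-byte trailer stripped so that ordinary decoders see the original Ether type again. MAC addresses and the IPv4 stub payload are constructed for the example.

```python
"""Parser for the PTP timestamp trailer that an ACL with timestamping
inserts behind the source MAC of each output frame.  Added example, not
the vendor's code.  Layout (network byte order):
  0xffff flag | 0x8000 | 4-byte nanoseconds | 0x0000 | 4-byte seconds |
  0x0000 | original Ether type | original payload"""
import struct
from datetime import datetime, timezone

FLAG = 0xFFFF       # marker placed right after the source MAC
NS_SEP = 0x8000     # separator preceding the nanosecond field
SEC_SEP = 0x0000    # separator preceding the seconds field
END_SEP = 0x0000    # separator preceding the restored Ether type
TRAILER_LEN = 16    # 2 + 2 + 4 + 2 + 4 + 2 bytes inserted into the frame
MAC_HDR_LEN = 12    # destination MAC + source MAC


def parse_timestamped_frame(frame: bytes) -> dict:
    """Return the timestamp fields plus the frame with the trailer removed.

    Raises ValueError when the markers are absent, so a caller can tell a
    timestamped copy from an unmodified frame instead of misreading the
    0xffff flag as an Ether type.
    """
    if len(frame) < MAC_HDR_LEN + TRAILER_LEN + 2:
        raise ValueError("frame too short to hold a timestamp trailer")
    end = MAC_HDR_LEN + TRAILER_LEN
    flag, ns_sep, ns, sec_sep, sec, end_sep = struct.unpack(
        "!HHIHIH", frame[MAC_HDR_LEN:end])
    if (flag, ns_sep, sec_sep, end_sep) != (FLAG, NS_SEP, SEC_SEP, END_SEP):
        raise ValueError("timestamp trailer markers not found")
    if ns >= 1_000_000_000:
        raise ValueError("nanosecond field out of range")
    ethertype = struct.unpack("!H", frame[end:end + 2])[0]
    when = datetime.fromtimestamp(sec, tz=timezone.utc)
    return {
        "seconds": sec,
        "nanoseconds": ns,
        "utc": when,
        "iso": when.strftime("%Y-%m-%dT%H:%M:%S") + f".{ns:09d}Z",
        "ethertype": ethertype,
        # original frame = both MACs + everything after the 16-byte trailer
        "original": frame[:MAC_HDR_LEN] + frame[end:],
    }


def is_timestamped(frame: bytes) -> bool:
    """True if the frame carries a well-formed timestamp trailer."""
    try:
        parse_timestamped_frame(frame)
        return True
    except ValueError:
        return False


def build_sample_frame() -> bytes:
    """Constructed frame using the values from the guide's figure:
    nanoseconds 0x37df04ce, seconds 0x685389e6.  MACs and the IPv4 stub
    payload are made up for the example."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    trailer = struct.pack("!HHIHIH", FLAG, NS_SEP, 0x37DF04CE,
                          SEC_SEP, 0x685389E6, END_SEP)
    payload = bytes.fromhex("0800") + b"\x45\x00" + b"\x00" * 18
    return dst + src + trailer + payload


if __name__ == "__main__":
    info = parse_timestamped_frame(build_sample_frame())
    print(info["iso"], hex(info["ethertype"]))  # 2025-06-19T03:54:14.937362638Z 0x800
```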
L3 ACL match fields

[Table: egress L3 ACL match fields; contents not preserved in this copy]

L3v6 ACL match fields

[Table: egress L3v6 ACL match fields; contents not preserved in this copy]

Logically, you select the physical interface to be filtered and configure the corresponding rules, discarding with high-priority rules or releasing with low-priority rules. If no rules are configured for the outgoing interface, the default is to release everything.

Mirror Configuration

Mirror configuration differs from SPAN/RSPAN in the forwarding policy in that it does not rely on ACLs but relies entirely on the port's mirroring ability, so more complex packets can be forwarded by mirroring. SPAN can have multiple egresses, with the traffic replicated to each of them; RSPAN can add a VLAN on top of SPAN but can only have one egress. A maximum of 7 sessions is currently supported, shared with SPAN/RSPAN in the forwarding policy. Packet truncation is supported, fixed at 128 bytes.

Other Notes

- Filtering QinQ packets by five-tuple requires command-line configuration of the QinQ protocol 0x88a8 and QinQ enable.
- When IP is used as the filtering condition to filter ARP packets at the same time, and both an L3 and an EX rule are configured, both rules can be hit and both show hit counts, but the final output goes to the higher-priority EX rule.
- When SPAN/RSPAN is used to egress traffic, egress-interface rule filtering is not effective.
- When VLAN matching is used, packets with or without an outer VLAN match the default VLAN 1 or the access VLAN of the port by default; if an outer VLAN exists, the outer VLAN is matched, independent of whether the tunnel is stripped.

Egress Port Group

Hash Mode

The hash mode selects the load-balancing algorithm for traffic distribution.

- Global configuration (applies to all ports): the configured hash modes are visible per port in the port settings.
- Custom hash modes (can be applied to specified ports).

Symmetric hash key

[Table: symmetric hash key; contents not preserved in this copy]

Note: with IPv4 symmetric src IP, IPv4 symmetric dst IP, IPv6 symmetric src IP or IPv6 symmetric dst IP turned on, the CX102S device can use L3 rules to match source IP, destination IP, source port, destination port and IP protocol; other devices can use L3/L3v6 rules for the same fields. After configuring a custom hash mode, you can change the hash mode of each port to the custom hash mode on the port configuration page.

Hash Seed

The hash seed adjusts the inner/outer hash factors. Hash factor range: 0-4294967295.

Create LAG

When the bandwidth of a single output port cannot meet the output requirement, multiple ports can be bundled into a load group. Traffic output from the load group selects different keys for load balancing according to the hash method, and you can adjust the hash seed so that devices at different levels that process the same packet with the same key achieve different load-balancing results. This prevents the multi-level load-balancing problem in which traffic cannot be distributed. A port can only be added to one load-balancing group. Four load types are available:

- Static: when a member port goes down, the hash values of the ports are recalculated.
- Flex: when a member port goes down, only the traffic of the downed port is redistributed; the traffic of the other ports keeps its previous load result.
- Weight: based on flex, you can set the weight ratio of each port; the sum of the weight ratios of all ports should not be greater than 64.
- Standby: on top of weights, you can additionally configure master and standby ports and some LACP functions. Traffic is redirected to the standby port when the master port is down.

Standby LAG configuration

[Table: standby LAG configuration; contents not preserved in this copy]

Global Config

When enabled for MPLS/MPLS+PW packets, inner-layer fields can be filtered.

Notes: for CX102S devices, L3 rules can match the source IP, destination IP, source port, destination port and IP protocol of MPLS/MPLS+PW packets; for other devices, L3/L3v6 rules can match the same fields.
