1.1.7 Notes on using filters
- <Structure of this section>
(1) Filters on frames with VLAN Tag
Either of the following conditions must be satisfied to filter the frames with two VLAN tags on the receiving side by an Ethernet type for a MAC condition, an IPv4 condition, or an IPv6 condition as a flow detection condition:
-
The VLAN tunneling functionality is not active on the Switch.
-
The VLAN tunneling functionality is active on the Switch but frames were received by a trunk port.
(2) Filters for IPv4 fragment packets
If you filter by using a TCP/UDP header or ICMP header specified as a flow detection condition for a fragmented IPv4 packet, the second and subsequent fragments cannot be detected because the TCP/UDP header and ICMP header are not in those packets. To filter frames that include fragmented packets, specify the MAC header or IP header in the flow detection conditions.
(3) Filtering IPv6 Packets with Extension Headers
For IPv6 packets whose IPv6 extension header is not a single-stage Hop-by-Hop Options, filtering cannot be performed on the receiving side using TCP/UDP header or ICMP header as the flow-detection condition. To filter the applicable packets, specify MAC and IPv6 headers as the flow detection conditions.
On the sending side, IPv6 packets with IPv6 extension headers cannot be filtered with TCP/UDP header or ICMP header as the flow-detection condition. To filter the applicable packets, specify MAC and IPv6 headers as the flow detection conditions.
(4) Operation when a filter entry is applied
When filter entries are applied to the interfaces on the Switch#, packets may be detected by other filter entries including an implicit discard entry until the specified filter entries are applied. In this case, statistics for the filter entries including the implicit discard entry that detected the packets are collected.
- #
-
-
When an access list containing one or more entries is applied to the interface by using the access group command
-
When an access list is applied by using the access group command to add an entry
-
When a filter entry is applied when the switch is started, the copy operation command is executed, or the restart vlan operation command is executed
-
(5) Behavior when changing filter entries
If a filter entry applied to an interface is changed on the Switch, detectable frames cannot be detected until the change has been applied. Consequently, such frames are detected as if they matched another filter entry or the implicit discard entry.
(6) Simultaneous operation with other functions
(a) sFlow statistics and filter statistics when port mirroring is used together
If a sender filter is applied to a VLAN interface and the Ethernet interface belonging to VLAN is used to transmit sampling of sFlow statistics, and if port mirroring is specified as the monitor port of the transmit mirror, many statistics of the applicable filter may be added.