This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Missing Policy rule precedence for classification type "IP socket"

Missing Policy rule precedence for classification type "IP socket"

aloeffle
Contributor

ā€Ž03-30-2017 07:47 AM

Dear all.

I need to reorder the default policy rule precedence in our setup.
Our goal is, that rules match "ip destination socket" are handeled before "ip destination" then "tcp port destination" rules.

udpdestportIP 53:10.0.0.10 mask 48 forward
ipdestsocket 10.0.0.0 mask 24 drop

Checking the default rule precedence, there is no parameter for "ip destination socket".

SSA Chassis(su)->show policy profile 5
...
Rule Precedence :1-2,29,3-19,23,20-22,25-28,31
:MACSource (1), MACDest (2), Application (29),
:IPXSource (3), IPXDest (4), IPXSrcSocket (5),
:IPXDstSocket (6), IPXClass (7), IPXType (8),
:IPv6Source (9), IPv6Dest (10), IPv6Flow (11),
:IPSource (12), IPDest (13), IPFrag (14),
:UDPSrcPort (15), UDPDestPort (16), TCPSrcPort (17),
:TCPDestPort (18), ICMPType (19), ICMP6Type (23),
:TTL (20), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :ge.1.20
Oper Profile Usage :ge.1.20
Dynamic Profile Usage :none

Does anyone have an idea how to handle this?

EOS: 08.62.01.0034
EMC: 7.1.1.9

Thanks and best regards
Alex
0 Kudos
6 REPLIES 6

Patrick_Koppen
Contributor

ā€Ž03-30-2017 03:35 PM

Hi Alex,

IPDest (13) is what you are looking for...

S- K- and 7100-Series Configuration Guide Firmware Version 8.61

Table 155: Administrative Policy and Policy Rule Traffic Classifications

ipdestsocket Classifies based on destination IP address. 13

But there's no difference between ip destination and ip destination with post-fixed port.
Maybe it's help's that the ip destination rule has a shorter mask. So if you change the
precedence to 16,13,18 the order will be:

    udpdestportIP(data: ab[:c.d.e.f]; mask 1-48) ipdestsocket (data: a.b.c.d[:ab]; mask: 1-48) tcpdestportIP (data: ab[:c.d.e.f]; mask: 1-48)
Regards
Patrick

(edit: never change the rule precedence....)
0 Kudos

TylerMarcotte
Extreme Employee

ā€Ž03-30-2017 01:03 PM

Hi aloeffle,

Changing the policy precedence is generally discouraged. Could you explain your use case a bit more? Perhaps we can find a more elegant way to accomplish what you're looking to do.

Thanks,

Tyler
0 Kudos
GTM-P2G8KFN