Per Stream Filtering and Policing
1. Introduction
Per Stream Filtering and Policing (PSFP) can be used for filtering and policing of ingress frames classified to specific streams.
Ingress frames are processed as shown in the diagram, which includes these elements:
- Stream Identification (based on ingress port and frame fields).
- Stream Filters (MaxSDU filter, gate mapping, meter mapping, counters).
- Stream Gates (gate control list).
- Flow Meters (dual leaky bucket policers).

 +--------+    +--------+
 | Stream |    |  Flow  |
 | Gates  |    | Meters |
 +--------+    +--------+
      ^             ^
      |             |
      |             |
 +--------------------+
 |       Stream       |
 |      Filters       |
 +--------------------+
           ^
           |
           |
 +--------------------+
 |       Stream       |
 |   Identification   |
 +--------------------+
           ^
           |  Ingress frames
           |
An example of relations between the elements is shown below:
- Streams, filters, gates and meters are identified by 1-based IDs.
- Multiple streams may map to the same filter via the stream-handle.
- Multiple streams may have the same handle.
- Maximum one filter may use a given handle.
- Multiple filters may map to the same gate via the stream-gate-ref.
- Multiple filters may map to the same meter via the flow-meter-ref.

  Streams                      Filters                       Gates
+----------+                 +----------+                 +----------+
|   ID 1   |                 |   ID 1   |                 |          |
|          |        +------->| Handle 6 |        +------->|   ID 1   |
| Handle 6 |--------+        | Gate 1   |--------+        |          |
+----------+                 | Meter 0  |                 +----------+
|   ID 2   |                 +----------+                 |          |
|          |                 |   ID 2   |     +--+------->|   ID 2   |
| Handle 7 |------+--------->| Handle 7 |     |  |        |          |
+----------+      |          | Gate 2   |-----+  |        +----------+
|   ID 3   |      |          | Meter 1  |-----------+
|          |      |          +----------+        |  |
| Handle 7 |------+          |   ID 3   |        |  |        Meters
+----------+        +------->| Handle 8 |        |  |     +----------+
|   ID 4   |        |        | Gate 2   |--------+  |     |          |
|          |        |        | Meter 1  |-----------+---->|   ID 1   |
| Handle 8 |--------+        +----------+                 |          |
+----------+                 |   ID 4   |                 +----------+
|   ID 5   |        +------->| Handle 9 |                 |          |
|          |        |        | Gate 0   |        +------->|   ID 2   |
| Handle 9 |--------+        | Meter 2  |--------+        |          |
+----------+                 +----------+                 +----------+
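The relation rules above can be checked mechanically before a configuration is pushed to a device. The sketch below is an added example, not part of the original page or the product: it audits the stream, filter, gate and meter values from the diagram, and it assumes that a gate or meter reference of 0 means nothing is mapped (the function names and the `UNMAPPED` constant are hypothetical).

```python
from collections import Counter

# Values transcribed from the relation diagram above.
STREAMS = {1: 6, 2: 7, 3: 7, 4: 8, 5: 9}   # stream ID -> handle
# filter ID -> (stream-handle, stream-gate-ref, flow-meter-ref)
FILTERS = {1: (6, 1, 0), 2: (7, 2, 1), 3: (8, 2, 1), 4: (9, 0, 2)}
GATES, METERS = {1, 2}, {1, 2}
UNMAPPED = 0  # assumption: IDs are 1-based, so a reference of 0 maps nothing


def audit(streams, filters, gates, meters):
    """Return sorted findings; an empty list means the relations are consistent."""
    findings = []
    handle_use = Counter(handle for handle, _, _ in filters.values())
    for handle, count in handle_use.items():
        if count > 1:
            findings.append(f"handle {handle}: used by {count} filters (maximum is one)")
    for sid, handle in streams.items():
        if handle not in handle_use:
            findings.append(f"stream {sid}: no filter uses handle {handle}")
    stream_handles = set(streams.values())
    for fid, (handle, gate, meter) in filters.items():
        if handle not in stream_handles:
            findings.append(f"filter {fid}: handle {handle} matches no stream")
        if gate != UNMAPPED and gate not in gates:
            findings.append(f"filter {fid}: stream-gate-ref {gate} does not exist")
        if meter != UNMAPPED and meter not in meters:
            findings.append(f"filter {fid}: flow-meter-ref {meter} does not exist")
    return sorted(findings)


def coverage(streams, filters):
    """Map each stream ID to the (gate, meter) pair its filter selects, or None."""
    by_handle = {handle: (gate, meter) for handle, gate, meter in filters.values()}
    return {sid: by_handle.get(handle) for sid, handle in streams.items()}


if __name__ == "__main__":
    print(audit(STREAMS, FILTERS, GATES, METERS))
    print(coverage(STREAMS, FILTERS))
```

A stream that maps to `None` in `coverage` has a handle that no filter uses, so no MaxSDU filter, gate or meter applies to it.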
2. Stream Identification
These stream identifications are supported:
- Null stream identification: The (DMAC, VLAN) identify the stream.
- SMAC and VLAN stream identification: The (SMAC, VLAN) identify the stream.
- IP stream identification: The (DMAC, VLAN, SIP, DIP, DSCP, Protocol, SPORT, DPORT) identify the stream.
2.1. Null Stream Identification
The example below shows how to add a NULL stream identification for a multicast DMAC.
IPATCH request message:
- ? "/ieee802-dot1cb-stream-identification:stream-identity"
  : index: 1
    handle: 2
    out-facing:
      input-port:
        - '1'
    null-stream-identification:
      destination-mac: 01-02-03-04-05-06
The rule is retrieved as shown below.
FETCH request message:
- "/ieee802-dot1cb-stream-identification:stream-identity[index='1']"
FETCH response message:
- ? "/ieee802-dot1cb-stream-identification:stream-identity"
  : index: 1
    handle: 2
    out-facing:
      input-port:
        - '1'
    null-stream-identification:
      destination-mac: 01-02-03-04-05-06
      tagged: all
      vlan: 0
2.2. SMAC Stream Identification
The example below shows how to add a SMAC stream identification for a unicast SMAC.
IPATCH request message:
- ? "/ieee802-dot1cb-stream-identification:stream-identity"
  : index: 1
    handle: 2
    out-facing:
      input-port:
        - '1'
    smac-vlan-stream-identification:
      source-mac: 00-01-02-03-04-05
The rule is retrieved as shown below.
FETCH request message:
- "/ieee802-dot1cb-stream-identification:stream-identity[index='1']"
FETCH response message:
- ? "/ieee802-dot1cb-stream-identification:stream-identity"
  : index: 1
    handle: 2
    out-facing:
      input-port:
        - '1'
    smac-vlan-stream-identification:
      source-mac: 00-01-02-03-04-05
      tagged: all
      vlan: 0
2.3. IP Stream Identification
The example below shows how to add an IP stream identification for a multicast DMAC and SIP.
IPATCH request message:
- ? "/ieee802-dot1cb-stream-identification:stream-identity"
  : index: 1
    handle: 2
    out-facing:
      input-port:
        - '1'
    ip-stream-identification:
      destination-mac: 01-02-03-04-05-06
      ip-source: 1.2.3.4
The rule is retrieved as shown below.
FETCH request message:
- "/ieee802-dot1cb-stream-identification:stream-identity[index='1']"
FETCH response message:
- ? "/ieee802-dot1cb-stream-identification:stream-identity"
  : index: 1
    handle: 2
    out-facing:
      input-port:
        - '1'
    ip-stream-identification:
      destination-mac: 01-02-03-04-05-06
      tagged: all
      vlan: 0
      ip-source: 1.2.3.4
      ip-destination: 0.0.0.0
      dscp: 64
      next-protocol: none
      source-port: 0
      destination-port: 0
3. Stream Filters
The example below shows how to add a stream filter with maximum SDU size 1024.
IPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
     ieee802-dot1q-psfp-bridge:stream-filters/\
     stream-filter-instance-table"
  : stream-filter-instance-id: 1
    stream-handle: 2
    max-sdu-size: 1024
    stream-gate-ref: 1
    flow-meter-ref: 1
The filter is retrieved as shown below.
The output also includes stream filter counters after sending one frame passing the filter.
FETCH request message:
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
   ieee802-dot1q-psfp-bridge:stream-filters/\
   stream-filter-instance-table[stream-filter-instance-id='1']"
FETCH response message:
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/\
     ieee802-dot1q-psfp-bridge:stream-filters/\
     stream-filter-instance-table"
  : stream-filter-instance-id: 1
    stream-handle: 2
    priority-spec: wildcard
    max-sdu-size: 1024
    stream-blocked-due-to-oversize-frame-enabled: false
    stream-blocked-due-to-oversize-frame: false
    stream-gate-ref: 1
    matching-frames-count: '1'
    passing-frames-count: '1'
    not-passing-frames-count: '0'
    red-frames-count: '0'
    passing-sdu-count: '1'
    not-passing-sdu-count: '0'
    flow-meter-ref: 1
4. Stream Gates
4.1. Stream Gate
The following example adds a stream gate instance with cycle time 1/5000 second (200 usec).
IPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
     ieee802-dot1q-psfp-bridge:stream-gates/stream-gate-instance-table"
  : stream-gate-instance-id: 1
    gate-enable: true
    admin-gate-states: open
    admin-cycle-time:
      numerator: 1
      denominator: 5000
    admin-base-time: {}
The gate is retrieved as shown below.
FETCH request message:
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
   ieee802-dot1q-psfp-bridge:stream-gates/\
   stream-gate-instance-table[stream-gate-instance-id='1']"
FETCH response message:
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/\
     ieee802-dot1q-psfp-bridge:stream-gates/stream-gate-instance-table"
  : stream-gate-instance-id: 1
    gate-enable: true
    admin-gate-states: open
    admin-ipv: 'null'
    oper-gate-state: open
    oper-ipv: 'null'
    admin-control-list:
      gate-control-entry: []
    admin-cycle-time:
      numerator: 1
      denominator: 5000
    admin-cycle-time-extension: 0
    admin-base-time:
      seconds: '0'
      nanoseconds: 0
    config-change: false
    config-change-time:
      seconds: '0'
      nanoseconds: 0
    current-time:
      seconds: 10
      nanoseconds: 0
    config-pending: false
    gate-closed-due-to-invalid-rx-enable: false
    gate-closed-due-to-invalid-rx: false
    gate-closed-due-octets-exceeded-enable: false
    gate-closed-due-octets-exceeded: false
4.2. Stream Gate Control List
The following example adds two entries to the Gate Control List:
- The first is open with a 100 usec time interval.
- The second is closed with a 100 usec time interval.
IPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
     ieee802-dot1q-psfp-bridge:stream-gates/\
     stream-gate-instance-table[stream-gate-instance-id='1']/\
     admin-control-list/gate-control-entry"
  : index: 1
    time-interval-value: 100000
    gate-state-value: open
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
     ieee802-dot1q-psfp-bridge:stream-gates/\
     stream-gate-instance-table[stream-gate-instance-id='1']/\
     admin-control-list/gate-control-entry"
  : index: 2
    time-interval-value: 100000
    gate-state-value: closed
The Gate Control List is retrieved as shown below.
FETCH request message:
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
   ieee802-dot1q-psfp-bridge:stream-gates/\
   stream-gate-instance-table[stream-gate-instance-id='1']/\
   admin-control-list/gate-control-entry[index='1']"
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
   ieee802-dot1q-psfp-bridge:stream-gates/\
   stream-gate-instance-table[stream-gate-instance-id='1']/\
   admin-control-list/gate-control-entry[index='2']"
FETCH response message:
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/\
     ieee802-dot1q-psfp-bridge:stream-gates/stream-gate-instance-table/\
     admin-control-list/gate-control-entry"
  : index: 1
    time-interval-value: 100000
    gate-state-value: open
    ipv-spec: 'null'
    interval-octet-max: 0
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/\
     ieee802-dot1q-psfp-bridge:stream-gates/stream-gate-instance-table/\
     admin-control-list/gate-control-entry"
  : index: 2
    time-interval-value: 100000
    gate-state-value: closed
    ipv-spec: 'null'
    interval-octet-max: 0
4.3. Stream Gate Activation
The Gate Control List is activated as shown below.
IPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
     ieee802-dot1q-psfp-bridge:stream-gates/\
     stream-gate-instance-table[stream-gate-instance-id='1']/\
     config-change"
  : true
The full gate information is retrieved as shown below:
FETCH request message:
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
   ieee802-dot1q-psfp-bridge:stream-gates/\
   stream-gate-instance-table[stream-gate-instance-id='1']"
FETCH response message:
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/\
     ieee802-dot1q-psfp-bridge:stream-gates/stream-gate-instance-table"
  : stream-gate-instance-id: 1
    gate-enable: true
    admin-gate-states: open
    admin-ipv: 'null'
    oper-gate-state: open
    oper-ipv: 'null'
    admin-control-list:
      gate-control-entry:
        - index: 1
          time-interval-value: 100000
          gate-state-value: open
          ipv-spec: 'null'
          interval-octet-max: 0
        - index: 2
          time-interval-value: 100000
          gate-state-value: closed
          ipv-spec: 'null'
          interval-octet-max: 0
    admin-cycle-time:
      numerator: 1
      denominator: 5000
    admin-cycle-time-extension: 0
    admin-base-time:
      seconds: '0'
      nanoseconds: 0
    config-change: true
    config-change-time:
      seconds: 11
      nanoseconds: 0
    current-time:
      seconds: 12
      nanoseconds: 0
    config-pending: false
    gate-closed-due-to-invalid-rx-enable: false
    gate-closed-due-to-invalid-rx: false
    gate-closed-due-octets-exceeded-enable: false
    gate-closed-due-octets-exceeded: false
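The gate configured in sections 4.1 to 4.3 has two 100 usec entries that exactly fill the 200 usec cycle. The following added example (not code from the original page or the product) checks that property and evaluates the gate state at a given offset into the schedule; it assumes `time-interval-value` is in nanoseconds, as the 100 usec / 100000 pairing on this page implies, and the function names are hypothetical.

```python
from fractions import Fraction

# Constructed from the section 4.3 FETCH response (only the fields used here).
GATE = {
    "admin-cycle-time": {"numerator": 1, "denominator": 5000},
    "admin-control-list": {"gate-control-entry": [
        {"index": 1, "time-interval-value": 100000, "gate-state-value": "open"},
        {"index": 2, "time-interval-value": 100000, "gate-state-value": "closed"},
    ]},
}


def cycle_ns(gate):
    """admin-cycle-time is a rational number of seconds; convert exactly to ns."""
    ct = gate["admin-cycle-time"]
    return Fraction(ct["numerator"], ct["denominator"]) * 10**9


def entries(gate):
    """Gate control entries in index order."""
    return sorted(gate["admin-control-list"]["gate-control-entry"],
                  key=lambda e: e["index"])


def check_gcl(gate):
    """Return findings about the control list versus the cycle time."""
    gcl, cycle = entries(gate), cycle_ns(gate)
    total = sum(e["time-interval-value"] for e in gcl)
    states = {e["gate-state-value"] for e in gcl}
    findings = []
    if total != cycle:
        findings.append(f"intervals sum to {total} ns, cycle time is {cycle} ns")
    if states == {"closed"}:
        findings.append("gate never opens: all frames of mapped streams are dropped")
    if states == {"open"}:
        findings.append("gate never closes: the list adds no time-based policing")
    return findings


def state_at(gate, offset_ns):
    """Gate state offset_ns after the cycle start, for a list that fills the cycle."""
    if sum(e["time-interval-value"] for e in entries(gate)) != cycle_ns(gate):
        raise ValueError("control list does not fill the cycle")
    t = offset_ns % cycle_ns(gate)
    for e in entries(gate):
        if t < e["time-interval-value"]:
            return e["gate-state-value"]
        t -= e["time-interval-value"]


if __name__ == "__main__":
    print(check_gcl(GATE), [state_at(GATE, t) for t in (50_000, 150_000, 250_000)])
```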
5. Flow Meters
The example below adds a flow meter with a single leaky bucket policer and a CIR of 1 Mbps.
IPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
     ieee802-dot1q-psfp-bridge:flow-meters/flow-meter-instance-table"
  : flow-meter-instance-id: 1
    committed-information-rate: '1000000'
The meter is retrieved as shown below:
FETCH request message:
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
   ieee802-dot1q-psfp-bridge:flow-meters/\
   flow-meter-instance-table[flow-meter-instance-id='1']"
FETCH response message:
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/\
     ieee802-dot1q-psfp-bridge:flow-meters/flow-meter-instance-table"
  : flow-meter-instance-id: 1
    committed-information-rate: '1000000'
    committed-burst-size: 0
    excess-information-rate: '0'
    excess-burst-size: 0
    coupling-flag: zero
    color-mode: color-blind
    drop-on-yellow: false
    mark-all-frames-red-enable: false
    mark-all-frames-red: false