VPF Tables
VPF tables are collections of items which allow VPF Filter Rules and VPF NAT Rules to act on groups of items in a single rule using a custom name, allowing for simpler and more descriptive rulesets. Tables also make it easy to update items in one place rather than having to edit multiple rules.
Table Types
VPF supports two types of tables: Prefix tables and port tables.
Each prefix table contains one or more prefix entries, which can be a single IP address or an entire subnet.
Each port table contains one or more port entries.
Note
Port tables can only be used for matching actions. For example, on NAT rules they can only match ports on packets, and they cannot be used for controlling translation.
Prefix Table Management
To create a new prefix table, run the vpf prefix-table <name> command in
config mode, which enters config-vpf-prefix-table mode.
The following commands are available inside config-vpf-prefix-table mode:
- description <text>:
Adds an optional description for the table, such as an explanation of its contents or purpose.
- prefix <ip-prefix> [description <text>]:
Defines an IP prefix to include in this table. Each prefix is composed of an IPv4 or IPv6 address and a CIDR mask/prefix length. For example, 10.0.0.0/8 or ff00::/8. To define a single host, use a /32 CIDR for IPv4 or a /128 prefix length for IPv6.
- description <text>:
Adds an optional description specific to this individual prefix.
Warning
When defining a network, use an appropriate network boundary as the starting address. For example, to define a prefix for an IPv4 network including the address 10.1.2.1/24, the prefix must be defined using the network address of that subnet, 10.1.2.0/24.
Warning
A table cannot contain overlapping prefixes. Ensure each entry is distinct and has the correct prefix length.
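The two warnings above describe conditions that are easy to get wrong by hand: an entry that is not on its network boundary, and two entries that overlap. The following script is an added example, not TNSR's own code, that checks a prefix-table session transcript (in the form shown under Examples) for both problems before the configuration is committed. The sample session and its two deliberate mistakes are constructed for this illustration; the parsing regex assumes the prompt format shown on this page.

```python
"""Check TNSR VPF prefix-table entries for the two mistakes the warnings describe:
prefixes that do not start on a network boundary, and overlapping prefixes.
Added example, not part of TNSR; it only inspects text, it does not talk to TNSR."""
import ipaddress
import re

# Constructed sample transcript of a config-vpf-prefix-table session with two
# deliberate errors: a host address used as a /24, and a /16 inside 10.0.0.0/8.
SAMPLE_SESSION = """\
tnsr(config)# vpf prefix-table Demo
tnsr(config-vpf-prefix-table)# description Demo table with errors
tnsr(config-vpf-prefix-table)# prefix 10.0.0.0/8
tnsr(config-vpf-prefix-table)# prefix 10.1.2.1/24 description host address, not network
tnsr(config-vpf-prefix-table)# prefix 10.1.0.0/16 description overlaps 10.0.0.0/8
tnsr(config-vpf-prefix-table)# prefix ff00::/8 description IPv6 multicast
tnsr(config-vpf-prefix-table)# exit
"""

# Matches "<prompt># prefix <ip-prefix> [description <text>]" (prompt format assumed from this page)
PREFIX_RE = re.compile(r"^\S+# prefix (\S+)(?: description (.*))?$")


def parse_prefixes(session):
    """Return the prefix strings entered with the 'prefix' command, in order."""
    prefixes = []
    for line in session.splitlines():
        m = PREFIX_RE.match(line.strip())
        if m:
            prefixes.append(m.group(1))
    return prefixes


def check_prefix_table(prefixes):
    """Return a list of (prefix, problem) tuples; an empty list means the table is valid."""
    problems = []
    accepted = []  # ipaddress networks that passed the boundary check
    for text in prefixes:
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.1.2.1/24
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            try:
                # strict=False masks the host bits, giving the address TNSR expects
                fixed = ipaddress.ip_network(text, strict=False)
                problems.append((text, f"not on a network boundary; use {fixed}"))
            except ValueError:
                problems.append((text, "not a valid IP prefix"))
            continue
        for other in accepted:
            # overlaps() covers both directions: a subnet of, or a supernet of, an earlier entry
            if other.version == net.version and net.overlaps(other):
                problems.append((text, f"overlaps {other}"))
        accepted.append(net)
    return problems


if __name__ == "__main__":
    found = check_prefix_table(parse_prefixes(SAMPLE_SESSION))
    for prefix, problem in found:
        print(f"{prefix}: {problem}")
    print("table OK" if not found else f"{len(found)} problem(s) found")
```

Rejected entries are not added to the overlap comparison, so a single bad line produces one report rather than a cascade; rerun the check after correcting it to catch overlaps that the corrected entry introduces.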
Port Table Management
To create a new port table, run the vpf port-table <name> command in
config mode, which enters config-vpf-port-table mode.
The following commands are available inside config-vpf-port-table mode:
- description <text>:
Adds an optional description for the table, such as an explanation of its contents or purpose.
- port <number> [description <text>]:
Defines a port number entry to include in the table.
- description <text>:
Adds an optional description specific to this individual port.
Examples
A prefix table to cover private network IP addresses:
tnsr(config)# vpf prefix-table PrivateNets
tnsr(config-vpf-prefix-table)# description Private IPv4 Networks
tnsr(config-vpf-prefix-table)# prefix 10.0.0.0/8
tnsr(config-vpf-prefix-table)# prefix 172.16.0.0/12
tnsr(config-vpf-prefix-table)# prefix 192.168.0.0/16
tnsr(config-vpf-prefix-table)# exit
A prefix table with multiple single IP addresses and descriptions:
tnsr(config)# vpf prefix-table ExternalNAT
tnsr(config-vpf-prefix-table)# prefix 203.0.113.230/32 description General use
tnsr(config-vpf-prefix-table)# prefix 203.0.113.231/32 description PBX
tnsr(config-vpf-prefix-table)# prefix 203.0.113.232/32 description SMTP server
tnsr(config-vpf-prefix-table)# exit
A port table to cover HTTP and HTTPS for web servers:
tnsr(config)# vpf port-table WebPorts
tnsr(config-vpf-port-table)# port 80 description HTTP
tnsr(config-vpf-port-table)# port 443 description HTTPS
tnsr(config-vpf-port-table)# exit