Acl Filter Policy Overview - Alcatel-Lucent 7450 Configuration Manual

ACL Filter Policy Overview

ACL Filter policies, also referred to as Access Control Lists (ACLs) or filters for short, are sets of
ordered rule entries specifying packet match criteria and actions to be performed on a packet upon a
match. Filter policies are created with a unique filter ID, but each filter can also have a unique filter
name configured once the filter policy has been created. Either the filter ID or the filter name can be
used throughout the system to manage filter policies and assign them to interfaces.
There are three main types of filter policies: IPv4 and MAC filter policies. Additionally, MAC filter
policies support three sub-types: (configure filter mac-filter type {normal | isid | vid}). These
sub-types allow operators to configure different L2 match criteria for an L2 MAC filter.
There are different kinds of filter policies as defined by the filter policy scope:
• An exclusive filter allows defining policy rules explicitly for a single interface. An
exclusive filter allows the highest level of customization but uses the most resources, since each
exclusive filter consumes H/W resources on the line cards where the interface exists.
• A template filter allows use of an identical set of policy rules across multiple interfaces.
Template filters use a single set of resources per line card, regardless of how many
interfaces use a given template filter policy on that line card. Template filter policies used
on access interfaces consume resources on line cards only if at least one access interface
for a given template filter policy is configured on a given line card.
• An embedded filter allows defining a common set of policy rules that can then be used
(embedded) by other exclusive or template filters in the system. This allows optimized
management of filter policies.
• A system filter policy allows defining a common set of policy rules that can then be
activated within other exclusive/template filters. A system filter policy is intended mainly
for system-level blacklisting rules but can be used for other applications as well. This
allows optimized management of common rules (similarly to embedded filters); however,
active system filter policy entries are not duplicated inside each policy that activates the
system policy (as is the case when embedding is used). The active system policy is
downloaded once to line cards, and activating filter policies are chained to it.
Once created, filter policies must then be associated with interfaces/services/subscribers or with
other filter policies (if the created policy cannot be directly deployed on an interface/service/
subscriber), so that the incoming/outgoing traffic can be subjected to the filter rules. Filter policies
are associated with interfaces/services/subscribers separately in the ingress and in the egress
direction. The policies deployed in the ingress and egress directions can be the same or different. In
general, it is recommended to use different filter policies per ingress and per egress direction and to
use different filter policies per service type, since filter policies support different match criteria and
different actions for different direction/service contexts. A filter policy is applied to a packet in
ascending rule entry order. When a packet matches all the parameters specified in a filter entry's
match criteria, the system takes the action defined for that entry. If a packet does not match the
entry parameters, the packet is compared to the next higher numerical filter entry rule and so on. If
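The ascending-entry-order, first-match evaluation described on this page can be modeled as follows. This is an added example, not code from the manual or from the router software; it goes beyond the text by also reporting entries that can never be reached because a lower-numbered entry already matches all of their traffic. The Entry fields, the sample policy, and the default_action fallback used when no entry matches are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Entry:
    entry_id: int
    action: str                       # "forward" or "drop"
    src: str = "0.0.0.0/0"            # source prefix; default matches any
    protocol: Optional[str] = None    # None matches any protocol
    dst_port: Optional[int] = None    # None matches any port

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.protocol in (None, pkt["protocol"])
                and self.dst_port in (None, pkt["dst_port"]))

    def covers(self, other):
        """True if every packet that matches `other` also matches self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and self.protocol in (None, other.protocol)
                and self.dst_port in (None, other.dst_port))

def evaluate(entries, pkt, default_action="drop"):
    """First match in ascending entry order wins; returns (entry_id, action)."""
    for e in sorted(entries, key=lambda e: e.entry_id):
        if e.matches(pkt):
            return e.entry_id, e.action
    return None, default_action       # assumed fallback, not from the page

def shadowed(entries):
    """(hidden_id, hiding_id) pairs for entries that can never be reached."""
    ordered = sorted(entries, key=lambda e: e.entry_id)
    pairs = []
    for i, later in enumerate(ordered):
        hider = next((e for e in ordered[:i] if e.covers(later)), None)
        if hider is not None:
            pairs.append((later.entry_id, hider.entry_id))
    return pairs

# Constructed sample policy, deliberately listed out of order.
POLICY = [
    Entry(30, "forward", src="192.0.2.0/24", protocol="tcp", dst_port=443),
    Entry(10, "forward", src="10.0.0.0/8", protocol="tcp", dst_port=22),
    Entry(20, "drop", protocol="tcp"),
]

if __name__ == "__main__":
    print(evaluate(POLICY, {"src": "192.0.2.7", "protocol": "tcp", "dst_port": 443}))
    print(shadowed(POLICY))
```

In the sample policy, entry 30 is intended to permit HTTPS from 192.0.2.0/24, but entry 20 drops all TCP first, so the audit reports entry 30 as hidden by entry 20.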
7450 ESS Router Configuration Guide
