Filter Policy Configuration Overview; Service And Network Port-Based Filtering - Alcatel-Lucent 7450 ESS Series Configuration Manual

Carrier ethernet switch routers

Filter Policy Configuration Overview

Filter policies, also referred to as Access Control Lists (ACLs) or filters for short, are sets of
ordered rules specifying packet match criteria and actions to be performed upon a match. Filters
are applied to services or network ports to control network traffic into (ingress) or out of (egress) a
service access port (SAP) or network. There are three main types of filter policies: IPv4, IPv6, and MAC filter
policies. Filters can be used on several interfaces. The same filter can be applied to ingress traffic,
egress traffic, or both. Ingress filters affect only inbound traffic destined for the routing complex,
and egress filters affect only outbound traffic sent from the routing complex.
Configuring an entity with a filter policy is optional. By default, there are no filters associated with
services or interfaces, and therefore, all traffic is allowed on the ingress and egress interfaces. Filters
must be explicitly created and associated. There are different types of filter policies as defined by
the scope argument of the filter policy. An exclusive filter is intended to be used by a single SAP/
interface, while a template filter is intended to be shared by multiple SAP/interfaces in the system.
Filter policies are created with a unique filter id, but each filter also has a unique filter name
argument that can be defined once the filter policy has been created. Either filter id or filter name
can then be used throughout the system to manage filter policies and their associations.
On a Layer 2 SAP, either a single IP (v4 or v6) or a single MAC filter policy can be applied in a
given direction. On a Layer 3 SAP, a single IP (v4 or v6) filter policy can be applied in a given direction. The
ingress and egress direction policies can be the same or different. For dual stack IPv4/IPv6 SAPs/
interfaces, if both IPv4 and IPv6 filter policies are defined, the policy applied will be based on the
outer IP header of the packet. Note that non-IP packets do not hit an IP filter policy, so the
default action in the IP filter policy will not apply to these packets.

Service and Network Port-Based Filtering

IPv4 and IPv6 policies specify an ordered set of entries, each defining match criteria and an action to be
performed when the match criteria are met. Examples of actions include forward, redirect, drop, NAT,
and others. Examples of match criteria include IP address, protocol number, TCP/UDP port
number and others.
Filter entry match criteria can be as general or specific as required, but all conditions in the entry
must be met in order for the packet to be considered an entry match and the specified entry action
performed. The filter policy evaluation process stops when the first complete match is found and
triggers the execution of the action defined.
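
The following Python model is an added example, not code from the manual or from the router software. It illustrates the evaluation rules described above: every criterion in an entry must match, the first complete match ends evaluation, the default action applies only when no entry matches, and non-IP packets do not hit an IP filter. The packet dictionary layout, the function names, and the sample policy are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Entry:
    entry_id: int                     # label only; list order decides evaluation
    action: str                       # e.g. "forward" or "drop"
    match: dict = field(default_factory=dict)  # absent criterion = wildcard

def entry_matches(entry, pkt):
    """True only if every criterion present in the entry is met."""
    m = entry.match
    if "src" in m and (ipaddress.ip_address(pkt["src"])
                       not in ipaddress.ip_network(m["src"])):
        return False
    if "protocol" in m and pkt.get("protocol") != m["protocol"]:
        return False
    if "dst_port" in m and pkt.get("dst_port") != m["dst_port"]:
        return False
    return True

def evaluate(entries, default_action, pkt):
    """Return (action, entry_id); (None, None) if the IP filter is not hit."""
    if not pkt.get("is_ip", True):
        return (None, None)           # non-IP: default action does not apply
    for entry in entries:
        if entry_matches(entry, pkt):
            return (entry.action, entry.entry_id)  # first full match ends evaluation
    return (default_action, None)

# Constructed sample policy, evaluated with default action "drop".
POLICY = [
    Entry(10, "forward", {"src": "10.0.0.0/8", "protocol": 6, "dst_port": 22}),
    Entry(20, "drop", {"protocol": 6, "dst_port": 22}),
    Entry(30, "forward", {"protocol": 17, "dst_port": 53}),
    # Never reached: entry 10 already matches every packet this entry describes.
    Entry(40, "drop", {"src": "10.1.0.0/16", "protocol": 6, "dst_port": 22}),
]

if __name__ == "__main__":
    samples = [
        {"src": "10.1.2.3", "protocol": 6, "dst_port": 22},
        {"src": "192.0.2.7", "protocol": 6, "dst_port": 22},
        {"src": "10.1.2.3", "protocol": 6, "dst_port": 443},
        {"is_ip": False},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(POLICY, "drop", pkt))
```

Entry 40 in the sample is shadowed by entry 10, which is the kind of ordering mistake worth checking for when auditing a filter policy.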
7450 ESS OS Router Configuration Guide
