Embedded Filters - Alcatel-Lucent 7450 Configuration Manual

Filter Policy Advanced Topics

Embedded Filters

When a large number of standard filter policies are configured in a system, a set of policies will
often contain one or more common blocks of entries that define, for example, system-wide and/or
service-wide security rules. Prior to the introduction of embedded filters, such common rules
had to be configured separately in each exclusive/template policy.

To simplify management of such common rules across multiple filter policies, an operator can now
use embedded filter policies. An embedded filter policy is a special type of filter policy that
cannot be deployed directly but instead is used to define common filter policy rules that are then
included in (embedded by) other filter policies in the system. Thanks to embedding, a common set
of rules can now be defined and changed in a single place but deployed across multiple filter
policies. The following main rules apply when embedding an embedded filter policy:
1. An operator can explicitly define an offset at which to embed a given embedded filter into a
given embedding filter—the embedded filter entry number X becomes an entry (X + offset)
in the embedding filter.
2. An exclusive/template filter policy may embed multiple embedded filter policies as long as
the embedded entries do not overlap.
3. A single embedded filter policy may be embedded in many exclusive/template filter policies.
4. When embedding an embedded filter, an operator may wish to change or deactivate an
embedded filter policy entry in one of the embedding filters, thus allowing the embedding
filter to customize the common embedded filter policy rules. This can be achieved by
either defining an entry in the embedding filter that will match ahead of the embedded filter
entry or by overwriting the embedded filter entry in the embedding filter.
For example: If embedded filter 99 has entry 20 that drops packets that match IP source
address src_address, and filter 200 embeds filter 99 at offset 100, then to deactivate the
embedded entry 20, an operator could define an entry 120 (embedded entry number 20 + offset
100) in filter policy 200 that has the same match criteria and has either no action defined
(this will deactivate the embedded entry and allow continued evaluation of filter policy 200),
or has action forward defined (packets will match the new entry and will be forwarded
instead of dropped, and evaluation of filter policy 200 will stop).
5. Any embedded policy rule edits are automatically applied to all filter policies that embed that
embedded filter policy.
6. The system verifies whether system and hardware resources exist when a new embedded filter
policy is created, changed or embedded. If resources are not available, the configuration is
rejected. In rare cases, the filter policy resource check may pass but the filter policy can still fail to
load due to resource exhaustion on a line card (for example, when other filter policy entries
are dynamically configured by applications like RADIUS in parallel). If that is the case, the
embedded filter policy configured will be de-activated (configuration will be changed from
activate to inactivate).
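
The offset, overlap and overwrite rules above can be checked offline with a small model. The following Python sketch is an added example, not code from the manual or from the router software; the dictionary layout, the function names resolve and evaluate, the sample address 192.0.2.10, the extra entry 300, the ascending-entry-number evaluation order and the drop default action are assumptions made for illustration.

```python
# Added illustration: a toy model of embedded-filter resolution, not router code.
# Assumptions: a filter is a dict {entry_number: (match_src, action)}, entries
# are evaluated in ascending entry number, and action None means "no action".

def resolve(local_entries, embeds):
    """Return the effective entry table of an embedding filter.

    embeds is a list of (embedded_entries, offset) pairs.
    """
    effective = {}
    origin = {}  # entry number -> index of the embed that supplied it
    for idx, (entries, offset) in enumerate(embeds):
        for number, rule in entries.items():
            slot = number + offset      # rule 1: entry X lands at X + offset
            if slot in origin:          # rule 2: embedded entries must not overlap
                raise ValueError(
                    f"entry {slot}: embeds {origin[slot]} and {idx} overlap")
            origin[slot] = idx
            effective[slot] = rule
    # Rule 4: an entry defined in the embedding filter overwrites the
    # embedded entry that occupies the same entry number.
    effective.update(local_entries)
    return dict(sorted(effective.items()))


def evaluate(effective, src, default_action="drop"):
    """Return (entry_number, action) for a packet with source address src."""
    for number, (match_src, action) in effective.items():
        if action is None:              # no action: entry is inactive and
            continue                    # evaluation continues with later entries
        if match_src == src:
            return number, action       # first active match ends evaluation
    return None, default_action         # the default action is an assumption


# Constructed sample data mirroring the example in rule 4.
SRC = "192.0.2.10"                      # stands in for src_address
FILTER_99 = {20: (SRC, "drop")}         # embedded filter 99, entry 20
PLAIN = resolve({300: (SRC, "forward")}, [(FILTER_99, 100)])
DEACTIVATED = resolve({120: (SRC, None), 300: (SRC, "forward")},
                      [(FILTER_99, 100)])
OVERRIDDEN = resolve({120: (SRC, "forward")}, [(FILTER_99, 100)])

if __name__ == "__main__":
    for name, table in (("plain", PLAIN), ("deactivated", DEACTIVATED),
                        ("overridden", OVERRIDDEN)):
        print(name, evaluate(table, SRC))
```

In the deactivated case the verdict comes from whatever entry matches later (or from the default action), so a no-action overwrite of a shared drop rule should be reviewed together with the rest of the embedding filter.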
7450 ESS Router Configuration Guide