Filter Policy Configuration Overview; Service And Network Port-Based Filtering - Alcatel-Lucent 7710 SR OS Configuration Manual


Filter Policy Configuration Overview

Filter policies, also referred to as Access Control Lists (ACLs) or filters for short, are sets of
ordered rules specifying packet match criteria and the actions to be performed upon a match. Filters
are applied to services or network ports to control network traffic into (ingress) or out of (egress) a
service access port (SAP) or network. There are three main types of filter policies: IPv4, IPv6, and MAC
filter policies. Filters can be used on several interfaces. The same filter can be applied to ingress
traffic, egress traffic, or both. Ingress filters affect only inbound traffic destined for the routing
complex, and egress filters affect only outbound traffic sent from the routing complex.

Configuring an entity with a filter policy is optional. By default, there are no filters associated with
services or interfaces, and therefore all traffic is allowed on the ingress and egress interfaces. Filters
must be explicitly created and associated. There are different types of filter policies, as defined by
the scope argument of the filter policy. An exclusive filter is intended to be used by a single
SAP/interface, while a template filter is intended to be shared by multiple SAPs/interfaces in the system.

Filter policies are created with a unique filter id, but each filter also has a unique filter name
argument that can be defined once the filter policy has been created. Either the filter id or the filter
name can then be used throughout the system to manage filter policies and their associations.

On a Layer 2 SAP, either a single IP (v4 or v6) or a single MAC filter policy can be applied in a
given direction. On a Layer 3 SAP and on network interfaces, a single IP (v4 or v6) filter policy can be
applied in a given direction. The ingress and egress direction policies can be the same or different. For
dual stack IPv4/IPv6 SAPs/interfaces, if both IPv4 and IPv6 filter policies are defined, the policy applied
is based on the outer IP header of the packet. Note that non-IP packets do not hit an IP filter
policy, so the default action in the IP filter policy does not apply to these packets.

Service and Network Port-Based Filtering

IPv4, IPv6, and MAC filter policies specify an ordered set of entries, each defining match criteria and
the action to be performed when the match criteria are met. Examples of actions include forward, redirect,
drop, NAT, and others. Examples of match criteria include source/destination MAC or IP address,
protocol number, TCP/UDP port number, and others.

Filter entry match criteria can be as general or specific as required, but all conditions in the entry
must be met for the packet to be considered an entry match and for the specified entry action to be
performed. The filter policy evaluation process stops when the first complete match is found and
triggers the execution of the action defined.
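
An added example, not taken from the manual and not SR OS code: a small Python model of the first-match evaluation described above, including the earlier note that non-IP packets are not evaluated by an IP filter, plus an audit check for entries that an earlier, broader entry makes unreachable. The entry ids, field names, sample policy, the "not-evaluated" label, and the default_action value are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy, in evaluation order: (entry id, criteria, action).
# A criterion that is absent acts as a wildcard; all present ones must match.
ENTRIES = [
    (10, {"src": "10.0.0.0/8", "proto": 6}, "forward"),
    (20, {"src": "10.1.0.0/16", "proto": 6, "dport": 23}, "drop"),  # never reached
    (30, {"proto": 17, "dport": 53}, "forward"),
]

def _field_matches(key, want, pkt):
    if key == "src":
        return ip_address(pkt["src"]) in ip_network(want)
    return pkt.get(key) == want

def evaluate(entries, pkt, default_action="drop"):
    """Return (entry id, action) for the first entry whose criteria all match."""
    if not pkt.get("is_ip", True):
        return (None, "not-evaluated")   # non-IP packets do not hit an IP filter
    for entry_id, match, action in entries:
        if all(_field_matches(k, v, pkt) for k, v in match.items()):
            return (entry_id, action)    # evaluation stops at the first match
    return (None, default_action)        # assumed default; set per policy

def _covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    for key, want in earlier.items():
        if key not in later:
            return False                 # later is a wildcard here, earlier is not
        if key == "src":
            if not ip_network(later[key]).subnet_of(ip_network(want)):
                return False
        elif later[key] != want:
            return False
    return True

def shadowed(entries):
    """List (shadowed id, shadowing id) pairs: entries that can never match."""
    return [(b[0], a[0]) for i, b in enumerate(entries)
            for a in entries[:i] if _covers(a[1], b[1])]
```

In the sample policy, entry 20 is meant to drop Telnet from 10.1.0.0/16, but entry 10 matches those packets first, so the drop never takes effect; `shadowed(ENTRIES)` reports that pair.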
Page 328
7710 SR OS Router Configuration Guide
