ACL Filter Policy Overview
468 Router Configuration Guide
- Filter Policies and Dynamic Policy-Driven Interfaces
- Filter Policy-based ESM Service Chaining
- Policy-Based Forwarding for Deep Packet Inspection in VPLS
ACL filter policies, also referred to as Access Control Lists (ACLs) or simply filters, are sets of ordered rule entries that specify packet match criteria and the actions to be performed on a packet when it matches. Each filter policy is created with a unique filter ID, and a unique filter name can also be configured once the policy exists. Either the filter ID or the filter name can be used throughout the system to manage filter policies and assign them to interfaces.
There are three main types of filter policies: IPv4, IPv6, and MAC filter policies. Additionally, MAC filter policies support three sub-types (configure>filter>mac-filter>type {normal | isid | vid}). These sub-types allow operators to configure different L2 match criteria for a MAC filter.
There are different kinds of filter policies, as defined by the filter policy scope:
• An exclusive filter allows policy rules to be defined explicitly for a single interface. An exclusive filter allows the highest level of customization but uses the most resources, since each exclusive filter consumes hardware resources on every line card on which its interface exists.
• A template filter allows an identical set of policy rules to be used across multiple interfaces. Template filters use a single set of resources per line card, regardless of how many interfaces on that line card use a given template filter policy. Template filter policies used on access interfaces consume resources on a line card only if at least one access interface using that template filter policy is configured on that line card.
• An embedded filter allows a common set of policy rules to be defined and then used (embedded) by other exclusive or template filters in the system. This allows optimized management of filter policies.
• A system filter policy allows a common set of policy rules to be defined and then activated within other exclusive or template filters. A system filter policy is intended mainly for system-level blacklisting rules but can be used for other applications as well. This allows optimized management of common rules (similarly to embedded filters); however, active system filter policy entries are not duplicated inside each policy that activates the system policy (as is the case when embedding is used). The active system policy is downloaded once to the line cards, and the activating filter policies are chained to it.
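As an added illustration that is not part of this guide, the following Python model applies the four scope rules above to count how many hardware entries each line card would hold. The filter names, entry counts, interface and line-card labels are constructed for the example; the model shows why an embedded filter's rules are paid for by every filter that embeds it, while a system filter is paid for once per line card.

```python
from collections import defaultdict

def expanded_size(filters, name):
    """Entries installed for a filter: its own rules plus the rules of every
    filter it embeds (embedding copies the common rules into each user)."""
    f = filters[name]
    return f["entries"] + sum(expanded_size(filters, e) for e in f.get("embeds", []))

def linecard_entry_usage(filters, interfaces):
    """Return {line_card: entries consumed} for a list of
    (interface, line_card, filter_name) assignments."""
    usage = defaultdict(int)
    installed = set()           # (line_card, filter) pairs already downloaded
    exclusive_owner = {}        # exclusive filter -> the single interface using it
    for iface, card, fname in interfaces:
        f = filters[fname]
        size = expanded_size(filters, fname)
        if f["scope"] == "exclusive":
            # Exclusive filters are tied to exactly one interface.
            if exclusive_owner.setdefault(fname, iface) != iface:
                raise ValueError(f"exclusive filter {fname} used on two interfaces")
            usage[card] += size                       # own copy on its line card
        elif f["scope"] == "template":
            if (card, fname) not in installed:        # one copy per line card,
                installed.add((card, fname))          # however many interfaces use it
                usage[card] += size
        else:
            raise ValueError(f"{fname}: only exclusive/template filters bind to interfaces")
        sysname = f.get("activates")
        if sysname and (card, sysname) not in installed:
            installed.add((card, sysname))            # downloaded once, then chained
            usage[card] += expanded_size(filters, sysname)
    return dict(usage)

# Constructed sample topology (hypothetical names and sizes).
FILTERS = {
    "common":    {"scope": "embedded",  "entries": 10},
    "blacklist": {"scope": "system",    "entries": 100},
    "excl-1":    {"scope": "exclusive", "entries": 5, "embeds": ["common"], "activates": "blacklist"},
    "tmpl-A":    {"scope": "template",  "entries": 3, "embeds": ["common"], "activates": "blacklist"},
}
INTERFACES = [("1/1/1", "card1", "excl-1"), ("1/1/2", "card1", "tmpl-A"),
              ("1/1/3", "card1", "tmpl-A"), ("2/1/1", "card2", "tmpl-A")]

if __name__ == "__main__":
    print(linecard_entry_usage(FILTERS, INTERFACES))
```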