ACL Filter Policy Overview
470 Router Configuration Guide
• An ACL filter policy entry with match criteria defined but no action configured is
considered incomplete and inactive (the entry is not downloaded to the line card). A
filter policy must have at least one active entry for the policy to be considered
active.
• An ACL filter entry with no match conditions defined matches all packets.
• Because an ACL filter policy is an ordered list, entries should be configured
(numbered) from the most explicit to the least explicit. A broad entry numbered ahead
of a more specific one shadows it, so the more specific entry never matches.
IPv4/IPv6 Filter Policy Entry Match Criteria
The IPv4 and IPv6 match criteria supported by SR OS routers/switches are listed below.
The criteria are evaluated against the outer IPv4/IPv6 header and the L4 header that follows (if
applicable). Support for a given match criterion may depend on the hardware and/or filter direction as
described below. It is recommended not to configure a filter in a direction or on hardware
where a given match condition is not supported, as this may lead to undesired behavior. Some
match criteria may be grouped in match lists and may be auto-generated based on router
configuration; see Filter Policy Advanced Topics for more details.
Basic L3 match criteria:
• dscp — Match for the specified DSCP value against the Differentiated Services Code
Point (IPv4) / Traffic Class (IPv6) field in the packet header.
• src-ip/dst-ip — Match for the specified source/destination IPv4/IPv6 address-prefix
against the source/destination address field in the IPv4/IPv6 packet
header. The operator can optionally configure a mask to be used in the match.
• flow-label — Match for the specified flow label against the Flow Label field in IPv6
packets. The operator can optionally configure a mask to be used in the match. Supported
for ingress filters on FP-2-based line cards only. Requires minimum chassis mode C.
Conditional action match criteria:
• hop-limit — Match for the specified hop-limit value/range against the Hop Limit
field in the IPv6 packet header. This match condition is supported for the drop action only
and is part of action evaluation, i.e. it is applied after the packet has been determined to
match the entry based on the other match criteria configured. Packets that match all other
match criteria for a given filter policy entry are dropped if the hop-limit match criterion
is met and forwarded if the hop-limit match criterion is not met. When a filter entry with a
hop-limit condition is used as a mirror source, only forwarded packets are mirrored. When
a filter entry with a hop-limit condition is used in cflowd processing, the hop-limit
condition is ignored for cflowd processing. Supported for ingress filters only and
requires FP-2-based or later line cards. The hop-limit match condition is always
true if the filter is applied on egress or on older hardware, so in that case every packet
matching the entry's other criteria is dropped.
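The evaluation rules described in this section (ordered entries with the first active match winning, entries without an action being inactive, an entry with no match conditions matching everything, and the hop-limit conditional drop together with its egress/older-hardware caveat) are modelled below in Python. This is an added illustration, not SR OS software or CLI syntax: the classes, the sample policies, the IPv6 addresses (taken from the 2001:db8::/32 documentation prefix) and the hop-limit use case (dropping traffic to a loopback whose hop limit has already been decremented) are all constructed for the example and are assumptions, not material from the guide.

```python
# Added illustration of SR OS ACL filter-policy evaluation semantics.
# This is example code, not SR OS software or CLI syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet: only the header fields the model evaluates."""
    src: str
    dst: str
    dscp: int = 0
    hop_limit: int = 64


@dataclass
class Entry:
    """One filter entry. A match field left as None is a wildcard."""
    entry_id: int
    action: Optional[str] = None                 # "forward" | "drop"; None = not configured
    src_ip: Optional[str] = None                 # address-prefix, e.g. "2001:db8:1::/64"
    dst_ip: Optional[str] = None
    dscp: Optional[int] = None
    hop_limit: Optional[Tuple[int, int]] = None  # inclusive range; conditional, drop only

    def __post_init__(self) -> None:
        if self.hop_limit is not None and self.action != "drop":
            raise ValueError("hop-limit is a conditional criterion for the drop action only")

    def is_active(self) -> bool:
        # Match criteria without an action: incomplete, not downloaded to the line card.
        return self.action is not None

    def matches(self, pkt: Packet) -> bool:
        # With no match conditions configured every check is skipped: matches all packets.
        if self.src_ip is not None and ip_address(pkt.src) not in ip_network(self.src_ip):
            return False
        if self.dst_ip is not None and ip_address(pkt.dst) not in ip_network(self.dst_ip):
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        return True


@dataclass
class FilterPolicy:
    entries: List[Entry]
    default_action: str = "forward"
    ingress: bool = True            # hop-limit condition is supported on ingress only
    hop_limit_capable: bool = True  # FP-2-based (or later) line card

    def is_active(self) -> bool:
        # The policy is active only if at least one entry is active.
        return any(e.is_active() for e in self.entries)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, entry_id) from the first active matching entry, else the default."""
        for e in sorted(self.entries, key=lambda x: x.entry_id):
            if not e.is_active() or not e.matches(pkt):
                continue
            if e.hop_limit is None:
                return e.action, e.entry_id
            # Conditional action: evaluated only after the other criteria matched.
            if self.ingress and self.hop_limit_capable:
                lo, hi = e.hop_limit
                condition = lo <= pkt.hop_limit <= hi
            else:
                # Egress or older hardware: the condition is always true, so every
                # packet matching the entry's other criteria is dropped.
                condition = True
            return ("drop" if condition else "forward"), e.entry_id
        return self.default_action, None


# Constructed sample addresses (documentation prefix 2001:db8::/32).
ROGUE_HOST = "2001:db8:1::10"
MGMT_PREFIX = "2001:db8:1::/64"
ROUTER_LOOPBACK = "2001:db8::1"


def well_ordered() -> FilterPolicy:
    # Most explicit first: deny the rogue host, then permit the rest of the prefix.
    return FilterPolicy([Entry(10, "drop", src_ip=ROGUE_HOST + "/128"),
                         Entry(20, "forward", src_ip=MGMT_PREFIX)], default_action="drop")


def misordered() -> FilterPolicy:
    # Broad permit numbered first: the specific deny in entry 20 can never match.
    return FilterPolicy([Entry(10, "forward", src_ip=MGMT_PREFIX),
                         Entry(20, "drop", src_ip=ROGUE_HOST + "/128")], default_action="drop")


def hop_limit_policy(ingress: bool = True, capable: bool = True) -> FilterPolicy:
    # Illustrative use (an assumption, not from the guide): drop traffic to the loopback
    # whose hop limit was decremented, i.e. that did not originate on an attached link.
    return FilterPolicy([Entry(10, "drop", dst_ip=ROUTER_LOOPBACK + "/128", hop_limit=(0, 254))],
                        ingress=ingress, hop_limit_capable=capable)
```

Running `well_ordered()` and `misordered()` against a packet from the rogue host shows the ordering rule in practice: the same two entries yield `('drop', 10)` in the first policy and `('forward', 10)` in the second, because the broad permit shadows the specific deny. Calling `hop_limit_policy(ingress=False)` or `hop_limit_policy(capable=False)` shows the caveat from the hop-limit bullet: with the condition forced true, even a packet arriving with hop limit 255 is dropped.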