ACL Filter Policy Overview
Router Configuration Guide
• If the source or destination address of a log message does not match an entry already present in the table, the source/destination address is stored in a free entry in the mini-table.
• If the mini-table has no more free entries, only the total counter is incremented.
• At expiry of the summarization interval, the mini-table for each type is flushed to the syslog destination.
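The summarization steps above, as an added Python sketch that is not code from the guide or from SR OS. The table capacity, the counting of every packet in the total, and the increment for an address already present are assumptions. It shows that once a mini-table is full, further addresses are visible only in the total.

```python
from collections import OrderedDict


class MiniTable:
    """Per-type summary table (one per address type, as in the text above)."""

    def __init__(self, capacity):
        self.capacity = capacity      # assumed size; the page gives no number
        self.entries = OrderedDict()  # address -> per-address hit count
        self.total = 0                # assumed to count every logged packet

    def record(self, address):
        self.total += 1
        if address in self.entries:            # assumed: known address bumps its count
            self.entries[address] += 1
        elif len(self.entries) < self.capacity:
            self.entries[address] = 1          # stored in a free entry
        # else: table full, only the total counter moved

    def flush(self):
        """Interval expiry: emit the summary and reset the table."""
        summary = {
            "entries": dict(self.entries),
            "total": self.total,
            "unattributed": self.total - sum(self.entries.values()),
        }
        self.entries.clear()
        self.total = 0
        return summary


def summarize(packets, capacity):
    """Feed (addr_type, address) pairs for one interval; return flushed summaries."""
    tables = {}
    for addr_type, address in packets:
        tables.setdefault(addr_type, MiniTable(capacity)).record(address)
    return {addr_type: table.flush() for addr_type, table in tables.items()}


# Constructed sample: one chatty source plus one-off sources (documentation prefixes).
SAMPLE = [("ip", "192.0.2.10")] * 5 + [("ip", f"198.51.100.{i}") for i in range(1, 7)]
SAMPLE.append(("ipv6", "2001:db8::1"))

if __name__ == "__main__":
    for addr_type, summary in summarize(SAMPLE, capacity=4).items():
        print(addr_type, summary)
```

A non-zero "unattributed" value in a flushed summary means some logged packets came from addresses that never got a mini-table entry, so the per-address counts understate how many distinct sources or destinations hit the filter in that interval.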
Operational note:
• Filter entries with conditional action match criteria for ttl, hop-limit, packet-length, and payload-length support logging and statistics when the condition is met, giving visibility of the filter entry matched and the action executed. If the condition is not met, packets are not logged and statistics against the entry are not incremented.
Filter Policy cflowd Sampling
Filter policies can be used to control how cflowd sampling is performed on an IP interface. If an IP interface has cflowd sampling enabled, an operator can exclude some flows from interface sampling by configuring filter policy rules that match the flows and by disabling interface sampling as part of the filter policy entry configuration (interface-disable-sample). If an IP interface has cflowd sampling disabled, an operator can enable cflowd sampling on a subset of flows by configuring filter policy rules that match the flows and by enabling cflowd sampling as part of the filter policy entry configuration (filter-sample).
The cflowd filter sampling behavior described above is driven exclusively by match criteria: the sampling logic applies regardless of whether an action was executed (including evaluation of conditional action match criteria, for example, packet-length or ttl).
Filter Policy Management
Modifying Existing Filter Policy
There are several ways to modify an existing filter policy. A filter policy can be modified through a configuration change, or can have entries populated through dynamic, policy-controlled interfaces such as RADIUS, OpenFlow, Flowspec, or Gx. Although the SR OS generally ensures that filter resources exist before a filter can be modified, because of the dynamic nature of the policy-controlled interfaces, a configuration that was accepted may not be applied in hardware due to lack of resources. When that happens, an error is raised.