ACL Filter Policy Overview
Router Configuration Guide
For example: if embedded filter 99 has entry 20 that drops packets that match IP
source address src_address, and filter 200 embeds filter 99 at offset 100, then to
deactivate embedded entry 20, an operator could define entry 120 (embedded
entry number 20 + offset 100) in filter policy 200 with the same match criteria
and either no action defined (this deactivates the embedded entry and allows
continued evaluation of filter policy 200) or action forward defined (packets
match the new entry and are forwarded instead of dropped, and evaluation of filter
policy 200 stops).
5. Any embedded policy rule edits are automatically applied to all filter policies that
embed that embedded filter policy.
6. The system verifies whether system and hardware resources exist when a new embedded
filter policy is created, changed or embedded. If resources are not available, the
configuration is rejected. In rare cases, the filter policy resource check may pass but the
filter policy can still fail to load because of resource exhaustion on a line card (for
example, when other filter policy entries are dynamically configured in parallel by
applications like RADIUS). If that is the case, the configured embedded filter policy will
be deactivated (configuration will be changed from activate to inactivate).
7. An embedded filter is never embedded partially into an exclusive/template filter; that
is, resources must exist to embed all embedded filter entries in a given exclusive/
template filter. Although a partial embedding into a single filter will not take place,
an embedded filter may be embedded only in a subset of embedding filters (only
those where there are sufficient resources available).
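The override example above (filter 99 embedded into filter 200 at offset 100, with a local entry 120) as a small Python model. This is an added illustration, not vendor code or router configuration; the function names, the 192.0.2.0/24 prefix standing in for src_address, the local entry 300 and the default action are assumptions made for the sketch.

```python
import ipaddress

def merge(local, embeds):
    """Effective entry table of an embedding filter.

    local:  {entry_number: (src_prefix, action)} configured in the embedding filter
    embeds: list of (embedded_filter_entries, offset) pairs
    action: "drop", "forward", or None when no action is defined
    """
    merged = {}
    for entries, offset in embeds:
        for number, rule in entries.items():
            merged[number + offset] = rule   # embedded entry N lands at N + offset
    merged.update(local)                     # a local entry at the same number wins
    return dict(sorted(merged.items()))

def evaluate(merged, src, default_action):
    """First match in ascending entry order; returns (entry_number, action)."""
    addr = ipaddress.ip_address(src)
    for number, (prefix, action) in merged.items():
        if action is None:
            continue                         # no action: entry inactive, keep evaluating
        if addr in ipaddress.ip_network(prefix):
            return number, action            # match: evaluation stops here
    return None, default_action

# Constructed sample data (assumptions, not from the guide)
SRC = "192.0.2.0/24"                         # stands in for src_address
FILTER_99 = {20: (SRC, "drop")}              # embedded filter 99, entry 20
FILTER_200_LOCAL = {300: ("0.0.0.0/0", "forward")}  # hypothetical later entry in filter 200
DEFAULT_ACTION = "drop"                      # assumed default action

def scenario(override):
    """override: None for no local entry 120, else the (prefix, action) rule for entry 120."""
    local = dict(FILTER_200_LOCAL)
    if override is not None:
        local[120] = override
    return evaluate(merge(local, [(FILTER_99, 100)]), "192.0.2.7", DEFAULT_ACTION)

if __name__ == "__main__":
    print(scenario(None))               # embedded entry 20 active at 120
    print(scenario((SRC, None)))        # entry 120 with no action
    print(scenario((SRC, "forward")))   # entry 120 with action forward
```

In the no-action case the outcome depends entirely on the later entries and the default action of filter 200, so review them before deactivating an embedded drop rule.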
Figure 19 shows an implementation of an embedded filter policy, using an IPv4 ACL filter
policy example in which embedded filter 10 defines common filter rules that are then
embedded into filters 1 and 20 (with filter 20 overwriting the rule at offset 50).
Figure 19: Embedded Filter Policy
[Figure: ip-filter 10 (scope embedded) is embedded into ip-filter 1 and ip-filter 20, each with "embed-filter 10 offset 0". Entry labels shown in the figure: Entry 10, 20, 50, 70, 80, 100 and 300.]