Filter Policies
Router Configuration Guide 489
System-level IPv4/IPv6 Line Card Filter Policy
A system filter policy allows the definition of a common set of policy rules that can then be 
activated within other exclusive/template filters. IPv4/IPv6 system filter policies support all 
IPv4/IPv6 filter policy match rules and actions respectively, but system policy entries cannot 
be the sources of mirroring. 
A system filter policy cannot be used directly; the active system policy is deployed by 
activating it within any IPv4 or IPv6 exclusive/template filter policy (chaining the system 
policy and a given interface policy). When an IPv4/IPv6 filter policy is chained to the active 
IPv4/IPv6 system filter, system filter rules are evaluated before any rules of the chaining 
filter (that is, the chaining filter's rules are matched against only if no system filter 
match took place). 
A system filter policy is intended mainly for system-level blacklisting rules, so it is 
recommended to use system policies with drop/forward actions. Other actions, such as 
PBR actions or redirect to ISAs, should not be used unless the system filter policy 
is activated only in filters used by services that support such actions. The “nat” action is not 
supported and should not be configured. Failure to observe these restrictions can lead to 
undesired behavior, because system filter actions are not verified against the services the 
chaining filters are deployed for.
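The evaluation order and action restrictions described above, modeled as an added example (not part of the original guide and not router code). It assumes a simplified match on source prefix only, ascending entry-id order, a default action on the chaining filter, and hypothetical policy names and a hypothetical "redirect" action label; all sample policies are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Entry:
    entry_id: int
    src: str      # source prefix (the only match criterion in this model)
    action: str   # "drop", "forward", "nat", "redirect" (hypothetical label)

@dataclass
class Filter:
    name: str
    entries: list = field(default_factory=list)
    default_action: str = "drop"  # assumption: used when no entry matches

def first_match(flt, src_ip):
    # Assumption: entries are tried in ascending entry-id order.
    for e in sorted(flt.entries, key=lambda e: e.entry_id):
        if ip_address(src_ip) in ip_network(e.src):
            return e
    return None

def evaluate(system, chaining, src_ip):
    """Return (policy name, entry id, action) that decides the packet."""
    for flt in (system, chaining):   # system filter rules are evaluated first
        hit = first_match(flt, src_ip)
        if hit:                      # a system match ends evaluation here
            return (flt.name, hit.entry_id, hit.action)
    return (chaining.name, None, chaining.default_action)

def lint_system_filter(system):
    """Flag actions the guide says to avoid in a system filter policy."""
    findings = []
    for e in system.entries:
        if e.action == "nat":
            findings.append((e.entry_id, "error: nat is not supported"))
        elif e.action not in ("drop", "forward"):
            findings.append((e.entry_id, "warn: action not verified against chaining services"))
    return findings

# Constructed sample policies using documentation prefixes.
SYSTEM = Filter("system", [Entry(5, "203.0.113.0/24", "drop"),
                           Entry(10, "198.51.100.0/24", "forward")])
EDGE = Filter("edge", [Entry(1, "198.51.100.7/32", "drop"),
                       Entry(2, "192.0.2.0/24", "forward")])
BAD = Filter("system", [Entry(5, "203.0.113.0/24", "drop"),
                        Entry(6, "192.0.2.0/24", "nat"),
                        Entry(7, "198.51.100.0/24", "redirect")])
```

In this model `evaluate(SYSTEM, EDGE, "198.51.100.7")` is decided by system entry 10 (forward), so the more specific drop in the chaining filter is never consulted. A broad forward entry in a system filter therefore overrides every interface-level drop for that traffic.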
System filter policies can be populated using the CLI/SNMP/NETCONF management interfaces 
and the OpenFlow policy interface. System filter policy entries cannot be populated using 
flowspec, RADIUS, or Gx.
System filter policy scale is identical to the corresponding IPv4 or IPv6 filter policy scale. 
A system filter policy consumes a single set of H/W resources on each line card as soon as it is 
activated, regardless of how many IPv4/IPv6 filters chain to that system policy. This 
optimizes resource allocation when multiple filter policies activate a given system policy.
System filter policy requires chassis mode D.
An example (IPv4) configuration is shown below:
*A:vm1>config>filter#
# Configure system-policy
        ip-filter 1 create
            scope system
            entry 5 create
                match protocol *
                    fragment true
Note: Embedded filter policies are supported for line card IP(v4) and IPv6 filter policies only.