ACL Filter Policy Overview
504 Router Configuration Guide
• deployments that use a single interface for VAS connectivity (optional, no local subscriber-to-subscriber VAS traffic support)
→ to-from-both
- both upstream traffic arriving from access interfaces and downstream traffic arriving from the network are redirected to a PBR target reachable over this interface for upstream/downstream VAS processing
- after VAS processing, traffic must arrive on this interface (optional for upstream), so that the traffic is subject to regular routing but is not subject to AA divert, nor to egress subscriber PBR
- the interface must be used for downstream pre-VAS traffic; otherwise routing loops will occur
The ESM filter policy-based service chaining allows operators to do the following: 
• Steer upstream and downstream traffic per-subscriber with full ACL-flow-defined granularity without the need to specify match conditions that identify subscriber or tier-of-service
• Steer both upstream and downstream traffic on a single Res-GW
• Flexibly assign subscribers to tier-of-service by changing the ACL filter policy a given subscriber uses
• Flexibly add new services to a subscriber or tier-of-service by adding the subscriber-independent filter rules required to achieve steering
• Achieve isolation of VAS steering from other ACL functions like security through the use of embedded filters
• Deploy integrated Application Assurance (AA) as part of a VAS service chain - both upstream and downstream traffic is processed by AA before a VAS redirect
• Select whether to use IP-Src/IP-Dst address hash or IP-Src/IP-Dst address plus TCP/UDP port hash when LAG/ECMP connectivity to DC is used. L4 inputs are not used in the hash for IPv6 packets that have extension headers present.
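As an added illustration (not taken from this guide), the Python sketch below models the hash-input choice in the last bullet and shows the effect of the IPv6 extension-header caveat: flows between one host pair spread over LAG/ECMP members when ports are hashed, but collapse onto a single member once an extension header is present. The function names, the SHA-256 stand-in for member selection, and the constructed 2001:db8:: packets are assumptions; the router's actual hash algorithm is not described here.

```python
import hashlib
import struct
from ipaddress import ip_address

TCP, UDP, DEST_OPTS = 6, 17, 60

def hash_inputs(pkt: bytes, use_l4: bool) -> tuple:
    """Fields fed to the LAG/ECMP hash for one raw, unfragmented IP packet."""
    version = pkt[0] >> 4
    if version == 4:
        proto, l4_off = pkt[9], (pkt[0] & 0x0F) * 4
        src, dst = pkt[12:16], pkt[16:20]
    elif version == 6:
        # Next Header of the fixed header: with an extension header present it
        # is not TCP/UDP, so the ports are left out (the caveat in the bullet).
        proto, l4_off = pkt[6], 40
        src, dst = pkt[8:24], pkt[24:40]
    else:
        raise ValueError("not an IPv4/IPv6 packet")
    if use_l4 and proto in (TCP, UDP):
        return (src, dst) + struct.unpack_from("!HH", pkt, l4_off)
    return (src, dst)

def pick_link(pkt: bytes, use_l4: bool, links: int) -> int:
    """Stand-in member selection (assumption): SHA-256 of the inputs mod links."""
    digest = hashlib.sha256(repr(hash_inputs(pkt, use_l4)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % links

def ipv6_udp(src: str, dst: str, sport: int, dport: int, ext_hdr: bool) -> bytes:
    """Constructed IPv6/UDP packet, optionally with a Destination Options header."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    # 8-byte Destination Options header: next=UDP, len=0, one 6-byte PadN option
    ext = bytes([UDP, 0, 1, 4, 0, 0, 0, 0]) if ext_hdr else b""
    next_hdr = DEST_OPTS if ext_hdr else UDP
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(udp), next_hdr, 64)
    return fixed + ip_address(src).packed + ip_address(dst).packed + ext + udp

def links_used(ext_hdr: bool, flows: int = 64, links: int = 4) -> set:
    """Member links hit by `flows` UDP flows between one constructed host pair."""
    return {pick_link(ipv6_udp("2001:db8::1", "2001:db8::2", 40000 + i, 443,
                               ext_hdr), True, links) for i in range(flows)}

if __name__ == "__main__":
    print("no extension header:", sorted(links_used(False)))
    print("with extension header:", sorted(links_used(True)))
```

When sizing links toward the DC, treat IPv6 traffic that carries extension headers as hashed per address pair even if the address-plus-port hash is selected.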
ESM filter policy-based traffic steering supports the following:
• IPv4 and IPv6 steering of unicast traffic using IPv4 and IPv6 ACLs
• action forward redirect-policy or action forward next-hop router for IP steering with TCAM-based load-balancing, fail-to-wire, and sticky destination
• action forward esi sf-ip vas-interface router for an integrated service chaining solution
Operational notes: