Filter Policies
Router Configuration Guide 505
• Downstream traffic steered towards a VAS on the subscriber-facing IOM is 
reclassified (FC and profile) based on the subscriber egress QoS policy, and is 
queued towards the VAS based on the network egress QoS configuration. Packets 
sent toward VAS will not have DSCP remarked (since they are not yet forwarded to 
a subscriber). DSCP remarking based on subscriber's egress QoS profile will only 
apply to traffic ultimately forwarded to the subscriber (after VAS or not subject to 
VAS).
• If mirroring of subscriber traffic is configured using ACL entry/subscriber/SAP/port 
mirror, the mirroring will apply to traffic ultimately forwarded to subscriber (after 
VAS or not subject to VAS). Traffic that is being redirected to VAS cannot be 
mirrored using an ACL filter implementing PBR action (the same egress ACL filter 
entry being a mirror source and specifying egress PBR action is not supported).
• Use dedicated ingress and egress filter policies to prevent an ingress PBR entry 
from being accidentally matched on egress (and vice versa), which results in 
forwarding or dropping of traffic matching the entry (based on the filter's default 
action configuration).
Caveats:
• This feature requires chassis mode D
• This feature is not supported with HSMDAs on subscriber ingress
• This feature is not supported when the traffic is subject to non-AA ISA on Res-GW
• Traffic that matches an egress filter entry with an egress PBR action cannot be 
mirrored, cannot be sampled using cflowd, and cannot be logged using filter logging 
while being redirected to VAS on a sub-facing line card.
• This feature is not supported with LAC/LNS ESM (PPPoE subscriber traffic 
encapsulated into or de-encapsulated from L2TP tunnels)
• This feature is not supported for system filter policies
Policy-Based Forwarding for Deep Packet Inspection in VPLS
The purpose of policy-based forwarding is to capture traffic from a customer, perform deep 
packet inspection (DPI) on it, and forward the traffic if the DPI allows it.
In the following example, split horizon groups are used to prevent flooding of traffic. 
Traffic from customers enters at SAP 1/1/5:5. Because mac-filter 100 is applied on 
ingress, all traffic with dot1p 07 marking is forwarded to SAP 1/1/22:1, which is the 
DPI.
The DPI performs packet inspection/modification and either drops the traffic or forwards 
it back into the box through SAP 1/1/21:1. The traffic is then sent to spoke-sdp 3:5.