3.4. Configuring Filter Policies with CLI

This section provides information about configuring filter policies using the CLI.

3.5. Basic Configuration

The most basic IP and MAC filter policies must have the following:

  1. a filter ID
  2. template scope, either exclusive or template
  3. default action, either drop or forward
  4. at least one filter entry
    1. specified action, either drop or forward
    2. specified matching criteria
  5. allocation of the required amount of resources for ingress and egress filter policies

The following is a sample configuration output showing the allocation of ingress internal CAM resources for ingress filter policies on the 7210 SAS-D.

*A:SASD>config>system>res-prof>ing-internal-tcam# info detail 
----------------------------------------------
                acl-sap-ingress 2
                    ipv4-match-enable max
                    no ipv6-64-only-match-enable
                    no ipv4-ipv6-128-match-enable
                    mac-match-enable 2
                exit
                no eth-cfm
----------------------------------------------
*A:SASD>config>system>res-prof>ing-internal-tcam# acl-sap-ingress 

The following is a sample configuration output showing the allocation of egress internal CAM resources for egress filter policies on the 7210 SAS-D.

A:SASD>config>system>res-prof>egr-internal-tcam# info detail 
----------------------------------------------
                acl-sap-egress 2
                    mac-ipv4-match-enable 2
                    ipv6-128bit-match-enable 0
                    mac-ipv6-64bit-match-enable 0
                    mac-match-enable 0
                exit
----------------------------------------------
*A:SASD>config>system>res-prof>egr-internal-tcam# acl-sap-egress 

The following is a sample configuration output of an IP filter policy. The configuration blocks all incoming TCP sessions except Telnet and allows all outgoing TCP sessions from IP net 10.67.132.0/24. CAM resources must be allocated to IPv4 criteria before associating the filter with a SAP.

A:ALA-1>config>filter# info
----------------------------------------------
        ip-filter 3 create
            entry 10 create
                match protocol 6
                    dst-port eq 23
                    src-ip 10.67.132.0/24
                exit
                action
                    forward
            exit
            entry 20 create
                match protocol 6
                    tcp-syn true
                    tcp-ack false
                exit
                action
                    drop
            exit
        exit
----------------------------------------------
A:ALA-1>config>filter#

Figure 6 shows the IP filter applied to an ingress interface.

Figure 6:  Applying an IP Filter to an Ingress Interface 

3.6. Common Configuration Tasks

This section provides a brief overview of the tasks that must be performed for both IP and MAC filter configurations and provides the CLI commands.

3.6.1. Allocating Resources for Filter Policies (Ingress and Egress)

The following provides an example of allocation of CAM hardware resources for use with filter policies that use IPv4 and MAC criteria:

3.6.2. Creating an IP Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. the filter type specified (IP)
  2. a filter policy ID
  3. a default action
  4. filter policy scope specified, either exclusive or template
  5. at least one filter entry with matching criteria specified
  6. CAM hardware resources configured for use by the filter policy match criteria

3.6.2.1. IP Filter Policy

The following is a sample exclusive filter policy configuration output.

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 12 create
            description "IP-filter"
            scope exclusive
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

3.6.2.2. IP Filter Entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how matching packets are handled, either dropped or forwarded.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria.

Use the following syntax to create an IP filter entry.

CLI Syntax:
config>filter# ip-filter filter-id [create]
entry entry-id [time-range time-range-name] [create]
description description-string

The following is a sample IP filter entry configuration output.

A:ALA-7>config>filter>ip-filter# info
----------------------------------------------
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                exit
                no action
            exit
        exit
----------------------------------------------
A:ALA-7>config>filter>ip-filter#

3.6.2.3. IP Entry Matching Criteria

Use the following syntax to configure IP filter matching criteria:

The following is a sample IP filter matching configuration output.

*A:ALA-48>config>filter>ip-filter# info
----------------------------------------------
            description "filter-mail"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action
                    forward
            exit
----------------------------------------------
*A:ALA-48>config>filter>ip-filter#

3.6.3. Creating an IPv6 Filter Policy (applicable only for 7210 SAS-D and 7210 SAS-Dxp)

Configuring and applying IPv6 filter policies is optional. Each filter policy must have the following:

  1. The IPv6 filter type specified.
  2. An IPv6 filter policy ID.
  3. A default action, either drop or forward.
  4. Template scope specified, either exclusive or template.
  5. At least one filter entry with matching criteria specified.

3.6.3.1. IPv6 Filter Entry

Within an IPv6 filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how matching packets are handled, either dropped or forwarded.

  1. Enter an IPv6 filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria.

The following is a sample IPv6 filter entry configuration output.

*A:7210SAS>config>filter>ipv6-filter# info detail
----------------------------------------------
            default-action drop
            no description
            scope template
            entry 1 create
                no description
                match next-header none
                    no dscp
                    no dst-ip
                    no dst-port
                    src-ip 1::1/128
                    no src-port
                    no tcp-syn
                    no tcp-ack
                    no icmp-type
                    no icmp-code
                exit
                action
                    forward
            exit
*A:7210SAS>config>filter>ipv6-filter#

3.6.4. Creating a MAC Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. The filter type specified (MAC).
  2. A filter policy ID.
  3. A default action, either drop or forward.
  4. Filter policy scope, either exclusive or template.
  5. At least one filter entry.
  6. Matching criteria specified.

3.6.4.1. MAC Filter Policy

The following is a sample MAC filter policy configuration output.

A:ALA-7>config>filter# info
----------------------------------------------
...
        mac-filter 90 create
            description "filter-west"
            scope exclusive
        exit
----------------------------------------------
A:ALA-7>config>filter#

3.6.4.2. MAC Filter Entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how matching packets are handled, either dropped or forwarded.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria.

The following is a sample MAC filter entry configuration output.

A:sim1>config>filter# info
----------------------------------------------
        mac-filter 90 create
            entry 1 create
                description "allow-104" 
                match 
                exit 
                action
                    drop
            exit 
        exit 
----------------------------------------------
A:sim1>config>filter# 

3.6.4.3. MAC Entry Matching Criteria

The following is a sample MAC filter matching configuration output.

A:ALA-7>config>filter>mac-filter# info
----------------------------------------------
            description "filter-west"
            scope exclusive
            entry 1 create
                description "allow-104"
                match
                    src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff
                    dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff
                exit
                action
                    drop
            exit
----------------------------------------------

3.6.4.4. Apply IP and MAC Filter Policies

The following shows the syntax for applying an IP and a MAC filter policy to an Epipe service:

CLI Syntax:
config>service# epipe service-id
sap sap-id
egress
filter {ip ip-filter-id | mac mac-filter-id}
ingress
filter {ip ip-filter-id | mac mac-filter-id}

The following is a sample output for IP and MAC filters assigned to an ingress and egress SAP.

A:ALA-48>config>service>epipe# info
----------------------------------------------
            sap 1/1/1.1.1 create
                ingress
                    filter ip 10
                exit
                egress
                    filter mac 92
                exit
            exit
            no shutdown
----------------------------------------------
A:ALA-48>config>service>epipe#

3.6.4.5. Apply Filter Policies to an IES Interface

IP filter policies can be applied to an IP interface created in an IES service. These filter policies apply to the routed management traffic.

CLI Syntax:
config>service>ies# interface ip-int-name
address ip-address
sap sap-id
ingress
filter ip ip-filter-id

The following is a sample output for an IP filter applied to an IES SAP at ingress.

A:ALA-48>config>service>ies# info
----------------------------------------------
            interface "to-104" create
                address 10.1.2.1/24
                sap lag-2:0.* create
                      ingress
                            filter ip 10
                exit
            exit
...
----------------------------------------------
A:ALA-48>config>service>ies#

3.7. Filter Management Tasks

This section discusses the filter policy management tasks.

3.7.1. Renumbering Filter Policy Entries

The system exits the matching process when the first matching entry is found and then executes the action specified in that entry. Because the order of entries determines which one matches first, the numbering sequence can be rearranged. Entries should be numbered from the most explicit to the least explicit.

Use the following syntax to renumber (re-sequence) existing MAC or IP filter entries.

CLI Syntax:
config>filter
ip-filter filter-id
renum old-entry-number new-entry-number
mac-filter filter-id
renum old-entry-number new-entry-number
Example:
config>filter>ip-filter# renum 10 15
config>filter>ip-filter# renum 20 10
config>filter>ip-filter# renum 40 1

The following shows a sample of the original filter entry order, followed by the same filter after the entries have been reordered with the renum commands above.

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action forward
            exit
            entry 20 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
            entry 40 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
            entry 10 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action forward
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#
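As an added illustration (not the vendor's code or CLI output), the following Python model of first-match evaluation applies the renum sequence above to ip-filter 11. It shows that, because 10.10.10.103/24 and 10.10.10.106/24 denote the same /24, the renumbering silently changes the verdict for every host in that subnet from forward to drop; only the src-ip/dst-ip criteria and drop/forward actions are modelled.

```python
"""Model of first-match IP filter evaluation and the 'renum' operation.
Added illustration, not vendor code: it covers only src-ip/dst-ip prefix
criteria and the drop/forward actions used in the renumbering example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    src_ip: Optional[str] = None   # prefix as typed on the CLI, e.g. "10.10.10.103/24"
    dst_ip: Optional[str] = None
    action: str = "forward"        # "drop" or "forward"

    def matches(self, src: str, dst: str) -> bool:
        # strict=False: "10.10.10.103/24" is the network 10.10.10.0/24, so
        # entries written with different host bits can cover the same subnet.
        def hit(criterion: Optional[str], addr: str) -> bool:
            return criterion is None or ip_address(addr) in ip_network(criterion, strict=False)
        return hit(self.src_ip, src) and hit(self.dst_ip, dst)


@dataclass
class IpFilter:
    default_action: str = "drop"
    entries: Dict[int, Entry] = field(default_factory=dict)

    def renum(self, old: int, new: int) -> None:
        """Equivalent of 'renum old-entry-number new-entry-number'."""
        if new in self.entries:
            raise ValueError(f"entry {new} already exists")
        self.entries[new] = self.entries.pop(old)

    def evaluate(self, src: str, dst: str) -> Tuple[Optional[int], str]:
        """Lowest-numbered matching entry wins and the search stops there;
        fall back to the default action when nothing matches."""
        for entry_id in sorted(self.entries):
            if self.entries[entry_id].matches(src, dst):
                return entry_id, self.entries[entry_id].action
        return None, self.default_action


def filter_main() -> IpFilter:
    """ip-filter 11 with the entries shown before renumbering."""
    return IpFilter(entries={
        10: Entry("10.10.10.103/24", "10.10.10.91/24", "forward"),
        20: Entry("10.10.0.100/24", "10.10.10.91/24", "drop"),
        30: Entry("10.10.0.200/24", "10.10.10.91/24", "forward"),
        40: Entry("10.10.10.106/24", "10.10.10.91/24", "drop"),
    })


def before_and_after(src: str, dst: str) -> Tuple[Tuple, Tuple]:
    """Verdict for one packet before and after the renum sequence from the example."""
    f = filter_main()
    before = f.evaluate(src, dst)
    for old, new in ((10, 15), (20, 10), (40, 1)):
        f.renum(old, new)
    return before, f.evaluate(src, dst)


if __name__ == "__main__":
    # Entries 10 and 40 both cover 10.10.10.0/24 -> 10.10.10.0/24, so their
    # relative order alone decides the verdict for that subnet.
    print(before_and_after("10.10.10.5", "10.10.10.91"))  # ((10, 'forward'), (1, 'drop'))
```

Before changing entry order on a live filter, compare the evaluation of representative flows against both orderings, as this model does, since a renum is applied immediately to every SAP using the policy.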

3.7.2. Modifying an IP Filter Policy

To access a specific IP filter, you must specify the filter ID. Use the no form of this command to remove the command parameters or return the parameter to the default setting.

Example:
config>filter>ip-filter# description "New IP filter info"
config>filter>ip-filter# entry 2 create
config>filter>ip-filter>entry$ description "new entry"
config>filter>ip-filter>entry# action drop
config>filter>ip-filter>entry# match dst-ip 10.10.10.104/32
config>filter>ip-filter>entry# exit
config>filter>ip-filter#

The following is a sample modified IP filter output.

A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "New IP filter info"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action
                    drop
            exit
            entry 2 create
                description "new entry"
                match
                    dst-ip 10.10.10.104/32
                exit
                action
                    drop
            exit
            entry 10 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action
                    drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action
                    forward
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action
                    forward
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

3.7.3. Modifying a MAC Filter Policy

To access a specific MAC filter, you must specify the filter ID. Use the no form of this command to remove the command parameters or return the parameter to the default setting.

Example:
config>filter# mac-filter 90
config>filter>mac-filter# description "New filter info"
config>filter>mac-filter# entry 1
config>filter>mac-filter>entry# description "New entry info"
config>filter>mac-filter>entry# action forward
config>filter>mac-filter>entry# exit
config>filter>mac-filter# entry 2 create
config>filter>mac-filter>entry$ action drop
config>filter>mac-filter>entry# match
config>filter>mac-filter>entry>match# dot1p 7 7

The following is a sample modified MAC filter output.

A:ALA-7>config>filter# info
----------------------------------------------
...
        mac-filter 90 create
            description "New filter info"
            scope exclusive
            entry 1 create
                description "New entry info"
                match
                    src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff
                    dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff
                exit
                action
                    forward
            exit
            entry 2 create
                match
                    dot1p 7 7
                exit
                action
                    drop
            exit
        exit
...
----------------------------------------------
A:ALA-7>config>filter#

3.7.4. Deleting a Filter Policy

Before you can delete a filter, you must remove the filter association from the applied ingress and egress SAPs and network interfaces.

3.7.4.1. From an Ingress SAP

Use the following syntax to remove a filter from an ingress SAP.

CLI Syntax:
config>service# [epipe | ies | vpls] service-id
sap port-id[:encap-val]
ingress
   no filter
Example:
config>service# epipe 5
config>service>epipe# sap 1/1/2:3
config>service>epipe>sap# ingress
config>service>epipe>sap>ingress# no filter

3.7.4.2. From an Egress SAP

Use the following syntax to remove a filter from an egress SAP.

CLI Syntax:
config>service# [epipe | ies | vpls] service-id
sap port-id[:encap-val]
egress
   no filter
Example:
config>service# epipe 5
config>service>epipe# sap 1/1/2:3
config>service>epipe>sap# egress
config>service>epipe>sap>egress# no filter

3.7.4.3. From the Filter Configuration

Use the following syntax to delete the filter after you have removed the filter from the SAP.

CLI Syntax:
config>filter# no ip-filter filter-id
CLI Syntax:
config>filter# no mac-filter filter-id
Example:
config>filter# no ip-filter 11
config>filter# no mac-filter 13

3.7.5. Copying Filter Policies

When changes are made to an existing filter policy, they are applied immediately to all services where the policy is applied. If numerous changes are required, the policy can be copied so you can edit the “work in progress” version without affecting the filtering process. When the changes are completed, you can overwrite the work in progress version with the original version.

New filter policies can also be created by copying an existing policy and renaming the new filter.

CLI Syntax:
config>filter# copy filter-type src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite]

The following shows command usage to copy an existing IP filter (11) to create a new filter policy (12).

Example:
config>filter# copy ip-filter 11 to 12
A:ALA-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "This is new"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action
                    drop
            exit
            entry 2 create
...
        ip-filter 12 create
            description "This is new"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.106/24
                exit
                action
                    drop
            exit
            entry 2 create
...
----------------------------------------------
A:ALA-7>config>filter#