The most basic IP and MAC filter policies must have the following:
- a filter ID
- template scope, either exclusive or template
- default action, either drop or forward
- at least one filter entry
  - specified action, either drop or forward
  - specified matching criteria
- allocation of the required amount of resources for ingress and egress filter policies
The following sample configuration output shows the allocation of ingress internal CAM resources for an ingress policy on the 7210 SAS-D.
*A:SASD>config>system>res-prof>ing-internal-tcam# info detail
----------------------------------------------
    acl-sap-ingress 2
        ipv4-match-enable max
        no ipv6-64-only-match-enable
        no ipv4-ipv6-128-match-enable
        mac-match-enable 2
    exit
    no eth-cfm
----------------------------------------------
*A:SASD>config>system>res-prof>ing-internal-tcam# acl-sap-ingress
The following sample configuration output shows the allocation of egress internal CAM resources for an egress policy on the 7210 SAS-D.
A:SASD>config>system>res-prof>egr-internal-tcam# info detail
----------------------------------------------
    acl-sap-egress 2
        mac-ipv4-match-enable 2
        ipv6-128bit-match-enable 0
        mac-ipv6-64bit-match-enable 0
        mac-match-enable 0
    exit
----------------------------------------------
*A:SASD>config>system>res-prof>egr-internal-tcam# acl-sap-egress
The following sample configuration output shows an IP filter policy. The configuration blocks all incoming TCP sessions except Telnet and allows all outgoing TCP sessions from IP network 10.67.132.0/24. CAM resources must be allocated to IPv4 criteria before the filter is associated with a SAP.
A:ALA-1>config>filter# info
----------------------------------------------
    ip-filter 3 create
        entry 10 create
            match protocol 6
                dst-port eq 23
                src-ip 10.67.132.0/24
            exit
            action
                forward
        exit
        entry 20 create
            match protocol 6
                tcp-syn true
                tcp-ack false
            exit
            action
                drop
        exit
    exit
----------------------------------------------
A:ALA-1>config>filter#
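Added example (not part of the original documentation and not vendor code): a small Python model of how the sample ip-filter 3 classifies packets. It assumes entries are evaluated in ascending entry ID order with the first match deciding, and that unmatched packets receive the policy default action, which the sample output does not show. The names ENTRIES, evaluate, tcp and SAMPLES and the sample packets are constructed for illustration.

```python
import ipaddress

# Assumed model (not vendor code): first match in ascending entry ID wins.
# Entries transcribed from "ip-filter 3" above; None = criterion not set.
ENTRIES = [
    {"id": 10, "protocol": 6, "dst_port": 23,
     "src_ip": "10.67.132.0/24", "tcp_syn": None, "tcp_ack": None,
     "action": "forward"},
    {"id": 20, "protocol": 6, "dst_port": None,
     "src_ip": None, "tcp_syn": True, "tcp_ack": False,
     "action": "drop"},
]

def entry_matches(entry, pkt):
    """True when every criterion configured in the entry matches the packet."""
    if pkt["protocol"] != entry["protocol"]:
        return False
    if entry["dst_port"] is not None and pkt["dst_port"] != entry["dst_port"]:
        return False
    net = entry["src_ip"]
    if net and ipaddress.ip_address(pkt["src_ip"]) not in ipaddress.ip_network(net):
        return False
    for flag in ("tcp_syn", "tcp_ack"):
        if entry[flag] is not None and pkt[flag] != entry[flag]:
            return False
    return True

def evaluate(pkt, default_action):
    """Return (entry id or None, action) for the first matching entry."""
    for entry in sorted(ENTRIES, key=lambda e: e["id"]):
        if entry_matches(entry, pkt):
            return entry["id"], entry["action"]
    return None, default_action  # no entry matched: default action applies

def tcp(src_ip, dst_port, syn, ack):  # builds a constructed sample TCP packet
    return {"protocol": 6, "src_ip": src_ip, "dst_port": dst_port,
            "tcp_syn": syn, "tcp_ack": ack}

# Constructed sample packets arriving on the ingress side (not captured data).
SAMPLES = {
    "telnet SYN from 10.67.132.7": tcp("10.67.132.7", 23, True, False),
    "telnet SYN from 192.0.2.9": tcp("192.0.2.9", 23, True, False),
    "HTTP SYN from 10.67.132.7": tcp("10.67.132.7", 80, True, False),
    "SYN-ACK reply from 192.0.2.9": tcp("192.0.2.9", 40000, True, True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, evaluate(pkt, default_action="forward"))
```

In this model, a Telnet SYN is forwarded only when its source is in 10.67.132.0/24, and every other TCP SYN without ACK is dropped by entry 20. The SYN-ACK reply to an outgoing session matches neither entry, so whether it passes depends entirely on the default action.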
The following figure shows the IP filter applied to an ingress interface.