5.3. Configuring Filter Policies with CLI

This section provides information to configure and manage filter policies using the command line interface.

Topics in this section include:

5.4. Basic Configuration

The most basic IPv4, IPv6, MAC, and VLAN filter policy must have the following:

  1. a filter ID
  2. scope, either exclusive or template (VLAN filter policies always have a template scope)
  3. default action (drop or forward)
  4. at least one filter entry
    1. specified action, either drop or forward
    2. specified matching criteria

The most basic IP exception filter policy must have the following:

  1. an exception filter policy ID
  2. scope, either exclusive or template
  3. at least one filter entry with a specified matching criteria

5.5. Common Configuration Tasks

This section provides a brief overview of the tasks that must be performed for IP filter configuration and provides the CLI commands.

5.5.1. Creating an IPv4 or IPv6 Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. the filter type specified (IP)
  2. a filter policy ID
  3. a default action (drop or forward)
  4. scope specified, either exclusive or template
  5. at least one filter entry with matching criteria specified

5.5.1.1. IP Filter Policy

Use the following CLI syntax to create a template IPv4 or IPv6 filter policy:

CLI Syntax:
config>filter# ip-filter filter-id [create]
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ip-filter 12 create
config>filter# description "IP-filter"
config>filter$ scope template
CLI Syntax:
config>filter# ipv6-filter ipv6-filter-id [create]
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ipv6-filter 10 create
config>filter# description "ipv6-filter"
config>filter# scope template

The following example displays a template filter policy configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 12 create
            description "IP-filter"
            scope template
        exit
...
----------------------------------------------
A:ALU-7>config>filter#

Use the following CLI syntax to create an exclusive IPv4 or IPv6 filter policy:

CLI Syntax:
config>filter# ip-filter filter-id
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ip-filter 11 create
config>filter# description "filter-main"
config>filter# scope exclusive
CLI Syntax:
config>filter# ipv6-filter ipv6-filter-id
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ipv6-filter 9 create
config>filter# description "ipv6-filter-main"
config>filter# scope exclusive

The following example displays an exclusive filter policy configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
        exit
...
----------------------------------------------
A:ALU-7>config>filter#

5.5.1.2. IP Filter Entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, and network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria (see IP Filter Entry Matching Criteria).

The forward next-hop command is used to implement policy-based routing. For details, see Policy-Based Routing. Use the indirect keyword to identify the indirect next-hop router to which packets with matching criteria will be forwarded. The forward fc command is used to implement multi-field classification. For details, see Multi-field Classification (MFC).

Use the following CLI syntax to create an IP filter entry:

CLI Syntax:
config>filter# ip-filter {filter-id | filter-name}
entry entry-id
description description-string
action [drop]
action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
Example:
config>filter# ip-filter 11
config>filter>ip-filter# entry 10 create
config>filter>ip-filter>entry$ description "no-91"
config>filter>ip-filter>entry$ action drop
config>filter>ip-filter>entry# exit
CLI Syntax:
config>filter# ipv6-filter {ipv6-filter-id | filter-name}
entry entry-id
description description-string
action {drop | forward}
Example:
config>filter# ipv6-filter 9
config>filter>ipv6-filter# entry 10 create
config>filter>ipv6-filter>entry$ description "no-91"
config>filter>ipv6-filter>entry$ action drop
config>filter>ipv6-filter>entry# exit

The following example displays an IP filter entry configuration.

A:ALU-7>config>filter>ip-filter# info
----------------------------------------------
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                action drop
                exit
            exit
----------------------------------------------

5.5.1.3. IP Filter Entry Matching Criteria

Use the following CLI syntax to configure IPv4 filter matching criteria:

CLI Syntax:
config>filter>ip-filter>entry#
match
dscp dscp-name
dst-ip {ip-address/mask | ip-address netmask}
dst-port {{lt | gt | eq} dst-port-number} | {range start end}
fragment {true | false}
icmp-code icmp-code
icmp-type icmp-type
ip-option ip-option-value [ip-option-mask]
multiple-option {true | false}
option-present {true | false}
src-ip {ip-address/mask | ip-address netmask}
src-port {{lt | gt | eq} src-port-number} | {range start end}
tcp-ack {true | false}
tcp-syn {true | false}
Example:
config>filter>ip-filter>entry# match
config>filter>ip-filter>entry>match# src-ip 10.10.10.10/32
config>filter>ip-filter>entry>match# dst-ip 10.10.10.91/24
config>filter>ip-filter>entry>match# exit

The following example displays a matching configuration.

A:ALU-7>config>filter>ip-filter# info
----------------------------------------------
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
                action forward 
            exit
----------------------------------------------
A:ALU-7>config>filter>ip-filter#
Note:

IPv4 filter entries can specify one or more matching criteria, with one caveat. In order to support the maximum 256 entries for IPv4 filters, any entry that uses source port (src-port) and/or destination port (dst-port) ranges (lt, gt, or range keywords) as match criteria must be within the first 64 entries.
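A static check for these requirements, written here as an added example rather than anything from the guide: it parses an ip-filter block in the indented form printed by the info command and flags a missing scope or default-action, entries without an action or match criteria, and any src-port or dst-port lt, gt or range criterion that falls outside the first 64 entries. Ranking entries by ascending entry ID to decide position, and the sample configuration, are assumptions made for the example.

```python
"""Static checks on a 7705 SAR style ip-filter block (added example, not from the guide).

The input is the indented form printed by the info command. Checks:
  - scope and default-action are present (required for a basic filter policy)
  - every entry has an action and at least one match criterion
  - src-port/dst-port lt, gt or range criteria occur only within the first
    64 entries; position is taken as rank by ascending entry ID (an assumption)
"""
import re

ENTRY_RE = re.compile(r"^entry (\d+)\b")
PORT_RANGE_RE = re.compile(r"^(src-port|dst-port)\s+(lt|gt|range)\b")
MAX_PORT_RANGE_POSITION = 64


def parse_ip_filter(text):
    """Return {"scope": str|None, "default_action": str|None, "entries": {id: {...}}}."""
    policy = {"scope": None, "default_action": None, "entries": {}}
    entry = None
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("...", "---", "A:")):
            continue  # output decoration, not configuration
        m = ENTRY_RE.match(line)
        if line.startswith("scope ") and entry is None:
            policy["scope"] = line.split()[1]
        elif line.startswith("default-action ") and entry is None:
            policy["default_action"] = line.split()[1]
        elif m:
            entry = {"id": int(m.group(1)), "action": None, "match": []}
            policy["entries"][entry["id"]] = entry
        elif entry is not None:
            if line == "match":
                in_match = True
            elif line.startswith("action "):
                entry["action"] = line.split()[1]
            elif line == "exit":
                if in_match:
                    in_match = False  # closes the match block
                else:
                    entry = None      # closes the entry block
            elif in_match:
                entry["match"].append(line)
    return policy


def check_ip_filter(policy):
    """Return a list of findings; an empty list means the block passed all checks."""
    findings = []
    if policy["scope"] is None:
        findings.append("policy: missing scope (exclusive or template)")
    if policy["default_action"] is None:
        findings.append("policy: missing default-action (drop or forward)")
    if not policy["entries"]:
        findings.append("policy: no filter entries")
    for position, eid in enumerate(sorted(policy["entries"]), start=1):
        entry = policy["entries"][eid]
        if entry["action"] is None:
            findings.append(f"entry {eid}: no action")
        if not entry["match"]:
            findings.append(f"entry {eid}: no match criteria")
        uses_port_range = any(PORT_RANGE_RE.match(c) for c in entry["match"])
        if uses_port_range and position > MAX_PORT_RANGE_POSITION:
            findings.append(
                f"entry {eid}: src-port/dst-port lt, gt or range at position "
                f"{position}, beyond the first {MAX_PORT_RANGE_POSITION} entries"
            )
    return findings


# Constructed sample: the guide's filter-main entry, a port-range entry near the
# top, 62 filler entries, then a port-range entry that lands at position 65.
SAMPLE = """\
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            default-action drop
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
                action forward
            exit
            entry 20 create
                match
                    dst-port range 1000 2000
                exit
                action drop
            exit
""" + "".join(
    f"            entry {i} create\n                match\n"
    f"                    src-ip 10.10.0.{i}/32\n                exit\n"
    f"                action drop\n            exit\n"
    for i in range(30, 92)
) + """\
            entry 200 create
                match
                    src-port lt 1024
                exit
                action forward
            exit
        exit
"""

if __name__ == "__main__":
    for finding in check_ip_filter(parse_ip_filter(SAMPLE)):
        print(finding)
```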

Use the following CLI syntax to configure IPv6 filter matching criteria:

CLI Syntax:
config>filter>ipv6-filter>entry#
match
dscp dscp-name
dst-ip {ip-address/prefix-length}
dst-port {{lt | gt | eq} dst-port-number} | {range start end}
icmp-code icmp-code
icmp-type icmp-type
src-ip {ip-address/prefix-length}
src-port {{lt | gt | eq} src-port-number} | {range start end}
tcp-ack {true | false}
tcp-syn {true | false}
Example:
config>filter>ipv6-filter>entry# match
config>filter>ipv6-filter>entry>match# src-ip 11::12/128
config>filter>ipv6-filter>entry>match# dst-ip 13::14/128
config>filter>ipv6-filter>entry>match# exit

The following example displays a matching configuration.

A:ALU-7>config>filter>ipv6-filter# info
----------------------------------------------
            description "ipv6-filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 13::14/128
                    src-ip 11::12/128
                exit
                action forward
            exit
----------------------------------------------
A:ALU-7>config>filter>ipv6-filter#

5.5.1.4. IP Filter Entry for PBR to a System IP or Loopback Address

A PBR rule can be set up to extract packets from the data path and send them to the CSM for debugging or slow path forwarding, by having the next-hop point to a system IP or loopback interface of the 7705 SAR.

The extracted traffic can be rerouted to a final destination based on a RIB lookup on the CSM. The traffic is reinjected to the datapath based on the next-hop address.

Table 74 summarizes the queuing parameters for this functionality. These parameters are for slow path queues created for PBR and are not user-configurable.

Table 74:  PBR CSM Extraction Queue Parameters

  Parameter   Maximum Value
  ---------   ---------------------------------------
  PIR         1500 kb/s
  CIR         100 kb/s
  MBS         20 (non-buffer-chained adapter cards)
              80 (buffer-chained adapter cards)
  CBS         8 buffers

The following syntax shows an example of extracting and reinjecting packets to a system IP address. An example for a loopback address would be similar.

CLI Syntax:
config>filter# ip-filter {filter-id | filter-name}
entry entry-id
action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
match
dscp dscp-name
Example:
config>filter# ip-filter 12
config>filter>ip-filter# entry 112 create
config>filter>ip-filter>entry$ action forward next-hop indirect 10.10.10.10
config>filter>ip-filter>entry# match
config>filter>ip-filter>entry>match# dscp be
config>filter>ip-filter>entry>match# exit
A:ALU-7>config>filter>ip-filter# info
----------------------------------------------
            scope exclusive
            entry 12 create
                match
                    dscp be
                exit
                action forward next-hop indirect 10.10.10.10 
            exit
----------------------------------------------
A:ALU-7>config>filter>ip-filter#

5.5.2. Creating a MAC Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. the filter type specified (MAC)
  2. a filter policy ID
  3. a default action, either drop or forward
  4. filter policy scope, either exclusive or template
  5. at least one filter entry
  6. matching criteria specified

5.5.2.1. MAC Filter Policy

Use the following CLI syntax to configure a MAC filter with exclusive scope:

CLI Syntax:
config>filter>mac-filter filter-id [create]
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter>mac-filter 90 create
config>filter>mac-filter# description filter-west
config>filter>mac-filter# scope exclusive
config>filter>mac-filter# default-action drop

The following example displays an exclusive scope configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
mac-filter 90 create
description "filter-west"
scope exclusive
default-action drop
exit
----------------------------------------------
A:ALU-7>config>filter#

5.5.2.2. MAC Filter Entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria (see MAC Entry Matching Criteria).

Use the following CLI syntax to configure a MAC filter entry:

CLI Syntax:
config>filter>mac-filter {filter-id | filter-name}
entry entry-id [create]
description description-string
action [drop]
action forward
exit
Example:
config>filter>mac-filter 90
config>filter>mac-filter# entry 1 create
config>filter>mac-filter>entry# description "allow-104"
config>filter>mac-filter>entry# action drop
config>filter>mac-filter>entry# exit

The following example displays a MAC filter entry configuration.

A:sim1>config>filter# info
----------------------------------------------
         mac-filter 90 create
              entry 1 create
                  description "allow-104"
                  match
                  exit
                  action drop
              exit
         exit
----------------------------------------------
A:sim1>config>filter#

5.5.2.3. MAC Entry Matching Criteria

Use the following CLI syntax to configure a MAC filter entry with matching criteria:

CLI Syntax:
config>filter>mac-filter {filter-id | filter-name}
entry entry-id
match [frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}]
src-mac ieee-address
dst-mac ieee-address
etype 0x0600..0xffff
Example:
config>filter>mac-filter 90
config>filter>mac-filter# entry 1
config>filter>mac-filter>entry# match frame-type 802dot3
config>filter>mac-filter>entry>match# src-mac 00:dc:98:1d:00:00
config>filter>mac-filter>entry>match# dst-mac 02:dc:98:1d:00:01
config>filter>mac-filter>entry>match# etype 0x8100

The following example displays a filter matching configuration.

A:ALU-7>config>filter# info
----------------------------------------------
         description "filter-west"
         scope exclusive
         entry 1 create
              description "allow-104"
              match
                  src-mac 00:dc:98:1d:00:00
                  dst-mac 02:dc:98:1d:00:01
                  etype 0x8100
              exit
              action drop
         exit
----------------------------------------------
A:ALU-7>config>filter#

5.5.3. Creating a VLAN Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. the filter type specified (VLAN)
  2. a filter policy ID
  3. a default action, either drop or forward
  4. at least one filter entry
  5. specified matching criteria (see VLAN Entry Matching Criteria)

5.5.3.1. VLAN Filter Policy

Use the following CLI syntax to configure a VLAN filter policy:

CLI Syntax:
config>filter>vlan-filter filter-id [create]
description description-string
default-action {drop | forward}
Example:
config>filter>vlan-filter 2 create
config>filter>vlan-filter# description VLAN_filter_2
config>filter>vlan-filter# default-action drop

The following example displays a VLAN filter configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
vlan-filter 2 create
description "VLAN_filter_2"
default-action drop
exit
----------------------------------------------
A:ALU-7>config>filter#

5.5.3.2. VLAN Filter Entry

Within a VLAN filter policy, configure filter entries that contain criteria against which ingress traffic on a ring port is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. Forwarded packets are sent to the other ring port or the v-port, depending on the destination.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria (see VLAN Entry Matching Criteria).

Use the following CLI syntax to configure a VLAN filter entry:

CLI Syntax:
config>filter>vlan-filter {filter-id | filter-name}
entry entry-id [create]
description description-string
action {drop | forward}
exit
Example:
config>filter>vlan-filter 2
config>filter>vlan-filter# entry 2 create
config>filter>vlan-filter>entry# description "drop-104"
config>filter>vlan-filter>entry# action drop
config>filter>vlan-filter>entry# exit

The following example displays a VLAN filter entry configuration.

A:sim1>config>filter# info
----------------------------------------------
         vlan-filter 2 create
              entry 2 create
                  description "drop-104"
                  match
                  action drop
                  exit
              exit
         exit
----------------------------------------------
A:sim1>config>filter#

5.5.3.3. VLAN Entry Matching Criteria

Use the following CLI syntax to configure a VLAN filter entry with matching criteria:

CLI Syntax:
config>filter>vlan-filter {filter-id | filter-name}
entry entry-id
match vlan {lt|gt|eq} vlan-id
match vlan range vlan-id to vlan-id
match untagged
Example:
config>filter>vlan-filter 2
config>filter>vlan-filter# entry 2
config>filter>vlan-filter>entry# description drop_104
config>filter>vlan-filter>entry# match vlan eq 104

The following example displays a filter matching configuration.

A:ALU-7>config>filter# info
----------------------------------------------
         description "drop-104"
         entry 2 create
              description "drop-104"
              match vlan eq 104
              action drop
              exit
         exit
----------------------------------------------
A:ALU-7>config>filter#

5.5.4. Creating an IP Exception Filter Policy

Configuring and applying IP exception filter policies is optional. Each exception filter policy must have the following:

  1. an exception filter policy ID
  2. scope specified, either exclusive or template
  3. at least one filter entry with matching criteria specified

5.5.4.1. IP Exception Filter Policy

Use the following CLI syntax to create an IP exception filter policy:

CLI Syntax:
config>filter# ip-exception filter-id [create]
description description-string
scope {exclusive | template}
Example:
config>filter# ip-exception 1 create
config>filter>ip-except# description "IP-exception"
config>filter>ip-except# scope template

The following example displays a template IP exception filter policy configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-exception 1 create
            description "IP-exception"
            scope template
        exit
...
----------------------------------------------
A:ALU-7>config>filter#

5.5.4.2. IP Exception Entry Matching Criteria

Within an exception filter policy, configure exception entries that contain criteria against which ingress, egress, and network traffic is matched. Packets that match the entry criteria are allowed to transit the NGE domain in clear text.

  1. Enter an exception filter entry ID. The system does not dynamically assign a value.
  2. Specify matching criteria.

Use the following CLI syntax to configure IP exception filter matching criteria:

CLI Syntax:
config>filter# ip-exception filter-id
entry entry-id [create]
description description-string
match
dst-ip {ip-address/mask | ip-address ipv4-address-mask}
dst-port {lt | gt | eq} dst-port-number
dst-port range dst-port-number dst-port-number
icmp-code icmp-code
icmp-type icmp-type
src-ip {ip-address/mask | ip-address ipv4-address-mask}
src-port {lt | gt | eq} src-port-number
src-port range src-port-number src-port-number
Example:
config>filter>ip-except# entry 1 create
config>filter>ip-except>entry# match
config>filter>ip-except>entry>match# src-ip 10.10.10.10/32
config>filter>ip-except>entry>match# dst-ip 10.10.10.91/24
config>filter>ip-except>entry>match# exit

The following example displays a matching configuration.

A:ALU-7>config>filter>ip-exception# info
----------------------------------------------
            description "exception-main"
            scope exclusive
            entry 1
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
            exit
----------------------------------------------
A:ALU-7>config>filter>ip-except#

5.5.5. Configuring Filter Log Policies

Use the following CLI syntax to configure filter log policy:

CLI Syntax:
config>filter# log log-id
description description-string
destination memory num-entries
destination syslog syslog-id
summary
no shutdown
summary-crit dst-addr
summary-crit src-addr
wrap-around

The following example displays a filter log configuration.

A:ALU-48>config>filter>log# info detail
---------------------------------------------
          description "Test filter log."
          destination memory 1000
          wrap-around
          no shutdown
---------------------------------------------
A:ALU-48>config>filter>log#

5.5.6. Configuring a NAT Security Profile

To configure NAT, you must first:

  1. configure a NAT security profile and policy in the config>security context
    1. in the config>security>profile context, specify the timeouts for the tcp/udp/icmp protocols. This step is optional. If you do not configure the profile, a default profile is assigned.
    2. in the config>security>policy context, configure a NAT security policy, and specify the match criteria and the action to be applied to a packet if a match is found
  2. then configure a NAT zone and apply the policy ID to the zone

To configure a NAT security profile, you must create the profile ID. Once created, the profile ID is referenced when you set up a NAT policy.

CLI Syntax:
config>security# profile profile-id [create]
description description-string
name profile-name
timeouts
icmp-request minutes seconds
tcp-established days hours minutes seconds
tcp-syn days hours minutes seconds
tcp-time-wait minutes seconds
tcp-transitory days hours minutes seconds
udp days hours minutes seconds
udp-dns days hours minutes seconds
udp-initial minutes seconds

The following example displays a profile configuration.

Example:
config>security# begin
config>security# session-high-wmark 90
config>security# session-low-wmark 70
config>security# profile 2 create
config>security>profile# name "default"
config>security>profile# description "session timer check"
config>security>profile# timeouts
config>security>profile>timeouts# icmp-request sec 59
config>security>profile>timeouts# tcp-time-wait min 1
config>security>profile>timeouts# exit
config>security>profile# exit
config>security# commit

The following output displays a modified NAT profile.

A:ALU-7>config>security# info
----------------------------------------------
..
            session-high-wmark 90
            session-low-wmark 70
            profile 2 create
                 name "default"
                 description "For session timer check"
                 timeouts
                 exit
            exit
..
----------------------------------------------
A:ALU-7>config>security#

5.5.7. Configuring a NAT Security Policy

To configure NAT, you must first:

  1. configure a NAT security profile and policy in the config>security context
    1. in the config>security>profile context, specify the timeouts for the tcp/udp/icmp protocols. This step is optional. If you do not configure the profile, a default profile is assigned.
    2. in the config>security>policy context, configure a NAT security policy, and specify the match criteria and the action to be applied to a packet if a match is found
  2. then configure a NAT zone and apply the policy ID to the zone

To configure a NAT policy, you must create the policy ID.

CLI Syntax:
config>security# policy policy-id [create]
description description-string
entry entry-id [create]
description description-string
match [local] protocol protocol-id
direction {zone-outbound | zone-inbound | both}
dst-ip ip-address to ip-address
dst-port {lt | gt | eq} port range start end
icmp-code icmp-code
icmp-type icmp-type
src-ip ip-address to ip-address
src-port {lt | gt | eq} port range start end
action {forward | reject | nat}
action nat [destination ip-address port tcp-udp-port]
limit
concurrent-sessions number
profile profile-id | profile-name
name policy-name

For the action nat command, the destination ip-address and port tcp-udp-port parameters apply only to static destination NAT (port forwarding).

The following example displays a policy configuration for source NAT.

Example:
config>security# begin
config>security# policy 1 create
config>security>policy# name "inbound policy"
config>security>policy# description "common egress policy"
config>security>policy# entry 1 create
config>security>policy>entry# description "Source NAT"
config>security>policy>entry# match
config>security>policy>entry>match# direction zone-inbound
config>security>policy>entry>match# exit
config>security>policy>entry# limit
config>security>policy>entry>limit# exit
config>security>policy>entry# action nat
config>security>policy>entry# profile 2
config>security>policy>entry# exit
config>security>policy# exit
config>security# commit

The following example displays a policy configuration for static destination NAT.

Example:
config>security# begin
config>security# policy 1 create
config>security>policy# entry 2 create
config>security>policy>entry# description "Dest NAT"
config>security>policy>entry# match local protocol udp
config>security>policy>entry>match# dst-port eq 4000
config>security>policy>entry>match# exit
config>security>policy>entry# limit
config>security>policy>entry>limit# exit
config>security>policy>entry# action nat destination 10.10.10.1 port 4000
config>security>policy>entry# profile 2
config>security>policy>entry# exit
config>security>policy# exit
config>security# commit

The following output displays a modified NAT policy.

A:ALU-7>config>security# info
----------------------------------------------
..
            policy 1 create
               name "inbound policy"
               description "common egress policy"
               entry 1 create
                  description "Source NAT"
                  match
                     direction zone-inbound
                  exit
                  limit
                  action nat
                  profile 2
               exit
               entry 2 create
                  description "Dest NAT"
                  match local protocol udp
                     dst-port eq 4000
                  exit
                  limit
                  action nat destination 10.10.10.1 port 4000
                  profile 2
               exit
            exit
..
----------------------------------------------
A:ALU-7>config>security#

5.5.8. Applying IP and MAC Filter Policies to a Service

Filter policies must be created before they can be applied to a service. Create filter policies in the config>filter context.

The following CLI syntaxes show how to apply filter policies to services. Use the first CLI syntax to apply an IP or MAC filter policy to a VPLS SAP, mesh SDP, or spoke SDP. Use the second CLI syntax for Epipe or Ipipe services. Use the third CLI syntax for VPRN or IES interface SAPs and spoke SDPs. (For IES SAPs, IPv6 ingress and egress filters can also be applied.)

CLI Syntax:
config>service# vpls service-id
sap sap-id
egress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
ingress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
mesh-sdp sdp-id:vc-id [vc-type {ether | vlan}]
ingress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
spoke-sdp sdp-id:vc-id [vc-type {ether | vlan}]
ingress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
CLI Syntax:
config>service# epipe service-id
sap sap-id
ingress
filter ip ip-filter-id
CLI Syntax:
config>service# vprn service-id
interface ip-int-name
sap sap-id
egress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
ingress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
spoke-sdp sdp-id:vc-id
ingress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id

The following example is for VPLS. A VPRN example includes the interface command (config>service>vprn>interface).

Example:
config>service# vpls 5000
config>service>vpls# sap 1/5/5
config>service>vpls>sap# ingress filter mac 92
config>service>vpls>sap# egress filter ip 10
config>service>vpls>sap# exit
config>service>vpls# mesh-sdp 15:5000
config>service>vpls>mesh-sdp# ingress filter mac 93
config>service>vpls>mesh-sdp# exit
config>service>vpls# spoke-sdp 15:5001
config>service>vpls>spoke-sdp# ingress filter mac 94
config>service>vpls>spoke-sdp# exit

The following example displays an IP and MAC filter assignment for a VPLS service configuration:

A:ALU-48>config>service>vpls# info
----------------------------------------------
...
     sap 1/5/5 create
          ingress
               filter mac 92
          exit
          egress
               filter ip 10
          exit
     exit
     mesh-sdp 15:5000 create
          ingress
               filter mac 93
          exit
     exit
     spoke-sdp 15:5001 create
          ingress
               filter mac 94
          exit
     exit
     no shutdown
...
----------------------------------------------
A:ALU-48>config>service>vpls#

5.5.9. Applying IP Filter Policies to Network Interfaces

IP filter policies can be applied to ingress and egress network IP interfaces.

IPv4 filters are supported on all ingress and egress network interfaces. IPv6 filters are supported on all Ethernet ingress and egress network interfaces (with null or dot1q encapsulation) and on ingress and egress interfaces on the 4-port OC3/STM1 Clear Channel Adapter card (with POS encapsulation).

Filter policies must be created before they can be applied to a network interface. Create filter policies in the config>filter context.

CLI Syntax:
config>router# interface ip-int-name
egress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
ingress
filter ip ip-filter-id
filter ipv6 ipv6-filter-id
Example:
config>router# interface to-104
config>router>if# ingress
config>router>if>ingress# filter ip 10
config>router>if>ingress# exit
A:ALU-48>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
...
        interface "to-104"
            address 10.0.0.10/32
            port 1/1/1
            ingress
                filter ip 10
            exit
        exit
...
#------------------------------------------
A:ALU-48>config>router# 

5.5.10. Applying VLAN Filter Policies to a Ring Port

VLAN filter policies can be applied to a ring port on the 2-port 10GigE (Ethernet) Adapter card and 2-port 10GigE (Ethernet) module. The filter operates on ingress traffic. Filter policies must be created before they can be applied. Create filter policies in the config>filter context.

CLI Syntax:
config>port>ethernet# vlan-filter filter-id
Example:
config>port>ethernet# vlan-filter 2
A:ALU-48>config>port>ethernet# info
#------------------------------------------
...
        vlan-filter 2 
...
#------------------------------------------
A:ALU-48>config>port>ethernet# 

5.6. Filter Management Tasks

This section discusses the following filter policy management tasks:

5.6.1. Renumbering Filter Policy Entries

The 7705 SAR exits the matching process when the first match is found and then executes the action specified in that entry. Because the ordering of entries therefore decides which action applies, the numbering sequence can be rearranged. Entries should be numbered from the most explicit to the least explicit.

Use the following CLI syntax to resequence existing IP, MAC, and VLAN filter entries:

CLI Syntax:
config>filter
ip-filter {filter-id | filter-name}
renum old-entry-id new-entry-id
Example:
config>filter>ip-filter# renum 10 15
config>filter>ip-filter# renum 30 40
config>filter>ip-filter# renum 40 1
CLI Syntax:
config>filter
ipv6-filter {ipv6-filter-id | filter-name}
renum old-entry-id new-entry-id
Example:
config>filter>ipv6-filter# renum 10 15
config>filter>ipv6-filter# renum 30 40
config>filter>ipv6-filter# renum 40 1
CLI Syntax:
config>filter
mac-filter {filter-id | filter-name}
renum old-entry-id new-entry-id
Example:
config>filter>mac-filter# renum 10 15
config>filter>mac-filter# renum 30 40
config>filter>mac-filter# renum 40 1
CLI Syntax:
config>filter
vlan-filter {filter-id | filter-name}
renum old-entry-id new-entry-id
Example:
config>filter>vlan-filter# renum 10 15
config>filter>vlan-filter# renum 30 40
config>filter>vlan-filter# renum 40 1

The following output displays the original IP filter entry order followed by the reordered filter entries:

A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
                action forward
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
            entry 35 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
            entry 40 create
                match
                    dst-ip 10.10.10.0/29
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
        exit
...
----------------------------------------------
A:ALU-7>config>filter#
A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.0/29
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.10/32
                exit
                action forward
            exit
            entry 35 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.200/24
                exit
                action forward
            exit
            entry 40 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
        exit
...
----------------------------------------------
A:ALU-7>config>filter#
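To make the effect of the renumbering concrete, the following added example (not from the 7705 SAR guide) models first-match evaluation of ip-filter 11 "filter-main" in Python. The entries are constructed to mirror the first info output above, the default action is assumed to be drop because the output does not show it, and the three renum operations are applied in a collision-free order (entry 40 has to move to 1 before entry 30 can take id 40; the simulated renum refuses to land on an existing id rather than silently merge two entries). Two constructed packets show that the verdict flips purely because of the new order.

```python
"""Added example: first-match filter evaluation and the effect of `renum`.
Not code from the 7705 SAR guide; entries mirror the 'filter-main' output."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    """One filter entry: optional src/dst prefixes plus an action."""
    action: str
    dst_ip: Optional[str] = None
    src_ip: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        # strict=False mirrors the guide's notation of a host address with a mask,
        # e.g. 10.10.10.91/24 is treated as the prefix 10.10.10.0/24.
        if self.dst_ip and ip_address(dst) not in ip_network(self.dst_ip, strict=False):
            return False
        if self.src_ip and ip_address(src) not in ip_network(self.src_ip, strict=False):
            return False
        return True


@dataclass
class IpFilter:
    default_action: str = "drop"  # assumption: the page's output omits default-action
    entries: Dict[int, Entry] = field(default_factory=dict)

    def evaluate(self, src: str, dst: str) -> Tuple[Optional[int], str]:
        """Scan entries in ascending entry-id order; the first match decides.
        Returns (matching entry id or None, resulting action)."""
        for entry_id in sorted(self.entries):
            if self.entries[entry_id].matches(src, dst):
                return entry_id, self.entries[entry_id].action
        return None, self.default_action

    def renum(self, old_id: int, new_id: int) -> None:
        """Move an entry to a new id, as `renum old-entry-id new-entry-id` does.
        Refuses to land on an existing id so two entries are never silently merged."""
        if old_id not in self.entries:
            raise KeyError(f"entry {old_id} does not exist")
        if new_id in self.entries:
            raise ValueError(f"entry {new_id} already exists; move it first")
        self.entries[new_id] = self.entries.pop(old_id)


def build_filter_main() -> IpFilter:
    """Constructed copy of ip-filter 11 'filter-main' before renumbering."""
    f = IpFilter()
    f.entries[10] = Entry("forward", dst_ip="10.10.10.91/24", src_ip="10.10.10.10/32")
    f.entries[30] = Entry("drop", dst_ip="10.10.10.91/24", src_ip="10.10.0.100/24")
    f.entries[35] = Entry("forward", dst_ip="10.10.10.91/24", src_ip="10.10.0.200/24")
    f.entries[40] = Entry("drop", dst_ip="10.10.10.0/29", src_ip="10.10.10.106/24")
    return f


def apply_page_renumbering(f: IpFilter) -> IpFilter:
    """The three renum operations from the guide, applied in a collision-free
    order: 40 must vacate id 40 before 30 can take it."""
    f.renum(10, 15)
    f.renum(40, 1)
    f.renum(30, 40)
    return f


if __name__ == "__main__":
    before = build_filter_main()
    after = apply_page_renumbering(build_filter_main())
    # Constructed packets whose verdict depends purely on entry order.
    for src, dst in [("10.10.10.10", "10.10.10.3"), ("10.10.0.100", "10.10.10.91")]:
        print(f"{src} -> {dst}: before {before.evaluate(src, dst)}, "
              f"after {after.evaluate(src, dst)}")
```

Before renumbering, a packet from 10.10.10.10 to 10.10.10.3 is forwarded by entry 10; afterwards the narrower drop entry now numbered 1 is hit first and the packet is dropped. Likewise, traffic from 10.10.0.100 to 10.10.10.91 was dropped by entry 30 and is forwarded by entry 35 once the drop entry has been moved behind it, because the two entries' source prefixes overlap completely and only their order decides.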

5.6.2. Modifying an IP Filter Policy

To access a specific IPv4 or IPv6 filter, you must specify the filter ID or the filter name (if a filter name is configured). Use the no form of the command to remove the command parameters or return the parameter to the default setting.

Example:
config>filter>ip-filter# description "New IP filter info"
config>filter>ip-filter# entry 2 create
config>filter>ip-filter>entry# description "new entry"
config>filter>ip-filter>entry# action drop
config>filter>ip-filter>entry# match dst-ip 10.10.10.104/32
config>filter>ip-filter>entry# exit
config>filter>ip-filter#
config>filter>ipv6-filter# description "IPv6 filter info"
config>filter>ipv6-filter# entry 3 create
config>filter>ipv6-filter>entry# description "new entry"
config>filter>ipv6-filter>entry# action drop
config>filter>ipv6-filter>entry# match dst-ip 10::12/128
config>filter>ipv6-filter>entry# exit
config>filter>ipv6-filter#

The following output displays the modified IP filter:

A:ALU-7>config>filter# info
----------------------------------------------
..
        ip-filter 11 create
            description "New IP filter info"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.0/29
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
            entry 2 create
                description "new entry"
                match
                    dst-ip 10.10.10.104/32
                exit
                action drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
                action forward
            exit
            entry 35 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
        exit
..
----------------------------------------------
A:ALU-7>config>filter#

5.6.3. Modifying a MAC Filter Policy

To access a specific MAC filter, you must specify the filter ID or the filter name (if a filter name is configured). Use the no form of the command to remove the command parameters or return the parameter to the default setting. The example below changes the action to forward.

Example:
config>filter# mac-filter 90
config>filter>mac-filter# description "Mac_filter90"
config>filter>mac-filter# entry 1
config>filter>mac-filter>entry# description "Mac_entry90_1"
config>filter>mac-filter>entry# action forward
config>filter>mac-filter>entry# exit

The following output displays the modified MAC filter:

A:ALU-7>config>filter# info
----------------------------------------------
...
         mac-filter 90 create
              description "Mac_filter90"
              scope exclusive
              entry 1 create
                  description "Mac_entry90_1"
                  match
                       src-mac 00:dc:98:1d:00:00 
                       dst-mac 02:dc:98:1d:00:01 
                  exit
                  action forward
              exit
         exit
...
----------------------------------------------
A:ALU-7>config>filter#

5.6.4. Modifying a VLAN Filter Policy

To access a specific VLAN filter, you must specify the filter ID or the filter name (if a filter name is configured). Use the no form of the command to remove the command parameters or return the parameter to the default setting. The example below adds entry 65535.

Example:
config>filter# vlan-filter 2
config>filter>vlan-filter# entry 65535 create
config>filter>vlan-filter>entry# description "entry_65535"
config>filter>vlan-filter>entry# action forward
config>filter>vlan-filter>entry# match vlan range 2000 to 3000
config>filter>vlan-filter>entry# exit

The following output displays the modified VLAN filter:

*A:7705custDoc:Sar18>config>filter>vlan-filter# info
----------------------------------------------
    description "VLAN_filter_2"
    entry 2 create
        description "vlan_fltr_entry2"
        action forward
        match vlan eq 104
    exit
    entry 65535 create
        description "entry_65535"
        action forward
        match vlan range 2000 to 3000
    exit
----------------------------------------------
*A:7705custDoc:Sar18>config>filter>vlan-filter#

5.6.5. Removing and Deleting a Filter Policy

Before you can delete a filter, you must remove the filter association from the applied ingress and egress SAPs, ingress SDPs, and ingress network interfaces.

You can remove a filter policy and then delete it from the following entities:

5.6.5.1. Removing a Filter from a Service

To remove an IP or MAC filter from a VPLS SAP or VPLS SDP (spoke or mesh), use the first CLI syntax (below). For a VPRN or IES interface SAP or spoke SDP, use the second CLI syntax:

CLI Syntax:
config>service# vpls service-id
sap sap-id
egress
no filter ip ip-filter-id
no filter ipv6 ipv6-filter-id
ingress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id | mac mac-filter-id]
spoke-sdp sdp-id:vc-id
ingress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id | mac mac-filter-id]
mesh-sdp sdp-id:vc-id
ingress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id | mac mac-filter-id]
CLI Syntax:
config>service# vprn service-id
interface ip-int-name
sap sap-id
egress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id ]
ingress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id ]
spoke-sdp sdp-id:vc-id
ingress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id ]

The following example is for VPLS. A VPRN example includes the interface command (config>service>vprn>interface).

Example:
config>service# vpls 5000
config>service>vpls# sap 1/1/2
config>service>vpls>sap# ingress
config>service>vpls>sap>ingress# no filter ip 232
config>service>vpls>sap>ingress# exit
config>service>vpls>sap# exit
config>service>vpls# spoke-sdp 15:5001
config>service>vpls>spoke-sdp# ingress
config>service>vpls>spoke-sdp>ingress# no filter mac 55
config>service>vpls>spoke-sdp>ingress# exit
config>service>vpls>spoke-sdp# exit
config>service>vpls# mesh-sdp 15:5000
config>service>vpls>mesh-sdp# ingress
config>service>vpls>mesh-sdp>ingress# no filter mac 54

5.6.5.2. Removing a Filter from a Network Interface

To remove an IPv4 or IPv6 filter from a network interface, enter the following CLI commands:

CLI Syntax:
config>router# interface ip-int-name
egress
no filter [ip ip-filter-id]
no filter [ipv6 ipv6-filter-id]
ingress
no filter [ip ip-filter-id]
no filter [ipv6 ipv6-filter-id]
Example:
config>router# interface b11
config>router>if# egress
config>router>if>egress# no filter ip 12
config>router>if>egress# exit
config>router>if# ingress
config>router>if>ingress# no filter ip 2
config>router>if>ingress# exit

5.6.5.3. Removing a Filter from a Ring Port

To remove a VLAN filter from a ring port, enter the following CLI command. Including filter-id is optional because only one filter can be applied to a port.

CLI Syntax:
config>port>ethernet# no vlan-filter [filter-id]
Example:
config>port>ethernet# no vlan-filter 2

5.6.5.4. Deleting a Filter

After you have removed the filter from all the network interfaces, SAPs, and SDPs (spoke and/or mesh) where it was applied, use the following CLI syntax to delete the filter:

CLI Syntax:
config>filter# no ip-filter {filter-id | filter-name}
config>filter# no ipv6-filter {ipv6-filter-id | filter-name}
config>filter# no mac-filter {filter-id | filter-name}
config>filter# no vlan-filter {filter-id | filter-name}
Example:
config>filter# no ip-filter 2
config>filter# no mac-filter 55