4.2. Configuring Filter Policies with CLI
This section provides information to configure filter policies using the command line interface.
4.2.1. Common Configuration Tasks
This section provides a brief overview of the tasks that must be performed for all IPv4, IPv6, and MAC filter configurations and provides the CLI commands.
4.2.1.1. Creating an IPv4 Filter Policy
A filter policy has the following attributes:
- Policy ID and policy name
- Scope: template, exclusive, embedded, system
- Type: normal, src-mac, packet-length
- One or more filter entries defining match criteria and action
- Default action to define how packets that do not match any of the filter entries are handled
Use the following CLI syntax to create a template IPv4 filter policy:
4.2.1.1.1. IPv4 Filter Entry
Within a filter policy, configure filter entries which contain criteria against which ingress, egress traffic is matched. The action specified in the entry determine how the packets are handled, such as drop or forward.
- Enter a filter entry ID.
- Configure the filter action.
- Configure the filter matching criteria.
The following displays an IPv4 filter entry configuration example:
4.2.1.1.1.1. Cflowd Filter Sampling
Within a filter entry, you can specify that traffic matching the associated IPv4 filter entry is sampled if the IPv4 interface is set to cflowd acl mode. Enabling filter-sample enables the cflowd tool.
The following displays an IPv4 filter entry configuration example:
Within a filter entry, you can also specify that traffic matching the associated IPv4 filter entry is not sampled by cflowd if the IPv4 interface is set to cflowd interface mode. The following displays an IPv4 filter entry configuration example:
4.2.1.2. Creating an IPv6 Filter Policy
IPv6 filter policy configuration mimics IP filter policy configuration. See Creating an IPv4 Filter Policy.
4.2.1.3. Creating a MAC Filter Policy
Each filter policy must have the following:
- The filter policy type specified (MAC normal, MAC isid, MAC vid)
- A filter policy ID
- A default action, either drop or forward
- Filter policy scope, either exclusive or template
- At least one filter entry, with a match criterion defined
4.2.1.3.1. MAC Filter Policy
The following example shows a MAC filter policy configuration:
4.2.1.3.2. MAC ISID Filter Policy
The following example shows an ISID filter policy configuration:
4.2.1.3.3. MAC VID Filter Policy
The following example shows a VID filter policy configuration:
4.2.1.3.4. MAC Filter Entry
Within a filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, such as dropping or forwarding.
- Enter a filter entry ID. The system does not dynamically assign a value.
- Assign an action.
- Specify matching criteria.
The following displays a MAC filter entry configuration example:
4.2.1.4. Creating an IPv4 Exception Filter Policy
Configuring and applying IPv4 exception filter policies is optional. Each exception filter policy must have the following:
- an exception filter policy ID
- scope specified, either exclusive or template
- at least one filter entry with matching criteria specified
4.2.1.4.1. IP Exception Filter Policy
Use the following CLI syntax to create an IP exception filter policy:
The following example displays a template IP exception filter policy configuration.
4.2.1.4.2. IP Exception Entry Matching Criteria
Within an exception filter policy, configure exception entries that contain criteria against which ingress, egress, and network traffic is matched. Packets that match the entry criteria are allowed to transit the NGE domain in clear text.
- Enter an exception filter entry ID. The system does not dynamically assign a value.
- Specify matching criteria.
Use the following CLI syntax to configure IP exception filter matching criteria:
The following example displays a matching configuration.
4.2.1.5. Creating an IPv6 Exception Filter Policy
Configuring and applying IPv6 exception filter policies is optional. Each exception filter policy must have the following:
- an exception filter policy ID
- at least one filter entry with matching criteria specified
4.2.1.5.1. IPv6 Exception Filter Policy
Use the following CLI syntax to create an IPv6 exception filter policy:
 | Note: In the ipv6-exception command, exception-id is equivalent to the ip-exception variable filter-id. |
The following example displays a template IPv6 exception filter policy configuration.
4.2.1.5.2. IPv6 Exception Entry Matching Criteria
Within an exception filter policy, configure exception entries that contain criteria against which ingress and network traffic is matched. Packets that match the entry criteria are allowed to transit the IPsec domain in clear text.
- Enter an exception filter entry ID. The system does not dynamically assign a value.
- Specify matching criteria.
Use the following CLI syntax to configure IPv6 exception filter matching criteria:
The following example displays a matching configuration.
4.2.1.6. Creating a Match List for Filter Policies
To create a match list you must:
- Specify a type of a match list (for example, an IPv4 address prefix list).
- Define a unique match list name (for example, an IPv4-Deny-List).
- Specify at least one entry in the list (for example, a valid IPv4 prefix).
The following example shows an IPv4 prefix list configuration and its usage in an IPv4 filter policy:
4.2.1.7. Applying Filter Policies
Filter policies can be associated with the entities listed in Table 10.
Table 10: Applying Filter Policies
IPv4 and IPv6 Filter Policies | MAC Filter Policies |
Epipe SAP, spoke SDP | Epipe SAP, spoke SDP |
Fpipe SAP, spoke SDP | — |
IES interface SAP, spoke SDP, R-VPLS | — |
Ipipe SAP, spoke SDP | — |
VPLS mesh SDP, spoke SDP, SAP | VPLS mesh SDP, spoke SDP, SAP |
VPRN interface SAP, spoke SDP, R-VPLS, network ingress | — |
Network interface | — |
4.2.1.7.1. Applying IPv4/IPv6 and MAC Filter Policies to a Service
IP and MAC filter policies are applied by associating them with a SAP and/or spoke-sdp in ingress and/or egress direction as needed. Filter ID is used to associate an existing filter policy, or if defined, a Filter Name for that filter policy can be used in the CLI.
The following output displays IP and MAC filters assigned to an ingress and egress SAP and spoke SDP:
The following output displays an IPv6 filters assigned to an IES service interface:
4.2.1.7.2. Applying IPv4/IPv6 Filter Policies to a Network Port
IP filter policies can be applied to network IPv4 and IPv6 interfaces. MAC filters cannot be applied to network IP interfaces or to routable IES services. Similarly to applying filter policies to service, IPv4/IPv6 filter policies are applied to network interfaces by associating a policy with ingress and egress direction as desired. Filter ID is used to associate an existing filter policy, or if defined, a filter name for that filter ID policy can be used in the CLI.
The following displays an IP filter applied to an interface at ingress.
The following displays IPv4 and IPv6 filters applied to an interface at ingress and egress.
4.2.1.8. Creating a Redirect Policy
Configuring and applying redirect policies is optional. Each redirect policy must have the following:
- A destination IP address
- A priority (default is 100)
Configuring a ping test is recommended.
The following displays a redirection policy configuration:
4.2.1.9. Configuring Filter-Based GRE Tunneling
Traffic matching an IP filter can be tunneled with GRE using the following mechanisms.
- Configure a GRE tunnel template.
- Associate the GRE tunnel template with the forwarding action of an IPv4 or IPv6 filter using the forward gre-tunnel gre-tunnel-template command.
The gre-tunnel-template defines the parameters to create the GRE header used to encapsulate matching IP traffic.
- One or more destination IP addresses must be defined in the gre-tunnel-template.
- If more than one destination is configured, then traffic is hashed across all available destinations.
- Traffic is routed to the selected destination address based on the route table in the forwarding context of the IP filter.
- The source address can be configured to any value and is not validated against a local IP address on the local router.
- The optional gre-key field can be populated with the ifIndex of the ingress interface on which the matching IP packet was received.
- An optional template parameter, skip-ttl-decrement, allows the TTL of the encapsulated IP packet to be not decremented when encapsulated into the GRE header.
The following is an example configuration:
4.3. Filter Management Tasks
This section describes filter policy management tasks.
4.3.1. Renumbering Filter Policy Entries
The system exits the matching process when the first match is found and then executes the actions in accordance with the specified action. Because the ordering of entries is important, the numbering sequence may need to be rearranged. Entries should be numbered from the most explicit to the least explicit.
The following example shows renumbering of filter entries.
The following displays the original filter entry order, followed by the reordered filter entries:
4.3.2. Modifying a Filter Policy
There are several ways to modify an existing filter policy. A filter policy can be modified dynamically as part of subscriber management dynamic insertion or removal of filter policy entries (see the 7450 ESS, 7750 SR, and VSR Triple Play Service Delivery Architecture Guide for details). A filter policy can be modified indirectly by configuration change to a match list the filter policy uses (as described earlier in this guide). In addition, a filter policy can be directly edited as described below.
To access a specific IP (v4/v6), or MAC filter, you must specify the filter ID, or if defined, filter name. Use the no form of the command to remove the command parameters or return the parameter to the default setting.
The following output displays the modified IP filter output:
4.3.3. Deleting a Filter Policy
Before deleting a filter, the filter associations must be removed from all the applied ingress and egress SAPs and network interfaces by executing no filter command in all context where the filter is used.
After you have removed the filter from the SAPs network interfaces, you can delete the filter as shown in the following example.
4.3.4. Modifying a Redirect Policy
To access a specific redirect policy, the policy name must be specified. Use the no form of the command to remove the command parameters or return the parameter to the default setting.
4.3.5. Deleting a Redirect Policy
Before a redirect policy can be deleted from the filter configuration, the policy association must be removed from the IP filter.
The following example shows the command usage to replace the configured redirect policy (redirect1) with a different redirect policy (redirect2) and then removing the redirect1 policy from the filter configuration.
4.3.6. Copying Filter Policies
When changes are to be made to an existing filter policy applied to a one or more SAPs or network interfaces, Nokia recommends to first copy the applied filter policy, then modify the copy and then overwrite the applied policy with the modified copy. This ensures that a policy being modified is not applied when partial changes are done as any filter policy edits are applied immediately to all services where the policy is applied.
New filter policies can also be created by copying an existing policy and renaming the new filter.
The following displays the command usage to copy an existing IP filter (11) to create a new filter policy (12) that can then be edited. And once edits are completed, it can be used to overwrite existing policy (11).