Filter policy entries can be statically configured using CLI, SNMP, or NETCONF or dynamically created using BGP FlowSpec, OpenFlow, VSD (XMPP), or RADIUS/Diameter for ESM subscribers.
Dynamic filter entries for flowspec, openflow, and vsd can be inserted in a filter policy of scope template or exclusive using the embed-filter command in IPv4 and IPv6 filter policies. Additionally, flowspec embedding is supported using a filter policy of scope system.
BGP FlowSpec
BGP FlowSpec routes are learned in a particular routing instance and can be used to dynamically create filter entries in a specific filter policy using the embed-filter flowspec command.
The following rules apply to FlowSpec embedding:
The operator explicitly defines both the offset at which to insert FlowSpec filter entries and the router instance the FlowSpec routes belong to. The embedded FlowSpec filter entry ID is chosen by the system following RFC 5575, Dissemination of Flow Specification Rules. Note that these entry IDs are not necessarily sequential and do not necessarily follow the order in which the rules are received.
The maximum number of FlowSpec filter entries in a specific filter policy is configurable by the operator at the router or VPRN level using the ip-filter-max-size and ipv6-filter-max-size commands. This limit defines the boundary for FlowSpec embedding in a filter policy (offset and ip-filter-max-size).
When using a filter policy of scope template or exclusive, the router instance defined in the embed-filter flowspec command must match the router interface that the filter policy is applied to and the router instance that the FlowSpec routes are received from.
When using a filter policy of scope system, embedding FlowSpec entries from different router instances is allowed and can be applied to any router interfaces.
See section IPv4/IPv6 filter policy entry match criteria on embedded filter scope for recommendations on filter entry ID spacing and overlapping of entries.
The following is a FlowSpec configuration example:
The maximum number of FlowSpec routes in the base router instance is configured for 50,000 entries using the ip-filter-max-size command.
The filter policy 100 of scope template is configured to embed FlowSpec routes from the base router instance at offset 100,000. The offset chosen in this example avoids overlapping with statically defined entries in the same policy. In this case, the statically defined entries can use the entry ID range 1-99999 and 149999-2M for defining static entries before or after the FlowSpec filter entries.
A:7750>config>router#
----------------------------------------------
        flowspec
            ip-filter-max-size 50000
        exit
----------------------------------------------
A:7750>config>filter# info
----------------------------------------------
        ip-filter 100 name "100" create
            embed-filter flowspec router "Base" offset 100000
        exit
----------------------------------------------
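The following Python check is an added example, not part of the original documentation or of any vendor tooling. It reads classic-CLI filter output like the configuration above and lists the static entries whose IDs fall inside the range set aside for FlowSpec. Assumptions: the `entry ... create` lines in the sample are constructed, the per-instance `ip-filter-max-size` is passed in as a dictionary, only IPv4 `ip-filter` policies are audited, and the range bounds follow the static ranges stated in the example (1-99999 and 149999 upward).

```python
import re

HEADER_RE = re.compile(r'^\s*(ip|ipv6|mac)-filter\s+(\d+)\b')
EMBED_RE = re.compile(r'^\s*embed-filter\s+flowspec\s+router\s+"([^"]+)"\s+offset\s+(\d+)')
ENTRY_RE = re.compile(r'^\s*entry\s+(\d+)\s+create\b')

# Constructed sample: the policy line and embed-filter line mirror the page's
# example; the static "entry ... create" lines are invented for illustration.
SAMPLE_CONFIG = '''
ip-filter 100 name "100" create
    embed-filter flowspec router "Base" offset 100000
    entry 99999 create
    exit
    entry 100000 create
    exit
    entry 149998 create
    exit
    entry 149999 create
    exit
exit
'''

def flowspec_window(offset, max_size):
    """Entry IDs set aside for FlowSpec, bounded as in the page's example:
    offset 100000 and size 50000 leave 1-99999 and 149999 upward for static use."""
    return range(offset, offset + max_size - 1)

def audit_filter_config(text, max_size_by_router):
    """Return [(filter_id, entry_id, router)] for static entries inside a window."""
    filters = {}    # filter id -> {"embeds": [(router, offset)], "entries": [ids]}
    current = None  # policy being read; None while outside an IPv4 ip-filter
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            is_ipv4 = m.group(1) == "ip"
            current = filters.setdefault(int(m.group(2)), {"embeds": [], "entries": []}) if is_ipv4 else None
        elif current is None:
            continue
        elif m := EMBED_RE.match(line):
            current["embeds"].append((m.group(1), int(m.group(2))))
        elif m := ENTRY_RE.match(line):
            current["entries"].append(int(m.group(1)))
    findings = []
    for fid, f in sorted(filters.items()):
        for router, offset in f["embeds"]:
            window = flowspec_window(offset, max_size_by_router[router])  # KeyError if size unknown
            findings += [(fid, e, router) for e in sorted(f["entries"]) if e in window]
    return findings
```

Calling `audit_filter_config(SAMPLE_CONFIG, {"Base": 50000})` reports entries 100000 and 149998 of filter 100 as colliding with the FlowSpec range.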
OpenFlow
The embedded filter infrastructure is used to insert OpenFlow rules into an existing filter policy. See Hybrid OpenFlow switch for more details. Policy-controlled auto-created filters are re-created on system reboot. Policy-controlled filter entries are lost on system reboot and need to be re-programmed.
VSD
VSD filters are created dynamically using XMPP and managed using a Python script so rules can be inserted into or removed from the correct VSD template or embedded filters. XMPP messages received by the 7750 SR are passed transparently to the Python module to generate the appropriate CLI. For more information about VSD filter provisioning, automation, and Python scripting details, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide: VLL, VPLS, PBB, and EVPN.
RADIUS/Diameter for Subscriber Management
The operator can assign filter policies or filter entries used by a subscriber within a preconfigured filter entry range defined for RADIUS or Diameter. See the 7450 ESS, 7750 SR, and VSR Triple Play Service Delivery Architecture Guide and filter RADIUS-related commands for more details.