A router H-OFS instance is embedded into line card IPv4 and IPv6 filter policies to achieve OF-controlled Policy Based Routing (PBR). When an H-OFS instance is created, the embedded filters (IP and IPv6) required for that instance are automatically created. The filters are created with names, as follows:
"_tmnx_ofs_<ofs_name>", with the same name used for the IPv4 and IPv6 filters.
If embedded filters cannot be allocated because of the lack of filter policy instances, the creation of an H-OFS instance fails. When the H-OFS instance is deleted, the corresponding embedded filters are freed.
The H-OFS can be embedded only in ingress filter policies on line cards/platforms supporting embedded filters and for services supporting H-OFS. Embedding of an H-OFS in filter policies on unsupported services is blocked. Embedding of an H-OFS in filter policies in an unsupported direction or on unsupported hardware follows the general filter policy misconfiguration behavior and is not recommended. Unsupported match fields are ignored. Other match criteria may cause a packet to match an entry.
As soon as an H-OFS instance is created, the controller can program OF rules for that instance. For instance, the rules can be created before the H-OFS instance is embedded into a filter policy, or before a filter policy with the H-OFS instance embedded is assigned to an interface. This allows the operator to either pre-program H-OFS steering rules, or to disable the rules without removing them from a flow table by removing the embedding. An error is returned to the controller if it attempts to program rules not supported by the system. The following lists examples of the errors returned:
unsupported instr: [OFPET_BAD_INSTRUCTION, OFPBIC_UNSUP_INST]
unsupported action: [OFPET_BAD_ACTION, OFPBAC_BAD_TYPE]
unsupported output port: [OFPET_BAD_ACTION, OFPBAC_BAD_OUT_PORT]
unsupported match field: [OFPET_BAD_MATCH, OFPBMC_BAD_FIELD]
unsupported match value: [OFPET_BAD_MATCH, OFPBMC_BAD_VALUE]
output port invalid/deleted after flow_mod is sent to filter: [OFPET_BAD_ACTION, OFPBAC_BAD_OUT_PORT]
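A controller-side decoder for the error pairs listed above, so that a rejected steering rule is surfaced rather than silently missing from the filter. This is an added example, not code from this guide or from the router software; it assumes OpenFlow 1.3 wire numbering (the page does not state the protocol version), and `decode_error`, `build_error` and the sample xids are hypothetical names and constructed values.

```python
import struct

# Assumption: numeric values are those of the OpenFlow 1.3 specification.
OFP_VERSION_1_3, OFPT_ERROR = 0x04, 1
ERROR_TYPES = {2: "OFPET_BAD_ACTION", 3: "OFPET_BAD_INSTRUCTION", 4: "OFPET_BAD_MATCH"}
ERROR_CODES = {
    (3, 1): "OFPBIC_UNSUP_INST",
    (2, 0): "OFPBAC_BAD_TYPE",
    (2, 4): "OFPBAC_BAD_OUT_PORT",
    (4, 6): "OFPBMC_BAD_FIELD",
    (4, 7): "OFPBMC_BAD_VALUE",
}
# Causes exactly as listed on this page; BAD_OUT_PORT covers two of them.
CAUSES = {
    "OFPBIC_UNSUP_INST": ["unsupported instr"],
    "OFPBAC_BAD_TYPE": ["unsupported action"],
    "OFPBAC_BAD_OUT_PORT": ["unsupported output port",
                            "output port invalid/deleted after flow_mod is sent to filter"],
    "OFPBMC_BAD_FIELD": ["unsupported match field"],
    "OFPBMC_BAD_VALUE": ["unsupported match value"],
}

def decode_error(msg: bytes) -> dict:
    """Decode one OFPT_ERROR message into type/code names and candidate causes."""
    if len(msg) < 12:
        raise ValueError("truncated: an error message is at least 12 bytes")
    version, msg_type, length, xid = struct.unpack_from("!BBHI", msg, 0)
    if version != OFP_VERSION_1_3 or msg_type != OFPT_ERROR:
        raise ValueError("not an OpenFlow 1.3 error message")
    if length < 12 or length > len(msg):
        raise ValueError("header length does not match the buffer")
    err_type, err_code = struct.unpack_from("!HH", msg, 8)
    code_name = ERROR_CODES.get((err_type, err_code))
    return {
        "xid": xid,  # same xid as the flow_mod that was rejected
        "type": ERROR_TYPES.get(err_type, f"type {err_type}"),
        "code": code_name or f"code {err_code}",
        "causes": CAUSES.get(code_name, []),  # empty for pairs not listed on this page
        "data": msg[12:length],  # bytes of the offending request echoed back
    }

def build_error(xid, err_type, err_code, data=b""):
    """Build a constructed sample message for the demo (not captured traffic)."""
    return struct.pack("!BBHIHH", OFP_VERSION_1_3, OFPT_ERROR, 12 + len(data), xid, err_type, err_code) + data

if __name__ == "__main__":
    for sample in (build_error(0x1001, 2, 4), build_error(0x1002, 4, 6)):
        r = decode_error(sample)
        print(f"xid={r['xid']:#x} {r['type']}/{r['code']}: {' or '.join(r['causes'])}")
```

Because OFPBAC_BAD_OUT_PORT is returned for two different conditions, the decoder reports both candidate causes; correlating the xid with the original flow_mod tells the operator which rule was not installed.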
When the OF controller updates traffic steering rules, the Hybrid OpenFlow Switch updates the flow table rules. This automatically triggers programming of the embedded filter, which consequently causes instantiation of the rules for all services/interfaces that have a filter policy embedding this H-OFS instance. Embedded filter policy configuration/operational rules also apply to embedded filters auto-created for an H-OFS instance (see the Embedded Filter Support for ACL Filter Policies section of this guide). MPLS cannot be deleted if OFS rules are created that redirect to an LSP.
The auto-created embedded filters can be viewed through CLI but cannot be modified or deleted through filter policy CLI/SNMP. The operator can see the above embedded filters under the show filter context, including the details about the filters, entries programmed, interface association, statistics, and so on.
Figure 29 shows the H-OFS to service operator-configurable mapping example.
For an H-OFS with the switch-defined-cookie command enabled, embedded filters are created for each unique context in the H-OFS instead.
The router allows mixing H-OFS rules from one or more H-OFS instances in a single filter policy. Co-existence of H-OFS rules in a single policy with CLI/SNMP programmed rules or BGP FlowSpec programmed rules in a single line card filter policy is also supported. When a management interface and an OF controller flow entry have the same filter policy entry, the management interface-created entry overrides the OF controller-created entry; see the embedded filter functional description. For mixing of the rules from multiple management entities, the controller should not program an entry in its Flow Table that would match all traffic, because this would stop evaluation of the filter policy.
The router supports HA for the OF Flow Table content and statistics. On an activity switch, the channel goes down and is reestablished by the newly active CPM. "Fail secure mode" operation takes place during channel reestablishment (OpenFlow rules continue to be applied to the arriving traffic). The OF controller is expected to resynchronize the OF table when the channel is reestablished. On a router reboot or H-OFS instance shutdown, H-OFS Flow Table rules and statistics are purged. An H-OFS instance cannot be deleted unless the H-OFS instance is first removed from all embedding filter policies.