Filter policy entries can be statically configured using CLI, SNMP, or NETCONF or dynamically created using BGP FlowSpec, OpenFlow, VSD (XMPP), or RADIUS/Diameter for ESM subscribers.
Dynamic filter entries for FlowSpec, OpenFlow, and VSD can be inserted into an IPv4 or IPv6 filter policy. The filter policy must be either exclusive or a template. Additionally, FlowSpec embedding is supported when using a filter policy that defines system-wide filter rules.
BGP FlowSpec routes are associated with a specific routing instance (based on the AFI/SAFI and possibly VRF import policies) and can be used to create filter entries in a filter policy dynamically.
Configure FlowSpec embedding using the following contexts:
MD-CLI
configure filter ip-filter embed flowspec
configure filter ipv6-filter embed flowspecclassic CLI
configure filter ip-filter embed-filter flowspec
configure filter ipv6-filter embed-filter flowspecThe following rules apply to FlowSpec embedding:
The user explicitly defines both the offset at which to insert FlowSpec filter entries and the router instance the FlowSpec routes belong to. The embedded FlowSpec filter entry ID is chosen by the system, in accordance with RFC 5575, Dissemination of Flow Specification Rules.
The user can configure the maximum number of FlowSpec filter entries in a specific filter policy at the router or VPRN level using the ip-filter-max-size and ipv6-filter-max-size commands. This limit defines the boundary for FlowSpec embedding in a filter policy (the offset and maximum number of IPv4 or IPv6 FlowSpec routes).
When the user configures a template or exclusive filter policy, the router instance defined in the dynamic filter entry for FlowSpec must match the router interface that the filter policy is applied to.
When using a filter policy that defines system-wide rules, embedding FlowSpec entries from different router instances is allowed and can be applied to any router interfaces.
See section IPv4/IPv6 filter policy entry match criteria on embedded filter scope for recommendations on filter entry ID spacing and overlapping of entries.
The following is a FlowSpec configuration example:
The maximum number of FlowSpec routes in the base router instance is configured for 50,000 entries using the ip-filter-max-size command.
The filter policy 100 (template) is configured to embed FlowSpec routes from the base router instance at offset 100,000. The offset chosen in this example avoids overlapping with statically defined entries in the same policy. In this case, the statically defined entries can use the entry ID range 1-99999 and 149999-2M for defining static entries before or after the FlowSpec filter entries.
[ex:/configure router "Base"]
A:admin@node-2# info
flowspec {
ip-filter-max-size 50000
}
[ex:/configure filter ip-filter "100"]
A:admin@node-2# info
embed {
flowspec offset 100000 {
}
}
A:7750>config>router#
----------------------------------------------
flowspec
ip-filter-max-size 50000
exit
----------------------------------------------
A:7750>config>filter# info
----------------------------------------------
ip-filter 100 name "100" create
embed-filter flowspec router "Base" offset 100000
exit
----------------------------------------------
The embedded filter infrastructure is used to insert OpenFlow rules into an existing filter policy. See Hybrid OpenFlow switch for more information. Policy-controlled auto-created filters are re-created on system reboot. Policy controlled filter entries are lost on system reboot and need to be reprogrammed.
VSD filters are created dynamically using XMPP and managed using a Python script so rules can be inserted into or removed from the correct VSD template or embedded filters. XMPP messages received by the 7750 SR are passed transparently to the Python module to generate the appropriate CLI. See the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide for more information about VSD filter provisioning, automation, and Python scripting details.
RADIUS or Diameter for subscriber management:
The user can assign filter policies or filter entries used by a subscriber within a preconfigured filter entry range defined for RADIUS or Diameter. See the 7450 ESS, 7750 SR, and VSR Triple Play Service Delivery Architecture Guide and filter RADIUS-related commands for more information.