Configuring Filter Policies with CLI

This section provides information to configure and manage filter policies using the command line interface.

Topics in this section include:

  1. Basic Configuration
  2. Common Configuration Tasks
  3. Filter Management Tasks

Basic Configuration

The most basic IPv4, IPv6, MAC, and VLAN filter policy must have the following:

  1. a filter ID
  2. scope, either exclusive or template (VLAN filter policies always have a template scope)
  3. default action (drop or forward)
  4. at least one filter entry
    1. specified action, either drop or forward
    2. specified matching criteria

Common Configuration Tasks

This section provides a brief overview of the tasks that must be performed for IP filter configuration and provides the CLI commands.

  1. Creating an IPv4 or IPv6 Filter Policy
  2. Creating a MAC Filter Policy
  3. Creating a VLAN Filter Policy
  4. Configuring Filter Log Policies
  5. Applying IP and MAC Filter Policies to a Service
  6. Applying IP Filter Policies to Network Interfaces
  7. Applying VLAN Filter Policies to a Ring Port

Creating an IPv4 or IPv6 Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. the filter type specified (IP)
  2. a filter policy ID
  3. a default action (drop or forward)
  4. scope specified, either exclusive or template
  5. at least one filter entry with matching criteria specified

IP Filter Policy

Use the following CLI syntax to create a template IPv4 or IPv6 filter policy:

CLI Syntax:
config>filter# ip-filter filter-id [create]
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ip-filter 12 create
config>filter# description "IP-filter"
config>filter$ scope template
CLI Syntax:
config>filter# ipv6-filter ipv6-filter-id [create]
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ipv6-filter 10 create
config>filter# description "ipv6-filter"
config>filter# scope template

The following example displays a template filter policy configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 12 create
            description "IP-filter"
            scope template
        exit
...
----------------------------------------------
A:ALU-7>config>filter#

Use the following CLI syntax to create an exclusive IPv4 or IPv6 filter policy:

CLI Syntax:
config>filter# ip-filter filter-id
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ip-filter 11 create
config>filter# description "filter-main"
config>filter# scope exclusive
CLI Syntax:
config>filter# ipv6-filter ipv6-filter-id
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
config>filter# ipv6-filter 9 create
config>filter# description "ipv6-filter-main"
config>filter# scope exclusive

The following example displays an exclusive filter policy configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
        exit
...
----------------------------------------------
A:ALU-7>config>filter#

IP Filter Entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, and network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria (see IP Filter Entry Matching Criteria).

The forward next-hop command is used to implement policy-based routing. For details, see Policy-Based Routing. Use the indirect keyword to identify the indirect next-hop router to which packets with matching criteria will be forwarded. The forward fc command is used to implement multi-field classification. For details, see Multi-field Classification (MFC).

Use the following CLI syntax to create an IP filter entry:

CLI Syntax:
config>filter# ip-filter filter-id [create]
entry entry-id
description description-string
action [drop]
action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
Example:
config>filter# ip-filter 11
config>filter>ip-filter# entry 10 create
config>filter>ip-filter>entry$ description "no-91"
config>filter>ip-filter>entry$ action drop
config>filter>ip-filter>entry# exit
CLI Syntax:
config>filter# ip-filter ipv6-filter-id [create]
entry entry-id
description description-string
action {drop | forward}]
Example:
config>filter# ipv6-filter 9
config>filter>ipv6-filter# entry 10 create
config>filter>ipv6-filter>entry$ description "no-91"
config>filter>ipv6-filter>entry$ action drop
config>filter>ipv6-filter>entry# exit

The following example displays an IP filter entry configuration.

A:ALU-7>config>filter>ip-filter# info
----------------------------------------------
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                action drop
                exit
            exit
----------------------------------------------

IP Filter Entry Matching Criteria

Use the following CLI syntax to configure IPv4 filter matching criteria:

CLI Syntax:
config>filter>ip-filter>entry#
match
dscp dscp-name
dst-ip {ip-address/mask | ip-address netmask}
dst-port {{lt | gt | eq} dst-port-number} | {range start end}
fragment {true | false}
icmp-code icmp-code
icmp-type icmp-type
ip-option ip-option-value [ip-option-mask]
multiple-option {true | false}
option-present {true | false}
src-ip {ip-address/mask | ip-address netmask}
src-port {{lt | gt | eq} src-port-number} | {range start end}
tcp-ack {true | false}
tcp-syn {true | false}
Example:
config>filter>ip-filter>entry# match
config>filter>ip-filter>entry>match# src-ip 10.10.10.10/32
config>filter>ip-filter>entry>match# dst-ip 10.10.10.91/24
config>filter>ip-filter>entry>match# exit

The following example displays a matching configuration.

A:ALU-7>config>filter>ip-filter# info
----------------------------------------------
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
                action forward 
            exit
----------------------------------------------
A:ALU-7>config>filter>ip-filter#
Note:

IPv4 filter entries can specify one or more matching criteria, with one caveat. In order to support the maximum 256 entries for IPv4 filters, any entry that uses source port (src-port) and/or destination port (dst-port) ranges (lt, gt, or range keywords) as match criteria must be within the first 64 entries.

Use the following CLI syntax to configure IPv6 filter matching criteria:

CLI Syntax:
config>filter>ipv6-filter>entry#
match
dscp dscp-name
dst-ip {ip-address/prefix-length}
dst-port {{lt | gt | eq} dst-port-number} | {range start end}
icmp-code icmp-code
icmp-type icmp-type
src-ip {ip-address/prefix-length}
src-port {{lt | gt | eq} src-port-number} | {range start end}
tcp-ack {true | false}
tcp-syn {true | false}
Example:
config>filter>ipv6-filter>entry# match
config>filter>ipv6-filter>entry>match# src-ip
  11::12/128
config>filter>ipv6-filter>entry>match# dst-ip
  13::14/128
config>filter>ipv6-filter>entry>match# exit

The following example displays a matching configuration.

A:ALU-7>config>filter>ipv6-filter# info
----------------------------------------------
            description "ipv6-filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 13::14/128
                    src-ip 11::12128
                exit
                action forward exit

IP Filter Entry for PBR to a System IP or Loopback Address

A PBR rule can be set up to extract packets from the data path and send them to the CSM for debugging or slow path forwarding, by having the next-hop point to a system IP or loopback interface of the 7705 SAR.

The extracted traffic can be rerouted to a final destination based on a RIB lookup on the CSM. The traffic is reinjected to the datapath based on the next-hop address.

Table 45 summarizes the queuing parameters for this functionality. These parameters are for slow path queues created for PBR and are not user-configurable.

Table 45:  PBR CSM Extraction Queue Parameters   

Parameter

Maximum Value

PIR

1500 kb/s

CIR

100 kb/s

MBS

20 (non-buffer-chained adapter cards)

80 (buffer-chained adapter cards)

CBS

8 buffers

The following syntax shows an example of extracting and reinjecting packets to a system IP address. An example for a loopback address would be similar.

CLI Syntax:
config>filter# ip-filter filter-id [create]
entry entry-id
action forward [next-hop {ip-address | indirect ip-address}] [fc fc-name [priority low | high]]
match
dscp dscp-name
Example:
config>filter# ip-filter 12
config>filter>ip-filter# entry 112 create
config>filter>ip-filter>entry$ action forward next-hop indirect 10.10.10.10
config>filter>ip-filter>entry# match
config>filter>ip-filter>entry>match# dscp be
config>filter>ip-filter>entry>match# exit
A:ALU-7>config>filter>ip-filter# info
----------------------------------------------
            scope exclusive
            entry 12 create
                match
                    dscp be
                exit
                action forward next-hop indirect 10.10.10.10 
            exit
----------------------------------------------
A:ALU-7>config>filter>ip-filter#

Creating a MAC Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. the filter type specified (MAC)
  2. a filter policy ID
  3. a default action, either drop or forward
  4. filter policy scope, either exclusive or template
  5. at least one filter entry
  6. matching criteria specified

MAC Filter Policy

Use the following CLI syntax to configure a MAC filter with exclusive scope:

CLI Syntax:
configure>filter>mac-filter filter-id [create]
description description-string
scope {exclusive | template}
default-action {drop | forward}
Example:
configure>filter>mac-filter 90 create
configure>filter>mac-filter# description filter-west
configure>filter>mac-filter# scope exclusive
configure>filter>mac-filter# default-action drop

The following example displays an exclusive scope configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
mac-filter 90 create
description "filter-west"
scope exclusive
default-action drop
exit
----------------------------------------------
A:ALU-7>config>filter#

MAC Filter Entry

Within a filter policy, configure filter entries that contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria (see MAC Entry Matching Criteria).

Use the following CLI syntax to configure a MAC filter entry:

CLI Syntax:
configure>filter>mac-filter filter-id
entry entry-id [create]
description description-string
action [drop]
action forward
exit
Example:
configure>filter>mac-filter 90
configure>filter>mac-filter# entry 1 create
configure>filter>mac-filter>entry# description “allow-104”
configure>filter>mac-filter>entry# action drop
configure>filter>mac-filter>entry# exit

The following example displays a MAC filter entry configuration.

A:sim1>config>filter# info
----------------------------------------------
         mac-filter 90 create
              entry 1 create
                  description "allow-104"
                  match
                  exit
                  action drop
              exit
         exit
----------------------------------------------
A:sim1>config>filter#

MAC Entry Matching Criteria

Use the following CLI syntax to configure a MAC filter entry with matching criteria:

CLI Syntax:
configure>filter>mac-filter filter-id
entry entry-id
match [frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}]
src-mac ieee-address
dst-mac ieee-address
etype 0x0600..0xffff
Example:
configure>filter>mac-filter 90
configure>filter>mac-filter# entry 1
configure>filter>mac-filter>entry# match frame-type
  802dot3
configure>filter>mac-filter>entry>match# src-mac
  00:dc:98:1d:00:00
configure>filter>mac-filter>entry>match# dst-mac
  02:dc:98:1d:00:01
configure>filter>mac-filter>entry>match# etype 0x8100

The following example displays a filter matching configuration.

A;ALU-7>config>filter# info
----------------------------------------------
         description "filter-west"
         scope exclusive
         entry 1 create
              description "allow-104"
              match
                  src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff
                  dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff
                  etype 0x8100
              exit
              action drop
         exit
----------------------------------------------
A:ALU-7>config>filter#

Creating a VLAN Filter Policy

Configuring and applying filter policies is optional. Each filter policy must have the following:

  1. the filter type specified (VLAN)
  2. a filter policy ID
  3. a default action, either drop or forward
  4. at least one filter entry
  5. specified matching criteria (see VLAN Entry Matching Criteria)

VLAN Filter Policy

Use the following CLI syntax to configure a VLAN filter policy:

CLI Syntax:
configure>filter>vlan-filter filter-id [create]
description description-string
default-action {drop | forward}
Example:
configure>filter>vlan-filter 2 create
configure>filter>vlan-filter# description VLAN_filter_2
configure>filter>vlan-filter# default-action drop

The following example displays a VLAN filter configuration.

A:ALU-7>config>filter# info
----------------------------------------------
...
vlan-filter 2 create
description "VLAN_filter_2"
default-action drop
exit
----------------------------------------------
A:ALU-7>config>filter#

VLAN Filter Entry

Within a VLAN filter policy, configure filter entries that contain criteria against which ingress traffic on a ring port is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. Forwarded packets are sent to the other ring port or the v-port, depending on the destination.

  1. Enter a filter entry ID. The system does not dynamically assign a value.
  2. Assign an action, either drop or forward.
  3. Specify matching criteria (see VLAN Entry Matching Criteria).

Use the following CLI syntax to configure a VLAN filter entry:

CLI Syntax:
configure>filter>vlan-filter filter-id
entry entry-id [create]
description description-string
action {drop | forward}
exit
Example:
configure>filter>vlan-filter 2
configure>filter>vlan-filter# entry 2 create
configure>filter>vlan-filter>entry# description “drop-104”
configure>filter>vlan-filter>entry# action drop
configure>filter>vlan-filter>entry# exit

The following example displays a VLAN filter entry configuration.

A:sim1>config>filter# info
----------------------------------------------
         vlan-filter 2 create
              entry 2 create
                  description "drop-104"
                  match
                  action drop
                  exit
              exit
         exit
----------------------------------------------
A:sim1>config>filter#

VLAN Entry Matching Criteria

Use the following CLI syntax to configure a VLAN filter entry with matching criteria:

CLI Syntax:
configure>filter>vlan-filter filter-id
entry entry-id
match vlan {lt|gt|eq} vlan-id
match vlan range vlan-id to vlan-id
match untagged
Example:
configure>filter>vlan-filter 2
configure>filter>vlan-filter# entry 2
configure>filter>vlan-filter# description drop_104
configure>filter>vlan-filter>entry# match vlan eq 104

The following example displays a filter matching configuration.

A;ALU-7>config>filter# info
----------------------------------------------
         description "drop-104"
         entry 2 create
              description "drop-104"
              match vlan eq 104
              action drop
              exit
         exit
----------------------------------------------
A:ALU-7>config>filter#

Configuring Filter Log Policies

Use the following CLI syntax to configure filter log policy:

CLI Syntax:
config>filter# log log-id
description description-string
destination memory num-entries
destination syslog syslog-id
summary
no shutdown
summary-crit dst-addr
summary-crit src-addr
wrap-around

The following example displays a filter log configuration.

A:ALU-48>config>filter>log# info detail
---------------------------------------------
          description "Test filter log."
          destination memory 1000
          wrap-around
          no shutdown
---------------------------------------------
A:ALU-48>config>filter>log#

Applying IP and MAC Filter Policies to a Service

Filter policies must be created before they can be applied to a service. Create filter policies in the config>filter context.

The following CLI syntaxes show how to apply filter policies to services. Use the first CLI syntax to apply an IP or MAC filter policy to a VPLS SAP, mesh SDP, or spoke SDP. Use the second CLI syntax for Epipe or Ipipe services. Use the third CLI syntax for VPRN or IES interface SAPs and spoke SDPs. (For IES SAPs, IPv6 ingress and egress filters can also be applied.)

CLI Syntax:
config>service# vpls service-id
sap sap-id
egress
filter ip ip-filter-id
ingress
filter ip ip-filter-id
filter mac mac-filter-id
mesh-sdp sdp-id:vc-id [vc-type {ether | vlan}]
ingress
filter ip ip-filter-id
filter mac mac-filter-id
spoke-sdp sdp-id:vc-id [vc-type {ether | vlan}]
ingress
filter ip ip-filter-id
filter mac mac-filter-id
CLI Syntax:
config>service# epipe service-id
sap sap-id
ingress
filter ip ip-filter-id
CLI Syntax:
config>service# vprn service-id
interface ip-int-name
sap sap-id
egress
filter ip ip-filter-id
ingress
filter ip ip-filter-id
spoke-sdp sdp-id:vc-id
ingress
filter ip ip-filter-id

The following example is for VPLS. A VPRN example includes the interface command (config>service>vprn>interface).

Example:
config>service# vpls 5000
config>service>vpls# sap 1/5/5
config>service>vpls>sap# ingress filter mac 92
config>service>vpls>sap# egress filter ip 10
config>service>vpls>sap# exit
config>service>vpls# mesh-sdp 15:5000
config>service>vpls>mesh-sdp# ingress filter mac 93
config>service>vpls>mesh-sdp# exit
config>service>vpls# spoke-sdp 15:5001
config>service>vpls>spoke-sdp# ingress filter mac 94
config>service>vpls>spoke-sdp# exit

The following example displays an IP and MAC filter assignment for a VPLS service configuration:

A:ALU-48>config>service>vpls# info
----------------------------------------------
...
     sap 1/5/5 create
          ingress
               filter mac 92
          exit
          egress
               filter ip 10
          exit
     exit
     mesh-sdp 15:5000 create
          ingress
               filter mac 93
          exit
     exit
     spoke-sdp 15:5001 create
          ingress
               filter mac 94
          exit
     exit
     no shutdown
...
----------------------------------------------
A:ALU-48>config>service>vpls#

Applying IP Filter Policies to Network Interfaces

IP filter policies can be applied to ingress and egress network IP interfaces.

IPv4 filters are supported on all ingress and egress network interfaces. IPv6 filters are supported on all Ethernet ingress and egress network interfaces (with null or dot1q encapsulation) and on ingress and egress interfaces on the 4-port OC3/STM1 Clear Channel Adapter card (with POS encapsulation).

Filter policies must be created before they can be applied to a network interface. Create filter policies in the config>filter context.

CLI Syntax:
config>router# interface ip-int-name
egress
filter ip ip-filter-id
ingress
filter ip ip-filter-id
config>router# interface ip-int-name
egress
filter ipv6 ipv6-filter-id
ingress
filter ipv6 ipv6-filter-id
Example:
config>router# interface to-104
config>router>if# ingress
config>router>if>ingress# filter ip 10
config>router>if# exit
A:ALU-48>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
...
        interface "to-104"
            address 10.0.0.10/32
            port 1/1/1
            ingress
                filter ip 10
            exit
        exit
...
#------------------------------------------
A:ALU-48>config>router# 

Applying VLAN Filter Policies to a Ring Port

VLAN filter policies can be applied to a ring port on the 2-port 10GigE (Ethernet) Adapter card and 2-port 10GigE (Ethernet) module. The filter operates on ingress traffic. Filter policies must be created before they can be applied. Create filter policies in the config>filter context.

CLI Syntax:
config>port>ethernet# vlan-filter filter-id
Example:
config>port>ethernet# vlan-filter 2
A:ALU-48>config>port>ethernet# info
#------------------------------------------
...
        vlan-filter 2 
...
#------------------------------------------
A:ALU-48>config>port>ethernet# 

Filter Management Tasks

This section discusses the following filter policy management tasks:

  1. Renumbering Filter Policy Entries
  2. Modifying an IP Filter Policy
  3. Modifying a MAC Filter Policy
  4. Modifying a VLAN Filter Policy
  5. Removing and Deleting a Filter Policy
  6. Configuring a NAT Security Profile
  7. Configuring a NAT Security Policy

Renumbering Filter Policy Entries

The 7705 SAR OS exits the matching process when the first match is found and then executes the actions in accordance with the specified action. Because the ordering of entries is important, the numbering sequence can be rearranged. Entries should be numbered from the most explicit to the least explicit.

Use the following CLI syntax to resequence existing IP, MAC, and VLAN filter entries:

CLI Syntax:
config>filter
ip-filter filter-id
renum old-entry-id new-entry-id
Example:
config>filter>ip-filter# renum 10 15
config>filter>ip-filter# renum 30 40
config>filter>ip-filter# renum 40 1
CLI Syntax:
config>filter
ipv6-filter ipv6-filter-id
renum old-entry-id new-entry-id
Example:
config>filter>ipv6-filter# renum 10 15
config>filter>ipv6-filter# renum 30 40
config>filter>ipv6-filter# renum 40 1
CLI Syntax:
config>filter
mac-filter filter-id
renum old-entry-id new-entry-id
Example:
config>filter>mac-filter# renum 10 15
config>filter>mac-filter# renum 30 40
config>filter>mac-filter# renum 40 1
CLI Syntax:
config>filter
vlan-filter filter-id
renum old-entry-id new-entry-id
Example:
config>filter>vlan-filter# renum 10 15
config>filter>vlan-filter# renum 30 40
config>filter>vlan-filter# renum 40 1

The following output displays the original IP filter entry order followed by the reordered filter entries:

A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
                action forward
            exit
            entry 30 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
            entry 35 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
            entry 40 create
                match
                    dst-ip 10.10.10.0/29
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
        exit
...
----------------------------------------------
A:ALU-7>config>filter#
A:ALU-7>config>filter# info
----------------------------------------------
...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.0/29
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.10/32
                exit
                action forward
            exit
            entry 35 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.200/24
                exit
                action forward
            exit
            entry 40 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.100/24
                exit
                action drop
            exit
        exit
...
----------------------------------------------
A:ALU-7>config>filter#

Modifying an IP Filter Policy

To access a specific IPv4 or IPv6 filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting.

Example:
config>filter>ip-filter# description "New IP filter info"
config>filter>ip-filter# entry 2 create
config>filter>ip-filter>entry# description "new entry"
config>filter>ip-filter>entry# action drop
config>filter>ip-filter>entry# match dst-ip
  10.10.10.104/32
config>filter>ip-filter>entry# exit
config>filter>ip-filter#
config>filter>ipv6-filter# description "IPv6 filter info"
config>filter>ipv6-filter# entry 3 create
config>filter>ipv6-filter>entry# description "new entry"
config>filter>ipv6-filter>entry# action drop
config>filter>ipv6-filter>entry# match dst-ip
  10::12/128
config>filter>ipv6-filter>entry# exit
config>filter>ipv6-filter#

The following output displays a modified IP filter output.

A:ALU-7>config>filter# info
----------------------------------------------
..
        ip-filter 11 create
            description "New IP filter info"
            scope exclusive
            entry 1 create
                match
                    dst-ip 10.10.10.0/29
                    src-ip 10.10.10.106/24
                exit
                action drop
            exit
            entry 2 create
                description "new entry"
                match
                    dst-ip 10.10.10.104/32
                exit
                action drop
            exit
            entry 15 create
                description "no-91"
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.10/32
                exit
                action forward
            exit
            entry 35 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.0.200/24
                exit
                action forward
            exit
        exit
..
----------------------------------------------
A:ALU-7>config>filter#

Modifying a MAC Filter Policy

To access a specific MAC filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting. The example below changes the action to forward.

Example:
config>filter# mac-filter 90
config>filter>mac-filter# description "Mac_filter90"
config>filter>mac-filter# entry 1
config>filter>mac-filter>entry# description "Mac­_entry90_1"
config>filter>mac-filter>entry# action forward
config>filter>mac-filter>entry# exit

The following output displays the modified MAC filter output:

A:ALU-7>config>filter# info
----------------------------------------------
...
         mac-filter 90 create
              description "Mac_filter90"
              scope exclusive
              entry 1 create
                  description "Mac_entry90_1"
                  match
                       src-mac 00:dc:98:1d:00:00 
                       dst-mac 02:dc:98:1d:00:01 
                  exit
                  action forward
              exit
         exit
...
----------------------------------------------
A:ALU-7>config>filter#

Modifying a VLAN Filter Policy

To access a specific VLAN filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting. The example below adds entry 65535.

Example:
config>filter# vlan-filter 2
config>filter>vlan-filter# entry 65535 create
config>filter>vlan-filter>entry# description "entry_65535"
config>filter>vlan-filter>entry# action forward
config>filter>vlan-filter>entry# match vlan range 2000 to 3000
config>filter>vlan-filter>entry# exit

The following output displays the modified VLAN filter output:

*A:7705custDoc:Sar18>config>filter>vlan-filter# info
----------------------------------------------
    description "VLAN_filter_2"
    entry 2 create
        description "vlan_fltr_entry2"
        action forward
        match vlan eq 104
    exit
    entry 65535 create
        description "entry_65535"
        action forward
        match vlan range 2000 to 3000
    exit
----------------------------------------------
*A:7705custDoc:Sar18>config>filter>vlan-filter#

Removing and Deleting a Filter Policy

Before you can delete a filter, you must remove the filter association from the applied ingress and egress SAPs, ingress SDPs, and ingress network interfaces.

You can remove a filter policy and then delete it from the following entities:

  1. Removing a Filter from a Service
  2. Removing a Filter from a Network Interface
  3. Removing a Filter from a Ring Port
  4. Deleting a Filter

Removing a Filter from a Service

To remove an IP or MAC filter from a VPLS SAP or VPLS SDP (spoke or mesh), use the first CLI syntax (below). For a VPRN or IES interface SAP or spoke SDP, use the second CLI syntax:

CLI Syntax:
config>service# vpls service-id
sap sap-id
egress
no filter ip ip-filter-id
ingress
no filter [ip ip-filter-id | mac mac-filter-id]
spoke-sdp sdp-id:vc-id
ingress
no filter [ip ip-filter-id | mac mac-filter-id]
mesh-sdp sdp-id:vc-id
ingress
no filter [ip ip-filter-id | mac mac-filter-id]
CLI Syntax:
config>service# vprn service-id
interface ip-int-name
sap sap-id
egress
no filter [ip ip-filter-id]
ingress
no filter [ip ip-filter-id]
spoke-sdp sdp-id:vc-id
ingress
no filter

The following example is for VPLS. A VPRN example includes the interface command (config>service>vprn>interface).

Example:
config>service# vpls 5000
config>service>vpls# sap 1/1/2
config>service>vpls>sap# ingress
config>service>vpls>sap>ingress# no filter ip 232
config>service>vpls>sap>ingress# exit
config>service>vpls>sap# exit
config>service>vpls>spoke-sdp 15:5001
config>service>vpls>spoke-sdp# ingress
config>service>vpls>spoke-sdp>ingress# no filter mac 55
config>service>vpls>spoke-sdp>ingress# exit
config>service>vpls>spoke-sdp# exit
config>service>vpls>mesh-sdp 15:5000
config>service>vpls>mesh-sdp# ingress
config>service>vpls>mesh-sdp>ingress# no filter mac 54

Removing a Filter from a Network Interface

To remove an IPv4 or IPv6 filter from a network interface, enter the following CLI commands:

CLI Syntax:
config>router# interface ip-int-name
egress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id]
ingress
no filter [ip ip-filter-id | ipv6 ipv6-filter-id]
Example:
config>router# interface b11
config>router>if# egress
config>filter>if>egress# no filter ip 12
config>router>if>egress# exit
config>filter>if># ingress
config>filter>if>ingress# no filter ip 2
config>filter>if>ingress# exit

Removing a Filter from a Ring Port

To remove a VLAN filter from a ring port, enter the following CLI command. Including filter-id is optional because only one filter can be applied to a port.

CLI Syntax:
config>port>ethernet# no vlan-filter [filter-id]
Example:
config>port>ethernet# no vlan-filter 2

Deleting a Filter

After you have removed the filter from all the network interfaces, SAPs, and SDPs (spoke and/or mesh) where it was applied, use the following CLI syntax to delete the filter:

CLI Syntax:
config>filter# no ip-filter filter-id
config>filter# no ipv6-filter ipv6-filter-id
config>filter# no mac-filter filter-id
config>filter# no vlan-filter filter-id
Example:
config>filter# no ip-filter 2
config>filter# no mac-filter 55

Configuring a NAT Security Profile

To configure NAT, you must first:

  1. configure a NAT security profile and policy in the config>security context
    1. in the config>security>profile context, specify the timeouts for the tcp/udp/icmp protocols. This step is optional. If you do not configure the profile, a default profile is assigned.
    2. in the config>security>policy context, configure a NAT security policy, and specify the match criteria and the action to be applied to a packet if a match is found
  2. then configure a NAT zone and apply the policy ID to the zone

To configure a NAT security profile, you must create the profile ID. Once created, the profile ID is referenced when you set up a NAT policy.

CLI Syntax:
config>security# profile profile-id [create]
description description-string
name profile-name
timeouts
icmp-request days hours minutes seconds
tcp-established days hours minutes seconds
tcp-syn days hours minutes seconds
tcp-time-wait days hours minutes seconds
tcp-transitory days hours minutes seconds
udp days hours minutes seconds
udp-dns days hours minutes seconds
udp-initial days hours minutes seconds

The following example displays a profile configuration.

Example:
config>security# begin
config>security# session-high-wmark 90
config>security# session-low-wmark 70
config>security# profile 2 create
config>security>profile# name "default"
config>security>profile# description "session timer check"
config>security>profile# timeouts
config>security>profile>timeouts# icmp-request seconds 59
config>security>profile>timeouts# tcp-time-wait minutes 1
config>security>profile>timeouts# exit
config>security>profile# exit
config>security# commit

The following output displays a modified NAT profile.

A:ALU-7>config>security# info
----------------------------------------------
..
            session-high-wmark 90
            session-low-wmark 70
            profile 2 create
                 name "default"
                 description "For session timer check"
                 timeouts
                 exit
            exit
..
----------------------------------------------
A:ALU-7>config>security#

Configuring a NAT Security Policy

To configure NAT, you must first:

  1. configure a NAT security profile and policy in the config>security context
    1. in the config>security>profile context, specify the timeouts for the tcp/udp/icmp protocols. This step is optional. If you do not configure the profile, a default profile is assigned.
    2. in the config>security>policy context, configure a NAT security policy, and specify the match criteria and the action to be applied to a packet if a match is found
  2. then configure a NAT zone and apply the policy ID to the zone

To configure a NAT policy, you must create the policy ID.

CLI Syntax:
config>security# policy policy-id [create]
description description-string
entry entry-id [create]
description description-string
match [local] protocol protocol-id
direction {zone-outbound | zone-inbound | both}
dst-ip ip-address to ip-address
dst-port {lt | gt | eq} tcp/udp port range start end
icmp-code icmp-code
icmp-type icmp-type
src-ip ip-address to ip-address
src-port {lt | gt | eq} tcp/udp port range start end
action {forward | reject | nat}
action nat [destination ip-address port tcp-udp-port]
limit
concurrent-sessions number
profile profile-id | profile-name
name policy-name

For the action nat command, destination ip-address and port tcp-udp-port parameters apply only to static destination NAT (port forwarding).

The following example displays a policy configuration for source NAT.

Example:
config>security# begin
config>security# policy 1 create
config>security>policy# name "inbound policy"
config>security>policy# description "common egress policy"
config>security# entry 1 create
config>security>policy>entry# description "Source NAT"
config>security>policy>entry# match
config>security>policy>entry>match# direction zone-inbound
config>security>policy>entry>match# exit
config>security>policy>entry># limit
config>security>policy>entry># exit
config>security>policy>entry># action nat
config>security>policy>entry># profile 2
config>security>policy>entry># exit
config>security>policy># exit
config>security># commit

The following example displays a policy configuration for static destination NAT.

Example:
config>security# begin
config>security# policy 1 create
config>security# entry 2 create
config>security>policy>entry# description "Dest NAT"
config>security>policy>entry# match local protocol udp
config>security>policy>entry>match# dst-port eq 4000
config>security>policy>entry>match# exit
config>security>policy>entry># limit
config>security>policy>entry># exit
config>security>policy>entry># action nat destination 10.10.10.1 port 4000
config>security>policy>entry># profile 2
config>security>policy>entry># exit
config>security>policy># exit
config>security># commit

The following output displays a modified NAT policy output.

A:ALU-7>config>security# info
----------------------------------------------
..
            policy 1 create
               name "inbound policy"
               description "common egress policy"
               entry 1 create
                  description "Source NAT"
                  match
                     direction zone-inbound
                  exit
                  limit
                  action nat
                  profile 2
               exit
               entry 2 create
                  description "Dest NAT"
                  match local protocol udp
                     dst-port eq 4000
                  exit
                  limit
                  action nat destination 10.10.10.1 port 4000
                  profile 2
            exit
            commit
..
----------------------------------------------
A:ALU-7>config>security#