To configure an ACL IP filter policy

Steps
 

1

Choose Policies→Filter→ACL IP Filter from the NFM-P main menu. The ACL IP Filter Policies form opens.


2

Click Create or select an existing policy and click Properties. The ACL IP Filter (Create|Edit) form opens.


3

Configure the parameters as required.

Note: If you are creating an ACL IP filter that you will embed in another filter policy, then you must set the Scope parameter to embedded. This is referred to as an embedded filter.

If you are creating an ACL IP filter that will contain an embedded filter or will enable flowspec as an embedded filter, then you must set the Scope parameter to either of the following: template, exclusive, or system. This is referred to as an embedding filter.

If you copy an embedded filter policy (Scope: embedded), the copied policy will also have a Scope of embedded. Filter entries from the embedded policy are also copied, and will have an Entry Type of Normal. See To copy filter policy filter entries for information on copying filter entries.

Note: If you are configuring an active system filter, then you must set the Scope parameter to system. The Chain to System Filter parameter must not be enabled. See To configure a System Filter for system filter information.

If you are configuring a chained system filter, then you must set the Scope parameter to either template or exclusive. The Chain to System Filter parameter must also be enabled. See To configure a System Filter for system filter information.

To change an existing filter policy’s Scope parameter to or from the system option, the policy must have no Filter Entries configured.

Note: To perform traffic management, you must set the Scope parameter to cpm. After the ACL IP and ACL IPv6 filter policies with the Scope parameter set to cpm are deployed to the 7250 IXR NEs, the IP Administrative Status and IPv6 Administrative Status parameters can be set to Up in the CPM filter policy; see the NSP System Administrator Guide for more information about configuring a CPM filter policy.

Note: NEs that support next-generation CLI use the policy name as the key identifier for internal system reference. For policies on these NEs, you must configure a policy name (typically the service name or a numerical string). Policy IDs are also supported. You must configure a numerical range on the NE for auto-assigned policy IDs; see To configure an Auto-ID range for policies.

Filtering for packet length can be configured as an action condition, or, on supporting NEs, as a match criterion. If you are configuring a policy with filter entries that use Match Criteria for packet length filtering, you must set the IP Filter Type parameter to the Packet-Length option.


4

If you need to configure the parameters on the Embedded Filters tab, including the enabling of flowspec, refer to To configure an embedding filter with embedded filter policies.


5

Click on the Insertion Blocks tab.


6

If required, enable the check box in the Host Shared Filter Configuration panel and configure the High Watermark or Low Watermark parameters.


7

Configure the parameters as required in the Group Entry Insertion Configuration panel.


8

Configure a filter entry.

  1. Click on the Filter Entries tab and click Create. The Entry, ACL IP Filter (Create) form opens.

  2. Configure the required parameters.

  3. Click Select to assign a Log ID to the ACL IP filter entry.

  4. Click Select in the Time Range panel to assign a time range for the ACL IP filter entry, or click Create to create a new time range. The Select Time Range - IP FilterEntry list form opens. Otherwise, go to Step 8, substep 6.

  5. Select a time range entry and click OK. The Entry, ACL IP Filter (Create) form refreshes with the time range information.

    Note: ACL filters that include ACL filter entries to which you have assigned a time range cannot be assigned to a time of day suite policy.

    Time ranges with which you have associated an ACL filter within a time of day suite policy cannot be assigned to ACL filter entries of that ACL filter.

  6. Click on the Filter Properties tab.

  7. Configure the Primary Action panel.

    Configure the Action parameter. The form refreshes to display the parameters, panels, and sub-tabs applicable to the option you choose.

    Configure the parameters (and sub-tab parameters, if applicable) associated with the chosen Action parameter option, as required.

    The Forward (ESI) option provides the ability to steer traffic using an ESI value in an EVPN data center. The required traffic flow is identified using ACL IP, ACL IPv6, or ACL MAC filters, and then the action associated with the filter steers the traffic towards the service functions hosted on the EVPN data center. Forward ESI is supported only if a device is in chassis mode D (as applicable).

    The Rate Limit option provides the ability to protect a network against DDoS attacks by specifying a TTL value (or hop-limit for IPv6), or packet length. When the specified value is exceeded, the transit traffic is dropped.

    The Forward (GRE Tunnel) option allows you to assign a GRE tunnel template that defines the encapsulation parameters; see To configure a GRE tunnel template.

    The Forward (SAP) option requires VPLS L2 Access Interfaces. See To create a VPLS or MVPLS L2 access interface for information on associating an ACL IP filter to a VPLS SAP.

    The Forward Next Hop (Router) option allows you to associate the filter to a VPRN L3 Access Interface. See To configure an L3 access interface on a VPRN site for more information.

    The Forward (Pattern) option provides the ability to forward packets that contain a predefined UDP signature that conforms to the configured pattern parameters, essentially “whitelisting” authorized packets.

    When the Action parameter is set to Drop, Rate Limit, or Forward (Pattern), parameters are available for pattern matching on supporting devices. Pattern matching can help identify DDoS attacks.

    If you set the IP Filter Type parameter to the Packet-Length option in Step 3, do not configure packet length options and parameters in the Primary Action panel. Instead, configure packet length options in the Match Criteria panel in Step 8, substep 11.

  8. For certain Primary Action options, you can set an Extended Action parameter (and associated parameters, as applicable) to enable a supplementary action to the Primary Action. Configure as required.

  9. Configure a Secondary Action to specify two PBR targets as part of a single filter policy entry. This provides redundancy and load-sharing capacities on steered traffic. When primary and secondary actions are both configured, PBR uses the primary action if its target is operationally up; otherwise, it uses the secondary action if that target is operationally up.

    If both PBR targets are down, the default behavior you configure for the primary action is used, unless you configure the PBR Down Action Override parameter otherwise. In addition, you can set a sticky destination Hold Time for a given redundant filter entry.

    Choosing a Secondary Action will also display additional sub-tabs and parameters that you must configure as required. Note that a Primary Action must be configured prior to setting a Secondary Action.

    When you configure the Secondary Action to Forward (VPRN Target), the Secondary VPRN Target tab opens.

  10. For certain Secondary Action options, you can set an Extended Action parameter (and associated parameters, as applicable) to enable a supplementary action to the Secondary Action. Configure as required.

  11. Configure the remaining parameters on the Filter Properties tab as required. Note the following:
    • You can assign a configured protocol list policy; see To configure a protocol list policy. When you assign a protocol list policy, you must set the Protocol parameter to NONE.

    • The Source Port, Destination Port, and Port related parameters are configurable when the Protocol parameter value is TCP or UDP.

    • If you select the Source and Destination option for the Configuration Type parameter, you can configure the Source and Destination ports separately, specifying either a Mask, Range, or Port List for each. If you select the Port option for the Configuration Type, then the Mask, Range, or Port List you specify will apply to both the source and destination.

    • Configuring the Src Mask and Src Net Mask parameters is mutually exclusive.

    • Configuring the Dst Mask and Dst Net Mask parameters is mutually exclusive.

    • When the Protocol parameter is set to TCP, the TCP Properties panel is available for enabling TCP flags on supporting NEs. When you distribute the policy, ensure that the NE supports the required TCP flags.

    • The ICMP Code and ICMP Type parameters are configurable when the Protocol parameter value is IPv6_ICMP.

    • The Egress PBR parameter can only be configured when the Action parameter is set to one of the following: Forward (Redirect Filter), TCP MSS Adjust, Ignore Match, Forward (ESI), Forward Next Hop, or Forward Next Hop (Router).

    • The Bonding Connection ID parameter must be configured when the Primary Action parameter is set to Forward (Bonding Connection).

    • Match Criteria Packet Length options are supported only when the IP Filter Type is set to Packet-Length in Step 3. The Packet Length Option parameter is mutually exclusive with the DSCP, IP Option, IP Opt Mask, Option Present, Multiple Option, and Source Route Option match criteria.

    • The Match Criteria Time-To-Live option is supported only when the IP Filter type is set to Packet-Length in Step 3. Before you change the IP Filter type, you must delete any filter entry that has the Time-To-Live option selected.

    • Select a GRE tunnel template as required.

  12. Click on the Cflowd tab and configure the parameters as required.

    For the Sample Profile ID parameter, enter the ID number of an existing Cflowd sample profile. For information about Cflowd sample profiles, see To enable and configure global Cflowd sampling on an NE.

  13. Click on the Forwarding VPRN Target tab.

  14. Configure the required parameters.

  15. Click on the Secondary VPRN Target tab.

  16. Configure the required parameters and select a router and LSP.

  17. Save your changes and close the form.
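
Before saving an entry, it is worth checking the parameter dependencies listed in substep 11 in one place. The following is an added example, not NFM-P code: it encodes those dependencies as a pre-check over a plain dict whose keys mirror the parameter names on the page (the dict layout, the policy-level "IP Filter Type" key and the two constructed sample entries are assumptions).

```python
# Constructed pre-check of an ACL IP filter entry against the parameter
# dependencies listed in substep 11. Not NFM-P code: the dict keys mirror the
# parameter names on the page, and the policy/entry dicts are assumptions.

EGRESS_PBR_ACTIONS = {
    "Forward (Redirect Filter)", "TCP MSS Adjust", "Ignore Match",
    "Forward (ESI)", "Forward Next Hop", "Forward Next Hop (Router)",
}
PACKET_LENGTH_EXCLUSIVE = (
    "DSCP", "IP Option", "IP Opt Mask", "Option Present",
    "Multiple Option", "Source Route Option",
)
PORT_PARAMS = ("Source Port", "Destination Port", "Port")


def validate_entry(policy, entry):
    """Return a list of parameter conflicts; an empty list means the entry
    respects every dependency from substep 11."""
    problems = []
    proto = entry.get("Protocol")
    action = entry.get("Action")
    filter_type = policy.get("IP Filter Type")

    # A protocol list policy replaces the single Protocol value.
    if entry.get("Protocol List Policy") and proto != "NONE":
        problems.append("Protocol must be NONE when a protocol list policy is assigned")

    # Port parameters exist only for TCP and UDP.
    if proto not in ("TCP", "UDP"):
        for name in PORT_PARAMS:
            if name in entry:
                problems.append(f"{name} requires Protocol TCP or UDP")

    # Src/Dst Mask and Src/Dst Net Mask are two ways to express the same thing.
    for side in ("Src", "Dst"):
        if f"{side} Mask" in entry and f"{side} Net Mask" in entry:
            problems.append(f"{side} Mask and {side} Net Mask are mutually exclusive")

    if entry.get("TCP Flags") and proto != "TCP":
        problems.append("TCP Properties (flags) require Protocol TCP")

    if ("ICMP Code" in entry or "ICMP Type" in entry) and proto != "IPv6_ICMP":
        problems.append("ICMP Code and ICMP Type require Protocol IPv6_ICMP")

    if entry.get("Egress PBR") and action not in EGRESS_PBR_ACTIONS:
        problems.append(f"Egress PBR cannot be enabled with Action {action!r}")

    if action == "Forward (Bonding Connection)" and "Bonding Connection ID" not in entry:
        problems.append("Bonding Connection ID is required for Forward (Bonding Connection)")

    # Packet-length and TTL match criteria depend on the policy-level IP Filter Type.
    if "Packet Length Option" in entry:
        if filter_type != "Packet-Length":
            problems.append("Packet Length match criteria require IP Filter Type Packet-Length")
        clash = [name for name in PACKET_LENGTH_EXCLUSIVE if name in entry]
        if clash:
            problems.append("Packet Length Option is mutually exclusive with " + ", ".join(clash))
    if entry.get("Time-To-Live") and filter_type != "Packet-Length":
        problems.append("Time-To-Live match criteria require IP Filter Type Packet-Length")

    return problems


# Constructed sample entries: the first breaks three of the rules above, the
# second expresses the same intent correctly.
BAD_ENTRY = {
    "Action": "Drop", "Protocol": "IP", "Destination Port": 22,
    "Src Mask": "0.0.0.255", "Src Net Mask": "255.255.255.0", "Egress PBR": True,
}
GOOD_ENTRY = {
    "Action": "Drop", "Protocol": "TCP", "Destination Port": 22,
    "Src Net Mask": "255.255.255.0",
}

if __name__ == "__main__":
    for label, entry in (("bad", BAD_ENTRY), ("good", GOOD_ENTRY)):
        print(label, validate_entry({}, entry) or "OK")
```

The checks are applied in the order the bullets appear on the page, so the returned list reads top to bottom like substep 11; a policy dict without an IP Filter Type stands for a policy that was not set to Packet-Length in Step 3.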


9

To create an additional filter entry, repeat Step 8.


10 

To define the order in which the policy tries to match filter entries with packets, perform the following steps for each filter entry.

  1. Click Refresh to find an existing filter entry. The list of filter entries is displayed.

  2. Select a filter entry and click Renumber ID. The Renumber Entry ID form opens.

  3. Configure the New Entry ID parameter.

  4. Save your changes. The Entry ID column displays the new identifier assigned to the entry.
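
The effect of Entry ID order (Step 10) and of the primary/secondary target selection (Step 8, substep 9) is easier to reason about with a small executable model. The following is an added example, not NFM-P or NE code: the class and field names, the CIDR representation of Src IP plus Src Net Mask, and the two default actions (when no entry matches, and when both PBR targets are down with no override) are assumptions made for the model.

```python
# Constructed model of how an ACL IP filter policy applies its entries: entries
# are tried in ascending Entry ID order and the first match decides the action
# (Step 10), and a PBR entry picks its primary or secondary target by
# operational state (Step 8, substep 9). Not NFM-P or NE code; the class and
# field names and the two default actions are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Target:
    """A PBR target (next hop, SAP, VPRN, ...) and whether it is operationally up."""
    name: str
    oper_up: bool


@dataclass
class FilterEntry:
    entry_id: int
    action: str                           # Primary Action, e.g. "Drop", "Forward Next Hop"
    protocol: Optional[str] = None        # "TCP", "UDP", ...; None matches any protocol
    src_net: Optional[str] = None         # Src IP with Src Net Mask as a CIDR prefix; None = any
    dst_net: Optional[str] = None
    dst_ports: Optional[range] = None     # Destination Port range; only meaningful for TCP/UDP
    primary_target: Optional[Target] = None
    secondary_target: Optional[Target] = None
    pbr_down_action_override: Optional[str] = None   # None = keep the assumed default


# Assumed defaults: the action when no entry matches, and what a PBR entry does
# when both targets are down and no override is configured.
POLICY_DEFAULT_ACTION = "Forward"
PBR_DOWN_DEFAULT = "Forward"


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(entry: FilterEntry, pkt: Packet) -> bool:
    """True when every configured match criterion of the entry applies to pkt."""
    if entry.protocol is not None and entry.protocol != pkt.protocol:
        return False
    if entry.src_net and ip_address(pkt.src) not in ip_network(entry.src_net):
        return False
    if entry.dst_net and ip_address(pkt.dst) not in ip_network(entry.dst_net):
        return False
    if entry.dst_ports is not None:
        if pkt.protocol not in ("TCP", "UDP") or pkt.dst_port not in entry.dst_ports:
            return False
    return True


def resolve_action(entry: FilterEntry) -> Tuple[str, Optional[str]]:
    """Primary/secondary selection: primary if its target is up, else secondary
    if that target is up, else the PBR Down Action Override (or the default)."""
    if entry.primary_target is None:
        return entry.action, None
    if entry.primary_target.oper_up:
        return entry.action, entry.primary_target.name
    if entry.secondary_target is not None and entry.secondary_target.oper_up:
        return entry.action, entry.secondary_target.name
    return entry.pbr_down_action_override or PBR_DOWN_DEFAULT, None


def evaluate(entries: List[FilterEntry], pkt: Packet):
    """Return (entry_id, action, target) of the first matching entry by Entry ID."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if matches(entry, pkt):
            action, target = resolve_action(entry)
            return entry.entry_id, action, target
    return None, POLICY_DEFAULT_ACTION, None


def renumber(entries: List[FilterEntry], old_id: int, new_id: int) -> None:
    """Step 10: assign a new Entry ID, which moves the entry in the match order."""
    if any(e.entry_id == new_id for e in entries):
        raise ValueError(f"Entry ID {new_id} is already in use")
    for e in entries:
        if e.entry_id == old_id:
            e.entry_id = new_id
            return
    raise KeyError(f"no entry with ID {old_id}")


def build_sample_entries() -> List[FilterEntry]:
    """Constructed policy: drop SSH to anywhere, then steer all 10/8 traffic to a
    redundant next hop whose primary target is currently down."""
    return [
        FilterEntry(10, "Drop", protocol="TCP", dst_ports=range(22, 23)),
        FilterEntry(20, "Forward Next Hop", src_net="10.0.0.0/8",
                    primary_target=Target("nh-primary", oper_up=False),
                    secondary_target=Target("nh-secondary", oper_up=True)),
    ]


SSH_FROM_INSIDE = Packet("TCP", "10.1.1.1", "192.0.2.10", dst_port=22)

if __name__ == "__main__":
    entries = build_sample_entries()
    print(evaluate(entries, SSH_FROM_INSIDE))   # entry 10 wins: Drop
    renumber(entries, 20, 5)                     # the steering rule now comes first
    print(evaluate(entries, SSH_FROM_INSIDE))   # entry 5 wins: Forward Next Hop via nh-secondary
```

Renumbering the steering entry below the drop entry silently changes which packets the drop ever sees, which is why the page has you review the Entry ID column after each renumber; the model also makes visible that a PBR entry whose targets are both down falls back to whatever the override (or default) says rather than to the next entry.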


11 

Save your changes. The ACL IP Filter Policies form reappears.


12 
CAUTION 

Service Disruption

Distributing a global ACL IP filter policy with no filter entries (either because none have been created or all existing ones have been deleted) can cause a service outage. You should ensure that the policy has at least one filter entry, or you must be certain that distributing an empty policy is what you really intend to do. A global policy will be distributed to all of the policy’s local definitions.

If you attempt the manual distribution of an empty policy, two warning confirmations will be issued. The first warning is issued when you change the policy’s Configuration Mode on the General tab from Draft to Released. You can either choose to proceed by clicking Yes, or abort the Configuration Mode change by clicking No.

The second warning is issued if you changed the policy’s Configuration Mode to Released and then try to proceed with the actual distribution in the Distribute form. You can either choose to proceed by clicking Yes, or abort the distribution by clicking No.

If you attempt to release an ACL IP filter policy that has been initialized from an NE, you will also receive a warning confirmation, since the global policy may be partially updated from the local policy. The Discovery State indicator on the General tab displays this Initialized condition, and the Origin indicator identifies the NE. You should manually synchronize with a specific local policy before changing the Configuration Mode from Draft to Released.

Click Search, select the policy in the list and click Distribute to manually distribute the policy locally to devices. See To release and distribute a policy for more information. Policies are also automatically distributed to devices when they are used by resources on the device.


13 

Select the distributed policy and click Properties. The ACL IP Filter Global Policy (Edit) form opens.


14 

Click on the Local Definitions tab and select a local definition from the list and click Properties. The ACL IP Filter Local Policy (Edit) form opens.


15 

Click on the Insertion Blocks tab.


16 

If required, enable the check box in the Host Shared Filter Configuration panel and configure the High Watermark or Low Watermark parameters.


17 

Configure the parameters as required.

Note: The Group Entries Inserted panel displays the number of entries inserted on this filter range.


18 

Click Sort Group Insertions and click OK.


19 

To view filter entry data, perform the following steps.

  1. Click on the Filter Entries tab, then the Credit Control Entries tab or the RADIUS Entries tab.

  2. Click Search and select an entry from the list and click Properties.

  3. Close the form.


20 

Close all open forms.

End of steps