To configure a System Filter

Purpose

A system filter allows operators to configure a filter chain for packet matching. In this chain, the active system filter policy rules are evaluated first. If no match occurs, only then are the rules of any chained filter policies evaluated.

The system filter policies supports all IPv4/IPv6 filter policy match rules and actions. However, system policy entries cannot be LI or mirror sources. A system filter policy also does not support Radius, flowspec, or Gx inserted entries. In addition, a system filter policy also requires chassis mode D to be set on an NE to which it is deployed.

See Filter policies for more information on system filters.

Steps
 

Perform one of the following procedures to configure and distribute an IP filter policy for use as a system filter policy on the required NEs:

  1. To configure an ACL IP filter policy for an ACL IP filter policy

  2. To configure an ACL IPv6 filter policy for an ACL IPv6 filter policy

    Whether the policy you create will be an active system filter policy or a chained system filter policy is determined by setting the Scope and Chain to System Filter parameters.

Note: If you are configuring an active system filter policy, then you must set the Scope parameter to system when you create the new filter policy.

If you are configuring a chained system filter policy, then you must set the Scope parameter to either template or exclusive when you create the new filter policy. The Chain to System Filter parameter must also be enabled.

To change an existing filter policy’s Scope parameter to or from the system option, the policy must have no Filter Entries configured.

Perform one of the following:

  1. To create or configure an Active System Filter, go to Step 3.

  2. To view or configure a Chained Filter, go to Step 10.

Create or configure an Active System Filter
 

On the equipment tree, right-click on the NE to which you want to apply the active system filter and choose Properties. The Network Element (Edit) form opens.

Click on the Globals tab and then the System Filter tab.

Click on the Active System Filters tab and then click Create. The System Filter (Create) form opens.

Select either IP or IPv6 as the required System Filter Type.

Select the IP filter policy you created or configured in Step 1 as the System Filter.

Click OK to apply the configuration and close the System Filter (Create) form. The new active system filter appears in the list.

Note: You can also delete or configure the properties of an existing active system filter from this form.

Close the form.

View or configure a chained system filter
 
10 

On the equipment tree, right-click on the NE to which you distributed the chained system filter and choose Properties. The Network Element (Edit) form opens

11 

Click on the Globals tab and then the System Filter tab.

12 

Click on the Chained Filters tab and then either the IP or IPv6 tab, as required.

All ACL IP template or exclusive filter policies that have been distributed to this NE and have an enabled Chain to System Filter parameter are displayed. No further action is required. These are the chained system filters.

13 

To change the configuration of an existing chained system filter, select it from the list and click Properties.

Refer to either To configure an ACL IP filter policy or To configure an ACL IPv6 filter policy for configuration details, as required.

Note: You cannot delete a chained system filter from this form. Chained system filters can only be deleted using the ACL IP or ACL IPv6 Filter Policy selection form.

14 

Close the form.

End of steps