SYNC Interface Filter Rules

The rules for the SYNC interface specifically allow the VPF HA state synchronization traffic as well as anything else outbound from TNSR itself. A dedicated synchronization interface like this may be a direct cross-connection to the peer, in which case it can be safe to omit these rules. However, it is still a best practice to ensure that TNSR only allows expected traffic on the interface.

Danger

Do not use the stateful option on rules for VPF HA synchronization. Tracking state on these rules causes VPF HA to enter a loop, updating the peer with data about its own state synchronization traffic, which consumes large amounts of resources.

VPF HA data is stateless: the sender does not check for, and receives no indication of, receipt by the peer. There are therefore no return packets that would match a state, so keeping state is unnecessary.

Create Ruleset

Create the SYNC interface filter ruleset on both nodes:

tnsr(config)# vpf filter ruleset SYNC-filter
tnsr(config-vpf-filter-ruleset)# description Filter Rules for SYNC

Allow VPF HA Outbound

This rule allows VPF HA state synchronization traffic outbound from this node to the peer:

tnsr(config-vpf-filter-ruleset)# rule 10
tnsr(config-vpf-filter-rule)# description Allow outbound VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 8000
tnsr(config-vpf-filter-rule)# exit

Allow VPF HA Inbound

This rule allows VPF HA state synchronization traffic inbound to this node from the peer:

tnsr(config-vpf-filter-ruleset)# rule 11
tnsr(config-vpf-filter-rule)# description Allow inbound VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# from port 9000
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 8000
tnsr(config-vpf-filter-rule)# exit

Allow Egress Traffic

This rule allows any other traffic outbound from TNSR itself on the SYNC interface:

tnsr(config-vpf-filter-ruleset)# rule 100
tnsr(config-vpf-filter-rule)# description Pass outbound from TNSR to SYNC
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# exit

Activate Ruleset

Exit out to complete the ruleset:

tnsr(config-vpf-filter-ruleset)# exit

Next, activate the SYNC filter ruleset:

tnsr(config)# vpf options
tnsr(config-vpf-option)# interface SYNC filter-ruleset SYNC-filter
tnsr(config-vpf-option)# exit
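The procedure above builds three rules, and the Danger note above it states the one invariant that is easy to get wrong: no rule matching the VPF HA synchronization traffic may carry the stateful option, while the general egress rule (rule 100) is expected to be stateful. The following Python script is an added example, not Netgate code and not part of TNSR: it parses a CLI transcript in the exact form shown on this page (an assumption about the input format; a transcript copied from a terminal session, not a TNSR "show" output), collects each rule's settings, and flags any UDP rule to the sync port 8000 (the port used in the rules above) that is marked stateful. The sample transcript is constructed for this check: it repeats rules 10, 11 and 100 from this page and adds a hypothetical, misconfigured rule 12 so the check has something to report.

```python
import re
from dataclasses import dataclass, field

# Matches one TNSR CLI transcript line, e.g. "tnsr(config-vpf-filter-rule)# pass"
# (assumed input format: commands as typed on this page, one per line).
PROMPT = re.compile(r"^tnsr\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")

# Constructed sample: rules 10, 11 and 100 from the page plus a hypothetical
# rule 12 that wrongly combines `stateful` with the VPF HA sync port.
SAMPLE_TRANSCRIPT = """
tnsr(config)# vpf filter ruleset SYNC-filter
tnsr(config-vpf-filter-ruleset)# rule 10
tnsr(config-vpf-filter-rule)# description Allow outbound VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 8000
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 11
tnsr(config-vpf-filter-rule)# description Allow inbound VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# from port 9000
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 8000
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 100
tnsr(config-vpf-filter-rule)# description Pass outbound from TNSR to SYNC
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 12
tnsr(config-vpf-filter-rule)# description Hypothetical misconfigured sync rule (constructed)
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# to port 8000
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit
"""


@dataclass
class Rule:
    number: int
    stateful: bool = False
    # Keyed by the command minus its last word, e.g. {"protocol": "udp", "to port": "8000"};
    # bare actions such as "pass" are stored with the value True.
    settings: dict = field(default_factory=dict)


def parse_rules(transcript: str) -> list:
    """Collect the rules entered in config-vpf-filter-rule mode, in transcript order."""
    rules, current = [], None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        mode, cmd = m.group("mode"), m.group("cmd").strip()
        if mode == "config-vpf-filter-ruleset" and cmd.startswith("rule "):
            current = Rule(number=int(cmd.split()[1]))
            rules.append(current)
        elif mode == "config-vpf-filter-rule" and current is not None:
            if cmd == "exit":
                current = None
            elif cmd == "stateful":
                current.stateful = True
            elif cmd.startswith("description "):
                current.settings["description"] = cmd[len("description "):]
            else:
                parts = cmd.split()
                if len(parts) >= 2:
                    current.settings[" ".join(parts[:-1])] = parts[-1]
                else:
                    current.settings[parts[0]] = True
    return rules


def is_sync_rule(rule: Rule, sync_port: str = "8000") -> bool:
    """True if the rule matches VPF HA synchronization traffic (UDP to the sync port)."""
    return rule.settings.get("protocol") == "udp" and rule.settings.get("to port") == sync_port


def stateful_sync_rules(rules: list, sync_port: str = "8000") -> list:
    """Rule numbers that violate the page's warning: sync-traffic rules marked stateful."""
    return [r.number for r in rules if is_sync_rule(r, sync_port) and r.stateful]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_TRANSCRIPT)
    for bad in stateful_sync_rules(parsed):
        print(f"rule {bad}: stateful option set on VPF HA synchronization traffic")
```

Run against a transcript of the real session, the script reports only rules whose match criteria cover the synchronization traffic, so the stateful egress rule 100 passes while the constructed rule 12 is reported. The match test is deliberately narrow (UDP plus destination port); a rule with no protocol or port restriction at all would not be caught by it, which is the reason the page's egress rule is kept separate from the sync rules rather than folded into them.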