SYNC Interface Filter Rules
The rules for the SYNC interface specifically allow the VPF HA state synchronization traffic as well as anything else outbound from TNSR itself. A dedicated synchronization interface like this may be a direct cross-connection to the peer, in which case it can be safe to omit these rules. However, it is still a best practice to ensure that TNSR only allows expected traffic on the interface.
Danger
Do not use the stateful option on rules for VPF HA synchronization. Tracking state on these rules causes VPF HA to enter a loop, updating the peer with data about its own state synchronization traffic, which consumes large amounts of resources.
VPF HA data is stateless: the sender neither checks for nor receives any indication that the peer received the data. However, there are heartbeat packets that take the return path, so additional rules are necessary to pass these packets without keeping state.
Create Ruleset
Create the SYNC interface filter ruleset on both nodes:
tnsr(config)# vpf filter ruleset SYNC-filter
tnsr(config-vpf-filter-ruleset)# description Filter Rules for SYNC
Allow VPF HA Outbound
These rules allow VPF HA state synchronization traffic outbound from this node to the peer and return traffic from the peer for the same service:
tnsr(config-vpf-filter-ruleset)# rule 10
tnsr(config-vpf-filter-rule)# description Allow outbound VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# from port 9000
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 8000
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 20
tnsr(config-vpf-filter-rule)# description Allow outbound return VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# from port 8000
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 9000
tnsr(config-vpf-filter-rule)# exit
Allow VPF HA Inbound
These rules allow VPF HA state synchronization traffic inbound to this node from the peer and the corresponding return traffic for the same service:
tnsr(config-vpf-filter-ruleset)# rule 30
tnsr(config-vpf-filter-rule)# description Allow inbound VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# from port 9000
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 8000
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 40
tnsr(config-vpf-filter-rule)# description Allow inbound return VPF state synchronization
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol udp
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# from port 8000
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.1.0/30
tnsr(config-vpf-filter-rule)# to port 9000
tnsr(config-vpf-filter-rule)# exit
Allow Egress Traffic
This rule allows any other traffic outbound from TNSR itself on the SYNC interface:
tnsr(config-vpf-filter-ruleset)# rule 100
tnsr(config-vpf-filter-rule)# description Pass outbound from TNSR to SYNC
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# exit
Activate Ruleset
Exit the ruleset to complete it:
tnsr(config-vpf-filter-ruleset)# exit
Next, activate the SYNC filter ruleset:
tnsr(config)# vpf options
tnsr(config-vpf-option)# interface SYNC filter-ruleset SYNC-filter
tnsr(config-vpf-option)# exit
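To make the stateless return-path logic of this ruleset checkable offline, the following is an added example (not TNSR's own code and not from the Netgate documentation) that models rules 10 through 100 as Python data, lints them for the constraint in the Danger box above (no state tracking on the HA rules, and a stateless partner rule for every return path), and shows which rule handles each kind of packet on the SYNC link. The prefix, ports and rule numbers are those used on this page; the node addresses 10.28.1.1 and 10.28.1.2, the sample packets, the `is_ha_rule` heuristic, and first-match evaluation in ascending rule order are assumptions of the model, not documented TNSR behaviour.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

HA_NET = ipaddress.ip_network("10.28.1.0/30")  # SYNC link prefix used on the page
HA_SEND_PORT, HA_RECV_PORT = 9000, 8000        # sync data travels 9000 -> 8000

@dataclass(frozen=True)
class Rule:
    number: int
    direction: str                              # "in" or "out"
    protocol: Optional[str] = None              # None matches any protocol
    src: Optional[ipaddress.IPv4Network] = None
    src_port: Optional[int] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None
    stateful: bool = False

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int

def ha_rule(number: int, direction: str, src_port: int, dst_port: int) -> Rule:
    """Stateless UDP rule confined to the SYNC prefix, the shape of rules 10-40."""
    return Rule(number, direction, "udp", HA_NET, src_port, HA_NET, dst_port)

# The SYNC-filter ruleset as built on this page.
SYNC_FILTER = [
    ha_rule(10, "out", HA_SEND_PORT, HA_RECV_PORT),  # our sync data to the peer
    ha_rule(20, "in", HA_RECV_PORT, HA_SEND_PORT),   # peer's heartbeat back to us
    ha_rule(30, "in", HA_SEND_PORT, HA_RECV_PORT),   # peer's sync data to us
    ha_rule(40, "out", HA_RECV_PORT, HA_SEND_PORT),  # our heartbeat back to the peer
    Rule(100, "out", stateful=True),                 # anything else TNSR itself sends
]

def is_ha_rule(rule: Rule) -> bool:
    """Assumed heuristic: UDP within the SYNC prefix using the 8000/9000 port pair."""
    return (rule.protocol == "udp" and rule.src == HA_NET and rule.dst == HA_NET
            and {rule.src_port, rule.dst_port} == {HA_SEND_PORT, HA_RECV_PORT})

def stateful_ha_rules(rules) -> list:
    """HA rule numbers that track state; per the Danger box this must be empty."""
    return [r.number for r in rules if is_ha_rule(r) and r.stateful]

def unpaired_ha_rules(rules) -> list:
    """HA rules with no stateless partner for the return path (opposite direction,
    ports swapped). With no state entry, nothing else would pass the reply."""
    ha = [r for r in rules if is_ha_rule(r)]
    return [r.number for r in ha
            if not any(p.direction != r.direction and p.src_port == r.dst_port
                       and p.dst_port == r.src_port for p in ha)]

def mark_stateful(rules, number: int) -> list:
    """Copy of the ruleset with one rule's stateful flag set, to show the lint firing."""
    return [replace(r, stateful=True) if r.number == number else r for r in rules]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule sets must hold; unset criteria match anything."""
    return (rule.direction == pkt.direction
            and rule.protocol in (None, pkt.protocol)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))

def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """Assumed evaluation order: ascending rule number, first match decides.
    Returns None when no rule in this set passes the packet."""
    return next((r for r in sorted(rules, key=lambda r: r.number)
                 if rule_matches(r, pkt)), None)

# Constructed sample traffic: this node is 10.28.1.1, the peer is 10.28.1.2.
SAMPLES = {
    "sync_out": Packet("out", "udp", "10.28.1.1", 9000, "10.28.1.2", 8000),
    "heartbeat_in": Packet("in", "udp", "10.28.1.2", 8000, "10.28.1.1", 9000),
    "sync_in": Packet("in", "udp", "10.28.1.2", 9000, "10.28.1.1", 8000),
    "heartbeat_out": Packet("out", "udp", "10.28.1.1", 8000, "10.28.1.2", 9000),
    "ssh_out": Packet("out", "tcp", "10.28.1.1", 40000, "10.28.1.2", 22),
    "ssh_in": Packet("in", "tcp", "10.28.1.2", 40000, "10.28.1.1", 22),
}

def classify(rules, samples) -> dict:
    """Map each sample name to the number of the rule that handles it (None: unmatched)."""
    result = {}
    for name, pkt in samples.items():
        hit = first_match(rules, pkt)
        result[name] = hit.number if hit else None
    return result

if __name__ == "__main__":
    print("stateful HA rules:", stateful_ha_rules(SYNC_FILTER))
    print("unpaired HA rules:", unpaired_ha_rules(SYNC_FILTER))
    print(classify(SYNC_FILTER, SAMPLES))
    print("rule 10 made stateful:", stateful_ha_rules(mark_stateful(SYNC_FILTER, 10)))
```

Run as written, both lint checks come back empty for the page's ruleset, and the classification shows why rules 20 and 40 exist: because nothing keeps state, the heartbeat replies in each direction need their own stateless pass rule, while ordinary outbound traffic from TNSR falls through to rule 100 and unsolicited inbound traffic matches nothing. Marking rule 10 stateful, or dropping rule 20, makes the corresponding check report rule 10.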