Anchor filters and dynamic filters

After a Security Association is negotiated, the ipsec -f display command shows two additional dynamic filters, which were created along with the Security Association and correspond to the inbound and outbound anchor filters. Dynamic filters are placed ahead of the anchor filters in the filter table, so dynamic filters are searched first when IP filtering is performed. In the following sample output, two dynamic filters have been added to the filter table after the activation of a phase 2 Security Association. The Type field indicates whether the filter is a dynamic anchor filter or a dynamic filter:

ipsec -f dis -n Rule2Admin

CS V2R1 ipsec  Stack Name: TCPCS  Tue Feb 14 11:23:54 2012
Primary:  Filter          Function: Display            Format:   Detail
Source:   Stack Policy    Scope:    Current            TotAvail: 139
Logging:  On              Predecap: Off                DVIPSec:  Yes
NatKeepAlive:  20         FIPS140:  No
Defensive Mode: Inactive

FilterName:                   Rule2Admin
FilterNameExtension:          1
GroupName:                    Admin
LocalStartActionName:         n/a
VpnActionName:                Silver-TransportMode
TunnelID:                     Y4
Type:                         Dynamic
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Outbound
OnDemand:                     No
SecurityClass:                0
Logging:                      Deny
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          n/a
SourceAddress:                9.1.1.1
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     n/a
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  9.1.1.2
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       n/a
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   n/a
UpdateTime:                   n/a
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                1
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2Admin
FilterNameExtension:          1
GroupName:                    Admin
LocalStartActionName:         n/a
VpnActionName:                Silver-TransportMode
TunnelID:                     Y0
Type:                         Dynamic Anchor
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Outbound
OnDemand:                     No
SecurityClass:                0
Logging:                      Deny
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          Rule
SourceAddress:                9.1.1.1
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     Packet
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  9.1.1.2
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       Packet
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2012/02/14 10:49:48
UpdateTime:                   2012/02/14 11:07:20
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                1
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2Admin
FilterNameExtension:          2
GroupName:                    Admin
LocalStartActionName:         n/a
VpnActionName:                Silver-TransportMode
TunnelID:                     Y4
Type:                         Dynamic
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Inbound
OnDemand:                     No
SecurityClass:                0
Logging:                      Deny
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          n/a
SourceAddress:                9.1.1.2
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     n/a
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  9.1.1.1
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       n/a
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   n/a
UpdateTime:                   n/a
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                1
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2Admin
FilterNameExtension:          2
GroupName:                    Admin
LocalStartActionName:         n/a
VpnActionName:                Silver-TransportMode
TunnelID:                     Y0
Type:                         Dynamic Anchor
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Inbound
OnDemand:                     No
SecurityClass:                0
Logging:                      Deny
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          Rule
SourceAddress:                9.1.1.2
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     Packet
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  9.1.1.1
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       Packet
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2012/02/14 10:49:48
UpdateTime:                   2012/02/14 11:07:20
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                1
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************

4 entries selected
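
The ordering and pairing described above can be checked mechanically. The following Python is an added example, not part of the original documentation or of IBM's tooling. It assumes the detail format shown above, runs on a constructed sample reduced to five fields per entry, and assumes (as in the sample output) that a dynamic filter belongs to the anchor with the same FilterName, FilterNameExtension and Direction.

```python
import re

SEP = "*" * 71 + "\n"

def _record(ext, tunnel, ftype, direction):
    # Constructed sample record in the layout shown above, reduced to the fields used here.
    rows = [("FilterName", "Rule2Admin"), ("FilterNameExtension", ext),
            ("TunnelID", tunnel), ("Type", ftype), ("Direction", direction)]
    return "".join((k + ":").ljust(30) + v + "\n" for k, v in rows) + SEP

# Constructed input: the same four entries, in the same order, as the sample output.
SAMPLE = ("Logging:  On              Predecap: Off\n\n"
          + _record("1", "Y4", "Dynamic", "Outbound")
          + _record("1", "Y0", "Dynamic Anchor", "Outbound")
          + _record("2", "Y4", "Dynamic", "Inbound")
          + _record("2", "Y0", "Dynamic Anchor", "Inbound")
          + "\n4 entries selected\n")

def parse_filters(text):
    """Return one dict per filter entry, in filter-table (search) order."""
    entries = []
    for block in re.split(r"^\*{10,}[ \t]*$", text, flags=re.M):
        start = block.find("FilterName:")
        if start >= 0:  # drops the report header and the "n entries selected" trailer
            pairs = re.findall(r"^(\w+):[ \t]+(.*?)[ \t]*$", block[start:], flags=re.M)
            entries.append(dict(pairs))
    return entries

def anchor_report(entries):
    """For each anchor: tunnel IDs of its dynamic filters and whether all precede it."""
    ident = lambda e: (e["FilterName"], e["FilterNameExtension"], e["Direction"])
    report = []
    for i, anchor in enumerate(entries):
        if anchor.get("Type") != "Dynamic Anchor":
            continue
        dyn = [(j, d["TunnelID"]) for j, d in enumerate(entries)
               if d.get("Type") == "Dynamic" and ident(d) == ident(anchor)]
        report.append({"anchor": ident(anchor),
                       "tunnels": [t for _, t in dyn],
                       "has_dynamic": bool(dyn),  # False: no dynamic filter displayed
                       "dynamic_first": all(j < i for j, _ in dyn)})
    return report

if __name__ == "__main__":
    for row in anchor_report(parse_filters(SAMPLE)):
        print(row)
```

An anchor reported with has_dynamic False has no dynamic filter in the displayed table, and dynamic_first False means a dynamic filter was listed after its anchor, contrary to the search order described above.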