Netfence filters
Netfencing (network fencing) filters facilitate granular control over traffic steering decisions, allowing you to map requesting clients to specific endpoints based on the requester's IP address or autonomous system number (ASN). When processing incoming requests, these filters reference the ASN or IP prefix metadata defined in each answer and eliminate answers not matching the requester's IP address.
Filter | Description | Related metadata |
---|---|---|
Netfence ASN filter | This filter eliminates answers whose ASN metadata does not match the one associated with the requester's IP address. Answers without ASN metadata remain in the list unless the Remove answers without ASN on match option is enabled. | AS Number(s) |
Netfence Prefix filter | This filter eliminates answers whose IP prefix list does not contain the requester's IP address. Answers without ip_prefixes metadata remain in the list unless the Remove answers without ASN on match option is enabled. | IP Prefix List |
Example: Netfence by ASN
Suppose you have a DNS record (type A) with two answers. You set the AS Number(s) metadata values for the first answer to 2914 and 3257. You leave the ASN metadata blank for the second answer. Then, you create a Filter Chain that includes the Netfence by ASN filter. In this example:
- Requests from an IP in AS2914 receive both answers.
- Requests from an IP in AS701 receive only the answer with no ASN value set.
- If you enable the Remove answers without ASN on match option, requests from an IP in AS2914 receive only the answer with the matching ASN metadata value, and the answer with the unset metadata value is eliminated.
Example: Netfence by IP prefix
Suppose you have a record with two answers. You set the IP Prefix List metadata for the first answer to 1.2.3.0/24, 2.3.4.0/24. You do not specify an IP prefix list for the second answer. In this example:
- Requests from 1.2.3.4 receive both answers.
- Requests from 5.6.7.8 receive only the second answer.
- If you want requests from 1.2.3.4 only to receive the first answer, enable the Remove answers without ASN on match option.
- If you select Remove answers without ASN on match, answers are removed only if at least one answer contains an ip_prefix that matches the requester. If no answers meet this requirement, answers with no ip_prefix values are returned.
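The following is an added example, not the vendor's code: a small Python model of the elimination rules described above, run against the two example records. The dictionary keys, function names and answer addresses are assumptions made for illustration, the requester's ASN is passed in rather than looked up, and applying the no-match fallback to the ASN filter as well as the prefix filter is also an assumption.

```python
import ipaddress

def _fence(answers, key, matches, remove_unset_on_match):
    """Drop answers whose metadata is set but does not match the requester.

    Answers with the metadata unset stay, unless the option is on AND at
    least one answer matched (the fallback described in the last bullet).
    """
    kept, any_match = [], False
    for answer in answers:
        values = answer.get(key)          # key names are hypothetical
        if not values:
            kept.append((answer, False))  # unset metadata: provisionally kept
        elif matches(values):
            kept.append((answer, True))
            any_match = True
    if remove_unset_on_match and any_match:
        return [a for a, matched in kept if matched]
    return [a for a, _ in kept]

def netfence_asn(answers, requester_asn, remove_unset_on_match=False):
    # requester_asn is supplied by the caller; IP-to-ASN lookup is out of scope.
    return _fence(answers, "asn", lambda asns: requester_asn in asns,
                  remove_unset_on_match)

def netfence_prefix(answers, requester_ip, remove_unset_on_match=False):
    ip = ipaddress.ip_address(requester_ip)
    return _fence(answers, "ip_prefixes",
                  lambda nets: any(ip in ipaddress.ip_network(n) for n in nets),
                  remove_unset_on_match)

# Constructed records mirroring the two examples (answer addresses are made up).
ASN_ANSWERS = [
    {"answer": "192.0.2.10", "asn": [2914, 3257]},
    {"answer": "192.0.2.20"},
]
PREFIX_ANSWERS = [
    {"answer": "198.51.100.10", "ip_prefixes": ["1.2.3.0/24", "2.3.4.0/24"]},
    {"answer": "198.51.100.20"},
]

def ips(answers):
    return [a["answer"] for a in answers]

if __name__ == "__main__":
    print(ips(netfence_asn(ASN_ANSWERS, 701)))
    print(ips(netfence_prefix(PREFIX_ANSWERS, "1.2.3.4", True)))
    print(ips(netfence_prefix(PREFIX_ANSWERS, "5.6.7.8", True)))
```

In this model an answer with no metadata is still returned to any requester that matches nothing, with or without the option, so an endpoint is only fenced once its own metadata is set.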