Anchor filters and dynamic filters

Filters with ipsec actions are flagged as anchor filters. Anchor filters are neither permit nor deny rules; they serve as placeholders for dynamic filters in the ordered list of filter rules. A dynamic filter is an extension of an anchor filter and is created when a phase 2 Security Association is created. Each phase 2 Security Association that is negotiated is associated with two dynamic filters, an inbound filter and an outbound filter.

When an IP packet matches an anchor filter rule, a secondary search is made for a matching dynamic filter rule. If none is found, the packet is denied, unless the packet is an outbound packet and on-demand negotiations are allowed; in that case, an IKE negotiation ensues to create a Security Association and the matching dynamic filter. If a dynamic filter already exists, the action taken is to permit with IPSec processing applied. Because there is a one-to-one correspondence between dynamic filter pairs (inbound and outbound) and phase 2 Security Associations, the dynamic filter rule identifies which Security Association is used when applying IPSec processing.

For a sample display of anchor and dynamic filters, see Displaying active filters with the ipsec command.
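The lookup sequence above (ordered filter list, anchor hit, secondary dynamic-filter search, deny or on-demand IKE) as an added Python model; this is illustration code, not the product's implementation, and it assumes an implicit deny when no rule matches and uses a stand-in `negotiate_sa` in place of IKE:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Filter:
    src: str          # CIDR or host address
    dst: str
    proto: str        # "tcp", "udp" or "any"
    action: str       # "permit", "deny" or "ipsec" (anchor filter)

@dataclass
class DynamicFilter:
    src: str
    dst: str
    proto: str
    direction: str    # "inbound" or "outbound"
    sa_id: str        # the phase 2 SA this dynamic filter belongs to

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    direction: str

def matches(rule, pkt):
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto))

def negotiate_sa(dyn_filters, pkt, sa_id):
    """Stand-in for IKE (assumption): one phase 2 SA yields one
    inbound/outbound dynamic filter pair, hence the 1:1 mapping."""
    dyn_filters.append(DynamicFilter(pkt.src, pkt.dst, pkt.proto, "outbound", sa_id))
    dyn_filters.append(DynamicFilter(pkt.dst, pkt.src, pkt.proto, "inbound", sa_id))
    return sa_id

def evaluate(filters, dyn_filters, pkt, on_demand=False, next_sa_id="sa-1"):
    for rule in filters:                        # first match in the ordered list wins
        if not matches(rule, pkt):
            continue
        if rule.action != "ipsec":
            return rule.action, None            # ordinary permit/deny rule
        # Anchor filter hit: secondary search for a dynamic filter.
        for dyn in dyn_filters:
            if dyn.direction == pkt.direction and matches(dyn, pkt):
                return "permit-ipsec", dyn.sa_id  # dynamic filter names the SA
        if pkt.direction == "outbound" and on_demand:
            return "permit-ipsec", negotiate_sa(dyn_filters, pkt, next_sa_id)
        return "deny", None                     # anchor but no SA, no on-demand
    return "deny", None                         # assumption: implicit deny
```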