Allied Telesis x900-12XT/S, x908 manual AlliedWare Plus™ OS


AlliedWare Plus™ OS

How To Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches

Introduction

The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful hardware-based packet-filtering facility.

These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and perform a variety of different actions on the packets that match the filters.

Because the filters are hardware-based, they put no load on the CPU of the switch, and do not affect the throughput of the switch. It is possible to configure over 1000 different filters, and still have complete wire speed throughput on the switch.

On the AlliedWare Plus OS, hardware-based packet filtering is carried out by using hardware ACLs (Access Control Lists). The following configuration methods are available:

1. To make a simple filter based on IP address, MAC address, TCP/UDP port, or ICMP type, you simply create one or more ACLs and apply them to a port.

You can build up a filter hierarchy by applying multiple ACLs to a port (e.g. make one ACL to allow traffic from a source IP address to a destination address, then a second ACL to drop all (other) traffic from that source IP address).

This How To Note refers to ACLs that are applied to ports as interface ACLs.

2. To make a filter based on a range of other packet settings, you use QoS match commands in one or more QoS class-maps, mostly in combination with ACLs. Then you use QoS to apply the class-maps to a policy-map and port.

This note describes both approaches. Then it gives a series of examples, and ends by discussing how many filters you can make.
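As an added example (not taken from the Note), the filter hierarchy described under approach 1, followed by the same ACL reused under approach 2. The command syntax follows AlliedWare Plus CLI conventions as assumed here; the addresses, ACL numbers, names and ports are constructed placeholders.

```text
! Constructed example, added here; not from the Note. Addresses, ACL numbers,
! class-map/policy-map names and ports are placeholders.
!
! Approach 1: interface ACLs. The permit ACL is applied to the port first and
! the catch-all deny second, so host 192.168.10.5 can reach only 10.1.1.0/24
! through port1.0.1 and everything else it sends is dropped in hardware.
awplus# configure terminal
awplus(config)# access-list 3000 permit ip 192.168.10.5/32 10.1.1.0/24
awplus(config)# access-list 3001 deny ip 192.168.10.5/32 any
awplus(config)# interface port1.0.1
awplus(config-if)# access-group 3000
awplus(config-if)# access-group 3001
awplus(config-if)# exit
!
! Approach 2: the deny ACL referenced from a QoS class-map, attached to a
! policy-map and then to a port, for cases that also need QoS match criteria.
awplus(config)# class-map FROM-HOST
awplus(config-cmap)# match access-group 3001
awplus(config-cmap)# exit
awplus(config)# policy-map HOST-POLICY
awplus(config-pmap)# class FROM-HOST
awplus(config-pmap-c)# exit
awplus(config-pmap)# exit
awplus(config)# interface port1.0.2
awplus(config-if)# service-policy input HOST-POLICY
awplus(config-if)# end
!
! Check what was installed before trusting the filter.
awplus# show access-list 3000
awplus# show access-list 3001
```

The order in which the ACLs are applied to the port is what builds the hierarchy the Note describes; apply the more specific permit before the broader deny.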

C613-16119-00 REV A

www.alliedtelesis.com

Contents

Which products and software version does this Note apply to?
Creating hardware ACLs
    Creating IP hardware ACLs
    Creating MAC address hardware ACLs
    Effects of the action keywords in ACLs
Making filters by applying hardware ACLs to ports
Making filters by using QoS class-maps
    Creating a class-map
    Specifying what the class-map will match on
    Matching on inner keywords for nested VLANs
    Matching on TCP flag
    Matching on eth-format and protocol
    Applying the class-maps to a policy-map
    Applying the policy-map to ports
Combining interface ACLs and QoS class-maps
Logic of the operation of the hardware filters
Examples
    Blocking all multicast traffic
    Blocking all multicast traffic except one address
    Mirroring Http and Smtp traffic
    Mirroring ARP packets
    Blocking TCP sessions in one direction
How many filters can you create?
    Filter rules table
    Profile mask
    Are there enough bytes for your set of filters?