Displaying Packet Filters | 3Com 2200 manual

Displaying Packet Filters

12-3

Displaying Packet Filters

	Top-Level Menu
	system						list
	system
	ethernet display
	ethernet display					➧display
	fddi					➧display
	fddi		ipFragmentation
							create
	➧bridge		ipxSnapTranslation
	➧bridge						delete
	ip		addressThreshold
	ip		agingTime				edit
	snmp		agingTime				edit
	snmp		stpState				load
	analyzer						load
	analyzer						assign
	script		stpPriority				assign
	script		stpMaxAge unassign
	logout		stpMaxAge unassign
	logout						addressGroup
			stpHelloTime
							portGroup
			stpForwardDelay

stpGroupAddress port

➧packetFilter

When displaying the contents of a single packet ﬁlter, you select the packet ﬁlter using the ﬁlter id (which you can obtain by listing the packet ﬁlters as described in the previous section). The packet ﬁlter instructions are displayed; however, any comments in the original packet ﬁlter deﬁnition ﬁle are not displayed because they are not saved with the packet ﬁlter.

To display the contents of a packet ﬁlter:

1From the top level of the Administration Console, enter:

bridge packetFilter display

You are prompted for the number of the packet ﬁlter you want to display.

2Enter the packet ﬁlter id number.

The contents of the packet ﬁlter are displayed. An example of the output generated by this command is shown next. The packet ﬁlter id and name are displayed, followed by a listing of the packet ﬁlter instructions.

Select packet filter to be displayed [1-n]: 2

Packet filter 2 - Type > 900 or Multicast

name “Type > 900 or Multicast”
pushLiteral.w	0x900
pushField.w	12
gt
reject
pushField.b	0
pushLiteral.b	0x01
and
not

Creating Packet You create custom packet ﬁlters by writing a packet ﬁlter deﬁnition. Each

Filterspacket-processing path on a port may have a unique packet ﬁlter deﬁnition or may share a deﬁnition with other ports. Packet ﬁlter deﬁnitions are written in the packet ﬁlter language. This language allows you to construct complex logical expressions.

After writing a packet ﬁlter deﬁnition, you load it into a Switch 2200 and the corresponding port assignments are preserved in the nonvolatile memory (NVRAM) of the system. This ensures that the packet ﬁlter conﬁguration for each system is saved across system reboots and power failures.

Image 140

3Com 2200 manual Displaying Packet Filters

Contents

Superstack II Switch Administration Console User Guide 3Com Corporation 5400 Bayfront Plaza Santa Clara, California Contents Administration Console Interface Parameters Remote Access ParametersSetting Up an IP Interface for Management Online Help Setting Passwords Rebooting the SystemAbout Setting Baselines Setting Baselines Setting tmaxLowerBound Setting lerAlarm Setting lerCutoffSetting the Aging Time Starting Port Monitoring Setting the Bridge Priority 10-710-8 10-9 Using Groups in Packet Filters Listing Groups 13-3Opcodes A-1 Destination Address Filter A-9 Access by Modem Support from 3ComWorld Wide Web Site 3ComForum on CompuServe Returning Products for Repair About this Guide IntroductionFamiliarity with communications protocols that are used on Interconnected LANs This Guide How to UseSwitch 2200. The parts of the guide are described in Table Conventions This guide Documents, contact your sales representative for assistance SwitchDocumentation Comments Introduction Conﬁguration Tasks Administration OverviewAbout Switch Administration General System Commands Task Quick Command For Details, See Adjust the console screen height for your terminal To the system, or reset nonvolatile data to defaults Change the factory default baud rate of the Console port Configurations, and spanning tree configurations System Management Setup Commands Task Quick CommandBridging Commands Task Quick Command For Details, See Administer bridge port addresses 12-1 and followingDisplay bridge port information Set the multicast packet firewall threshold 9-2 to Ethernet Commands Task Quick Command For Details, SeeA summarized or detailed format Fddi Commands Task Quick Command 8-3 HOW to USE Initial User AccessAccess Levels of User Select access level read, write, administer Password Using Menus to Perform Tasks System-level Functions Menu Hierarchy for Administer Access Fddi Menu Bridge Menu Bridging Menu Hierarchy for Administer Access IP Menu Snmp Menu Analyzer Menu Most abbreviated version of the same command string is Menu options are not case sensitive Entering Values Parameters AdjustingConsole Interface Disabling Reboot Abort Keys System consoleLock Enter the telnet timeout interval 30 minutes to 60 minutes Running Scripts Administration Console TasksSetting Timeout Interval for Remote Sessions HOW to USE the Administration Console Running Scripts of Administration Console Tasks Console GettingHelp Exiting returns you to the password prompt To exit from the Administration ConsoleExiting There, by pressing the ESC key SYSTEM-LEVEL Functions Page Management Access to the SystemAbout Setting Up Console Serial Port Setting Up an IP Interface for Broadcast Address Broadcast address Directed all 1s in the host fieldCost Ports All Ip interface modify Removing an Interface Timed out Gateway IP AddressTiming out Defining a Static Route Default route is immediately removed from the routing table Administering the ARP Cache Setting the RIP Mode Enter the IP address of the station you want to ping You could receive one of the following responses Statistics are displayed, as shown in this example Displaying IP StatisticsIP statistics you can view are described in Table Community string settings are displayed as shown here Setting Up Snmp on Your SystemDisplaying Snmp Settings Administering Snmp Trap Reporting Community string length Conﬁguring Trap Reporting Enter an IP address of the Snmp manager destination address This example shows a trap conﬁguration Trap address invalid or unreachable Remote SMT events. On all other Switch 2200s in your network You receive the following prompt Snmp trap smtProxyTraps Displaying System Conﬁguration Example of a Switch 2200 system conﬁguration displayEnvironment Setting Passwords Initial passwords You are prompted for the name of the system Setting the System NameChanging the Date and Time Rebooting About Setting You must disable the baselineBaselines Displaying the Current Baseline Setting Baselines Baselining is automatically enabled when a baseline is setEnabling or Disabling Baselines Message similar to the following appears Nonvolatile Data SAVING, RESTORING, and Resetting Nonvolatile DataWorking with Saving NV Data Restoring NV DataSaving the NV data Restoration rules described here System nvData restore Examining a Saved NV Data File You are returned to the NV data menu options Resetting NV Data to Defaults You see the following prompt III Ethernet and Fddi ParametersPage Ports DisplayingEthernet Port Information RxDiscards Describes the information provided about an Ethernet port Default is enabled Layer to receive them or because the port was disabledLong and are not configurable Disabled Second long and are not configurable SuccessfullyTransmitted successfully TxPeakByteRate There is no buffer space available Frame is in error TxDiscards TxQOverflows TxFrames Frames delivered to this port Setting the Port State Labeling a Port Fddi Stations AdministeringResources Describes these statistics Can be Thru, Isolated, WrapA, and WrapBConnectPolicy This value can be user-defined Defaults for connecting to a Port M Description of Fields for Fddi Station Attributes TNotifyFrames NIF. This value can be user-defined TraceMaxExp With defaults for connecting to a Port M Normal tree connectionTopology Node may not go to Thru state in CFM Setting Neighbor Notiﬁcation Timer Enabling Disabling Status Reporting Fddi Paths Description of Fields for Fddi Path Attributes MaxTReq RingLatencyTmaxLowBound TraceStatus Current Trace status of the path TvxLowBound To set tvxLowerBound Station, which appears in brackets Fddi MACs Displaying MAC Information Administering Fddi MACs Describes the information provided for the Fddi MAC Error during reception Description of Fields for Fddi MAC Attributes OldDownstreamNeighbor OldUpstream There is no buffer space available Frame is in error Receive Frame Network Setting the Frame Error Threshold Shows the order in which the discard tests are made Setting the Not Copied Threshold Enter the new threshold value. See the following example Enabling Disabling LLC Service Setting MAC Paths Administering Fddi Ports Displaying Port Information Describes the type of information provided for an Fddi port Setting lerCutoff Setting Port Labels Fddi port path Analysis Roving AnalysisAbout Roving Receive Roving AnalysisOn a speciﬁc system Adding an Analyzer Port Removing an Analyzer Port Starting Port MonitoringYou can start monitoring port activity See the example below for starting port monitoring Stopping Port Monitoring Bridging Parameters Displaying Bridge Information Information about the bridge is displayed Following example shows a display of bridge information Each item in the bridge parameter list is described in Table BridgeFwdDelay Learning states. The default value is 15 secondsRoot. The default value is 2 seconds ForwardDelay Default value is disabled Bridge Attributes Parameter Description MaxAgeIs determined by the root bridge Mode Enabling Disabling IPFragmentation Disabling IPX Setting AddressThreshold Aging Time Enabling and Disabling STP on a Bridge Enter enabled or disabled at the promptSTP Bridge Setting the Bridge Maximum Age To conﬁgure the STP bridge priority Forward delay The recommended value is 15 seconds To conﬁgure the forward delay value Setting the STP Group Address Bridge Port Following example shows a bridge port summary display Following example shows a bridge port detail display RxErrorDiscs Port is attachedDesignatedCost BPDUs from the designated bridge for that LAN Bridge Port Attributes Parameter Description RxFrames Management framesRxMcastExcDiscs Exceeded Disabled in which the port is currently operating Disabled The port has been disabled by managementBridge Port Attributes Parameter Description State Blocking The bridge continues to run the Spanning Tree Shows the order in which the discard decisions are made Multicast packet ﬁrewall, see Bridging Extensions Multicast LimitYou are prompted for port type STP Bridge Port EnablingDisabling STP On a Port Bridge port stpCost Bridge port stpPriority Administering Port Addresses Listing Addresses From the top level of the Administration Console, enter You are prompted for the port numberEnter the number of the port You are prompted for one or more addresses to add Flushing All Addresses You are prompted for the port numbers Packet Filters Packet Filtering Listing Packet Filters Displaying Packet Filters Creating and Using Packet Filters Describes the instructions and stacks of a packet ﬁlter Basic Elements of a Packet Filter Ethernet and Fddi Packet Fields Packet Filter Operands Description Opcode Packet field PushFieldSize of the field can be 1, 2, 4, or 6 bytes Want the filter to examine a 48-bit address Constant Accept and Reject Instructions Preprocessed and Run-time Storage Creating Packet Filters 12-9 Opcode.size operand... # comment 12-11 Creating and Using Packet Filters Pseudocode translates into the following packet ﬁlter # XNS Filtering Section Enter executable instruction #1 Enter executable instruction #2 Enter executable instruction #3 Enter executable instruction #4Enter executable instruction #5 Enter executable instruction #6 This combination looks like this Only IP pkts w/in socket range Add a not statement to discard any matching packets Maximum length of a packet ﬁlter deﬁnition is 4096 bytes Command are discarded Being editedDelete Previous Ctrl+h Character One position Delete Current Ctrl+d Deleting Packet Filters Editing, CheckingSaving Packet Filters At the Replace existing filter? prompt Loading Packet Filters Bridge packetFilter load Fddi Unassigning Packet Filters from Ports Configuring Address Port Groups to USE Packet Filters Using GroupsUser-deﬁned Packet Filtering in the SuperStack II Switch Address and port groups in packet ﬁlters OR, for port groups, enter the following command To list the currently deﬁned groups, enter this command Enter this command Displaying Groups Creating New Groups Enter the ports in this syntax Address 08-32-45-e3-32-21 Port Ethernet Ports to Groups AddingAddresses Address 08-37-21-65-78-c4 Removing Addresses or Ports from a Group To remove an address from a group, enterOR, to remove a port from a group, enter Enter the ports in the syntax Address 08-42-21-84-78-f1 Loading Groups 13-11 Configuring Address and Port Groups to USE in Packet Filters Appendixes Packet Filter Opcodes OpcodesOpcodes are described in this section Name name PushField.size offset Bytes PushLiteral.size value PushTop Byte PushSAGMByte PushDAGM Byte Byte Eq equal PushSPGMByte PushDPGM Byte Le less than or equal to Ne not equalByte Lt less than Byte Bit-wise Gt greater thanByte Ge greater than or equal to Or bit-wise or Byte Xor bit-wise exclusive-ORByte Not Byte Accept Byte Shiftr shift right RejectByte Shiftl shift left Packet ﬁlter concepts Packet FilterExamples Address To make a copy of the type ﬁeld XNSPage Errors Common Syntax Characters of the number Number with a leading 0x or 0X is treated asHexadecimal Number with a leading 0 is treated as octal Services Variety of services. This appendix describes these servicesOnline Technical Through the following online systems Access by Isdn Press Return to see the 3ComForum main menu Maintenance, application training, and support services Support fromYour Network Supplier U.S. and Canada, call 800 876-3266 for customer service To ﬁnd your authorized service provider3Com Support contracts are available from 3Com Address Resolution Protocol. See ARP address threshold Index3ComFacts B-3 3ComForum B-2 Abort ARP cache ﬂushing 3-12 removing entry Cost Multicast limit, setting 11-7 Spanning Tree EnablingStatistics, displaying 10-1bridge port SRFs 8-2 Connection policies, setting PortState Station MAC addresses 11-11Ethernet addressFddi path deﬁned Fddi port Removing from -9, 3-10 status Enabling Le opcode A-5 Name opcode A-1 Naming the Switch 2200 4-3ne opcode A-5 On-line technical services B-1opcodePassword conﬁguring Multicast frames Packet ﬁlters 12-1multicast limit Fddi ports 8-19ping IP station Broadcast address 3-4default mode 3-12displaying stateRlogin Snmp agent Accessing through IP 3-1deﬁned Snmp trap SMT eventSnifﬁng. See roving analysis and analyzer Port LER Condition Port Path Change Switch Deﬁned 8-7 settingTOpr Technical support B-1telnet Packet ﬁlter 12-12, 12-14, A-11 xor opcode A-7