Preprocessed and Run-time Storage | 3Com 2200 instruction

Creating Packet Filters

12-9

The following example shows the use of both accept and reject in a packet ﬁlter. This packet ﬁlter was created for a network running both Phase I and Phase II AppleTalk.TM The goal of the ﬁlter is to eliminate the AppleTalk trafﬁc.

Name	“Filter AppleTalk datagrams”
pushField.w		12	# Get the type field.
pushTop			# Make a copy.
pushLiteral		0x809b	# EtherTalk Phase I type
eq			# Test if the packet type is
			# equal to the AppleTalk type.
reject			# Reject the packet and end.
			# Otherwise
pushLiteral.w		0x5dc	# Largest 802.3 packet size
lt			# If this value is less than the
			# value in the packet’s
			# type/length field, then this
			# is an Ethernet frame, so
accept			# accept the packet if it is not
			# 802.3, otherwise…
pushField.a		16	# get the SNAP OUI and Ethertype
pushLiteral.a		0x03080007809b	# value to compare.
ne			# If not equal then forward the
			# packet, otherwise drop it

Preprocessed and Run-time Storage

Preprocessed packet ﬁlters

A packet ﬁlter program is stored in a preprocessed format to minimize the space required by the packet ﬁlter deﬁnition. When assigned to a port, the packet ﬁlter is converted from the stored format to a run-time format to optimize the performance of the ﬁlter. Each SuperStack™ II Switch 2200 system is limited to a maximum of 16 packet ﬁlter programs.

Each system provides a maximum of 2048 bytes of nonvolatile storage for preprocessed packet ﬁlter programs. In the preprocessed stored format:

■A single packet ﬁlter program is limited to 254 bytes.

■Each instruction in the packet ﬁlter program requires 1 byte for the opcode and size, plus additional bytes for any explicit operands.

■System overhead is 22 bytes, plus a per-packet-ﬁlter overhead of

13 bytes. For example, assume a packet ﬁlter program requires 200 bytes for storing the instructions in the program. If this packet ﬁlter is the only one loaded, the nonvolatile memory required is 22 bytes (for system overhead) plus 13 bytes (for packet ﬁlter overhead) plus 200 bytes (for the program itself) — a total of 235 bytes.

Image 146

3Com 2200 manual Preprocessed and Run-time Storage, Creating Packet Filters 12-9

Contents

Superstack II Switch Administration Console User Guide 3Com Corporation 5400 Bayfront Plaza Santa Clara, California Contents Setting Up an IP Interface for Management Administration Console Interface ParametersRemote Access Parameters Online Help About Setting Baselines Setting PasswordsRebooting the System Setting Baselines Setting the Aging Time Setting tmaxLowerBoundSetting lerAlarm Setting lerCutoff Starting Port Monitoring 10-8 Setting the Bridge Priority10-7 10-9 Opcodes A-1 Using Groups in Packet Filters Listing Groups13-3 Destination Address Filter A-9 World Wide Web Site 3ComForum on CompuServe Access by ModemSupport from 3Com Returning Products for Repair Familiarity with communications protocols that are used on About this GuideIntroduction Interconnected LANs This Guide How to UseSwitch 2200. The parts of the guide are described in Table Conventions This guide Documents, contact your sales representative for assistance SwitchDocumentation Comments Introduction Conﬁguration Tasks Administration OverviewAbout Switch Administration General System Commands Task Quick Command For Details, See Adjust the console screen height for your terminal To the system, or reset nonvolatile data to defaults Change the factory default baud rate of the Console port Configurations, and spanning tree configurations System Management Setup Commands Task Quick CommandBridging Commands Task Quick Command For Details, See Display bridge port information Administer bridge port addresses12-1 and following Set the multicast packet firewall threshold 9-2 to Ethernet Commands Task Quick Command For Details, SeeA summarized or detailed format Fddi Commands Task Quick Command 8-3 Access HOW to USEInitial User Access Levels of User Select access level read, write, administer Password Using Menus to Perform Tasks System-level Functions Menu Hierarchy for Administer Access Fddi Menu Bridge Menu Bridging Menu Hierarchy for Administer Access IP Menu Snmp Menu Analyzer Menu Most abbreviated version of the same command string is Menu options are not case sensitive Entering Values Parameters AdjustingConsole Interface Disabling Reboot Abort Keys System consoleLock Enter the telnet timeout interval 30 minutes to 60 minutes Running Scripts Administration Console TasksSetting Timeout Interval for Remote Sessions HOW to USE the Administration Console Running Scripts of Administration Console Tasks Console GettingHelp Exiting Exiting returns you to the password promptTo exit from the Administration Console There, by pressing the ESC key SYSTEM-LEVEL Functions Page Management Access to the SystemAbout Setting Up Console Serial Port Setting Up an IP Interface for Broadcast Address Broadcast address Directed all 1s in the host fieldCost Ports All Ip interface modify Removing an Interface Timed out Gateway IP AddressTiming out Defining a Static Route Default route is immediately removed from the routing table Administering the ARP Cache Setting the RIP Mode Enter the IP address of the station you want to ping You could receive one of the following responses Statistics are displayed, as shown in this example Displaying IP StatisticsIP statistics you can view are described in Table Community string settings are displayed as shown here Setting Up Snmp on Your SystemDisplaying Snmp Settings Administering Snmp Trap Reporting Community string length Conﬁguring Trap Reporting Enter an IP address of the Snmp manager destination address This example shows a trap conﬁguration Trap address invalid or unreachable Remote SMT events. On all other Switch 2200s in your network You receive the following prompt Snmp trap smtProxyTraps Displaying System Conﬁguration Example of a Switch 2200 system conﬁguration displayEnvironment Setting Passwords Initial passwords You are prompted for the name of the system Setting the System NameChanging the Date and Time Rebooting Baselines About SettingYou must disable the baseline Displaying the Current Baseline Enabling or Disabling Baselines Setting BaselinesBaselining is automatically enabled when a baseline is set Message similar to the following appears Nonvolatile Data SAVING, RESTORING, and Resetting Nonvolatile DataWorking with Saving NV Data Saving the NV data RestoringNV Data Restoration rules described here System nvData restore Examining a Saved NV Data File You are returned to the NV data menu options Resetting NV Data to Defaults You see the following prompt III Ethernet and Fddi ParametersPage Ethernet Port PortsDisplaying Information RxDiscards Describes the information provided about an Ethernet port Long and are not configurable Default is enabledLayer to receive them or because the port was disabled Disabled Transmitted successfully Second long and are not configurableSuccessfully TxPeakByteRate There is no buffer space available Frame is in error TxDiscards TxQOverflows TxFrames Frames delivered to this port Setting the Port State Labeling a Port Fddi Stations AdministeringResources ConnectPolicy Describes these statisticsCan be Thru, Isolated, WrapA, and WrapB This value can be user-defined Frames NIF. This value can be user-defined Defaults for connecting to a Port MDescription of Fields for Fddi Station Attributes TNotify TraceMaxExp Topology With defaults for connecting to a Port MNormal tree connection Node may not go to Thru state in CFM Setting Neighbor Notiﬁcation Timer Enabling Disabling Status Reporting Fddi Paths TmaxLowBound Description of Fields for Fddi Path Attributes MaxTReqRingLatency TraceStatus Current Trace status of the path TvxLowBound To set tvxLowerBound Station, which appears in brackets Fddi MACs Displaying MAC Information Administering Fddi MACs Describes the information provided for the Fddi MAC Neighbor Error during receptionDescription of Fields for Fddi MAC Attributes OldDownstream OldUpstream There is no buffer space available Frame is in error Receive Frame Network Setting the Frame Error Threshold Shows the order in which the discard tests are made Setting the Not Copied Threshold Enter the new threshold value. See the following example Enabling Disabling LLC Service Setting MAC Paths Administering Fddi Ports Displaying Port Information Describes the type of information provided for an Fddi port Setting lerCutoff Setting Port Labels Fddi port path Analysis Roving AnalysisAbout Roving Receive Roving AnalysisOn a speciﬁc system Adding an Analyzer Port Removing an Analyzer Port You can start monitoring port activity Starting PortMonitoring See the example below for starting port monitoring Stopping Port Monitoring Bridging Parameters Displaying Bridge Information Information about the bridge is displayed Following example shows a display of bridge information Each item in the bridge parameter list is described in Table Root. The default value is 2 seconds BridgeFwdDelayLearning states. The default value is 15 seconds ForwardDelay Is determined by the root bridge Default value is disabledBridge Attributes Parameter Description MaxAge Mode Fragmentation EnablingDisabling IP Disabling IPX Threshold SettingAddress Aging Time Enabling and Disabling STP on a Bridge Enter enabled or disabled at the promptSTP Bridge Setting the Bridge Maximum Age To conﬁgure the STP bridge priority Forward delay The recommended value is 15 seconds To conﬁgure the forward delay value Setting the STP Group Address Bridge Port Following example shows a bridge port summary display Following example shows a bridge port detail display DesignatedCost RxErrorDiscsPort is attached BPDUs from the designated bridge for that LAN RxMcastExcDiscs Bridge Port Attributes Parameter Description RxFramesManagement frames Exceeded Bridge Port Attributes Parameter Description State Disabled in which the port is currently operatingDisabled The port has been disabled by management Blocking The bridge continues to run the Spanning Tree Shows the order in which the discard decisions are made Multicast packet ﬁrewall, see Bridging Extensions Multicast LimitYou are prompted for port type Disabling STP STP Bridge PortEnabling On a Port Bridge port stpCost Bridge port stpPriority Administering Port Addresses Listing Addresses Enter the number of the port From the top level of the Administration Console, enterYou are prompted for the port number You are prompted for one or more addresses to add Flushing All Addresses You are prompted for the port numbers Packet Filters Packet Filtering Listing Packet Filters Displaying Packet Filters Creating and Using Packet Filters Describes the instructions and stacks of a packet ﬁlter Basic Elements of a Packet Filter Ethernet and Fddi Packet Fields Size of the field can be 1, 2, 4, or 6 bytes Packet Filter Operands Description Opcode Packet fieldPushField Want the filter to examine a 48-bit address Constant Accept and Reject Instructions Preprocessed and Run-time Storage Creating Packet Filters 12-9 Opcode.size operand... # comment 12-11 Creating and Using Packet Filters Pseudocode translates into the following packet ﬁlter # XNS Filtering Section Enter executable instruction #1 Enter executable instruction #2 Enter executable instruction #5 Enter executable instruction #3Enter executable instruction #4 Enter executable instruction #6 This combination looks like this Only IP pkts w/in socket range Add a not statement to discard any matching packets Maximum length of a packet ﬁlter deﬁnition is 4096 bytes Delete Previous Ctrl+h Command are discardedBeing edited Character One position Delete Current Ctrl+d Saving Deleting Packet FiltersEditing, Checking Packet Filters At the Replace existing filter? prompt Loading Packet Filters Bridge packetFilter load Fddi Unassigning Packet Filters from Ports User-deﬁned Packet Filtering in the SuperStack II Switch Configuring Address Port Groups to USE Packet FiltersUsing Groups Address and port groups in packet ﬁlters OR, for port groups, enter the following command To list the currently deﬁned groups, enter this command Enter this command Displaying Groups Creating New Groups Enter the ports in this syntax Address 08-32-45-e3-32-21 Port Ethernet Ports to Groups AddingAddresses Address 08-37-21-65-78-c4 OR, to remove a port from a group, enter Removing Addresses or Ports from a GroupTo remove an address from a group, enter Enter the ports in the syntax Address 08-42-21-84-78-f1 Loading Groups 13-11 Configuring Address and Port Groups to USE in Packet Filters Appendixes Opcodes are described in this section Packet Filter OpcodesOpcodes Name name PushField.size offset Bytes PushLiteral.size value Byte PushDAGM PushTopByte PushSAGM Byte Byte Eq equal PushSPGMByte PushDPGM Byte Le less than or equal to Ne not equalByte Lt less than Byte Bit-wise Gt greater thanByte Ge greater than or equal to Byte Not Or bit-wise orByte Xor bit-wise exclusive-OR Byte Accept Byte Shiftr shift right RejectByte Shiftl shift left Packet ﬁlter concepts Packet FilterExamples Address To make a copy of the type ﬁeld XNSPage Errors Common Syntax Hexadecimal Characters of the numberNumber with a leading 0x or 0X is treated as Number with a leading 0 is treated as octal Online Technical ServicesVariety of services. This appendix describes these services Through the following online systems Access by Isdn Press Return to see the 3ComForum main menu Your Network Maintenance, application training, and support servicesSupport from Supplier 3Com U.S. and Canada, call 800 876-3266 for customer serviceTo ﬁnd your authorized service provider Support contracts are available from 3Com 3ComFacts B-3 3ComForum B-2 Abort Address Resolution Protocol. See ARP address thresholdIndex ARP cache ﬂushing 3-12 removing entry Cost Multicast limit, setting 11-7 Spanning Tree EnablingStatistics, displaying 10-1bridge port Fddi path deﬁned SRFs 8-2 Connection policies, settingPortState Station MAC addresses 11-11Ethernet address Fddi port Removing from -9, 3-10 status Enabling Le opcode A-5 Password conﬁguring Name opcode A-1 Naming the Switch 2200 4-3ne opcode A-5On-line technical services B-1opcode Multicast frames Packet ﬁlters 12-1multicast limit Fddi ports 8-19ping IP station Broadcast address 3-4default mode 3-12displaying stateRlogin Snifﬁng. See roving analysis and analyzer Snmp agent Accessing through IP 3-1deﬁned Snmp trapSMT event Port LER Condition Port Path Change TOpr Technical support B-1telnet SwitchDeﬁned 8-7 setting Packet ﬁlter 12-12, 12-14, A-11 xor opcode A-7