Configure the hardware ACLs

Configuring a complex inter-VRF solution

The command access-list hardware <name> creates the hardware access list. The access list is associated with individual switch ports as an access-group. Each access group contains one or more filters, which filter source traffic ingressing the switch port based on the filter entry order.

Each individual filter in the example below match on IP traffic destined to a specific network from any source IP.

Any IP traffic not matching an ACL is implicitly permitted. This allows traffic not filtered to be able to access the Internet.

Note - these traffic filters are being used for quite a different purpose than the ACLs that are used in the route-maps for controlling which routes are leaked between VRFs.

Instead, these filters are checking individual packets that are coming into the switch, and blocking those packets that are trying to reach IP addresses that should not be reachable from their VRF domain.

Via the filters, the switch knows which IP subnets should not be reachable from a given domain, and so can drop any packets that are trying to reach IP addresses in those subnets.

The dropping (filtering) of those ingress packets is important in the case where a VRF has a default route to a shared VRF and there is an external router that exists in the shared VRF. If there is no external router in the shared VRF or VRF has no default route via the shared VRF, then these IP hardware filters are not required.

Without these filters, traffic which has source IP within one VRF to destination IP within another VRF will be routed via the shared VRF to the external router (the external Internet BGP router in this example). The external router will route the traffic back to the shared VRF, which will in turn route the traffic to the destination IP within the destination VRF. And the packet will be replied to. In effect, the external router inadvertently breaks the inter-VRF security.

Without the external router, although the shared VRF has routes to the other VRF domains, the VRF device will maintain the inter-VRF security. Traffic from one VRF will be unable to access another VRF via the shared VRF. In that case the hardware traffic filters are not so important, but they can still be used to prevent any accidental forwarding (by some external device) of traffic from one VRF to another VRF that the traffic should not be able to access.

Configure VRF-lite Page 49

C613-16164-00 REV E specifications

The Allied Telesis C613-16164-00 REV E is a robust networking device designed to enhance connectivity and communication within enterprise environments. Renowned for its reliability and efficiency, this device serves as an ideal choice for organizations seeking to improve their network infrastructure.

At its core, the C613-16164-00 REV E is a part of Allied Telesis' suite of products that adhere to high-performance standards. One of the main features is its support for both Layer 2 and Layer 3 networking, making it versatile enough to handle a variety of network configurations. This capability allows for seamless integration into different network architectures, whether for simple local area networks (LANs) or more advanced setups with routing capabilities.

Another significant characteristic of the C613-16164-00 REV E is its high-speed data transfer capabilities. With support for Gigabit Ethernet, the device ensures that data can be transmitted quickly and efficiently across the network. This is particularly important for businesses that rely on heavy data usage and need to maintain performance standards even during peak hours.

Additionally, the C613-16164-00 REV E features advanced security measures, including VLAN support and port security configurations, which help protect sensitive information and prevent unauthorized access. This is essential for businesses that handle confidential data and must comply with industry regulations.

In terms of manageability, the device supports SNMP (Simple Network Management Protocol), allowing for easy monitoring and management of network resources. Network administrators can efficiently manage the device and optimize performance with minimal effort, improving overall productivity.

The design of the C613-16164-00 REV E is also noteworthy; it is built for durability, often featuring a compact form factor that makes installation straightforward without compromising on performance. Its compatibility with various Allied Telesis products ensures that organizations can build a cohesive network ecosystem.

In conclusion, the Allied Telesis C613-16164-00 REV E stands out as an excellent networking solution characterized by its support for multiple networking layers, high-speed data transfer, and robust security features. Ideal for both small to medium enterprises and larger organizations, it helps ensure that businesses can maintain efficient and secure operations in a constantly evolving digital landscape.

Allied Telesis C613-16164-00 REV E manual Configure the hardware ACLs

Models: C613-16164-00 REV E