The logic of the operation of the hardware filters

The operation of the filters follows the standard ACL logic: if a packet matches an ACL on the port, the comparison process stops and the action attached to the ACL is performed. The switch checks ACLs in the order in which you attach them to the port.

For example, to reject all multicast traffic except 236.5.8.213, make one ACL to permit that address and another ACL to deny all multicast traffic. Then attach the permit ACL to the port before attaching the deny ACL.

If a packet fails to match any of the port’s ACLs, then the switch moves to the next stage of comparison. The next stage is matching against QoS class-maps, if they exist. If the packet matches a QoS class-map, it will be processed appropriately. If it does not match a class-map, it will be processed as normal. Therefore, ACLs do not end in an implicit deny action to drop non-matching traffic. But they also do not end in an implicit permit action that would bypass other processing and forward non-matching traffic. The switch simply continues processing non-matching traffic as normal.

Note: ACLs will match on packets that are destined for the switch itself (packets that would be passed up to the switch's own CPU) in exactly the same way as they act on packets that were destined to be forwarded directly by the switching chip.

Combining interface ACLs and QoS class-maps

The switch compares the packet with every interface ACL before it compares the packet with any QoS class-maps. If the packet matches an interface ACL, the switch takes the action specified by that ACL and stops the comparison process. If a packet matches both an interface ACL and a QoS class-map, the packet only gets matched against the interface ACL. It bypasses the QoS process.

If the action on the interface ACL is deny or send-to-cpu, then this is not a problem, because the packet was never going to get into the QoS system anyway (given that it was being discarded). But, if the action on the interface ACL is permit, copy-to-cpu, or copy-to-mirror, and the packet would also be matched by a QoS class-map, then this is a problem. The packet will not be matched by the QoS class-map, so the switch will not apply any intended QoS-based filtering, policing, queue redirection, etc. to the packet. Instead the switch will forward the packet as if it belongs to the default class-map.

For this reason, we only recommend combining interface ACLs and QoS class-map filtering if all your interface ACLs result in traffic being dropped. For traffic that you want forwarded with QoS control, use QoS class-maps for both the filtering and the QoS actions. Of course, you can also use QoS class-maps to drop traffic.
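The following Python script is an added illustration of the two behaviours described above (ordered first-match ACL comparison with no implicit deny or permit, and an interface ACL match bypassing the QoS class-maps). It is a model written for this note, not AlliedWare Plus code; the ACL names, class-map names and the "police-1M" action are assumed values, and the multicast address 236.5.8.213 is taken from the example above.

```python
import ipaddress
from dataclasses import dataclass, field

# Model of the documented lookup order on a port: interface ACLs are compared in
# attachment order and the first match wins; only a packet that matches no ACL is
# compared against QoS class-maps; anything else is processed as normal.
# This is an added illustration, not the switch's own implementation.


@dataclass
class Acl:
    name: str
    action: str                     # permit, deny, send-to-cpu, copy-to-cpu, copy-to-mirror
    dst: ipaddress.IPv4Network      # matching is on destination address only in this model

    def matches(self, dst_ip: str) -> bool:
        return ipaddress.ip_address(dst_ip) in self.dst


@dataclass
class ClassMap:
    name: str
    dst: ipaddress.IPv4Network
    action: str                     # assumed QoS action label, e.g. "police-1M"


@dataclass
class Port:
    acls: list[Acl] = field(default_factory=list)          # in attachment order
    class_maps: list[ClassMap] = field(default_factory=list)

    def attach_acl(self, acl: Acl) -> None:
        self.acls.append(acl)


def process(port: Port, dst_ip: str) -> tuple:
    """Return (stage, rule_name, action) for the stage that decided the packet."""
    for acl in port.acls:           # compared in the order they were attached
        if acl.matches(dst_ip):
            return ("acl", acl.name, acl.action)        # comparison stops here
    for cm in port.class_maps:      # only reached when no ACL matched
        if ipaddress.ip_address(dst_ip) in cm.dst:
            return ("qos", cm.name, cm.action)
    return ("default", None, "forward")                 # no implicit deny or permit


MULTICAST = ipaddress.ip_network("224.0.0.0/4")
PERMIT_ONE = Acl("permit-236.5.8.213", "permit", ipaddress.ip_network("236.5.8.213/32"))
DENY_MCAST = Acl("deny-multicast", "deny", MULTICAST)
MCAST_POLICE = ClassMap("mcast-police", MULTICAST, "police-1M")   # assumed class-map


def correct_order_port() -> Port:
    """Permit ACL attached before the deny ACL, as the note recommends."""
    p = Port()
    p.attach_acl(PERMIT_ONE)
    p.attach_acl(DENY_MCAST)
    return p


def reversed_order_port() -> Port:
    """Deny ACL attached first: the permit ACL can never be reached."""
    p = Port()
    p.attach_acl(DENY_MCAST)
    p.attach_acl(PERMIT_ONE)
    return p


def permit_with_qos_port() -> Port:
    """A permit ACL plus a class-map covering the same traffic: QoS is bypassed."""
    p = Port(class_maps=[MCAST_POLICE])
    p.attach_acl(PERMIT_ONE)
    return p


def qos_only_port() -> Port:
    """Filtering done in the class-map alone, so the QoS action is applied."""
    return Port(class_maps=[MCAST_POLICE])


if __name__ == "__main__":
    for label, port in [("correct order", correct_order_port()),
                        ("reversed order", reversed_order_port()),
                        ("permit ACL + class-map", permit_with_qos_port()),
                        ("class-map only", qos_only_port())]:
        for ip in ("236.5.8.213", "239.1.1.1", "10.0.0.5"):
            print(f"{label:24s} {ip:14s} -> {process(port, ip)}")
```

Running the script shows the three points of the note: with the recommended order 236.5.8.213 is permitted and other multicast is denied while unicast falls through to normal processing; with the order reversed the deny ACL swallows 236.5.8.213 before the permit ACL is consulted; and when a permit ACL covers the same traffic as a class-map, the packet is decided at the ACL stage and the policing action never runs.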

Page 13 AlliedWare Plus™ OS How To Note


X900-12XT/S, x908 specifications

The Allied Telesis x908 and the SwitchBlade x900 series of network switches are cutting-edge solutions designed to address the demands of modern networking environments. These switches are known for their high performance, reliability, and robust feature sets, making them ideal for enterprise and service provider networks.

The Allied Telesis x908 series consists of modular and chassis-based systems that can accommodate a variety of network configurations. One of the main features of the x908 series is its ability to offer high scalability with support for a large number of ports. This makes it suitable for data centers and large enterprise networks where space and bandwidth optimization are critical.

In addition to scalability, the x908 series supports advanced Layer 2 and Layer 3 switching capabilities. This allows for efficient traffic management and routing, ensuring that data is delivered swiftly and reliably. The x908 also incorporates intelligent features such as Quality of Service (QoS), which prioritizes critical network traffic, ensuring that time-sensitive data—like voice and video—maintains its quality during transmission.

The SwitchBlade x900 series takes this functionality further with its innovative modular architecture. This allows organizations to configure their networks to meet specific needs by choosing from a variety of interface cards and service modules. The SwitchBlade x900 also supports advanced security features such as Access Control Lists (ACLs) and VLAN segmentation, which provide enhanced protection against unauthorized access and network threats.

Another hallmark of the x908 and SwitchBlade series is their support for high-speed Ethernet technologies, including 10G and 40G Ethernet. This enables organizations to keep pace with the increasing bandwidth demands of applications and services, particularly in cloud computing and data-intensive workloads.

Both the x908 and the SwitchBlade x900 series are designed with energy efficiency in mind, featuring power-saving technologies that reduce overall operational costs. Coupled with Allied Telesis' management tools, which provide detailed analytics and monitoring, network administrators can optimize performance and energy consumption simultaneously.

In summary, the Allied Telesis x908 and SwitchBlade x900 series offer a comprehensive suite of features, high performance, scalability, and advanced networking technologies. They represent a strategic investment for organizations looking to build resilient, efficient, and future-proof network infrastructures.