CONFIGURING ADVANCED IP ROUTING

IP Filters

attached network.

through the Output Network Interface: applies the filter only to packets which are transmitted on a specific attached network (i.e. after the Routing process has determined the next-hop network for the datagram).

on a per-Device basis: applies a device-specific filter in addition to any Input or Output filters. This type of filtering is applicable only to WAN Network Interfaces.

Refer to the Role of Filters for more information on these filtering mechanisms.

Connection Filters

The Connection Filter, when enabled, is only applied when an IP datagram attempts to trigger a call on a WAN Output Interface. The initial default is that all such datagrams yield a FORWARD action, so the administrator must explicitly configure any desired connection restrictions. Note that the control offered by the IP Connection Filter is distinct from the “IP Callable” attribute of the Device Table. The IP Connection Filter permits connection control based on packet content, while the IP Callable feature applies such control based on the selected next hop.

Exception Filters

At certain times, you may want to allow specific IP packets to temporarily override the Forwarding Filters which have been applied. For example, you may want to allow temporary access to an authorized technical person via a path which is otherwise blocked via filters. One way to do this would be to simply make a temporary modification to the applicable filter or filters. However, the special concept of an Exception Filter is also expressly supported for this purpose.

The Exception Filter is a built-in filter which is selectively enabled and disabled. When enabled, it is logically appended before each Forwarding Filter which an IP packet encounters. The makeup of the Exception Filter is identical to any other filter. Should a match occur, the specified action will be taken, effectively overriding the original filter. If no match occurs, the Exception Filter’s Final action dictates the next processing step. When the Final action is FORWARD, filter execution flows into the original filter, thereby creating one logical filter. This is the default operation of the Exception Filter. The alternative for the no-match situation is a Final action of DISCARD, in which case the datagram is discarded.

Note: A final action of DISCARD in the Exception Filter will DISCARD all packets not matching the initial condition.

ROLE OF FILTERS IN THE IP PROCESSING FLOW

Refer to the following figure. It illustrates the exact order in which the filter application points are executed. Before reaching the IP routing process, incoming datagrams will first be subject to any User-specific filter (if arriving on a WAN interface) and secondly to any Input filter for the delivering Network Interface. Once a datagram has reached the IP routing process (either an incoming datagram or a datagram generated within the NE system), the Global filter, if enabled, is applied. When the routing process determines that a datagram is to be transmitted, that datagram is subject first to any Output filter of the selected Network Interface. If the output interface is a WAN and it is necessary to first establish a connection, the Connection Filter, if enabled, is applied. Finally, any User-specific filter is applied (again, only if the datagram is being transmitted on a WAN interface).
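The following model puts the Exception Filter semantics (match overrides; no match falls through to the Final action) together with the application order described above so the two can be exercised on constructed packets. It is an added example, not code from the Enterasys manual: the `Filter`, `Interface`, `with_exception` and `process` names, the packet dictionary and the (predicate, action) rule format are all assumptions made here, and it assumes the Exception Filter wraps the Forwarding Filters but not the Connection Filter.

```python
"""Model of the filter application points in this section (added example, not
code from the Enterasys manual; packets, rules and Interface fields are constructed)."""
from dataclasses import dataclass, field

FORWARD, DISCARD = "FORWARD", "DISCARD"

@dataclass
class Filter:
    rules: list = field(default_factory=list)  # (predicate, action) pairs
    final: str = FORWARD                        # action when no rule matches

    def run(self, pkt):
        return next((a for m, a in self.rules if m(pkt)), self.final)

@dataclass
class Interface:
    wan: bool = False
    input: Filter = None       # Input filter, applied on arrival
    output: Filter = None      # Output filter, applied on transmission
    device: Filter = None      # per-Device filter, WAN interfaces only
    connection: Filter = None  # Connection Filter, WAN call set-up only

def with_exception(exc, flt, pkt):
    """Exception Filter logically prepended to one Forwarding Filter: a match
    overrides it; on no match, Final FORWARD flows into flt, DISCARD drops."""
    if exc is not None:
        for match, action in exc.rules:
            if match(pkt):
                return action
        if exc.final == DISCARD:
            return DISCARD
    return flt.run(pkt)

def process(pkt, in_if, out_if, glob=None, exc=None, call_needed=False):
    """Apply filters in the order given under 'Role of Filters'; in_if=None
    models a datagram generated within the system. Returns (verdict, stage)."""
    stages = []
    if in_if is not None:  # locally generated datagrams skip input-side filters
        if in_if.wan:
            stages.append(("in-device", in_if.device, True))
        stages.append(("input", in_if.input, True))
    stages += [("global", glob, True), ("output", out_if.output, True)]
    if out_if.wan and call_needed:  # assumed: Exception Filter does not wrap it
        stages.append(("connection", out_if.connection, False))
    if out_if.wan:
        stages.append(("out-device", out_if.device, True))
    for name, flt, is_forwarding in (s for s in stages if s[1] is not None):
        if (with_exception(exc, flt, pkt) if is_forwarding else flt.run(pkt)) == DISCARD:
            return DISCARD, name
    return FORWARD, "transmit"
```

The returned stage name shows which application point discarded the datagram, which is the question an administrator debugging a blocked path usually needs answered first.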

Central Site Remote Access Switch 303

Enterasys Networks CSX5500, CSX6000, CSX7000 manual Connection Filters, Exception Filters