Running zfilterd, Output Port, Field values | Znyx Networks bh5700

Running zfilterd

Before starting zfilterd, ztmd must be running. Your can start both from within a script, or directly from the command line. For example,

ztmd zfilterd

iptables rules can be entered at any time. If your iptables filtering rules set is extensive, you may want to move your set of iptables commands to a start up script to run upon initialization. This could be accomplished by creating a standalone "S" script and placing that script into /etc / r c Z . d .

Restrictions on Implementation

Several restrictions exist on the rules that can be implemented on the FFP hardware. These include:

Actions

DROP the packet. ACCEPT the packet.

Output Port

Should be specified if the action is ACCEPT, if no output port is specified, an IRULE table entry is generated for every port.

Field values

If specified as ranges, they must be on power of two boundaries.

Negation

Can only be used for icmp, tcp, or udp fields.

Fields supported are: Source IP address, destination IP address, IP protocol, TCP or UDP source port or destination port, ICMP type, and TCP flags bits (such as SYN).

The input port and output port may also be specified as either zre<n>, where <n> is one of the 24 physical ports, or as zhp<n>, where the zhp interface used must be previously defined using

zconfig.

A restriction on the fields supported is the size of the IMASK table. There are only 16 entries per port available, which means only 16 combinations of fields can be used at any time.

Conflict Resolution

There are differences from the expected behavior of implementing iptables in a host: Although the rules are taken from the FORWARD and INPUT chains, they are applied to all packets, including those destined for the local CPU. The order of application of the rules is not necessarily the order in which they appear in the chains. If a rule uses a mask that is less restrictive than another rule, it will be applied first. The last rule that is matched determines the

Ethernet Switch Blade User's Guide

release 3.2.2j

page 107

Image 107

Znyx Networks bh5700 manual Running zfilterd, Restrictions on Implementation, Output Port, Field values, Negation

Contents

Manufacturing Part Number AD171-9603A June HP bh5700 Atca 14-Slot Blade Server Ethernet Switch Blade Ethernet Switch Blade Users Guide Release 3.2.2j Legal Notices About the Ethernet Switch Blade Manual Table of Contents Specifying Source and Destination IP Addresses Ethernet Switch Blade Users Guide Release 3.2.2j 100 Combining Queuing Disciplines Network Time Protocol NTP Client ConfigurationNetwork File System NFS Client Configuration Ethernet Switch Blade Users Guide Release 3.2.2j Ethernet Switch Blade Users Guide Release 3.2.2j Ethernet Switch Blade Users Guide Release 3.2.2j Table of Figures Fabric Switch Elements Init Script Flow Index of Tables Ethernet Switch Blade Users Guide Release 3.2.2j Ethernet Switch Blade Users Guide Release 3.2.2j High Performance Embedded Switching Overview of the Ethernet Switch Blade Ethernet Port Layout OpenArchitect Switch ManagementPowerful CarrierClass Features Extensible Customization of Routing Policies Inter-switch Link ISL Ethernet Switch Blade Port ConfigurationBase switch Quick Reference Fabric Switch Quick Reference OpenArchitect Software Structure OpenArchitect Switch Environment Ethernet Switch Blade Users Guide Release 3.2.2j OpenArchitect Software Structure Console Port Cabling Port Cabling and LED IndicatorsConnecting the Cables Connecting to the Console Port LED Reference Out of Band Ports OOB Ports LED Reference Ethernet Switch Blade Users Guide Release 3.2.2j Surviving Partner High Availability Networking Zlmd Switch Replacement and Reconfiguration Example HA Switch Configuration Modifying zsp.conf on the Base switch Siblingaddresses zhp1 = 10.0.0.30, 10.0.0.31 netmask #vrrpmode blockcrossconnect Siblingaddresses zhp1=10.0.0.30master, 10.0.0.31 netmask You will see output similar to this Modifying zspvlan.conf on the Fabric Switch Ethernet Switch Blade Users Guide Release 3.2.2j Ethernet Switch Blade Users Guide Release 3.2.2j # zre names cannot be mixed on the same line ARP Ethernet Switch Blade Users Guide Release 3.2.2j Ethernet Switch Blade Users Guide Release 3.2.2j Configuring Surviving Partner Central Authority Secondary Can be modified to OpenArchitect Configuration Procedure Fabric Switch ConfigurationTwo switches, two consoles Connecting to the Fabric Switch Console Changing the Shell Prompt Default Configuration ScriptsExample Configuration Scripts Tagging and Untagging VLANs Overview of OpenArchitect Vlan Interfaces Address. The S50layer2 script does the following Switch Port Interfaces Rapid Spanning Tree Using the S50layer2 ScriptReboot the switch Port Path Cost To Enable Rapid Spanning TreeCreate a bridge device from the zhp device Layer 3 Switch Configuration Usr/sbin/zl3d zhp0..47 Layer 3 Routing Protocols with GateD Using the S55gatedRip1 Script Sets the RIP1 protocol to open Defines the netmask used in the interface Or for RIP2 To Modify the GateD Scripts Or for Ospf Class of Service COSEgress Queues Ingress Classification Ztmd Explained Marking and Re-markingScheduling Running zfilterd Restrictions on Implementation Introduction Iptables and filtering Packet Walk Firewall Flow Specifying an Icmp Message Type Filter Rules SpecificationsSpecifying Source and Destination IP Addresses Specifying Protocol Supported Targets Specifying TCP flagsSpecifying an Interface Filter Rule Targets Send all tcp packets arriving on zhp5 out port Extensions to the default matchesOptions with any of these Zaction parameters Zaction Examples Output should display the following Forwarding Chain supports all of themFifo Queues pfifo and bfifo disciplines Pfifo limit HandleRoot Prio and WRR queues Ethernet Switch Blade Users Guide Release 3.2.2j Combining Queuing Disciplines U32 Filter Handle Semantics Cops Common Open Policy Service OpenArchitect PEP Protocol Architecture Sample configuration file is listed below Using pepd Adding Additional Users Fabric Switch AdministrationSetting the Root Password Name Service Resolution Setting up a Default Route Network Time Protocol NTP Client Configuration Network File System NFS Client Configuration Removing the # sign NFS Server Configuration Tftpd Server Configuration Connecting to the Switch Using FTPConnecting to the Switch Using Tftp Supported Mibs Snmp Agent Supported MIBs Supported Traps OpenArchitect, defines three types of devices Snmp and OpenArchitect Interface DefinitionsSupported Traps IfStackTable Entries Snmp ConfigurationLink and Snmp Status You can alter this behavior by specifying Port MirroringSnmp Applications Response To check the status of all links Link and LED ControlLink Event Monitoring To check the status of a link Overview of the OpenArchitect switch boot process Fabric Switch Maintenance Boot Flow Chart Saving Changes Modifying Files and Updating the SwitchRecovering from a System Failure System Boots with a Console Cable Booting with the -ioption Upgrading the OpenArchitect Image System Hangs During BootBooting the Duplicate Flash Image Reboot the system Image file will be something named similar to the following Upgrading the Switch DriverUpgrading or Adding Files Excluding Saving Files to Flash Using apt-get OpenArchitect Configuration Procedure Base Switch ConfigurationConnecting to the Base Switch Console Files into flash for reloading Default Configuration ScriptsExample Configuration Scripts Changing the Shell Prompt Overview of OpenArchitect Vlan Interfaces Multiple VLANs Linux Then, bring up the interface with ifconfig1M Rapid Spanning Tree Layer 3 Switch Configuration Zconfig zhp1 vlan2=zre5..8 zconfig zre5..8=untag2 Layer 3 Switch Using the S50multivlan Script Layer 3 Switch Using Multiple VLANs Multiple Vlan Configuration 10.0.0.42-10.0.3.42, assigns the netmask and brings them up Layer 3 Routing Protocols with GateD Shuts off sending and receiving packets from all interfaces To Modify the GateD Scripts Ingress Classification Class of Service COSEgress Queues Scheduling ZcosMarking and Re-marking Field values Running zfilterdRestrictions on Implementation Output Port Action that will take place. For example, the rules Iptables and filtering Firewall Flow Specifying Source and Destination IP Addresses Icmp-type ping Zaction Znyx Forwarding Chain supports all of them Tc Traffic ControlStrict Priority Qdisc These are described in the Linux packet filtering Howto at Weighted Round Robin Qdisc Protocol ip Using Filters to Direct Packets to a COS QueueFifo Qdiscs Matching Specific Ingress Ports Protocol arpProtocol all Advanced Filtering Policing Spanning tree Bpdu packets go in COS queue 6, no limit Policing ActionsExamples To mirror only in-profile packets to port 3, use U32 match selectors used in filters82+ U Match Selectors Match selectors Ztmd zqosd Ethernet Switch Blade Users Guide Release 3.2.2j U32 Filter Cops Common Open Policy Service Protocol Architecture OpenArchitect PEP Using pepd Pepid Where Adding Additional Users Base Switch AdministrationSetting the Root Password Name Service Resolution Setting up a Default Route Network File System NFS Client Configuration Connecting to the Switch Using FTP NFS Server Configuration Snmp Agent Connecting to the Switch Using TftpTftpd Server Configuration Supported Mibs Snmp and OpenArchitect Interface Definitions Snmp Configuration Physical Link Status on Base Switch Snmp Applications Port Mirroring Link Event Monitoring Link and LED Control Overview of the OpenArchitect switch boot process Base Switch Maintenance Booting up Process Flow Saving Changes Modifying Files and Updating the SwitchRecovering from a System Failure System Boots with a Console Cable ∙ Reboot the system Booting with the -i option Upgrading the OpenArchitect Image System Hangs During BootBooting the Duplicate Flash Image Upgrading or Adding Files Upgrading the Switch Driver Using apt-get Management Interfaces Base Interface Hub SystemEthernet Interfaces Console port. An RS-232 to RJ-45 adapter is required Fabric Interface Hub System Base Interface Out-of-Band Ethernet Connection Fabric Interface Serial Ports Fabric Interface Out of Band Ethernet Connection Ethernet Switch Blade Activation States Diagnosing a Failed Ethernet Switch Blade Activation FRU State HotSwap Healthy Solution LED Status Troubleshooting States Accessing the ShMMVerifying Communications Between the ShMM and Switch FRU State HotSwap Healthy Solution Checking the ekey Status From the Shelf Manager Analyzing Mstate information for the switch Clia board -v Troubleshooting a Failed OpenArchitect Load OpenArchitect Boot Process Recovering from a System Failure Properly attach the console cable Booting Without the Overlay File Booting the Duplicate Flash Image Physical Interfaces Network Configuration ProblemsEthernet Switch Blade Backplane Interfaces zre Ports Interface Overview Additional Interfaces Default Base Interface ConfigurationPort, Layer 2 Switching, single Vlan Default Base Interface Network Diagram Default Fabric Interface Configuration Linux Networking Environment Interfaces Ifconfig Default Screen Output for the Base Interface Determining ekey status for a specific slot Configuration TroubleshootingProblem Solution Zre Link Port Status Link Speed Pause FaultsAuto Enable Internal Fault 1000fd Disable External Fault Link Status for a range of ports Querying Base Interface ekey StatusLink Status for a single port Example Output Querying Fabric Interface ekey Status Ethernet Switch Blade Users Guide Release 3.2.2j Diminished Network Throughput Network Connectivity Troubleshooting No ConnectionConnecting to Devices with Fixed Port Speeds External Fault LED Network Tests Ping Test Traceroute Test Isolating Hardware Failures Isolation Transformer Isolation Transformer Zone 3 Atca Connector Switch Chip U60Switch Chip U59 ZMC Daughter Board Inside View Hardware Subsystem Testing the FlashROMs Link Status for a range of ports Testing the Switch FabricLink Status for a single port Testing the onboard RAM Testing the Control Processor INT FLT LED activity Hardware Fault Ethernet Switch Blade Users Guide Release 3.2.2j Unexpected Fail-back Activity High Availability TroubleshootingSpontaneous Failover Activity Base Interface Switch Firmware OverviewChecking the switch firmware version Following output is shown for the 3.0 Base Interface Fabric Interface OpenArchitect Firmware Upgrade Updating the Switch FirmwareBootLoader Firmware Upgrade Ipmc Firmware Upgrade Restoring the Factory Default Configuration Before Calling Support ROM Devices in OpenArchitect Appendix a Fabric Switch Command Man Pages Vrrpconfig Configure and control the running vrrpd Vrrpconfig See Also Vrrpd Virtual Router Redundancy Protocol Daemon Vrrpd Change the virtual MAC address from Vrrpconfig Zbootcfg Zbootcfg -d 1 Zconfig Configures the OpenArchitect switch Zconfig Trunk interface syntax Global StatementsGlobal Statement Syntax Trunk Interface Statements Teardown statement uses a colon instead of an equals sign Zrl0=ip sourceaddress, ip destinationaddress Is the same asExamples of trunk interface statements This statement creates a trunk containing three ports Examples of Network Interface Statements Network interface actions may include Examples of Port Interface Statements Port Interface Statements This statement is equivalent to the following three lines Wildcards This is equivalent to Zl3d Zcos Zcos class of service queue control Hostname Prio RR WRR DRR port list Zcos -n 50,50,50,50,75,75,75,75 zre0..19 Zdog Options Zfilterd Zflash Zbootcfg Zl2, zl2mc, zl3host, zl3net, zvlan Zl2 -m 00c095450000 Following command displays all entries of the zl2 table Following command deletes the above entry Zgvrpd Zgvrpd -t zhp0 Start stop Zl2d Layer 2 daemon for the OpenArchitect switchZl2d Operations Zl3d Zl3d Layer 3 daemon for the OpenArchitect switch Zl3d zhp1 zhp2 zhp3 Zlc − link and LED control Zlc To query the settings of a particular port Ifconfig8 Zlmd − monitor link changes or hot swap events Zlmd Zlmd zre1..4=/usr/sbin/prtchange Zlogrotate − Rotates log files To start zlogrotate with the default valuesZlogrotate Zmirror Set packet mirroring on an ingress or egress port Zmirror Zmirror is cumulative Zmnt − Expands the read/write files onto the RAM disk Zmnt Restored overlay will be used upon the next reboot Peer is not properly functioning On the fabric switch the following command would returnZpeer Set debug level to level Display complete status of zpeer Healthy state, the query will return the backup state Be also reset Zqosd Ztmd, tc8, zfilterd Zrc Packet rate control Zrc Zreg Operands Zrld Znyx redirector daemon Zrld Zsnoopd Zsnoopd Zspconfig configure and start surviving partner Zspconfig Configuration File Ethernet Switch Blade Users Guide Release 3.2.2j Ethernet Switch Blade Users Guide Release 3.2.2j Rain link zhp1, zre1..4 Output Files Zconfig, ifconfig, vrrpd, dhclient, dhcpd Zstack Zstack Configures the OpenArchitect switch stacking Stack Port Association Stack Creation Stack Control Statements Stack Configuration Statements Are supported Zre lists. Example of stack0..3 representing stacks 0, 1, 2 Ztats Ztats − Display statistics and information about switchSwitch Blade Zsync − Saves changes to the flash Zsync To zsync only the hosts file Restored overlay will be loaded upon the next reboot Ztmd Zqosd, iptables8, tc8, zfilterd Brctl8 Brctl Bridge and Spanning Tree Protocol administration Brctl8 replaces the older brcfg tool Setportprio bridge zre# priority Zconfig, zl2d Appendix B Base Switch Command Man Pages = Master Examples Following options are supported by vrrpd Lower Case ‘m’ the time is specified in milliseconds. See Also Specifies the ROM device from which to boot. The dev Zbootcfg -d ZhpN for example, zhp0 Trunk interface actions Examples of trunk interface statements Network interface actions may include Zhp0 vlan100 = zre1,zre10,zre11,zre13 Tag are given the Vlan tag with the VID number 1, enter This is equivalent to See Also Zcos Limit on dynamic pool usage, in bytes, reset % port list Prio RR WRR DRR port list Examples Zdog Options Zffpcounter Next example clears all FFP counter values Now using zffpcounter to displayFirst example queries all FFP counter values Next example queries ports 2-7, 15, Counter 19 Counter 20 Counter 21 Zfilterd -d level -p port -f -l -i pid -o pid Zflash Zbootcfg Std 802.1D, 1998 Edition Zgmrpd Zgmrpd -t zhp0 Zgr Following command displays all entries of the zl2 table See Also Level Sets the level of debugging output required by zgvrpd. Enable Gvrp on the set Start stop Operations Zl3d -h hostname -t msecs -b -e -l -n -d level iface Zl3d zhp1 zhp2 zhp3 Zlc Global Settings Zlmd Examples Zlogrotate Zmirror Zmirror zre1 zre10 zmirror zre2 zre11 See Also Expanded, or the file to which the tar image is saved Restored overlay will be used upon the next reboot Zpeer Options See Also Zqosd Ztmd, tc8, zfilterd Number of packets per time period above which Zreg Echo 0x80000640 zreg -w Zrld Zsnoopd No router multicast traffic. Default is 260 seconds Zpeer peer state query Time to wait in seconds before giving up on Configuration File Ethernet Switch Blade Users Guide Release 3.2.2j Ethernet Switch Blade Users Guide Release 3.2.2j RAINlink zhp1, zre1..4 Boardsynchronizationmode basic Zconfig, ifconfig, vrrpd, dhclient, dhcpd, zpeer Ethernet Switch Blade Users Guide Release 3.2.2j Specifies the remote hostname to configure. By Stack0 ppa0 local Stack1 ppa1 local Stack Configuration Statements Wildcards See Also Zsync Files Ztmd Zqosd, iptables8, tc8, zfilterd Important This option must only be executed by zl2d Ethernet Switch Blade Users Guide Release 3.2.2j Zconfig, zl2d States ISwitch-ShMC InteractionAppendix C Intelligent Platform Management Interface Table C.2 PMC Controller Support PMC Controller Support Command Code Sensor # StatusPeripheral Management Controller Functional Support Table C.1. Ipmi M States Table C.3 GetSensorReading Standard Ipmi Command GetSensorReadingSensor Reading Example Table C.4 GetSensorResonse Standard Ipmi Response GetSensorReading Structure of Standard Ipmi Responses From PMC to BMC Structure of Standard Ipmi Commands From BMC to PMC Ipmb Event message format Event GeneratorField Replaceable Unit Inventory Device Ipmb Override Status Data Spare Seeprom Space AllocationTable C.8 Seeprom Space Table C.9. Ipmb Override Status Data Dhcp Index NFS NTP Tc 62 Ztmd 301 Zvlan 179 ZX4920.MIB 333