Allied Telesis AT X900-12XT/S How To Configure

AlliedWare Plus OS hardware filters

AlliedWare Plus OS How To Note
Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches

Introduction

The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful
hardware-based packet-filtering facility.
These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and
perform a variety of different actions on the packets that match the filters.
Because the filters are hardware-based, they put no load on the CPU of the switch, and do
not affect the throughput of the switch. It is possible to configure over 1000 different filters
and still have complete wire-speed throughput on the switch.
On the AlliedWare Plus OS, hardware-based packet filtering is carried out by using hardware
ACLs (Access Control Lists). The following configuration methods are available:

1. To make a simple filter based on IP address, MAC address, TCP/UDP port, or ICMP type,
you simply create one or more ACLs and apply them to a port.
You can build up a filter hierarchy by applying multiple ACLs to a port (e.g. make one ACL
to allow traffic from a source IP address to a destination address, then a second ACL to
drop all (other) traffic from that source IP address).
This How To Note refers to ACLs that are applied to ports as interface ACLs.

2. To make a filter based on a range of other packet settings, you use QoS match commands
in one or more QoS class-maps, mostly in combination with ACLs. Then you use QoS to
apply the class-maps to a policy-map and port.

This note describes both approaches. Then it gives a series of examples, and ends by
discussing how many filters you can make.
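The filter hierarchy described above (a permit ACL followed by a deny ACL for the same source) depends on the switch checking interface ACLs in attachment order and stopping at the first match. The following model of that evaluation, using the note's `access-list <3000-3699> <action> ip <src> <dst>` syntax with slash and wildcard masks, is an added illustration written for this page, not Allied Telesis code; it assumes the `any` keyword and that a packet matching no attached ACL is forwarded.

```python
"""Model of first-match evaluation for AlliedWare Plus IP hardware ACLs.
Added illustration for this note, not Allied Telesis code; assumes the
`any` keyword and that a packet matching no attached ACL is forwarded."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")

def parse_address(tokens):
    """Consume one address spec and return (network, remaining tokens).
    Accepts 'any', 'a.b.c.d/n' (slash) or 'a.b.c.d w.x.y.z' (wildcard)."""
    tok = tokens[0]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False), tokens[1:]
    # Wildcard (reverse) mask: 1 bits are "don't care", so invert it.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), tokens[2:]

def parse_acl(line):
    """Parse 'access-list <3000-3699> <permit|deny> ip <src> <dst>'."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IP hardware ACL: {line!r}")
    acl_id, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
    if not 3000 <= acl_id <= 3699:
        raise ValueError(f"IP hardware ACL id {acl_id} outside 3000-3699")
    src, rest = parse_address(rest)
    dst, rest = parse_address(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return {"id": acl_id, "action": action, "src": src, "dst": dst}

def evaluate(port_acls, src_ip, dst_ip):
    """Check ACLs in the order they were attached to the port; the first
    match stops the comparison.  Returns (action, matching ACL id)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for acl in port_acls:
        if s in acl["src"] and d in acl["dst"]:
            return acl["action"], acl["id"]
    return "permit", None  # assumed default when nothing matches

# Constructed config for the hierarchy described in the introduction: allow
# one source to reach one destination subnet, then drop all else from it.
PORT_ACLS = [parse_acl(line) for line in (
    "access-list 3000 permit ip 10.1.1.5/32 192.168.0.0/16",
    "access-list 3001 deny ip 10.1.1.5 0.0.0.0 any",
)]
```

Reversing the attachment order makes the deny ACL match first and silently removes the permitted path, which is the ordering mistake to check for when reviewing a port's ACL list.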
C613-16119-00 REV A
www.alliedtelesis.com


Summary of Contents for Allied Telesis AT X900-12XT/S

  • Page 1: Introduction

    Introduction. The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful hardware-based packet-filtering facility. These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and perform a variety of different actions on the packets that match the filters.
  • Page 2: Table Of Contents

    Contents
    Introduction ... 1
    Which products and software version does this Note apply to? ... 2
    Creating hardware ACLs ... 3
    Creating IP hardware ACLs ... 3
    Creating MAC address hardware ACLs ... 6
    The effects of the action keywords in ACLs ... 6
    Making filters by applying hardware ACLs to ports ...
  • Page 3: Creating Hardware Acls

    Creating hardware ACLs Hardware ACLs contain both the match criteria and the action to take on matching traffic. There are two types of hardware ACL: IP address and MAC address. These are indexed by their ID number. IP hardware ACLs have a number in the range 3000 to 3699 and MAC hardware ACLs have a number in the range 4000 to 4699.
  • Page 4

    IP packets. You can filter IP packets on the basis of their source and/or destination IP addresses. The command syntax is:
    awplus(config)#access-list <3000-3699> <action> ip <source-ip-address> <destination-ip-address>
    The source and destination IP addresses can be any of the following: a subnet. To specify this, enter the address and mask. You can specify the mask in slash notation or with a wildcard (reverse) mask:
    awplus(config)#access-list 3000 permit ip 192.168.0.0/16 ...
  • Page 5

    TCP and UDP packets. You can filter TCP and UDP packets on the basis of: source IP address and/or destination IP address (using the same syntax as when filtering IP packets); source and/or destination TCP/UDP ports. The command syntax is:
    awplus(config)#access-list <3000-3699>...
  • Page 6: Creating Mac Address Hardware Acls

    Creating MAC address hardware ACLs MAC address hardware ACLs filter packets on the basis of their source or destination MAC address. The command syntax is: awplus(config)#access-list <4000-4699> <action> <source-mac-address> <destination-mac-address> The source and destination MAC addresses can be any of the following: a range of MAC addresses.
  • Page 7: Making Filters By Applying Hardware Acls To Ports

    Making filters by applying hardware ACLs to ports You can create a filter by simply applying one or more ACLs to a port, as long as you can select the matching traffic through hardware ACL keywords, as described above. ACLs can be applied to switch ports and static channel groups. To apply an ACL to a dynamic (LACP) channel group, apply the ACL to all ports that can be in the channel group.
  • Page 8: Making Filters By Using Qos Class-Maps

    Making filters by using QoS class-maps QoS class-maps allow you to match on a much wider range of packet attributes than ACLs by themselves. They do this by determining the match criteria from an ACL, or from match commands, or from both in combination. Also, they use an ACL to decide what action to take on a packet, unless you want the default action of permit.
  • Page 9: Creating A Class-Map

    Specify what the class-map will match on (see attaching the ACL to the class-map using other match commands to further limit what the traffic will match the class-map (unless the ACL’s settings were enough) Attach the class-maps to a policy-map (see Attach the policy-map to the ingress port or ports (see The following sections describe how to do each of these steps (except creating ACLs—that’s described from...
  • Page 10: Matching On "Inner" Keywords For Nested Vlans

    Matching on “inner” keywords for nested VLANs The match tpid, match inner-tpid, match inner-vlan, and match inner-cos commands all apply to nested VLAN configuration. In this situation, the packets arriving at the core-facing port can have two VLAN tags configured on them. The match tpid command matches on the first Tag Protocol Identifier field in the packet.
  • Page 11: Matching On Tcp Flag

    Matching on TCP flag. Unlike the other match commands, you can match on multiple TCP flags. The switch combines the specified flags by ANDing them together. To specify the multiple flags, either make multiple match tcp-flags commands or specify the flags in one command as a space-separated list.
  • Page 12: Matching On Eth-Format And Protocol

    Matching on eth-format and protocol. Ethernet format and protocol are specified together, as a pair. You can specify the command as either:
    match eth-format <keyword> protocol <keyword-or-number>
    match protocol <keyword-or-number> eth-format <keyword>
    The switch allows you to match on any of the Ethernet formats, as the following output shows:
    awplus(config-cmap)#match eth-format ? 802dot2-tagged...
  • Page 13: The Logic Of The Operation Of The Hardware Filters

    The logic of the operation of the hardware filters The operation of the filters follows the standard ACL logic: if a packet matches an ACL on the port, the comparison process stops and the action attached to the ACL is performed. The switch checks ACLs in the order in which you attach them to the port.
  • Page 14: Examples

    Examples Blocking all multicast traffic This example uses an interface ACL with an action of deny. Consider a situation where multiple clients are attached to the switch, with each client attached to a different port. Each client has a specific service, which includes a set of allowed traffic types.
  • Page 15: Blocking All Multicast Traffic Except One Address

    Blocking all multicast traffic except one address This example uses two interface ACLs, one with an action of permit and one with an action of deny. Use this type of configuration when you want to discard a wide range of traffic but want to forward a subset of traffic within that range.
  • Page 16: Mirroring Arp Packets

    Mirroring ARP packets This example uses a QoS class-map. Use this type of configuration when you want to mirror a subset of the incoming traffic on a port, and you need to use QoS match commands to select the mirrored traffic. Consider a situation where you want to capture ARP packets that arrive at port 1.0.10.
  • Page 17: Blocking Tcp Sessions In One Direction

    Blocking TCP sessions in one direction This example uses two QoS class-maps. Administrators often want to block the establishment of TCP sessions in one direction, but allow TCP sessions to be established in the opposite direction. To do this, it is necessary to block the very first packet of an outgoing TCP session from being forwarded, but to allow any packets that reply to the initiation of an incoming TCP session to be forwarded.
  • Page 18: How Many Filters Can You Create

    How many filters can you create? The total number of filters that can be created is not an exact number, but depends on which fields the various filters are matching on. So, to understand how to work out whether the set of filters you are creating might run out of space, it is necessary to understand the way in which the filters operate in the switch hardware.
  • Page 19: The Profile (Mask)

    2. The profile (mask) The other item is called the profile. Conceptually, this is a 16-byte mask that decides which set of bytes should be extracted from a packet as it enters the filtering process, to be compared against all the interface ACLs and the QoS class-maps. All filters share a single mask.
  • Page 20: Are There Enough Bytes For Your Set Of Filters

    Are there enough bytes for your set of filters? Of course, the mask cannot increase without limit: it has a maximum size of 16 bytes. When it reaches the 16-byte limit, no more ACLs or QoS match commands can be created which would cause the mask to increase in size.
  • Page 21: Some Protocols Also Use Filters, So Use Some Of The Length

    Singapore 534182 T: +65 6383 3832 Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. T: +1 800 424 4284 F: +1 425 481 3895 F: +41 91 69769.11...
