Allied Telesis x900-24 series Function Manual

Configuring hardware filters

AlliedWare™ OS How To | Configure Hardware Filters on AT-9900, x900-48, and x900-24 Series Switches

Introduction

The AT-9900, x900-48, and x900-24 series switches support a powerful hardware-based packet-filtering facility.

These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and perform a variety of different actions on the packets that match the filters.

Because the filters are applied in hardware, they put no load on the switch's CPU and have no effect on its throughput. It is possible to configure over 1000 different filters and still have full wire-speed throughput on the switch (subject to the rule-table and profile-mask limits described later in this Note).

The following configuration methods are available:

1. To filter traffic across all ports on the switch, create dedicated hardware filters.
2. To filter traffic on a per-port basis, apply filtering actions to QoS flow groups or traffic classes.

This Note only describes method 1. Method 2 is described in How To Configure Filtering Actions on QoS Flow Groups and Traffic Classes, available from www.alliedtelesis.com/resources/literature/howto.aspx.

C613-16058-00 REV C
www.alliedtelesis.com


Summary of Contents for Allied Telesis x900-24 series

  • Page 1: Introduction

    The introduction is reproduced in full above.
  • Page 2: Table Of Contents

    Software versions: 2.7.3 and above. Hardware filters are also available on Layer 3 switches running the AlliedWare Plus OS; see the How To Note "How To Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches". This Note is available from...
  • Page 3: Creating Dedicated Hardware Filters

    Creating dedicated hardware filters. Before we get into the details of filter creation, we need to look at the underlying packet classification process. Configuring packet classification: dedicated hardware filters and QoS use the same packet classification process. The basic construct in the classification process is a classifier. The syntax for creating a classifier on the switch is: CREate CLASSifier=rule-id [MACSaddr={macadd|ANY|DHCPSnooping}]...
  • Page 4: Configuring Layer 4 Source And Destination Port Number Masks

    Configuring Layer 4 source and destination port number masks. A common filtering requirement is the ability to filter on a range of TCP or UDP port numbers. For example, we often want to allow through all packets with a TCP destination port greater than 1024, as such packets are deemed to be replies coming back to sessions initiated from the other side of the switch. Note that this is a stateless heuristic: such a filter admits any packet whose destination port is above 1024, whether or not it belongs to a session the inside actually initiated. The l4smask and l4dmask parameters make it possible for a single classifier to match a whole range of port numbers.
  • Page 5: Creating Hardware Filters

    When packets arrive at a customer port of a nested VLAN, the “inner” parameters will match the attributes of the first tag in the packets. This is because when the packet is forwarded from the core port, that first tag will have become the inner tag. So, from the point of view of the nested VLAN, the tag that is on the packet when it arrives into the customer port is the inner tag.
  • Page 6: The Logic Of The Operation Of The Hardware Filters

    The logic of the operation of the hardware filters. The operation of the filters follows the standard ACL logic: if a packet matches a filter, the comparison process stops and the action attached to that filter is performed. If a packet fails to match any of the filters, the default action (forward) is taken. Filter order therefore matters, and any traffic you do not explicitly deny is forwarded.
  • Page 7: Combining Hardware Filters And Qos

    Combining hardware filters and QoS. The switch compares the packet with every hardware filter before it compares the packet with any QoS flow group. If the packet matches a hardware filter, the switch takes the action specified by that hardware filter and stops the comparison process. So if a packet matches both a hardware filter and a QoS flow group, only the hardware filter applies; the packet is never matched against the flow group.
  • Page 8: Extra Rules Used When Combining Qos And Hardware Filters

    Extra rules used when combining QoS and hardware filters. In fact, QoS can reduce the limit on the number of hardware filters rather more radically than might initially be evident. To see why, we have to understand a bit more about how the rule table is used.
  • Page 9: The Profile (Mask)

    The following figure shows the copies of these rules. [Figure: port table that maps each ingress port to the starting point of the rule comparison process.] When a QoS policy has been applied to ports 4 and 5, all the hardware filter rules have to be replicated further down in the rule table, and the QoS-specific rules added to the table below this copy of the hardware filter rules.
  • Page 10: Are There Enough Bytes For Your Set Of Filters

    Bytes each matched field adds to the profile (mask):

        Protocol type: 2 bytes
        Ethernet format: 2 bytes
        VLAN ID: 2 bytes
        IP protocol type (TCP, UDP, etc.): 1 byte
        Source IP address: 4 bytes
        Destination IP address: 4 bytes
        TCP port number: 2 bytes
        UDP port number: 2 bytes
        DSCP: 1 byte

    For example, if you make a hardware filter that matches on destination IP address and source TCP port, this adds 7 bytes to the mask: 1 byte for the IP protocol field (to indicate TCP), 4 bytes for the destination IP address...
  • Page 11: Some Protocols Also Use Filters, So Use Some Of The Length

    Okay length. For example, this set of filters would work:

        source MAC address
        source UDP port
        destination IP address + destination TCP port

    The total number of bytes for the switch to check in a packet would be: source MAC address + IP protocol type + source TCP/UDP port + destination IP address + destination TCP/UDP port = 6 + 1 + 2 + 4 + 2 = 15 bytes. (The IP protocol type byte is counted once even though no filter names it, because matching a TCP or UDP port requires it, and the source port bytes are shared by the UDP and TCP filters.) Too long...
  • Page 12: How To See The Current Filter Resource Usage On The Switch

    How to see the current filter resource usage on the switch. The show switch command outputs a number of counters that display the current usage of filtering resources. A typical output from this command, and a discussion of each of the values it outputs, is shown below. Command output: Traffic Control Unit, hardware...
  • Page 13: Appendix A: How To Use The Layer 4 Mask In Classifiers

    Command output:

        Profile #1:
          IPv4 bytes used ......... 3 of 16
          Other-Eth bytes used .... 5 of 16
        Device Resource, device #1:
          Number of rules used .... 1
          Rule space usage ........ 8
          Number of rules per application:
            Accel. Card(IPv6) ..... 1
          Device rule space limit ...
  • Page 14: Example 1: Ports 2000-2003

    Example 1: ports 2000-2003. Let's say we want a UDP port range of 2000-2003. Written in binary, the four values are:

        2000 = 00000111 11010000
        2001 = 00000111 11010001
        2002 = 00000111 11010010
        2003 = 00000111 11010011

    Only the lowest two bits change across 2000-2003 (bolded in the original). We must now write an L4 mask that keeps the 14 unchanging bits and ignores those two: 11111111 11111100, or FFFC.
  • Page 15: Example 2: Ports 5004-5008

    Example 2: ports 5004-5008. In more complex situations we may need more than one classifier to cover the whole range. Take UDP destination ports 5004-5008:

        5004 = 00010011 10001100
        5005 = 00010011 10001101
        5006 = 00010011 10001110
        5007 = 00010011 10001111
        5008 = 00010011 10010000

    Looking at the bits that change (bolded in the original), we might think the last 5 bits vary, so the mask should be 11111111 11100000 (FFE0). That mask is too wide: with the low 5 bits ignored, the classifier matches every port from 4992 to 5023, not just 5004-5008.
  • Page 16

    So our biggest block fits into the range 512-767. The next biggest block is 128 in our example … it should fit into 384-511. With these 2 blocks, we cover from 384-767. If we keep repeating the same procedure for the other blocks, we get the commands in the following table.
  • Page 17

    The following table shows the port ranges for the largest blocks (Appendix A: How to use the layer 4 mask in classifiers):

        L4 mask   Number of ports
        FC00      1024
        F800      2048
        F000      4096
        E000      8192
        C000      16384
        8000      32768
  • Page 18

    Back page: Allied Telesis regional contact addresses and trademark notice.
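The port-range decomposition that Appendix A (pages 14 to 17) works through by hand, together with the profile-byte count of pages 10 and 11, as one added worked example in Python. This is not code from the Allied Telesis note. It assumes the field sizes listed on page 10; that source and destination L4 ports are separate 2-byte fields shared by TCP and UDP, and that matching either one also costs the 1-byte IP protocol field (which is how page 11 arrives at 15 bytes); and the 16-byte per-profile limit shown in the `show switch` output ("... of 16"). The `reserved` argument, for bytes the switch's own protocol filters already use, is an assumed input. Turning each (port, mask) pair into CREATE CLASSIFIER parameters such as L4DMASK is left to the manual.

```python
"""Plan AlliedWare OS hardware-filter classifiers (added example, not the note's code).

Two checks from the note are automated here:
  * Appendix A: cover a TCP/UDP port range with (port, l4mask) classifier pairs.
  * Pages 10-11: total the profile-mask bytes a set of filters needs against the
    16-byte limit reported by `show switch` ("... bytes used ... n of 16").
"""
from __future__ import annotations

PORT_MASK_ALL = 0xFFFF      # 16-bit port field, every bit significant
PROFILE_BYTES = 16          # per-profile limit seen in the show switch output

# Bytes each matched field adds to the profile (mask); sizes from page 10.
# Assumption: source/destination L4 ports are separate 2-byte fields shared by
# TCP and UDP (page 11 counts "source TCP/UDP port" once), and matching any L4
# port also forces the 1-byte IP protocol field in (page 11 adds it).
FIELD_BYTES = {
    "macsaddr": 6, "macdaddr": 6,
    "protocol": 2, "ethformat": 2, "vlan": 2,
    "ipproto": 1, "ipsaddr": 4, "ipdaddr": 4,
    "l4sport": 2, "l4dport": 2, "dscp": 1,
}
L4_PORT_FIELDS = {"l4sport", "l4dport"}


def port_range_to_masks(lo: int, hi: int) -> list[tuple[int, int]]:
    """Cover lo..hi inclusive with the fewest aligned power-of-two blocks.

    Each block becomes one classifier: match `port` under `mask`, where the
    mask keeps the high bits and clears the low bits that vary in the block.
    """
    if not 0 <= lo <= hi <= PORT_MASK_ALL:
        raise ValueError("port range must lie within 0..65535")
    blocks: list[tuple[int, int]] = []
    cur = lo
    while cur <= hi:
        size = 1
        # Grow the block while it stays aligned to its size and inside the range.
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((cur, PORT_MASK_ALL & ~(size - 1)))
        cur += size
    return blocks


def ports_matched(port: int, mask: int) -> range:
    """Every port number a single (port, mask) classifier actually matches."""
    base = port & mask
    return range(base, base + (PORT_MASK_ALL & ~mask) + 1)


def ports_per_mask(mask: int) -> int:
    """Ports matched by an L4 mask (the page 17 table: FC00 -> 1024 ... 8000 -> 32768)."""
    return 1 << bin(PORT_MASK_ALL & ~mask).count("1")


def covers_exactly(lo: int, hi: int, blocks: list[tuple[int, int]]) -> bool:
    """True if the classifiers match lo..hi and nothing outside it."""
    matched = sorted(p for port, mask in blocks for p in ports_matched(port, mask))
    return matched == list(range(lo, hi + 1))


def profile_bytes(filters: list[set[str]]) -> int:
    """Profile-mask bytes a set of filters needs.

    Fields are shared across every filter in the profile, so the cost is the
    union of matched fields, not the per-filter sum (page 11's 6+1+2+4+2).
    """
    fields: set[str] = set()
    for f in filters:
        unknown = f - set(FIELD_BYTES)
        if unknown:
            raise ValueError(f"unknown field(s): {sorted(unknown)}")
        fields |= f
        if f & L4_PORT_FIELDS:
            fields.add("ipproto")
    return sum(FIELD_BYTES[name] for name in fields)


def fits_profile(filters: list[set[str]], reserved: int = 0) -> bool:
    """Does the set fit alongside `reserved` bytes already taken, e.g. by the
    switch's own protocol filters (page 11)? `reserved` is an assumed input."""
    return profile_bytes(filters) + reserved <= PROFILE_BYTES


if __name__ == "__main__":
    for lo, hi in [(2000, 2003), (5004, 5008), (384, 767)]:
        blocks = port_range_to_masks(lo, hi)
        shown = [(p, f"{m:04X}") for p, m in blocks]
        print(f"{lo}-{hi}: {shown} exact={covers_exactly(lo, hi, blocks)}")
    # The tempting page 15 mask (FFE0) with value 5004 is far too wide.
    wide = ports_matched(5004, 0xFFE0)
    print(f"5004 under FFE0 matches {wide.start}-{wide.stop - 1} ({len(wide)} ports)")
    page11 = [{"macsaddr"}, {"l4sport"}, {"ipdaddr", "l4dport"}]
    print(f"page 11 filter set needs {profile_bytes(page11)} of {PROFILE_BYTES} bytes")
```

Running it gives one classifier for 2000-2003 (mask FFFC), two for 5004-5008 (5004-5007 under FFFC plus 5008 alone under FFFF), and the two blocks page 16 describes for 384-767 (384-511 under FF80 and 512-767 under FF00). It also makes the page 15 pitfall concrete: under FFE0 the single value 5004 matches all 32 ports from 4992 to 5023, so a permit filter built that way admits 27 ports that were never meant to pass. `covers_exactly` is the check worth running on any hand-built mask before it goes into a production filter set.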

This manual is also suitable for: AT-9900 series, x900-48 series