ページ1に含まれる内容の要旨
TM
AlliedWare Plus OS
How To | Configure Hardware Filters on SwitchBlade x908,
x900-12XT/S, and x900-24 Series Switches
Introduction
The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful
hardware based packet-filtering facility.
These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and
perform a variety of different actions on the packets that match the filters.
Because the filters are hardware-based, they put no load on the CPU o
ページ2に含まれる内容の要旨
Introduction Contents Introduction .............................................................................................................................................. 1 Which products and software version does this Note apply to? ......................................... 2 Creating hardware ACLs ....................................................................................................................... 3 Creating IP hardware ACLs ............................................
ページ3に含まれる内容の要旨
Creating hardware ACLs Creating hardware ACLs Hardware ACLs contain both the match criteria and the action to take on matching traffic. There are two types of hardware ACL: IP address and MAC address. These are indexed by their ID number. IP hardware ACLs have a number in the range 3000 to 3699 and MAC hardware ACLs have a number in the range 4000 to 4699. The following table shows the available ACL ranges as displayed by the ? help, and highlights the hardware ACLs. Number range Description
ページ4に含まれる内容の要旨
Creating hardware ACLs IP packets You can filter IP packets on the basis of their source and/or destination IP addresses. The command syntax is: awplus(config)#access-list <3000-3699> ip The source and destination IP addresses can be any of the following: a subnet. To specify this, enter the address and mask. You can specify the mask in slash notation or with a wildcard (reverse) mask: awplus(config)#access-list 3000 permit ip 192.168.0.
ページ5に含まれる内容の要旨
Creating hardware ACLs TCP and UDP You can filter TCP and UDP packets on the basis of: packets source IP address and/or destination IP address (using the same syntax as when filtering IP packets) source and/or destination TCP/UDP ports. The command syntax is: awplus(config)#access-list <3000-3699> {tcp|udp} [{eq|gt|lt|ne|range} []] [{eq|gt|lt|ne|range} []] To determine which ports to
ページ6に含まれる内容の要旨
The effects of the action keywords in ACLs Creating MAC address hardware ACLs MAC address hardware ACLs filter packets on the basis of their source or destination MAC address. The command syntax is: awplus(config)#access-list <4000-4699> The source and destination MAC addresses can be any of the following: a range of MAC addresses. To specify this, enter a MAC address and the mask. Specify the mask as a wildcard mask: awplus(config)#ac
ページ7に含まれる内容の要旨
Making filters by applying hardware ACLs to ports Making filters by applying hardware ACLs to ports You can create a filter by simply applying one or more ACLs to a port, as long as you can select the matching traffic through hardware ACL keywords, as described above. ACLs can be applied to switch ports and static channel groups. To apply an ACL to a dynamic (LACP) channel group, apply the ACL to all ports that can be in the channel group. The hardware filters act on incoming traffic, so apply
ページ8に含まれる内容の要旨
Making filters by using QoS class-maps Making filters by using QoS class-maps QoS class-maps allow you to match on a much wider range of packet attributes than ACLs by themselves. They do this by determining the match criteria from an ACL, or from match commands, or from both in combination. Also, they use an ACL to decide what action to take on a packet, unless you want the default action of permit. The following figure summarises the class-map logic flow. Note that a class-map with no mat
ページ9に含まれる内容の要旨
Making filters by using QoS class-maps 3. Specify what the class-map will match on (see page 9). This involves: attaching the ACL to the class-map using other match commands to further limit what the traffic will match the class-map (unless the ACL’s settings were enough) 4. Attach the class-maps to a policy-map (see page 12). 5. Attach the policy-map to the ingress port or ports (see page 12). The following sections describe how to do each of these steps (except creating ACLs—that’s describ
ページ10に含まれる内容の要旨
Making filters by using QoS class-maps Matching on “inner” keywords for nested VLANs The match tpid, match inner-tpid, match inner-vlan, and match inner-cos commands all apply to nested VLAN configuration. In this situation, the packets arriving at the core-facing port can have two VLAN tags configured on them. The match tpid command matches on the first Tag Protocol Identifier field in the packet. The match inner-tpid command matches on the TPID in the second 802.1Q tag in the packet. The
ページ11に含まれる内容の要旨
Making filters by using QoS class-maps Matching on TCP flag Unlike the other match commands, you can match on multiple TCP flags. The switch combines the specified flags by ANDing them together. To specify the multiple flags, either make multiple match tcp-flags commands or specify the flags in one command as a space- separated list. For example, the following series of commands will match on a packet that has all of ACK, SYN and FIN set: awplus(config)#class-map tcp-flags awplus(config-cmap)
ページ12に含まれる内容の要旨
Making filters by using QoS class-maps Matching on eth-format and protocol Ethernet format and protocol are specified together, as a pair. You can either specify the command as: match eth-format protocol or match protocol eth-format The switch allows you to match on any of the Ethernet formats, as the following output shows: awplus(config-cmap)#match eth-format ? 802dot2-tagged 802.2 Tagged Packets 802dot2-untagged 802.
ページ13に含まれる内容の要旨
The logic of the operation of the hardware filters The logic of the operation of the hardware filters The operation of the filters follows the standard ACL logic: if a packet matches an ACL on the port, the comparison process stops and the action attached to the ACL is performed. The switch checks ACLs in the order in which you attach them to the port. For example, to reject all multicast traffic except 236.5.8.213, make one ACL to permit that address and another ACL to deny all multicast tr
ページ14に含まれる内容の要旨
Examples Examples Blocking all multicast traffic This example uses an interface ACL with an action of deny. Consider a situation where multiple clients are attached to the switch, with each client attached to a different port. Each client has a specific service, which includes a set of allowed traffic types. The client on port 1.0.10 is using a service that does not allow any multicast packets to be sent. To configure this: 1. Create an ACL to match and deny all packets with a multicast desti
ページ15に含まれる内容の要旨
Examples Blocking all multicast traffic except one address This example uses two interface ACLs, one with an action of permit and one with an action of deny. Use this type of configuration when you want to discard a wide range of traffic but want to forward a subset of traffic within that range. Consider a situation where you want to prevent the forwarding of multicast traffic in general, but wish to support an application that needs to send packets to one particular multicast address (236.5
ページ16に含まれる内容の要旨
Examples Mirroring ARP packets This example uses a QoS class-map. Use this type of configuration when you want to mirror a subset of the incoming traffic on a port, and you need to use QoS match commands to select the mirrored traffic. Consider a situation where you want to capture ARP packets that arrive at port 1.0.10. To configure this: 1. Set port 1.0.20 as the mirror port. To do this, enter global configuration mode and use the commands: awplus(config)#interface port1.0.20 awplus(config-
ページ17に含まれる内容の要旨
Examples Blocking TCP sessions in one direction This example uses two QoS class-maps. Administrators often want to block the establishment of TCP sessions in one direction, but allow TCP sessions to be established in the opposite direction. To do this, it is necessary to block the very first packet of an outgoing TCP session from being forwarded, but to allow any packets that reply to the initiation of an incoming TCP session to be forwarded. The very first packet of a TCP session has the SYN
ページ18に含まれる内容の要旨
How many filters can you create? How many filters can you create? The total number of filters that can be created is not an exact number, but depends on which fields the various filters are matching on. So, to understand how to work out whether the set of filters you are creating might run out of space, it is necessary to understand the way in which the filters operate in the switch hardware. There are two items within the switch hardware which set limits on the number of filters that can be
ページ19に含まれる内容の要旨
How many filters can you create? 2. The profile (mask) The other item is called the profile. Conceptually, this is a 16-byte mask that decides which set of bytes should be extracted from a packet as it enters the filtering process, to be compared against all the interface ACLs and the QoS class-maps. All filters share a single mask. In effect, the mask is the sum of all the individual bytes required for each individual ACL or QoS match command. The number of bytes required by each ACL or mat
ページ20に含まれる内容の要旨
How many filters can you create? Are there enough bytes for your set of filters? Of course, the mask cannot increase without limit—it has a maximum size of 16 bytes. When it reaches the 16-byte limit, no more ACLs or QoS match commands can be created which would cause the mask to increase in size. The switch can still accept ACLs or QoS match commands that use fields that have already been included in the mask. There is no particular number of ACLs or QoS match commands that will cause the mas
