Allied Telesis AT X900-12XT/S User Manual

AlliedWare Plus™ OS
How To | Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches

C613-16119-00 REV A
www.alliedtelesis.com

Introduction

The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful hardware-based packet-filtering facility.

These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and perform a variety of different actions on the packets that match the filters.

Because the filters are hardware-based, they put no load on the CPU of the switch, and do not affect the throughput of the switch. It is possible to configure over 1000 different filters, and still have complete wire speed throughput on the switch.

On the AlliedWare Plus OS, hardware-based packet filtering is carried out by using hardware ACLs (Access Control Lists). The following configuration methods are available:

1. To make a simple filter based on IP address, MAC address, TCP/UDP port, or ICMP type, you simply create one or more ACLs and apply them to a port.
   You can build up a filter hierarchy by applying multiple ACLs to a port (e.g. make one ACL to allow traffic from a source IP address to a destination address, then a second ACL to drop all (other) traffic from that source IP address).
   This How To Note calls ACLs that are applied to ports interface ACLs.
2. To make a filter based on a range of other packet settings, you use QoS match commands in one or more QoS class-maps, mostly in combination with ACLs. Then you use QoS to apply the class-maps to a policy-map and port.

This note describes both approaches. Then it gives a series of examples, and ends by discussing how many filters you can make.
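The filter hierarchy from item 1, modelled in Python as an added example (not code from the Allied Telesis note, and not switch CLI syntax). It assumes that ACLs on a port are checked in the order they were applied, that the first match decides, and that unmatched traffic is forwarded; the ACL names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Acl:
    name: str    # hypothetical label, not a switch ACL number
    action: str  # "permit" or "deny"
    src: str     # source prefix in CIDR form
    dst: str     # destination prefix in CIDR form

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def covers(self, other):
        # True when every packet `other` matches is also matched by self.
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))


def evaluate(port_acls, src_ip, dst_ip, default="permit"):
    """Assumed semantics: first matching ACL wins, otherwise the default."""
    for acl in port_acls:
        if acl.matches(src_ip, dst_ip):
            return acl.action, acl.name
    return default, None


def shadowed(port_acls):
    """(later, earlier) pairs where an earlier, broader ACL with a
    different action means the later ACL can never take effect."""
    pairs = []
    for i, later in enumerate(port_acls):
        for earlier in port_acls[:i]:
            if earlier.covers(later) and earlier.action != later.action:
                pairs.append((later.name, earlier.name))
                break
    return pairs


# Constructed sample: allow one source to one destination, drop its other traffic.
ALLOW = Acl("acl-allow", "permit", "192.168.1.10/32", "10.0.0.5/32")
DROP = Acl("acl-drop", "deny", "192.168.1.10/32", "0.0.0.0/0")
INTENDED = [ALLOW, DROP]   # specific permit first, broad deny second
REVERSED = [DROP, ALLOW]   # broad deny first: the permit is never reached

if __name__ == "__main__":
    for order in (INTENDED, REVERSED):
        print(evaluate(order, "192.168.1.10", "10.0.0.5"), shadowed(order))
```

Running `shadowed()` over the ACL list planned for a port before applying it catches the reversed ordering, where the broad deny silently overrides the specific permit.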

Summary of Contents

Page 1 - How To

C613-16119-00 REV A | www.alliedtelesis.com | AlliedWare Plus™ OS | How To | Introduction | The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support

Page 2 - Contents

Page 10 | AlliedWare Plus™ OS How To Note | Making filters by using QoS class-maps | Matching on “inner” keywords for nested VLANs | The match tpid, match inne

Page 3 - Creating hardware ACLs

Page 11 | AlliedWare Plus™ OS How To Note | Making filters by using QoS class-maps | Matching on TCP flag | Unlike the other match commands, you can match on m

Page 4

Page 12 | AlliedWare Plus™ OS How To Note | Making filters by using QoS class-maps | Matching on eth-format and protocol | Ethernet format and protocol are spe

Page 5 - TCP and UDP

Page 13 | AlliedWare Plus™ OS How To Note | The logic of the operation of the hardware filters | The opera

Page 6

Page 14 | AlliedWare Plus™ OS How To Note | Examples | Blocking all multicast traffic | This example uses an interface ACL with an action of deny. Consi

Page 7

Page 15 | AlliedWare Plus™ OS How To Note | Examples | Blocking all multicast traffic except one address | This example uses two interface ACLs, one with an ac

Page 8

Page 16 | AlliedWare Plus™ OS How To Note | Examples | Mirroring ARP packets | This example uses a QoS class-map. Use this type of configuration when you want t

Page 9 - Creating a class-map

Page 17 | AlliedWare Plus™ OS How To Note | Examples | Blocking TCP sessions in one direction | This example uses two QoS class-maps. Administrators often want

Page 10

Page 18 | AlliedWare Plus™ OS How To Note | How many filters can you create? | The total number of filters that can be creat

Page 11 - Matching on TCP flag

Page 19 | AlliedWare Plus™ OS How To Note | How many filters can you create? | 2. The profile (mask) | The other item is called the profile. Conceptually, this

Page 12

Page 2 | AlliedWare Plus™ OS How To Note | Introduction | Contents | Introduction ...

Page 13

Page 20 | AlliedWare Plus™ OS How To Note | How many filters can you create? | Are there enough bytes for your set of filters? | Of course, the mask cannot inc

Page 14 - Examples

USA Headquarters | 19800 North Creek Parkway | Suite 200 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895

Page 15

Page 3 | AlliedWare Plus™ OS How To Note | Creating hardware ACLs | Hardware ACLs contain both the match criteria and the action to ta

Page 16 - Mirroring ARP packets

Page 4 | AlliedWare Plus™ OS How To Note | Creating hardware ACLs | IP packets | You can filter IP packets on the basis of their source and/or destination IP

Page 17

Page 5 | AlliedWare Plus™ OS How To Note | Creating hardware ACLs | TCP and UDP packets | You can filter TCP and UDP packets on the basis of: • source IP address

Page 18 - 1. The filter rules table

Page 6 | AlliedWare Plus™ OS How To Note | The effects of the action keywords in ACLs | Creating MAC address hardware ACLs | MAC address hardware ACLs filter p

Page 19 - 2. The profile (mask)

Page 7 | AlliedWare Plus™ OS How To Note | Making filters by applying hardware ACLs to ports | You can crea

Page 20

Page 8 | AlliedWare Plus™ OS How To Note | Making filters by using QoS class-maps | QoS class-maps allow you to match

Page 21 - C613-16119-00 REV A

Page 9 | AlliedWare Plus™ OS How To Note | Making filters by using QoS class-maps | 3. Specify what the class-map will match on (see page 9). This involves:
