Allied Telesis AT X900-12XT-S, x908 User Manual

AlliedWare Plus™ OS
How To | Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches

Introduction

The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful hardware-based packet-filtering facility.
These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and perform a variety of different actions on the packets that match the filters.
Because the filters are hardware-based, they put no load on the CPU of the switch, and do not affect the throughput of the switch. It is possible to configure over 1000 different filters, and still have complete wire speed throughput on the switch.
On the AlliedWare Plus OS, hardware-based packet filtering is carried out by using hardware ACLs (Access Control Lists). The following configuration methods are available:
1. To make a simple filter based on IP address, MAC address, TCP/UDP port, or ICMP type, you simply create one or more ACLs and apply them to a port. You can build up a filter hierarchy by applying multiple ACLs to a port (e.g. make one ACL to allow traffic from a source IP address to a destination address, then a second ACL to drop all other traffic from that source IP address). This How To Note calls ACLs that are applied to ports "interface ACLs".
2. To make a filter based on a range of other packet settings, you use QoS match commands in one or more QoS class-maps, mostly in combination with ACLs. Then you use QoS to apply the class-maps to a policy-map and port.
This note describes both approaches. Then it gives a series of examples, and ends by discussing how many filters you can make.
C613-16119-00 REV A
www.alliedtelesis.com
Contents
Introduction (page 1)
Which products and software version does this Note apply to? (page 2)
Creating hardware ACLs (page 3)
  Creating IP hardware ACLs (page 3)
  Creating MAC address hardware ACLs (page 6)
The effects of the action keywords in ACLs (page 6)
Making filters by applying hardware ACLs to ports (page 7)
Making filters by using QoS class-maps (page 8)
  Creating a class-map (page 9)
  Specifying what the class-map will match on (page 9)
    Matching on “inner” keywords for nested VLANs (page 10)
    Matching on TCP flag (page 11)
    Matching on eth-format and protocol (page 12)
  Applying the class-maps to a policy-map (page 12)
  Applying the policy-map to ports (page 12)
The logic of the operation of the hardware filters (page 13)
Combining interface ACLs and QoS class-maps (page 13)
Examples (page 14)
  Blocking all multicast traffic (page 14)
  Blocking all multicast traffic except one address (page 15)
  Mirroring HTTP and SMTP traffic (page 15)
  Mirroring ARP packets (page 16)
  Blocking TCP sessions in one direction (page 17)
How many filters can you create? (page 18)
  1. The filter rules table (page 18)
  2. The profile (mask) (page 19)
    Are there enough bytes for your set of filters? (page 20)
    Some protocols also use filters, so use some of the length (page 21)

Which products and software version does this Note apply to?

• Products: SwitchBlade x908, x900-12XT/S, and x900-24 series switches
• Software versions: 5.2.1-0.1 and above
Hardware filters are also available on Layer 3 switches running the AlliedWare OS. For AlliedWare OS configurations, see the AlliedWare OS How To Notes:
• How To Use the Hardware Filters on the AT-8948 and AT-9900 Series Switches
• How To Configure Filtering Actions on QoS Flow Groups and Traffic Classes
These Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx.
Page 2 | AlliedWare Plus™ OS How To Note


Creating hardware ACLs
Hardware ACLs contain both the match criteria and the action to take on matching traffic. There are two types of hardware ACL: IP address and MAC address. These are indexed by their ID number. IP hardware ACLs have a number in the range 3000 to 3699 and MAC hardware ACLs have a number in the range 4000 to 4699.
The following table shows the available ACL ranges as displayed by the ? help; the two hardware ACL ranges are marked with an asterisk.

Number range   Description
1-99           IP standard access list
100-199        IP extended access list
1300-1999      IP standard access list (expanded range)
2000-2699      IP extended access list (expanded range)
3000-3699 *    Hardware IP access list
4000-4699 *    Hardware MAC access list
extended       Named IP extended access list
standard       Named IP standard access list

The ACLs give you the following choice of actions to take on matching traffic (see “The effects of the action keywords in ACLs” on page 6 for details).

Action parameter   Description
copy-to-cpu        Specify packets to copy to the CPU
copy-to-mirror     Specify packets to copy to the mirror port
deny               Specify packets to reject
permit             Specify packets to permit
send-to-cpu        Specify packets to send to the CPU

Creating IP hardware ACLs

IP hardware ACLs filter packets from the following IP protocols:
• IP
• ICMP
• TCP
• UDP
This section describes how to create ACLs to filter packets from each of these protocols.
Page 3 | AlliedWare Plus™ OS How To Note
IP packets
You can filter IP packets on the basis of their source and/or destination IP addresses. The command syntax is:
awplus(config)#access-list <3000-3699> <action> ip <source-ip-address> <destination-ip-address>
The source and destination IP addresses can be any of the following:
• a subnet. To specify this, enter the address and mask. You can specify the mask in slash notation or with a wildcard (reverse) mask:
  awplus(config)#access-list 3000 permit ip 192.168.0.0/16 ...
  awplus(config)#access-list 3000 permit ip 192.168.0.0 0.0.255.255 ...
• a single host. To specify this, enter the keyword host and then the address:
  awplus(config)#access-list 3000 permit ip host 192.168.0.1 ...
• all source IPs or all destination IPs. To specify this, enter the keyword any:
  awplus(config)#access-list 3000 permit ip any ...
ICMP packets
You can filter ICMP messages on the basis of:
• source IP address and/or destination IP address (using the same syntax as when filtering IP packets)
• ICMP message type, by specifying a type number. Popular types to filter include Echo Reply (0), Echo Request (8), Redirect (5), Destination Unreachable (3), Traceroute (30), and Time Exceeded (11)
The command syntax is:
awplus(config)#access-list <3000-3699> <action> icmp <source-ip-address> <destination-ip-address> [icmp-type <value>]
For example, the following ACL matches on all ICMP messages from 192.168.0.0/16:
awplus(config)#access-list 3000 permit icmp 192.168.0.0/16 any
The following ACL matches on ICMP redirect messages to and from any address:
awplus(config)#access-list 3000 permit icmp any any icmp-type 5
Page 4 | AlliedWare Plus™ OS How To Note
TCP and UDP packets
You can filter TCP and UDP packets on the basis of:
• source IP address and/or destination IP address (using the same syntax as when filtering IP packets)
• source and/or destination TCP/UDP ports.
The command syntax is:
awplus(config)#access-list <3000-3699> <action> {tcp|udp} <source-ip-address> [{eq|gt|lt|ne|range} <source-port> [<source-port>]] <destination-ip-address> [{eq|gt|lt|ne|range} <dest-port> [<dest-port>]]
To determine which ports to filter, use the following keywords:

Keyword      Selects
no keyword   All ports
eq           A single port
gt           All ports higher than the specified port number
lt           All ports lower than the specified port number
ne           All ports except the specified port
range        A contiguous range of ports

Examples for each keyword:
• no keyword: to match packets that use any TCP source or destination port:
  access-list 3000 permit tcp any any
• eq: specify a single port number. To match packets from any IP address that use TCP source port 5100:
  access-list 3000 permit tcp any eq 5100 any
  Note that the TCP port parameter is optional. In this example, the keyword any indicates that the ACL matches on any source and destination IP address. The absence of a port at the end of the command indicates that it matches on any destination port.
• gt: specify a single port number. To match packets that use a source TCP port of 5100 or higher:
  access-list 3000 permit tcp any gt 5099 any
• lt: specify a single port number. To match packets that use a source TCP port of 5100 or lower:
  access-list 3000 permit tcp any lt 5101 any
• ne: specify a single port number. To match packets that use any source TCP port except port 5100:
  access-list 3000 permit tcp any ne 5100 any
• range: specify the lowest and highest numbers in the range, separated by a space. To match packets that use TCP source ports 5100 to 5200 inclusive:
  access-list 3000 permit tcp any range 5100 5200 any
Page 5 | AlliedWare Plus™ OS How To Note


Creating MAC address hardware ACLs

MAC address hardware ACLs filter packets on the basis of their source or destination MAC address.
The command syntax is:
awplus(config)#access-list <4000-4699> <action> <source-mac-address> <destination-mac-address>
The source and destination MAC addresses can be any of the following:
• a range of MAC addresses. To specify this, enter a MAC address and the mask. Specify the mask as a wildcard mask:
  awplus(config)#access-list 4000 permit 1234.1234.1234 0000.0000.000f ...
  (this example selects MAC addresses from 1234.1234.1230 to 1234.1234.123f)
• a single MAC address. To specify this, enter the MAC address and a mask of 0000.0000.0000:
  awplus(config)#access-list 4000 permit 1234.1234.1234 0000.0000.0000 ...
• all MAC addresses. To specify this, enter the keyword any:
  awplus(config)#access-list 4000 permit any ...
The effects of the action keywords in ACLs
Let us consider the effect of each of the possible action keywords.

deny
  What it does: Drops the traffic.
  When do you need this action? Use this when the filtering policy is to disallow certain traffic flows.
permit
  What it does: Forwards the traffic normally.
  When do you need this action? Use this when you want to:
  • discard a wide range of traffic, but still forward some small subset of traffic within that range.
  • use the ACL in a QoS class-map to select traffic for the switch to apply QoS settings to (like queue shaping).
copy-to-cpu
  What it does: Forwards the traffic normally, and also sends a copy of each packet to the CPU.
  When do you need this action? Use this when you want software monitoring of a certain packet flow. If you want to log, or count, or output debug pertaining to a certain stream, then create an ACL that matches the packets in the stream, and specify the copy-to-cpu action.
send-to-cpu
  What it does: Drops the traffic, but also sends a copy of each packet to the CPU.
  When do you need this action? Use this when you want software monitoring of a certain packet flow that is being dropped. If you want to log, count, or output debug pertaining to a certain disallowed stream, then create an ACL that matches the packets in the stream, and specify the send-to-cpu action.
copy-to-mirror
  What it does: Forwards the traffic normally, and also sends a copy of each packet to the mirror port.
  When do you need this action? Use this when you want to mirror only a certain stream, instead of mirroring all traffic on a port.

Note that while the filter match itself is done in hardware, every packet that copy-to-cpu or send-to-cpu delivers to the CPU has to be processed in software, so keep the match for those two actions as narrow as the monitoring task allows.
Page 6 | AlliedWare Plus™ OS How To Note


Making filters by applying hardware ACLs to ports
You can create a filter by simply applying one or more ACLs to a port, as long as you can select the matching traffic through hardware ACL keywords, as described above.
ACLs can be applied to switch ports and static channel groups. To apply an ACL to a dynamic (LACP) channel group, apply the ACL to all ports that can be in the channel group.
The hardware filters act on incoming traffic, so apply them to the ingress ports.
Attaching ACLs
To apply ACLs to ports, enter interface mode for the port or ports you want to attach the ACL to, and then use one of the following commands:
For IP hardware ACLs:
  ip access-group <ip-acl-number>
For MAC hardware ACLs:
  mac access-group <mac-acl-number>
If you have multiple ACLs on a port, attach them to the port in the order in which you want the switch to check them (see “The logic of the operation of the hardware filters” on page 13). You can alternate IP and MAC ACLs, as in the following example:
awplus(config-if)#ip access-group 3200
awplus(config-if)#ip access-group 3100
awplus(config-if)#mac access-group 4300
awplus(config-if)#ip access-group 3150
awplus(config-if)#mac access-group 4350
Viewing port information
To see a list of the ACLs that are directly attached to a port, use the following command:
awplus#show interface <range> access-group
Changing ACL order
It is not possible to change the order of ACLs once you have attached them to a port. Instead, remove ACLs from the port by entering interface mode for the port and using the commands:
  no ip access-group <ip-acl-number>
  no mac access-group <mac-acl-number>
Then re-enter them in the desired order.
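The following Python script is an added example; it is not part of this How To Note and not Allied Telesis software. It is a software model of the hardware ACL matching described in the sections above: it reads the access-list syntax from “Creating IP hardware ACLs” (subnet, wildcard-mask, host and any addresses; the eq/gt/lt/ne/range port keywords; icmp-type) and from “Creating MAC address hardware ACLs” (MAC address plus wildcard mask), then evaluates a packet against the ACLs attached to a port in the order the access-group commands were entered. Two behaviours are assumptions, because this page does not state them: the first ACL that matches decides the action (which is what the filter-hierarchy example in the Introduction implies), and a packet that matches no attached ACL is forwarded normally. “The logic of the operation of the hardware filters” on page 13 is the authority for both. The packet dictionary fields, the function names and the sample ACLs are constructed for the example. Use it to check, before typing a filter into a switch, that a wildcard mask or a gt/lt boundary selects exactly the addresses and ports you intend, and to see that attaching the same ACLs in the opposite order changes the result.

```python
"""Software model of the hardware ACL matching described in this note (added example,
not Allied Telesis code). Assumed, not stated on the page: the first matching ACL
decides the action, and a packet that matches no ACL is forwarded ("forward")."""
import ipaddress

PORT_OPS = {                                   # {eq|gt|lt|ne|range} <port> [<port>]
    "eq": lambda p, a, b: p == a,
    "gt": lambda p, a, b: p > a,
    "lt": lambda p, a, b: p < a,
    "ne": lambda p, a, b: p != a,
    "range": lambda p, a, b: a <= p <= b,
}
IP_BITS, MAC_BITS = 0xFFFFFFFF, 0xFFFFFFFFFFFF

def _parse_ip(tokens):
    """Consume one address form: A.B.C.D/len, A.B.C.D W.X.Y.Z (wildcard), host A.B.C.D, or any.
    Returns (value, care_mask, rest); an address matches when addr & care_mask == value."""
    t = tokens[0]
    if t == "any":
        return 0, 0, tokens[1:]
    if t == "host":
        return int(ipaddress.IPv4Address(tokens[1])), IP_BITS, tokens[2:]
    if "/" in t:
        net = ipaddress.IPv4Network(t, strict=False)
        return int(net.network_address), int(net.netmask), tokens[1:]
    care = ~int(ipaddress.IPv4Address(tokens[1])) & IP_BITS   # wildcard: 1 bits are "don't care"
    return int(ipaddress.IPv4Address(t)) & care, care, tokens[2:]

def _parse_port(tokens):
    """Consume an optional port clause; returns (predicate on a port number, rest)."""
    if tokens and tokens[0] in PORT_OPS:
        op, a = tokens[0], int(tokens[1])
        b, used = (int(tokens[2]), 3) if op == "range" else (a, 2)
        return (lambda p, op=op, a=a, b=b: PORT_OPS[op](p, a, b)), tokens[used:]
    return (lambda p: True), tokens

def _mac_int(text):
    return int(text.replace(".", ""), 16)

def _parse_mac(tokens):
    """Consume hhhh.hhhh.hhhh <wildcard-mask> or any, with the same (value, care, rest) convention."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    care = ~_mac_int(tokens[1]) & MAC_BITS
    return _mac_int(tokens[0]) & care, care, tokens[2:]

def parse_acl(line):
    """Parse one `access-list <number> <action> ...` line (one line, without the awplus prompt)."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    acl = {"number": number, "action": action}
    if 4000 <= number <= 4699:                                 # hardware MAC ACL
        acl["kind"] = "mac"
        acl["src"], acl["src_care"], rest = _parse_mac(rest)
        acl["dst"], acl["dst_care"], rest = _parse_mac(rest)
        return acl
    if not 3000 <= number <= 3699:
        raise ValueError("%d is not a hardware ACL number" % number)
    acl["kind"], acl["proto"], rest = "ip", rest[0], rest[1:]  # ip | icmp | tcp | udp
    acl["src"], acl["src_care"], rest = _parse_ip(rest)
    acl["sport"], rest = _parse_port(rest)                      # port clauses only occur for tcp/udp
    acl["dst"], acl["dst_care"], rest = _parse_ip(rest)
    acl["dport"], rest = _parse_port(rest)
    acl["icmp_type"] = int(rest[1]) if rest[:1] == ["icmp-type"] else None
    return acl

def acl_matches(acl, pkt):
    """True when every field of the ACL matches the packet dictionary."""
    if acl["kind"] == "mac":
        return ((_mac_int(pkt["src_mac"]) & acl["src_care"]) == acl["src"]
                and (_mac_int(pkt["dst_mac"]) & acl["dst_care"]) == acl["dst"])
    if acl["proto"] != "ip" and pkt.get("proto") != acl["proto"]:   # 'ip' covers every IP packet
        return False
    src, dst = (int(ipaddress.IPv4Address(pkt[k])) for k in ("src_ip", "dst_ip"))
    if (src & acl["src_care"]) != acl["src"] or (dst & acl["dst_care"]) != acl["dst"]:
        return False
    if acl["proto"] in ("tcp", "udp") and not (acl["sport"](pkt["sport"]) and acl["dport"](pkt["dport"])):
        return False
    return acl["icmp_type"] is None or pkt.get("icmp_type") == acl["icmp_type"]

def evaluate_port(attached, pkt):
    """Action of the first matching ACL, taking `attached` in access-group entry order."""
    for line in attached:
        acl = parse_acl(line)
        if acl_matches(acl, pkt):
            return acl["action"]
    return "forward"                                            # assumed: no match, normal forwarding

# Constructed input: the filter hierarchy from the Introduction (permit one host to the
# 10.0.0.0/8 servers, then drop the rest of its traffic), a MAC-range drop, and a mirrored port range.
PORT_ACLS = [
    "access-list 3000 permit ip host 192.168.1.10 10.0.0.0/8",
    "access-list 3001 deny ip host 192.168.1.10 any",
    "access-list 4000 deny 1234.1234.1234 0000.0000.000f any",
    "access-list 3002 copy-to-mirror tcp any any range 5100 5200",
]

def sample(src_mac, src_ip, dst_ip, dport, proto="tcp"):
    """Build a constructed packet dictionary."""
    return {"src_mac": src_mac, "dst_mac": "0000.5e00.0101", "src_ip": src_ip,
            "dst_ip": dst_ip, "proto": proto, "sport": 40000, "dport": dport}

if __name__ == "__main__":
    host = "0000.0000.0001"
    print(evaluate_port(PORT_ACLS, sample(host, "192.168.1.10", "10.2.3.4", 443)))        # permit
    print(evaluate_port(PORT_ACLS, sample(host, "192.168.1.10", "172.16.0.5", 443)))      # deny
    print(evaluate_port(PORT_ACLS[::-1], sample(host, "192.168.1.10", "10.2.3.4", 443)))  # deny: 3001 checked first
```

Run it directly to print the actions for three sample packets. The third line is the point of the ordering rule above: with the two host ACLs attached in the opposite order, the deny in ACL 3001 is checked before the permit in ACL 3000, and the traffic to the 10.0.0.0/8 servers that the hierarchy was meant to allow is dropped. Because the order cannot be changed once the ACLs are attached, this is the check to make before entering the access-group commands.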
Page 7 | AlliedWare Plus™ OS How To Note