Allied Telesis x900-24 User Manual

AlliedWare™ OS
How To | Configure Hardware Filters on AT-9900, x900-48, and x900-24 Series Switches

Introduction

The AT-9900, x900-48, and x900-24 series switches support a powerful hardware-based packet-filtering facility.
These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and perform a variety of different actions on the packets that match the filters.
Because the filters are hardware-based, they put no load on the CPU of the switch, and have no effect on the throughput of the switch. It is possible to configure over 1000 different filters, and still have complete wire speed throughput on the switch.
The following configuration methods are available:
1. To filter traffic across all ports on the switch, create dedicated hardware filters.
2. To filter traffic on a per-port basis, apply filtering actions to QoS flow groups or traffic classes.
This Note only describes method 1. Method 2 is described in How To Configure Filtering Actions on QoS Flow Groups and Traffic Classes, available from www.alliedtelesis.com/resources/literature/howto.aspx.
C613-16058-00 REV C
www.alliedtelesis.com
What information will you find in this document?
This document contains the following:
Introduction .......................................................................... 1
Which products and software versions does this information apply to? ................. 2
Creating dedicated hardware filters .................................................. 3
    Configuring packet classification ................................................ 3
        Configuring Layer 4 source and destination port number masks ................. 4
        Configuring “inner” parameters for nested VLANs .............................. 4
    Creating hardware filters ........................................................ 5
    The logic of the operation of the hardware filters ............................... 6
    The effects of the action parameters ............................................. 6
Combining hardware filters and QoS ................................................... 7
How many filters can you create? ..................................................... 7
    1. The filter rules table ........................................................ 7
        Extra rules used when combining QoS and hardware filters ..................... 8
    2. The profile (mask) ............................................................ 9
        Are there enough bytes for your set of filters? ............................. 10
        Some protocols also use filters, so use some of the length .................. 11
    How to see the current filter resource usage on the switch ...................... 12
Appendix A: How to use the layer 4 mask in classifiers .............................. 13
    Example 1: ports 2000-2003 ...................................................... 14
    Points to remember .............................................................. 14
    Example 2: ports 5004-5008 ...................................................... 15
    Example 3: ports 333-777 ........................................................ 15

Which products and software versions does this information apply to?

• Products: AT-8948, AT-9900, x900-48, and x900-24 series
• Software versions: 2.7.3 and above
Hardware filters are also available on Layer 3 switches running the AlliedWare Plus OS. See the following How To Note:
• How To Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches
This Note is available from www.alliedtelesis.com/resources/literature/howto_plus.aspx.
Page 2 | AlliedWare™ OS How To Note: Hardware Filters

Creating dedicated hardware filters

Before we get into the details of the filter creation, we need to look at the underlying packet classification process.

Configuring packet classification

Dedicated hardware filters and QoS use the same packet classification process.
The basic construct in the classification process is a classifier. The syntax for creating a classifier on the switch is:
CREate CLASSifier=rule-id
  [MACSaddr={macadd|ANY|DHCPSnooping}] [MACDaddr={macadd|ANY}]
  [MACSMask=macadd] [MACDMask=macadd] [MACType={L2Ucast|L2Mcast|L2Bcast|ANY}]
  [TPID={tpid|ANY}] [VLANPriority={0..7|ANY}] [VLAN={vlanname|1..<VIDMaxUser>|ANY}]
  [INNERTpid={tpid|ANY}] [INNERVLANPriority={0..7|ANY}] [INNERVLANId={vlanname|1..4094|ANY}]
  [ETHFormat={802.2-Tagged|802.2-Untagged|ETHII-Tagged|ETHII-Untagged|NETWARERAW-Tagged|Netwareraw-untagged|SNAP-Tagged|SNAP-Untagged|ANY}]
  [PROTocol={protocoltype|IP|IPV6|ANY}] [IPDScp={dscplist|ANY}] [IPTOs={0..7|ANY}]
  [IPSAddr={ipaddmask|ANY|DHCPSnooping}] [IPDAddr={ipaddmask|ANY}]
  [IPPRotocol={TCP|UDP|ICMp|IGMp|OSPf|ipprotocolnum|ANY}]
  [IPXDAddr={ipxadd|ANY}]
  [IPXDSocket={NCP|SAP|RIP|NNB|DIAg|NLSp|IPXwan|ipxsocketnum|ANY}]
  [IPXSSocket={NCP|SAP|RIP|NNB|DIAg|NLSp|IPXwan|ipxsocketnum|ANY}]
  [TCPSport={portid|port-range|ANY}] [TCPDport={portid|port-range|ANY}]
  [UDPSport={portid|port-range|ANY}] [UDPDport={portid|port-range|ANY}]
  [L4SMask=mask] [L4DMask=mask]
  [L5BYTE01=byteoffset,bytevalue[,bytemask]] [L5BYTE02=byteoffset,bytevalue[,bytemask]] ... [L5BYTE16=byteoffset,bytevalue[,bytemask]]
  [TCPFlags={{Urg|Ack|Rst|Syn|Fin}[,...]|ANY}]
  [ICmptype={Any|ECHORply|Unreachable|Quench|Redirect|ECHO|ADvertisement|Solicitation|TImeexceed|Parameter|TSTAMP|TSTAMPRply|INFOREQ|INFOREP|ADDRREQ|ADDRREP|NAMEREq|NAMERPly|icmp-type}]
  [ICMPCode={Any|FIlter|FRAGMent|FRAGReassm|HOSTComm|HOSTIsolated|HOSTPrec|HOSTREdirect|HOSTRTos|HOSTTos|HOSTUNKnown|HOSTUNReach|NETComm|NETREdirect|NETRTos|NETTos|NETUNKnown|NETUNReach|NOptr|POrtunreach|PREcedent|PROtunreach|PTrproblem|Sourceroute|Ttl|icmp-code}]
  [IGmptype={ANY|QUery|V1Report|DVmrp|PIMv1|CTRace|V2Report|V2Leave|MCTRACEResponse|MCTRACE|V3Report|MRAdvert|MRSolicit|MRTermination|igmp-type}]
  [EIPBYTE01=byteoffset,bytevalue[,bytemask]] [EIPBYTE02=byteoffset,bytevalue[,bytemask]] ... [EIPBYTE16=byteoffset,bytevalue[,bytemask]]
From this, it can be seen that there are a large number of different attributes upon which packets can be classified.
Most of these options are self-evident, but the following sections give more information about the L4 mask and the “inner” options. For information about the other options, see the Generic Classifier chapter of the Software Reference.

Configuring Layer 4 source and destination port number masks

A common filtering requirement is the ability to filter on a range of TCP or UDP port numbers. For example, we often want to be able to allow through all packets with a TCP destination port greater than 1024, as such packets are deemed to be replies coming back to sessions initiated from the other side of the switch. The l4smask and l4dmask parameters make it possible for a single classifier to match a whole range of port numbers.
These parameters take HEX values, and are used in conjunction with the parameters tcpsport, tcpdport, udpsport, and udpdport. A port number matches the classifier if performing a logical AND of the port number with the mask gives the same result as performing a logical AND of the mask with the value specified in the corresponding sport or dport parameter.
Of course, this is not quite so convenient as being able to simply specify a range of decimal numbers. Often it can require multiple port/mask combinations to cover a particular range of numbers.
The maths of all this is described in detail in Appendix A of this How To Note—see page 13.
Note: The default value of each mask is FFFF. This means that if you specify a port number without specifying a mask, then the classifier matches only that one value of the port number. This is the same as specifying a port number and a mask of FFFF.
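The arithmetic behind l4smask and l4dmask, as an added example (this is not code from the How To Note or from Allied Telesis). l4_matches() is the AND comparison described above, and port_range_to_masks() computes the fewest port/mask pairs that cover a decimal range by splitting it into aligned power-of-two blocks; that is the general procedure of which Appendix A works single instances. The ranges used (1024 and above, 2000-2003, 5004-5008, 333-777) are the ones this Note names; as_cli() renders the pairs with the tcpdport and l4dmask parameter names from the classifier syntax, and ports_covered() is a check that the pairs match exactly the intended ports and nothing else.

```python
from typing import List, Set, Tuple

PORT_MAX = 0xFFFF


def l4_matches(port: int, value: int, mask: int) -> bool:
    """The comparison the switch performs: a packet's port matches when
    (port AND mask) equals (configured port value AND mask)."""
    return (port & mask) == (value & mask)


def port_range_to_masks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Split lo..hi (inclusive) into the fewest aligned, power-of-two sized
    blocks; each block is one (port, mask) pair for a classifier. A block
    starting at cur with size 2**k is the pair (cur, FFFF with the low k
    bits cleared). Pairs are returned in ascending port order."""
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError("need 0 <= lo <= hi <= 65535")
    pairs: List[Tuple[int, int]] = []
    cur = lo
    while cur <= hi:
        size = 1
        # Grow the block while its start stays aligned to the doubled size
        # and its last port still lies inside the requested range.
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((cur, PORT_MAX & ~(size - 1)))
        cur += size
    return pairs


def ports_covered(pairs: List[Tuple[int, int]]) -> Set[int]:
    """Every port 0..65535 that at least one pair matches. Compare this with
    the intended range to confirm a set of pairs neither under- nor
    over-matches."""
    return {p for p in range(PORT_MAX + 1)
            if any(l4_matches(p, v, m) for v, m in pairs)}


def as_cli(pairs: List[Tuple[int, int]], port_param: str = "tcpdport",
           mask_param: str = "l4dmask") -> List[str]:
    """Render each pair as classifier parameters (mask in hex, as the
    l4smask/l4dmask parameters expect)."""
    return [f"{port_param}={v} {mask_param}={m:04X}" for v, m in pairs]


if __name__ == "__main__":
    for lo, hi in ((1024, PORT_MAX), (2000, 2003), (5004, 5008), (333, 777)):
        pairs = port_range_to_masks(lo, hi)
        assert ports_covered(pairs) == set(range(lo, hi + 1))
        print(f"{lo}-{hi}: {len(pairs)} classifier(s)")
        for line in as_cli(pairs):
            print("   ", line)
```

Each pair becomes one classifier (and therefore one filter), so the number of pairs is the cost of a range in filter-table entries: 2000-2003 needs one classifier, 5004-5008 needs two, and "1024 and above" needs six. Because the default mask FFFF matches a single port, leaving the mask off a port value never widens a match by accident; the risk runs the other way, a mask that clears too many bits matches ports outside the range, which is what the ports_covered() check catches.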

Configuring “inner” parameters for nested VLANs

The tpid, innertpid, innervlanid, and innervlanpriority parameters all apply to nested VLAN configuration. In this situation, the packets arriving at the core-facing port can have two VLAN tags configured on them.
• The tpid parameter matches on the first Tag Protocol Identifier field in the packet.
• The innertpid parameter matches on the TPID in the second 802.1Q tag in the packet.
• The innervlanid parameter matches on the tunnelled VLAN ID in the second 802.1Q tag in the packet.
• The innervlanpriority parameter matches on the 802.1p field in the second tag in the packet.
The following table shows where in the packet the inner and outer tags will be matched.

                          Outer VLAN parameters (normal)    Inner VLAN parameters
  Customer port           VLAN                              1st tag
  Core port               1st tag                           2nd tag
  Nested VLANs disabled   1st tag                           2nd tag
Some important points to keep in mind while configuring the “inner” parameters are:
• When packets arrive at a customer port of a nested VLAN, the parameter vlan will match the VID of the nested VLAN that the port is a member of, which is just how this parameter normally operates.
• When packets arrive at a customer port of a nested VLAN, the “inner” parameters will match the attributes of the first tag in the packets. This is because when the packet is forwarded from the core port, that first tag will have become the inner tag. So, from the point of view of the nested VLAN, the tag that is on the packet when it arrives into the customer port is the inner tag.
• When nested VLANs are disabled, and “inner” parameters have been configured, these parameters will be applied as though all packets arriving at the switch were double tagged. In other words, there will be no attempt to make a distinction between “customer” and “core” ports. So, if the packets arriving at the switch are not double tagged, then the “inner” parameters will just match on whatever data happens to be in the packets at the position where an inner tag would have been. Therefore, when you disable nested VLANs, you should also remove the classifiers.
• When nested VLANs are being used, the parameters tpid and vlanpriority cannot be used in classifiers on filters applied to customer ports.
• If you attach the classifier to a number of ports, they will all be treated like core ports if at least one of the ports is a core port.
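To make the "nested VLANs disabled" caveat concrete, here is an added example (not code from the Note or from Allied Telesis) that builds Ethernet frames with one or two 802.1Q tags and reads the "inner" tag two ways: by walking the tags that are actually present, and by reading the fixed byte position where a second tag would sit, which is what the text says the inner parameters do once nested VLANs are disabled. The MAC addresses and payload are constructed; the TPID values 0x8100 (802.1Q) and 0x88A8 (802.1ad) are the standard ones.

```python
import struct
from typing import List, Optional, Tuple

Tag = Tuple[int, int, int]            # (TPID, 802.1p priority, VLAN ID)
VLAN_TPIDS = (0x8100, 0x88A8)         # 802.1Q and 802.1ad tag protocol identifiers


def build_frame(dst: bytes, src: bytes, tags: List[Tag],
                ethertype: int, payload: bytes) -> bytes:
    """Constructed frame: tags are listed outermost first, as on the wire."""
    frame = dst + src
    for tpid, prio, vid in tags:
        tci = (prio << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[Tag], int]:
    """Walk the real tag stack after the two MAC addresses; return the tags
    (outermost first) and the offset of the EtherType that follows them."""
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] in VLAN_TPIDS:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return tags, off


def inner_tag_by_parsing(frame: bytes) -> Optional[Tag]:
    """What the inner parameters are meant to see: the second tag, or nothing."""
    tags, _ = parse_tags(frame)
    return tags[1] if len(tags) >= 2 else None


def inner_tag_by_fixed_offset(frame: bytes) -> Tag:
    """What a classifier that treats every frame as double tagged reads:
    bytes 16..19, whatever they happen to contain."""
    tpid, tci = struct.unpack_from("!HH", frame, 16)
    return (tpid, tci >> 13, tci & 0x0FFF)


def misread_vid(frame: bytes) -> Optional[int]:
    """The VID an innervlanid classifier would compare against on a frame
    that has no inner tag at all (None when the frame really is double
    tagged, so no misread occurs)."""
    if inner_tag_by_parsing(frame) is not None:
        return None
    return inner_tag_by_fixed_offset(frame)[2]


# Constructed sample frames. The payload is the start of a typical IPv4 header.
DST = bytes.fromhex("0200000000aa")
SRC = bytes.fromhex("0200000000bb")
IPV4_HEADER_START = bytes.fromhex("4500003c1c4640004006")
DOUBLE_TAGGED = build_frame(DST, SRC, [(0x88A8, 0, 100), (0x8100, 5, 200)],
                            0x0800, IPV4_HEADER_START)
SINGLE_TAGGED = build_frame(DST, SRC, [(0x8100, 0, 100)],
                            0x0800, IPV4_HEADER_START)

if __name__ == "__main__":
    for name, frame in (("double tagged", DOUBLE_TAGGED), ("single tagged", SINGLE_TAGGED)):
        print(name, "parsed inner:", inner_tag_by_parsing(frame),
              "fixed-offset inner:", inner_tag_by_fixed_offset(frame))
```

On the double-tagged frame both readings agree. On the single-tagged frame the fixed-offset reading lands on the EtherType and the first two bytes of the IPv4 header, so an innervlanid classifier would be comparing against VID 1280 (0x4500 AND 0x0FFF) on every IPv4 packet. This is the reason the text says to remove inner classifiers when you disable nested VLANs: they keep matching, just not on a VLAN tag.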

Creating hardware filters

Once you have created a classifier, create a filter. The filter uses the classifier, and specifies an action.
add switch hwfilter[=<filter-id>] classifier=<rule-id>
action={copy|discard|forward|copy,discard|setl2qos}
Note that it is possible, but not required, to specify an ID number for the filter. If you do not specify an ID, then the filter is simply added to the end of the existing list of filters. However, if you want to insert a filter at a specific position in the list, then you can specify a filter ID. The filter will be inserted at the position indicated by the filter-id value, and all the existing filters from that position and above will move up one position.
For example, imagine you have the following set of filters:
add swi hwfilt class=1 action=xxx
add swi hwfilt class=4 action=xxx
add swi hwfilt class=3 action=xxx
add swi hwfilt class=6 action=xxx
Then, enter the following command:
add swi hwfilt=2 class=8 action=xxx
The new filter will be inserted at position 2 in the list. The previous filter #2 will become filter #3, the previous filter #3 will become filter #4, and the previous filter #4 will become filter #5:
add swi hwfilt class=1 action=xxx
add swi hwfilt class=8 action=xxx
add swi hwfilt class=4 action=xxx
add swi hwfilt class=3 action=xxx
add swi hwfilt class=6 action=xxx

The logic of the operation of the hardware filters

The operation of the filters follows the standard ACL logic: if a packet matches a filter, the comparison process stops and the action attached to the filter is performed. If a packet fails to match any of the filters, then the default action (forward) is taken.
Note: Hardware filters will act on packets that are destined for the switch itself (packets that would be passed up to the switch's own CPU) in exactly the same way as they act on packets that were destined to be forwarded directly by the switching chip.

The effects of the action parameters

Let us consider the effect of each of the possible action keywords.

discard
  What it does: Drops the traffic.
  When you need it: Use this when the filtering policy is to disallow certain traffic flows.

forward
  What it does: Forwards the traffic normally.
  When you need it: Use this when you want to discard a wide range of traffic, but still forward some small subset of traffic within that range.

copy
  What it does: Forwards the traffic normally, and also sends a copy of each packet to the CPU.
  When you need it: Use this when you want software monitoring of a certain packet flow. If you want to log, or count, or output debug pertaining to a certain stream, then create a filter that matches the packets in the stream, and specify copy for the action.

copy,discard
  What it does: Drops the traffic, but also sends a copy of each packet to the CPU.
  When you need it: Use this when you want software monitoring of a certain packet flow that is being dropped. If you want to log, count, or output debug pertaining to a certain disallowed stream, then create a filter that matches the packets in the stream, and specify copy,discard for the action.

setl2qos
  Note that this action has other parameters associated with it, as the following syntax shows:
  add switch hwfilter[=<filter-id>] classifier=<rule-id> action=setl2qos
  [l2qosqueue=0..7] [priority=0..7] [bandwidthclass=1..3]
  This action means you can use hardware filters to set the queue, 802.1p user priority or bandwidth class for packets.
  There is an elaborate QoS mechanism available for allocating these values to packets, but this filter type provides a simple method if you do not require a full QoS configuration. The principal use for this filter action, though, is as a mechanism for elevating the probability of CPU reception for packets that you determine to be “important”.
  In heavily congested networks, data streams can sometimes use up all the available bandwidth of the CPU receive process. This increases the probability of losing infrequently-sent control or management packets, for example, routing protocol packets (BGP, OSPF, PIM, DVMRP) or STP packets. By creating an appropriate classifier and hardware filter, such packets can be given higher priority forwarding up to the CPU.
  If you are using the filter to prioritise packets going up to the CPU, you only need to specify a value for the l2qosqueue parameter. The higher the value given to this parameter, the higher the priority the matching packets will be given in forwarding up to the CPU. It is possible to specify the priority and bandwidthclass parameters in this case, but they will have no effect, because the CPU ignores these parameters. The default value for the l2qosqueue parameter is 0.
  The priority parameter specifies the 802.1p user priority with which to re-mark matching packets. The default is 0.
  The bandwidthclass parameter specifies the bandwidth class (colour) to assign matching packets to. The default is 1 (green).
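A model of the filter list, added here as an example (it is not code from the Note or from Allied Telesis). It captures the two rules the preceding sections state in prose: add with a filter ID inserts at that 1-based position and shifts the rest up (the 1, 4, 3, 6 then 8-at-position-2 walk-through is reproduced in insertion_walkthrough()), and evaluation is first-match with forward as the default. build_policy() is a constructed policy that shows why the forward action exists: a narrow allow for one subset placed before the broad discard that covers it, with copy,discard used so the dropped packets still reach the CPU for logging. Classifiers are reduced to predicates over a small packet dictionary, and the 10.0.0.0/24 management subnet is hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Packet = Dict[str, Any]                   # constructed stand-in for a classified packet
Classifier = Callable[[Packet], bool]


@dataclass
class HwFilter:
    classifier_id: int
    action: str                           # discard | forward | copy | copy,discard | setl2qos
    match: Classifier


class HwFilterList:
    """Ordered filter list with the insertion and evaluation rules from the text."""

    def __init__(self) -> None:
        self.filters: List[HwFilter] = []

    def add(self, classifier_id: int, action: str, match: Classifier,
            filter_id: Optional[int] = None) -> None:
        """'add switch hwfilter[=<filter-id>] classifier=<id> action=<action>':
        without an ID the filter goes on the end of the list; with an ID it is
        inserted at that 1-based position and the filters from there on move
        up one position."""
        new = HwFilter(classifier_id, action, match)
        if filter_id is None:
            self.filters.append(new)
        else:
            self.filters.insert(filter_id - 1, new)

    def order(self) -> List[int]:
        """Classifier IDs in filter order (filter 1 first)."""
        return [f.classifier_id for f in self.filters]

    def evaluate(self, pkt: Packet) -> str:
        """Standard ACL logic: the first matching filter's action is taken and
        the comparison stops; a packet matching no filter is forwarded."""
        for f in self.filters:
            if f.match(pkt):
                return f.action
        return "forward"


def insertion_walkthrough() -> List[int]:
    """The example from the text: classifiers 1, 4, 3, 6 added in turn, then
    classifier 8 inserted as filter 2."""
    fl = HwFilterList()
    for cid in (1, 4, 3, 6):
        fl.add(cid, "discard", lambda p: False)
    fl.add(8, "discard", lambda p: False, filter_id=2)
    return fl.order()


MGMT_NET = ipaddress.ip_network("10.0.0.0/24")   # hypothetical management subnet


def build_policy() -> HwFilterList:
    """Constructed policy: order matters, because the narrow 'forward' must
    sit before the broad 'discard' that would otherwise swallow it."""
    fl = HwFilterList()
    # classifier 10: TCP port 22 from the management subnet -> allowed
    fl.add(10, "forward", lambda p: p["proto"] == "tcp" and p["dport"] == 22
           and ipaddress.ip_address(p["src"]) in MGMT_NET)
    # classifier 11: any other TCP port 22 -> dropped, with a CPU copy for logging
    fl.add(11, "copy,discard", lambda p: p["proto"] == "tcp" and p["dport"] == 22)
    # classifier 12: TCP to ports 1024 and above (replies to inside sessions) -> allowed
    fl.add(12, "forward", lambda p: p["proto"] == "tcp" and p["dport"] >= 1024)
    return fl


if __name__ == "__main__":
    print("order after insertion:", insertion_walkthrough())
    policy = build_policy()
    for pkt in ({"proto": "tcp", "src": "10.0.0.5", "dport": 22},
                {"proto": "tcp", "src": "192.0.2.9", "dport": 22},
                {"proto": "udp", "src": "192.0.2.9", "dport": 53}):
        print(pkt, "->", policy.evaluate(pkt))
```

Swapping filters 1 and 2 of build_policy() would make the management hosts' port 22 traffic hit the copy,discard filter first, so when a filter with an ID is inserted into an existing list it is worth re-reading the whole list in order, as the Note's own renumbering example shows every filter below the insertion point moves.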