Avaya Traffic Filters and Protocol Prioritization User Manual

BayRS Version 14.00 Part No. 308645-14.00 Rev 00

September 1999 4401 Great America Parkway

Santa Clara, CA 95054

Configuring Traffic Filters and Protocol Prioritization

and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must t ak e full re sponsib ility fo r th eir a pplic atio ns o f a ny products specified in this document. The information in this document is proprietary to Nortel Networks NA Inc.

The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document.

Trademarks

NORTEL NETWORKS is a trademark of Nortel Networks. Bay Networks, AN, BCN, BLN, BN, FRE, LN, Optivity and PPX are registered trademarks and Advanced Remote

Node, ANH, ARN, ASN, BayRS, BaySecure, BayStack, BayStream, BCC, and System 5000 are trademarks of Nortel Networks.

Microsoft, MS, MS-DOS, Win32, Windows, and Windows NT are registered trademarks of Microsoft Cor poration. All other trademarks and registered trademarks are t he property of their respective owners.

Restricted Rights Legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Sof tware clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights cl ause at FAR 52.227-19.

Statement of Conditions

In the interest of improvi ng internal design, operational fun c tion , an d/o r re lia bi lity, No rtel Ne tworks NA Inc. re se rv es the right to make changes to the products described in this document without notice.

Nortel Networks NA Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any docu mentation, advertising materials, and other materials related to such distribution and use acknowledge that su ch portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information containe d herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

308645-14.00 Rev 00

Nortel Networks NA Inc. Software License Agreement

NOTICE: Please carefully read this license agre ement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

1. License Grant. Nortel Networks NA Inc. (“Nortel Networks”) grants the end user of the Software (“Licensee”) a personal, nonex clusive, nontransferable license: a) to use the So ftwa re eithe r on a sing le com puter o r, if applicable, on a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup purposes in support of authorized use of t he Software; and c) to use and copy the associated user manual solely in support of authoriz ed use of th e Softwa re b y Licen see. Thi s license applies t o the So ftware o nly and d oes not extend to Nortel Networks Agent software or other Nortel Networks software products. Nortel Networks Agent software or other Nortel Networks software products are licensed for use under the terms of the applicable Nortel Networks NA Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software.

2. Restrictions on use; reservation of rights. The Software and user manuals are protected und er copyright laws. Nortel Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Nortel Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Nortel Networks’ and its licensors’ confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Nortel Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, a nd agents to use the Softw are at Licensee’s facility, provided they have agreed to use the Software only in accordance with the terms of this license.

3. Limited warranty . Nortel Networks warrants each item of Software, as delivered by Nortel Networks and properly installed and operated on Nortel Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If an y item of S oftware f ails to so function d uring its w arranty period, as the sole remedy Nortel Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Nortel Networks further warrants to Licensee that the media on which the Software is provided will be free from defec ts in materials and wo rkman ship under no rmal use for a peri od of 90 da ys from the date Software is first shipped to Licensee. Nortel Networks will replace defective media at no charge if it is returned to Nortel Netw orks during the warranty period along with proof of the date of ship ment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained from the Software. Nortel Networks does not warrant a) that the functions contained in the software will meet the Licensee’s requirements, b) that the Software will operate in the hardware or software combinations that the Licensee may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the operation of the Softw are will be corrected . Nortel Network s is not obligate d to remedy an y Software defect that cannot be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i) altered, except by Nortel Networks or in accordance with i ts instructions; (ii) used in conjunction with another vendor’s product, resulting in the de fect; or (iii) damage d by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible

308645-14.00 Rev 00

iii

for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs.

4. Limitation of liability. IN NO EVENT WILL NORTEL NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF NORTEL NETWORKS RELA TING TO THE SOFTW ARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO NORTEL NETWORKS FOR THE SOFTWARE LICENSE.

5. Government Licensees. This provision applies to a ll Softwa re and docum entation acquired d irectly or i ndirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without th e use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software––Restricte d Rig hts cla u se o f FAR 52.227-19 and the limita tions se t o ut in thi s licen se for civilian agencies, and subparagraph (c)(1)(ii ) of the Rights in Technical Data and Computer Software clause of DFARS

252.227-7013, for agencies of t he Department of Defense or their successors, whichever is applicable.

6. Use of Software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Nortel Networks of any such intended examination of the Software an d may procure support and assistance from Nortel Networks.

7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Nortel Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the Nortel Networks copyright; those restrictions relating to use and disclosure of Nortel Networks’ confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediat ely destroy or return to Nortel Networks the Software, user manuals, and all copies. Nortel Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.

8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricte d or em b argoed under United States expo r t con tr o l la w s an d r egulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.

9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California.

Should you have any questions concerning this Agreement, contact Nortel Networks, 4401 Great America Par kwa y, P.O. Box 58 185, Santa Clara, California 95054-8185.

LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN NORTEL NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST NORTEL NETWORKS UNLESS NORTEL NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.

308645-14.00 Rev 00

Preface

Before You Begin ............................................................................................................. xv

Text Conventions .............................................................................................................xvi

Acronyms ........................... .......................... .......................... ......................... ................xvii

Hard-Copy Technical Manuals ........ ...... ............................................. ....... ...... ................. xx

How to Get Help .............................................................................................................. xx

Chapter 1 Using Traffic Filters

What Are Traffic Filters? .................................................................................................1-1

Inbound Traffic Filters ...............................................................................................1-2

Outbound Traffic Filters ............................................................................................1-3

What Is Protocol Prioritization? ......................................................................................1-3

Filtering Strategies ...... ....... ............................................. ....... ...... ...................................1-4

Direct Traffic .............................................................................................................1-4

Drop or Accept Traffic ...............................................................................................1-4

Prioritize Traffic .........................................................................................................1-4

Combine Filters ........................................................................................................1-5

Build a Firewall .........................................................................................................1-5

Traffic Filter Components ................................................................................................1-6

Criteria .....................................................................................................................1-6

Predefined and User-Defined Criteria ...............................................................1-7

Ranges .............................. ................................. ................................ .................... 1 -11

Actions ...................................................................................................................1-11

Using Filter Templates ..................................................................................................1-13

Summary of Traffic Filter Support .................................................................................1-14

308645-14.00 Rev 00

Chapter 2 Using Protocol Prioritization Queues

About Protocol Priorit izati on ........................................... ....... ...... ...... ....... ...... ....... ...... ...2-1

Priority Queuing .......................................................................................................2-2

The Dequeuing Process ...........................................................................................2-3

Bandwidth Allocation Algorithm .........................................................................2-4

Strict Dequeuing Algorithm ................................................................................2-7

Enabling Protocol Prioritization .......................................................................................2-9

Enabling Protocol Prioritization on an ATM Circuit .......................................................2-10

Tuning Protocol Prioritization ........................................................................................2-11

Tuning Concepts ....................................................................................................2-11

Percent of Bandwidth .......................................................................................2-11

Queue Size ......................................................................................................2-12

Latency ............................................................................................................2-14

Editing Protocol Prioritization Parameters ..............................................................2-15

Monitoring Protocol Prioritization Statistics ............................................................2-16

Chapter 3 Inbound Traffic Filter Criteria and Actions

Transparent Bridge Criteria and Actions .........................................................................3-2

Predefined Transparent Bridge Criteria ....................................................................3-3

User-Defined Transparent Bridge Criteria ................................................................3-4

Transparent Bridge Actions ......................................................................................3-4

Source Route Bridging Criteria and Actions ...................................................................3-5

Predefined SRB Criteria ...........................................................................................3-5

Specifying an SRB Criterion Range ..................................................................3-5

User-Defined SRB Criteri a .............................................. ...... ...................................3-6

SRB Actions .............................................................................................................3-6

DECnet Phase IV Criteria and Actions ...........................................................................3-7

Predefined DECnet Criteria .....................................................................................3-7

User-Defined DECnet Criteria ............................................................ ...... ....... ......... 3-7

DECnet Actions .............................. ....... ...... ....... ...... ....... .........................................3-7

DLSw Criteria and Actions .............................................................................................3-8

Predefined DLSw Criteria ........................................................................................3-8

User-Defined DLSw Criteri a ............................... ...... ....... ...... ...... ....... ...... ................3-8

DLSw Actions ...........................................................................................................3-8

308645-14.00 Rev 00

IP Criteria and Actions ....................................................................................................3-9

Predefined IP Criteria ...............................................................................................3-9

User-Defined IP Criter ia .... ....... ...... ....... ...... ....... ...... ....... .........................................3-9

IP Actions . ...... ...... ....... ...... ....... ...... ....... ............................................. ...... ....... .......3-1 0

IPX Criteria and Actio ns ................. ...... ....... ...... ....... ...... ............................................. .3-1 1

Predefined IPX Criteria ..........................................................................................3-11

User-Defined IPX Criteri a ........................................................................ ....... ...... .3-12

IPX Actions .............................................................................................................3-12

LLC2 Criteria and Actions ............................................................................................3-12

Predefined LLC2 Criteria .......................................................................................3-12

User-Defined LLC2 Criteri a ................................ ...... ....... ...... ...... ....... ...... .............. 3 -1 3

LLC2 Actions ..........................................................................................................3-13

OSI Criteria and Actions ...............................................................................................3-13

Predefined OSI Criteria ..........................................................................................3-13

User-Defined OSI Criter ia ........ ...... ....... ............................................. ...... ....... .......3-1 4

OSI Actions ............................................................................................................3-14

VINES Criteria and Actions ..........................................................................................3-14

Predefined VINES Criteria .....................................................................................3-14

User-Defined VINES Criteria ...................... ....... ...... ....... ...... ...... ....... ...... ....... ...... .3-1 5

VINES Actions ........................................................................................................3-15

XNS Criteria and Actio ns ...................... ....... ...... ....... ............................................. ...... .3-1 5

Predefined XNS Criteria .........................................................................................3-15

User-Defined XNS Criteri a .............................................. ...... .................................3-16

XNS Actions ...........................................................................................................3-16

Chapter 4 Outbound Traffic Filter Criteria and Actions

Selecting Predefined Cr ite r ia ....................... ...... ....... ...... ....... ...... ...................................4-2

Predefined Data Link Criteria ...................................................................................4-2

Predefined IP Criteria ...............................................................................................4-5

Specifying Criteria Common to IP and Data Link Headers ......................................4-6

Selecting User-Defined Cr iteria ............ ....... ...... ....... ...... ....... ...... ...... .............................4-7

Data Link Reference Points ......................................................................................4-7

IP Reference Points ....................... ....... ...... ............................................. ....... ...... ...4-9

Selecting Actions ................................................................... ...... ...... ...........................4-10

Filtering Actions .................................... ...... ............................................. ....... ...... .4-1 0

308645-14.00 Rev 00

vii

Prioritizing Actions .................................................................................................4-11

Dial Service Actions ...............................................................................................4-11

Chapter 5 Specifying Common Criterion Ranges

Specifying MAC Address Ranges ...................................................................................5-2

SRB Source MAC Addresses ..................................................................................5-2

SRB Functional MAC Addresses .............................................................................5-3

Specifying VINES Address Ranges ................................................................................5-3

Specifying Source and Destination SAP Code Ranges .................................................5-4

Specifying Frame Relay NLPID Ranges .........................................................................5-5

Specifying PPP Protocol ID Ranges ...............................................................................5-5

Specifying TCP and UDP Port Ranges ..........................................................................5-6

Specifying Ethernet Type Ranges ..................................................................................5-7

Specifying IP Protocol ID and Type of Service Ranges ................................................5-10

Chapter 6 Applying Inbound Traffic Filters

Displaying the Inbound Traffic Filters Window ................................................................6-2

Preparing Inbound Traffic Filt er Tem plates ............................ ...... ...... ....... ...... ....... ...... ...6-3

Creating a Template .................................................................................................6-4

Customizing Templates ............................................................................................6-6

Copying a Te mplate .... ....... ...... ....... ...... ....... ...... ....... .........................................6-6

Editing a Template ...... ....... ...... ....... ...... ....... ............................................. ...... ...6-7

Creating an Inbound Traffic Filter ..................................................................................6-10

Editing an Inbound Traffic Filter ....................................................................................6-11

Enabling or Disabling an Inbound Traffic Filter .............................................................6-15

Deleting an Inbound Traffic Filter ..................................................................................6-16

Specifying User-Defined Criteria ..................................................................................6-17

Changing Inbound Traffic Filter Precedenc e ...... ....... ...... ............................................. .6-18

Chapter 7 Applying Outbound Traffic Filters

Displaying the Priority/Outbound Filters Window ...........................................................7-2

Preparing Outbound Traffic Filter Templates ..................................................................7-4

Creating a Template .................................................................................................7-4

Specifying Prioritization Length ................................................................................7-7

viii

308645-14.00 Rev 00

Customizing Templates ............................................................................................7-9

Copying a Te mplate .... ....... ...... ....... ...... ....... ...... ....... .........................................7-9

Editing a Template ...... ....... ...... ....... ...... ....... ............................................. ...... .7-1 0

Creating an Outbound Traffic Filter ...............................................................................7-13

Editing an Outbound Traffic Filter ................................................................................7-14

Enabling or Disabling an Outbound Traffic Filter ..........................................................7-18

Deleting an Outbound Traffic Filter ...............................................................................7-19

Specifying User-Defined Criteria ..................................................................................7-20

Changing Outbound Traffic Filter Precedence ..............................................................7-21

Chapter 8 Configuring IP Inbound Traffic Filters Using the BCC

IP Inbound Traffic Filter Concepts and Terminology .......................................................8-2

IP Traffic Filter Templates ................................... ...... ............................................. ...8-2

IP Inbound Traffic Filters ..........................................................................................8-3

Filter Precedence .....................................................................................................8-4

Filter Criteria and Actions .........................................................................................8-5

IP Filtering Actions ...... ....... ...... ....... ...... ....... ...... ....... ...... ...... .............................8-5

Extended and Nonextended Filtering Modes ...........................................................8-6

Creating an IP Traffic Filter Template ..............................................................................8-7

Creating an IP Inbound Traffic Filter ...............................................................................8-8

Specifying Match Criteria for IP Inbound Traffic Filters and Templates ..........................8-9

Specifying Source and Destination Networks As Match Criteria ...........................8-10

Specifying Source and Destination TCP and UDP Ports As Match Criteria ..........8-10

Specifying Protocol Identifiers As Match Criteria ...................................................8-13

Specifying the Type of Service (ToS) As Match Criteria .........................................8-15

Specifying TCP-Established Match Criteria ...........................................................8-15

Specifying User-Defined Criteria ............................................................................8-16

Specifying the Action of Inbound Traffic Filters and Templates ....................................8-16

Specifying the Log Action .......................................................................................8-19

Disabling and Reenabling IP Traffic Filters on an IP Interface ......................................8-20

Configuration Examples ...............................................................................................8-20

Creating an IP Traffic Filter Template .....................................................................8-20

Applying the Filter Template to an IP Traffic Filter ..................................................8-21

Creating a Traffic Filter Without Using a Filter Template ........................................8-22

308645-14.00 Rev 00

Appendix A Site Manager Protocol Prioritization Parameters

Priority Interface Parameter Descriptions ...................................................................... A-2

Prioritization Length Parameters ................................................................................... A-7

Appendix B Examples and Implementation Notes

Traffic Filter Example for Basic IP Network Security ...................................................... B-1

Inbound Traffic Filter Examples ..................................................................................... B-3

Protocol Prioritization Examples .................................................................................... B-7

Creating an Outbound Traffic Filter ......................................................................... B-7

Implementation Notes .................................................................................................. B-11

Filtering Outbound Frame Relay Traffic ....... ............................................. ....... ...... B -11

Filtering over a Dial Backup Line ........................................................................... B-11

Using a Drop-All Filter As a Firewall ..................................................................... B-12

Using Outbound Traffic Filters for LAN Protocols .................................................. B-13

Index

308645-14.00 Rev 00

Figures

Figure 2-1. Protocol Prioritization Dequeuing ............................................................2-3

Figure 2-2. Bandwidth Allocation Algorithm ...............................................................2-6

Figure 2-3. Strict Dequeuing Algorithm ......................................................................2-8

Figure 2-4. Priority Queue Statistics for the Queue Size Example ...........................2-13

Figure 2-5. Reconfigured Priority Queue Statistics for the Queue Size Examples ..2-14 Figure 3-1. Header Reference Fields for Transparent Bridge Encapsulation Methods 3-2

Figure 4-1. Predefined Data Link Criteria for Outbound Traffic Filters .......................4-4

Figure 4-2. Predefined IP Criteria for Outbound Traffic Filters ...................................4-6

Figure 4-3. Data Link Reference Points in an SRB Packet Bridged over

Bay Networks Proprietary Frame Relay ...................................................4-8

Figure 4-4. Data Link Reference Points in an IEEE 802.2 LLC Header .....................4-8

Figure 4-5. IP Reference Points in an IP-Encapsulated SRB

Packet Bridged over PPP ........................................................................4-9

Figure 6-1. Inbound Traffic Filters Window .................................................................6-3

Figure 6-2. Filter Template Management Window ......................................................6-5

Figure 6-3. Create Template Window .........................................................................6-5

Figure 6-4. Edit Template Window .............................................................................6-8

Figure 6-5. Create Filter Window .............................................................................6-11

Figure 6-6. Edit Filters Window ................................................................................6-13

Figure 6-7. Add User-Defined Field Window ............................................................6-18

Figure 6-8. Filters Window Showing Filter Precedence ...........................................6-19

Figure 6-9. Change Precedence Window ............ ...... ....... .......................................6-20

Figure 6-10. Filters Window Showing New Order of Precedence ....................... ...... .6-2 0

Figure 7-1. Displaying the Priority/Outbound Filters Window .....................................7-3

Figure 7-2. Priority/Outbound Filters Window ............................................................7-3

Figure 7-3. Filter Template Management Window ......................................................7-6

Figure 7-4. Create Priority/Outbound Template Window ............................................7-6

Figure 7-5. Prioritization Length Window ...................................................................7-7

Figure 7-6. Edit Priority/Outbound Template Window ..............................................7-11

308645-14.00 Rev 00

Figure 7-7. Create Filter Window .............................................................................7-14

Figure 7-8. Edit Priority/Outbound Filters Window ...................................................7-16

Figure 7-9. Add User-Defined Field Window ............................................................7-21

Figure 7-10. Priority/Outbound Filters Window Showing Filter Precedence ..............7-22

Figure 7-11 . Change Precedence Window ......................................................... ...... .7-2 3

Figure 7-12. Priority/Outbound Filters Window Showing New Order

of Precedence ........................................................................................7-23

xii

308645-14.00 Rev 00

Tables

Table 1-1. Predefined Inbound Traffic Filter Criteria .................................................1-8

Table 1-2. Predefined Outbound Traffic Filter Criteria ...............................................1-9

Table 1-3. Inbound Traffic Filter Actions ..................................................................1-12

Table 1-4. Outbound Traffic Filter Actions ...............................................................1-12

Table 1-5. Summary of Traffic Filter Support ..........................................................1-14

Table 3-1. Transparent Bridge Encapsulation Support .............................................3-3

Table 3-2. Predefined Criteria for Transparent Bridge Inbound Traffic Filters ...........3-3

Table 3-3. Predefined Criteria for SRB Inbound Traffic Filters ..................................3-5

Table 3-4. Predefined Criteria for DECnet Phase IV Inbound Traffic Filters .............3-7

Table 3-5. Predefined Criteria for DLSw Inbound Traffic Filters ................................3-8

Table 3-6. Predefined Criteria for IP Inbound Traffic Filters ......................................3-9

Table 3-7. User-Defined Criteria for IP Inbound Traffic Filters ................................3-10

Table 3-8. Predefined Criteria for IPX Inbound Traffic Filters ..................................3-11

Table 3-9. Predefined Criteria for LLC2 Inbound Traffic Filters ...............................3-12

Table 3-10. Predefined Criteria for OSI Inbound Traffic Filters .................................3-13

Table 3-11. Predefined Criteria for VINES Inbound Traffic Filters .............................3-14

Table 3-12. Predefined Criteria for XNS Inbound Traffic Filters ................................3-15

Table 4-1. Predefined Data Link Criteria for Outbound

Traffic Filters 4-2

Table 4-2. Predefined IP Criteria for Outbound Traffic Filters ...................................4-5

Table 4-3. Data Link Reference Points .....................................................................4-7

Table 4-4. IP Reference Points ................................................................................4-9

Table 5-1. Format for Specifying MAC Addresses ....................................................5-2

Table 5-2. Functional MAC Addresses .....................................................................5-3

Table 5-3. SAP Codes ........................................................................ ...... ....... .........5-4

Table 5-4. Fr a me Relay NLPIDs ...............................................................................5-5

Table 5-5. PPP Protocol IDs .................. ...... ....... ...... ....... ...... ...... ....... ...... ....... ...... ...5-5

Table 5-6. Source and Destination TCP Ports ..........................................................5-6

Table 5-7. Source and Destination UDP Ports ..........................................................5-6

308645-14.00 Rev 00

xiii

Table 5-8. Ethernet Type Codes ...............................................................................5-7

Table 5-9. IP Protocol ID Codes .............................................................................5-10

Table 5-10. IP Type of Service Codes .......................................................................5-10

Table 6-1. Using the Edit Template Window .............................................................6-9

Table 6-2. Using the Edit Filters Window ................................................................6-14

Table 7-1. Using the Edit Priority/Outbound Template Window ..............................7-12

Table 7-2. Using the Edit Priority/Outbound Filters Window ...................................7-17

Table 8-1. TCP and UDP Match Criteria Parameters ............................................ .8-11

Table 8-2. Common TCP Ports ...............................................................................8-12

Table 8-3. Common UDP Ports ..............................................................................8-12

Table 8-4. Common Protocol IDs for IP Traffic ........................................................8-14

Table 8-5. Actions and Dependencies for Inbound IP Traffic Filters .......................8-17

Table B-1. Predefined Criteria, Ranges, and Actions for Sample Inbound Traffic Filters B-5

Table B-2. User-Defined Criteria and Ranges for Sample Inbound Traffic Filters .... B-6

Table B-3. Sample Criteria, Ranges, and Actions for Protocol Prioritization ............ B-9

xiv

308645-14.00 Rev 00

This guide describes how to configure traffic filters and prioritize traffic on a Nortel Networks

You can use Site Manager to configure traffic filters on a router. You can use the Bay Command Console (BCC

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:

™

router.

Preface

™

) to configure IP inbound traffic filters on a router.

• Install the router (see the installation guide that came with your router).

• Connect the router to the network and create a pilot configuration file (see

Make sure that you are runni ng the lates t versio n of Nortel Netw orks BayRS Site Manager software. For information about upgrading BayRS and Site Manager, see the upgrading guide for your version of BayRS.

308645-14.00 Rev 00

Quick-Starti ng Router s , Conf igur ing BaySt ac k Remote Acc ess , or Connecting ASN Routers to a Network).

™

and

Configuring Traffic Filters and Protocol Prioritization

Text Conventions

This guide uses the following text conventions:

angle brackets (< >) Indicate that you choose the text to enter based on the

description inside the brackets. Do not type the brackets when entering the command.

Example: If the command syntax is:

ping

ip_address

ping 192.32.10.12

>, you enter:

bold text

Indicates command names and options and text that you need to enter.

Example: Enter

show ip {alerts | routes

Example: Use the

dinfo

command.

braces ({}) Indicate required elements in syntax descriptions

where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.

Example: If the command syntax is:

show ip {alerts | routes show ip alerts or show ip routes

}

, you must enter either:

, but not both.

brackets ([ ]) Indicate optional elements in syntax descriptions. Do

not type the brackets when entering the command. Example: If the command syntax is:

show ip interfaces [-alerts show ip interfaces

]

, you can enter either:

show ip interfaces -alerts

ellipsis points (. . . ) Indicate that you repeat the last element of the

command as needed.

xvi

Example: If the command syntax is:

ethernet/2/1 ethernet/2/1

parameter> <value

and as many parameter-value pairs as

needed.

. . .

, you enter

308645-14.00 Rev 00

Preface

italic text Indicates file and directory names, new terms, book

titles, and va riables in command syntax descriptions. Where a variable is two or mor e words, the words are connected by an underscore.

Example: If the command syntax is:

show at

valid_route

is one variable and you substitute one value

for it.

screen text Indicates system output, for example, prompts and

system messages.

Acronyms

Example:

Set Trap Monitor Filters

separator ( > ) Shows menu paths.

Example: Protocols > I P ide nti fies the IP option on the Protocols menu.

vertical line (

) Separates choices for command keywords and

arguments. Enter only one of the choices. Do not type the vertical line when enteri ng the command.

Example: If the command syntax is:

show ip {alerts | routes show ip alerts

}

, you enter either:

show ip routes

, but not both.

ANSI American National Standards Institute APPN Advanced Peer-to-Peer Networking ARP Address Resolution Protocol ATM Asynchronous Transfer Mode CCITT International Telegraph and Telephone Consultative

CLNP Connectionless Network Protocol

308645-14.00 Rev 00

Committee (now ITU-T)

xvii

Configuring Traffic Filters and Protocol Prioritization

CSMA/CD carrier sense multiple access/collision detection DE discard eligible DLC data link control DLCI data link connection identifier DLCMI Data Link Control Management Interface DLSw data link switching DSAP destination service access point FDDI Fiber Distributed Data Interface FTP File Transfer Protocol HDLC high-level data li nk control HSSI high-speed serial interface ICMP Internet Con trol Message Proto col IP Internet P rotocol IPX Internet Packet Exchange ISDN Integrated Services Digital Ne twork

xviii

ISO Inte rnational Organization for Standardization ITU-T International Telecommunications

Union–Telecommunications sector (formerly CCITT) LAN local area network LAT Local Area Transport LLC Logical Link Control LNM LAN Network Manager MAC media access control MCE1 multichannel E1 MCT1 multichannel T1 MSB most significant bit NLPID network layer protocol ID OSI Open Systems Interconnection OSPF Open Shortest Path First (protocol)

308645-14.00 Rev 00

Preface

PPP Point-to-Point Protocol PRI primary rate interface RIF routing information field RII routing information indicator RIP Routing Information Protocol SAP service access point SDLC Synchronous Data Link Control SMDS switched multimegabit data service SNA Systems Network Architecture SNAP Subnetwork Access Protocol SNMP Simple Network Management Protocol SRB source routing bridge SSAP source service access point STP shielded twisted pair TCP/IP Transmission Control Protocol/Internet Protocol Telnet Telecommunication network TFTP Trivial File Transfer Protocol UDP User Datagram Protocol UTP unshielded twisted pair VINES Virtual Network Systems WAN wide area network XNS Xerox Network System

308645-14.00 Rev 00

xix

Configuring Traffic Filters and Protocol Prioritization

Hard-Copy Technical Ma nua ls

You can print selected technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the product for which you need documentation. Then locate the specific category and model or version for your hardw are or soft ware product . Usi ng Adobe Ac robat Re ader, you can open the manuals and releas e notes, search for the sections you ne ed, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Systems Web site, www.adobe.com.

You can purchase selected documentation sets, CDs, and technical publications through the collateral catalog. The catalog is located on the World Wi de Web at

support.baynetworks.com/catalog.html and is divided into sections arranged

alphabetically:

• The “CD ROMs” section lists available CDs.

• The “Guides/Books” section lists books on technical topics.

• The “Technical Manuals” section lists available printed documentation sets.

How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nort el Net wor ks s ervice pr ogram, c ontact one of the f ollowing Nortel Networks Technical Solutions Centers:

Technical Solutions Center Telephone Number

Billerica, MA 800-2LANWAN (800-252-6926) Santa Clara, CA 800-2LANWAN (800-252-6926) Valbonne, France 33-4-92-96-69-68 Sydney, Australia 61-2-9927-8800 Tokyo, Japan 81-3-5402-7041

308645-14.00 Rev 00

Chapter 1

Using Traffic Filters

This chapter describes concepts and terms to help you understand and plan for traffic filter configurations on Nortel Networks routers.

Topic Page

What Are Traffic Filters? 1-1 What Is Protocol Prioritization? 1-3 Filtering Strategies 1-4 Traffic Filter Components 1-6 Using Filter Templates 1-13 Summary of Traffic Filter Support 1-14

What Are Traffic Filters?

Traffic filters are router files that instruct an interface to selectively handle specified network traffic (packets, frames, or datagrams). You determine which packets receive special handling based on infor mation f ie lds in t he pack et header s.

Using traffic filters, you can reduce network congestion and control access to network resources by blocking, forwarding, logging, or prioritizing specified traffic on an interface.

Note:

Do not confuse traffic filters with other router filters. Traffic filters help you manage customer traffic. Routing filters help you manage routing control traffic (such as route table updates).

308645-14.00 Rev 00

1-1

Configuring Traffic Filters and Protocol Prioritization

Nortel Networks routers support two types of traffic filters:

• Inbound traffic filters act on packets that the rout er is receiving.

• Outbound traffic filters act on packets t hat the router is forwardin g. You can create traffic filters on the following router interfaces:

• Ethernet (10BASE-T and 100BASE-T)

• FDDI

• HSSI

•MCE1

•MCT1

• Synchronous

• Token ring You can apply multiple traffic filters to a single interface. When more than one

filter applies to a packet, the order of filters determines the filtering result.

Inbound Traffic Filters

1-2

Inbound traffic filters act on packets arriving at a particular router interface. Most sites use inbound traffic filters primaril y for secu rity, to restrict access to nodes in a network.

When you configure inbound traffic filters, you specify a set of conditions that apply to the traffic of a particular bridging or routing protocol. The Configuration Manager supports inbound traffic filters for the following protocols:

• Transparent bridge (four encapsulation methods: Ethernet, 802.2 LLC, 802.2

LLC with SNAP, and Novell Proprietary)

• Native source route bridging (SRB)

•IP

•IPX

• XNS

•OSI

• DECnet Phase IV

•VINES

• DLSw

• LLC2 (APPN and LNM)

308645-14.00 Rev 00

Chapter 3 provides protocol-specific information for designing inbound traffic filters. Chapt er 6 explains ho w to use the Conf iguration Manager to apply inbound traffic filters.

Outbound Traffic Filters

Outbound traffic filters act on packets that the router forwards to a local area network (LAN) or wide area network (WAN) through a particular interface. Most sites use outbound traffic filters to ensure timely delivery of critical data, or to restrict traffic leaving the local network.

Outbound traffic filters are not based on a routing protocol, as are inbound traffic filters. When you con fi gure outbo und traffic filters, you s pecify a s et of cond ition s that apply to the following packet headers:

• Data link control (DLC) header

•IP header To use outbound traffic filters, you must select Protocol Priority as one of the

configured prot ocols on an interface. Protocol Priority is enabled by default on circuits configured with Frame Relay or PPP. Otherwise, you must enable Protocol Priority the first time you configure outbound traffic filters on an interface.

Using Traffic Filters

Chapter 4 provides information for designing outbound traffic filters. Chapter 7 explains how to use the Configuration Manager to enable Protocol Priority and apply outbound traffic filters.

What Is Protocol Prioritization?

Protocol prioritization is an outbound traffic filter mechanism. With Protocol Priority enabled on an interface, the router sorts traffic into

prioritized delivery queues (High, Normal, and Low), called priority queues. Priority queues affect the sequence in which data leaves an interface; they do not affect traffic as it arrives at the router. You use outbound traffic filters to specify how traffic is sorted into priority queues. By default, all outbound traffic goes to the Normal queue.

See Chapter 2 to learn more about priority queuing and dequeuing.

308645-14.00 Rev 00

1-3

Configuring Traffic Filters and Protocol Prioritization

Filtering Strategies

This section recommends ways you might use traffic filters in a network. See Appendix B for specific examples.

Direct Traffic

You can create traf f i c f i lter s that affect a particular protocol’s traffic. F or e xampl e, you can forward all IP traffic to a next-hop address. You can also create traffic filters th at affect certain locations on a b ridged network. F or example, if you want all traffic from a node with a particular source MAC address (perhaps an application server) to take precedence over other traffic, you can use protocol prioritization to assign a high priority to any traffic with that source address.

Drop or Accept Traffic

You can configure a router interface to accept only specified traffic and drop all other packets by configuring inbound traffic filters with specific accept criteria.

Or, to accept most traffic and drop only specified packets, you can configure inbound traffic filters for the traffic you want to drop.

Note:

For example, to prevent all NetBIOS traffic from ente ring a particular LAN segment, you can create an inbound traffic filter to drop all packets with a destination or source SAP code of F0.

Prioritize Traffic

You can use protocol prioritization to expedite traffic coming from a particular source or going to a particular destination.

When a router treats all packets equally, there is no way to ensure consistent network services for users who are working with real-time applications. Bulk transfer applications use too much of the available bandwidth and reduce interactive response time. These problems are especially noticeable on low-speed WAN interfaces.

1-4

Drop filters are generally more efficient than Accept filters.

308645-14.00 Rev 00

You can also improve application response time and prevent session timeouts by implementing protocol prioritization.

Combine Filters

On most interfaces, you can apply as many as 31 inbound and 31 outbound t ra ffic filters for each protocol. You can configure IP interf aces to su pport as many as 127 inbound traffic filters.

As you add filters to an interface, the Configuration Manager numbers them chronologically (Filter No. 1, Filter No. 2, Filter No. 3, and so on). The filter rule number determines the filter’s precedence. Lower numbers have higher precedence; Filter No. 1 has the highest precedence. If a packet matches two filters, the filter with the high est precedence (lowest number) applies.

After you create traffic filters, you can change their precedence by reordering them. See “Changing Inbound Traffic Filter Precedence” on page 6-18 (inbound traffic filters) or “Changing Outbound Traffic Filter Precedence” on page 7-21 (outbound traffic filters).

Using Traffic Filters

Build a Firewall

If your filtering strategy involves blocking most or all inbound traffic (a firewall) you can create a Drop-all filter for each protocol on the interface. That means for each protocol you are filtering, you choose a filter criterion that appears in every packet of the protocol (for example, a MAC address).

You can also create exceptions to the Drop-all filter by adding more-specific, higher-precedence filters to allow only specified traffic on an interface. See “Using a Drop-All Filter As a Firewall” on page B-12 for more information about combining filters to accept certain traffic.

308645-14.00 Rev 00

1-5

Configuring Traffic Filters and Protocol Prioritization

Traffic Filter Components

The Configuration Manager creates traffic filters from template files that contain filtering information. Traffic filter templates consist of three components:

• Criteria

The portion of the incoming packet, frame, or datagram header to be examined

•Ranges

Numeric values (often addresses) to be compared with the contents of examined packets

• Actions

What happens to packets that match the criteria and ranges specified in a filter

To create a traffic filter, you apply a filter template to a particular router interface.

Table 1-5

filter criteria and actions supported on specific interfaces.

(at the end of this ch apter) summa rizes th e inbound an d outbound t raf fi c

Criteria

1-6

A f

ilter criterion is the portion of a packet, frame, or datagram header to be

examined. You can break down any packet into at least three components:

• The DLC (or data link) header. Examples of data link header types include:

-- Token ring (802.5)

-- Ethernet V.2 and IEEE 802.3

-- FDDI

-- PPP and Nortel Networks Standard

-- Frame Relay

• The upper-level protocol header. Examples of protocol header types include:

-- IP and TC P

-- Source route bridging (SRB)

-- DLSw

•User data

308645-14.00 Rev 00

Using Traffic Filters

A traffic filter criterion is defined by a byte length and an offset from common bit patterns (reference points) in the data link or protocol header. The criterion includes the length of the filtered pattern and an offset from the known reference point. The traffic filter us es thi s information to locate which portion of a packet t o examine.

For bridged traffic, predefined criteria are part of the data link header. For routed traffic, a predefined criterion can be part of the data link header or an upper-level protocol header.

Inbound traffic filter criteria use reference points in the upper-level protocol header. You select inbound criteria based on the protocol of the incoming traffic. Outbound traffic filters use reference points in only the IP or DLSw protocol headers. You select outbound criteria based on the WAN protocol configured on the interface (transparent bridge, SRB, PPP, or Frame Relay).

Predefined and User-Defined Criteria

The Configuration Manager provides a selection of default filter criteria (predefined criteria) for both inbound and outbound traffic filters. Predefined criteria consist of predefined offsets and lengths from common reference points.

You can also def ine a c rite rion b ase d on bit patt ern s in a pack et hea der that are not supported in predefined criteria (user-defined criteria). To apply user-defined criteria, you specify the bit length and offset from a supported reference point. Chapter 3 lists the supported reference points for inbound traffic filters. lists the reference points for outbound traffic filters.

To fit your site’s traffic patterns, you can use a combination of predefined and user-defined criteria in up to 32 traffic filters on each interface.

308645-14.00 Rev 00

1-7

Configuring Traffic Filters and Protocol Prioritization

Predefined Criteria

Table 1-1 summarizes the predefined inbound traffic filter criteria for supported

protocols.

Table 1-1. Predefined Inbound Traffic Filter Criteria

Traffic Type Predefined Inbound Filter Criteria

Transparent bridge (Four data link encapsulation

methods: Ethernet, 802.2 LLC, Novell Proprietary, 802.2 LLC with SNAP)

SRB (Native only; IP-encapsulated SRB

is not supported) DECnet Phase IV Area (Source or Destination)

DLSw MAC Address (Source or Destination)

IP Type of Service

IPX Network (Source or Destination)

OSI OSI Area (Source or Destination)

MAC Address (Source or Destination) Ethernet Type Novell

802.2 LLC Length

802.2 LLC DSAP

802.2 LLC SSAP

802.2 LLC Control

802.2 SNAP Length

802.2 SNAP Protocol ID

802.2 SNAP Ethernet Type MAC Address (Source or Destination)

DSAP SSAP NetBIOS Name (Source or Destination)

Node (Source or Destination)

DSAP SSAP

IP Address (Source or Destination) UDP Port (Source and/or Destination) TCP Port (Source and/or Destination) UDP or TCP Source Port UDP or TCP Destination Port Established TCP Protocols Protocol Type

Host Address (Source or Destination) Socket (Source or Destination)

System ID (Source or Destination)

(continued)

1-8

308645-14.00 Rev 00

Using Traffic Filters

Table 1-1. Predefined Inbound Traffic Filter Criteria

Traffic Type Predefined Inbound Filter Criteria

LLC2 MAC Address (Source or Destination)

DSAP SSAP

VINES Protocol Type

VINES Address (Source or Destination)

XNS Network (Source or Destination)

Address (Source or Destination) Socket (Source or Destination)

(continued )

Table 1-2 summarizes the predefined outbound traffic filter criteria for data link

and IP headers.

Note: See Configuring DLSw Services for information about criteria for

outbound traffic filters based on the DLSw header.

Table 1-2. Predefined Outbound Traffic Filter Criteria

Header Traffic Typ e Predefined Outbound Filter Criteria

IP header IP Type of Service

308645-14.00 Rev 00

Priority_IP Address (Source and/or Destination) UDP Port (Source and/or Destination) TCP Port (Source and/or Destination) Established TCP Protocol Type

Native SRB SSAP

Destination Address

Source Address PPP Protocol ID Frame Relay 2-byte DLCI

3-byte DLCI

4-byte DLCI

NLPID

(continued)

1-9

Configuring Traffic Filters and Protocol Prioritization

Table 1-2. Predefined Outbound Traffic Filter Criteria

Header Traffic Typ e Predefined Outbound Filter Criteria

Data link header Transparent bridge

(Data Link Type)

Native SRB SSAP

PPP Protocol ID Frame Relay 2-byte DLCI

MAC Address (Source or Destination)

Ethernet Type

Novell

802.2 Length

802.2 DSAP

802.2 SSAP

802.2 Control

802.2 SNAP Length

802.2 SNAP Protocol ID

802.2 SNAP Ethernet Type

DSAP

3-byte DLCI

4-byte DLCI

NLPID

Ethernet Type

(continued)

User-Defined Criteria

1-10

To apply customized criter ia that use fields that are not represented i n a protocol’s predefined criteria, you can create a user-defined criterion. You specify its location in the packet header by specifying the following:

• Reference point A known bit position in the packet header

• Offset The first posit ion of the filtered bit pattern in relation to the reference point

(measured in bits)

• Length The total bit length of the filtered pattern

308645-14.00 Rev 00

+ 154 hidden pages

Avaya Traffic Filters and Protocol Prioritization User Manual

Configuring Traffic Filters and Protocol Prioritization

Contents

Figures

Tables

Before You Begin

Preface

Text Conventions

Acronyms

Hard-Copy Technical Ma nua ls

How to Get Help

What Are Traffic Filters?

Inbound Traffic Filters

Outbound Traffic Filters

What Is Protocol Prioritization?

Filtering Strategies

Direct Traffic

Drop or Accept Traffic

Prioritize Traffic

Combine Filters

Build a Firewall

Traffic Filter Components

Criteria

Predefined and User-Defined Criteria