Allied Telesis X900-12XT/S - Manual
Table of Contents:
- Page 2 – Contents
- Page 3 – Creating hardware ACLs; Creating IP hardware ACLs
- Page 4 – IP packets; ICMP packets
- Page 5 – TCP and UDP
- Page 6 – Creating MAC address hardware ACLs; The effects of the action keywords in ACLs
- Page 7 – Making filters by applying hardware ACLs to ports
- Page 8 – Making filters by using QoS class-maps
- Page 9 – Specifying what the class-map will match on
- Page 10 – Matching on “inner” keywords for nested VLANs
- Page 11 – Matching on TCP flag
- Page 12 – Matching on eth-format and protocol; Applying the policy-map to ports
- Page 13 – The logic of the operation of the hardware filters; Combining interface ACLs and QoS class-maps
- Page 14 – Examples; Blocking all multicast traffic
- Page 15 – Blocking all multicast traffic except one address
- Page 16 – Mirroring ARP packets
- Page 17 – Blocking TCP sessions in one direction only
- Page 18 – How many filters can you create?; The filter rules table
- Page 19 – (continued)
- Page 20 – Are there enough bytes for your set of filters?
- Page 21 – Some protocols also use filters, so use some of the length
C613-16119-00 REV A | www.alliedtelesis.com | AlliedWare Plus™ OS How To Note
Introduction
The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful hardware-based packet-filtering facility.

These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and perform a variety of different actions on the packets that match the filters.

Because the filters are hardware-based, they put no load on the CPU of the switch, and do not affect the throughput of the switch. It is possible to configure over 1000 different filters and still have complete wire-speed throughput on the switch.

On the AlliedWare Plus OS, hardware-based packet filtering is carried out by using hardware ACLs (Access Control Lists). The following configuration methods are available:

1. To make a simple filter based on IP address, MAC address, TCP/UDP port, or ICMP type, you simply create one or more ACLs and apply them to a port. You can build up a filter hierarchy by applying multiple ACLs to a port (e.g. make one ACL to allow traffic from a source IP address to a destination address, then a second ACL to drop all (other) traffic from that source IP address). This How To Note calls ACLs that are applied to ports interface ACLs.

2. To make a filter based on a range of other packet settings, you use QoS match commands in one or more QoS class-maps, mostly in combination with ACLs. Then you use QoS to apply the class-maps to a policy-map and port.

This note describes both approaches. Then it gives a series of examples, and ends by discussing how many filters you can make.
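As an added illustration of the two approaches (constructed for this page, not configuration taken from the Note itself), the following AlliedWare Plus fragment first builds the interface-ACL hierarchy the introduction describes (permit one source-to-destination flow, then drop all other traffic from that source) and then shows the class-map/policy-map route for a VLAN-based filter. The port name `port1.0.1`, the ACL numbers 3000 to 3002, the names `drop-vlan10` and `hw-filters`, VLAN 10, and the 192.0.2.x addresses are placeholders; the `access-group`, `class-map`, `match access-group`, `match vlan`, `policy-map`, and `service-policy input` commands, and the use of a `deny ip any any` ACL inside the class-map to drop the matched VLAN traffic, are assumptions about the AlliedWare Plus CLI rather than text quoted from this page.

```text
! Method 1: interface ACLs applied directly to a port (constructed example).
! Hardware ACL numbers are in the 3000-3699 range; "host" names one address, "any" matches all.
awplus(config)# access-list 3000 permit ip host 192.0.2.10 host 192.0.2.20
awplus(config)# access-list 3001 deny ip host 192.0.2.10 any
awplus(config)# interface port1.0.1
! The ACLs are evaluated in the order they are attached, so the permit must be attached first.
awplus(config-if)# access-group 3000
awplus(config-if)# access-group 3001
awplus(config-if)# exit

! Method 2: a QoS class-map combined with an ACL, applied through a policy-map (constructed example).
! Assumed: the ACL supplies the action, the class-map narrows the match to VLAN 10.
awplus(config)# access-list 3002 deny ip any any
awplus(config)# class-map drop-vlan10
awplus(config-cmap)# match access-group 3002
awplus(config-cmap)# match vlan 10
awplus(config-cmap)# exit
awplus(config)# policy-map hw-filters
awplus(config-pmap)# class drop-vlan10
awplus(config-pmap-c)# exit
awplus(config-pmap)# exit
awplus(config)# interface port1.0.1
awplus(config-if)# service-policy input hw-filters
```

Attaching the permit ACL before the deny ACL matters because, as the Note's section on the logic of the hardware filters explains, interface ACLs are checked in the order in which they are attached to the port; reversing the two lines would drop the flow you meant to allow. Verify the resulting rules with the switch's own show commands for ACLs and policy-maps before relying on them.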
Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches
Summary
Page 2 | AlliedWare Plus™ OS How To Note – Contents: Introduction ... 1; Which products and software version does this Note apply to? ...
Page 3 | Creating hardware ACLs: Hardware ACLs contain both the match criteria and the action to take on matching traffic. There are two types of hardware ACL: IP address and MAC address. These are indexed by their ID number. IP hardware ACLs hav...
Page 4 | Creating hardware ACLs – IP packets: You can filter IP packets on the basis of their source and/or destination IP addresses. The command syntax is: awplus(config)#access-list <3000-3699> <action> ip <source-ip-address> <destination-ip-a...