Page 2 | AlliedWare Plus™ OS How To Note
Contents
Introduction .......... 1
Which products and software version does this Note apply to? .....
Page 3
Creating hardware ACLs
Hardware ACLs contain both the match criteria and the action to take on matching traffic. There are two types of hardware ACL: IP address and MAC address. These are indexed by their ID number. IP hardware ACLs hav...
Page 4
IP packets
You can filter IP packets on the basis of their source and/or destination IP addresses. The command syntax is:
awplus(config)#access-list <3000-3699> <action> ip <source-ip-address> <destination-ip-a...
Page 5
TCP and UDP packets
You can filter TCP and UDP packets on the basis of:
- source IP address and/or destination IP address (using the same syntax as when filtering IP packets)
- source and/or destination TCP/UDP ports.
The command syntax...
Page 6
Creating MAC address hardware ACLs
MAC address hardware ACLs filter packets on the basis of their source or destination MAC address. The command syntax is:
awplus(config)#access-list <4000-4699> <action>...
Page 7
Making filters by applying hardware ACLs to ports
You can create a filter by simply applying one or more ACLs to a port, as long as you can select the matching traffic through hardware ACL keywords, as describ...
Page 8
Making filters by using QoS class-maps
QoS class-maps allow you to match on a much wider range of packet attributes than ACLs by themselves. They do this by determining the match criteria from an ACL, or from match comma...
Page 9
3. Specify what the class-map will match on (see page 9). This involves:
- attaching the ACL to the class-map
- using other match commands to further limit which traffic will match the class-map (unless the ACL’s set...
Page 10
Matching on “inner” keywords for nested VLANs
The match tpid, match inner-tpid, match inner-vlan, and match inner-cos commands all apply to nested VLAN configuration. In this situation, the packets arriving at the co...
Page 11
Matching on TCP flags
Unlike the other match commands, you can match on multiple TCP flags. The switch combines the specified flags by ANDing them together. To specify multiple flags, either make multiple match tcp-f...
Page 12
Matching on eth-format and protocol
Ethernet format and protocol are specified together, as a pair. You can either specify the command as:
match eth-format <keyword> protocol <keyword-or-number>
or match...
Page 13
The logic of the operation of the hardware filters
The operation of the filters follows the standard ACL logic: if a packet matches an ACL on the port, the comparison process stops and the action attached to...
Page 14
Examples
Blocking all multicast traffic
This example uses an interface ACL with an action of deny. Consider a situation where multiple clients are attached to the switch, with each client attached to a different port. Each client has a specific serv...
Page 15
Blocking all multicast traffic except one address
This example uses two interface ACLs, one with an action of permit and one with an action of deny. Use this type of configuration when you want to discard a wide range of traffic but want to forward ...
Page 16
Mirroring ARP packets
This example uses a QoS class-map. Use this type of configuration when you want to mirror a subset of the incoming traffic on a port, and you need to use QoS match commands to select the mirrored traffic. Consider a situation w...
Page 17
Blocking TCP sessions in one direction
This example uses two QoS class-maps. Administrators often want to block the establishment of TCP sessions in one direction, but allow TCP sessions to be established in the opposite direction. To do this, it is...
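The first-match logic from page 13, and the two ordering-sensitive examples it governs (permit one multicast address before denying the 224.0.0.0/4 range; permit SYN+ACK before denying SYN so that only one side can open TCP sessions), modelled as a small Python simulation. This is an added example, not AlliedWare Plus code and not the note's own configuration: the Packet and Rule structures, the addresses, and two modelling choices are assumptions. First, traffic that matches no rule is forwarded normally (the note's truncated text does not say what happens to unmatched traffic). Second, a rule's TCP flags are a list of bits that must be set and nothing else is examined, so a rule for "syn" also matches a SYN+ACK segment; that is what makes the order of the two class-maps matter.

```python
"""Model of first-match evaluation for a port's hardware filters.

Added illustration, not AlliedWare Plus code: rules, packets and the treatment
of unmatched traffic are constructed here to show why attachment order matters.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "udp"                     # "tcp", "udp", "icmp", ...
    tcp_flags: frozenset = frozenset()     # TCP flag names that are set


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    src: str = "any"                       # "any", "host A.B.C.D" or "A.B.C.D/n"
    dst: str = "any"
    proto: str = "ip"                      # "ip" matches every IP protocol
    tcp_flags: frozenset = frozenset()     # every listed flag must be set (AND)


def addr_matches(spec: str, addr: str) -> bool:
    """Match one address against an ACL address keyword."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    # ANDed flags: the rule lists bits that must be set; other bits are not
    # examined (assumption), so a rule for "syn" also matches SYN+ACK.
    if not rule.tcp_flags <= pkt.tcp_flags:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def evaluate(rules, pkt: Packet, unmatched: str = "forward") -> str:
    """Standard ACL logic: the first rule that matches decides and later rules
    are not consulted. Traffic matching no rule gets `unmatched`, assumed here
    to mean normal forwarding."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return unmatched


# "Block all multicast except one address": the permit must be attached first.
MULTICAST_EXCEPT_ONE = [
    Rule("permit", dst="host 239.1.1.1"),
    Rule("deny", dst="224.0.0.0/4"),
]

# "Block TCP session establishment in one direction", applied on the port that
# faces the side that must not open sessions: SYN+ACK replies pass, bare SYNs
# are dropped, everything else is untouched.
BLOCK_INBOUND_TCP_SETUP = [
    Rule("permit", proto="tcp", tcp_flags=frozenset({"syn", "ack"})),
    Rule("deny", proto="tcp", tcp_flags=frozenset({"syn"})),
]


def demo() -> dict:
    """Verdicts for constructed packets, in the right and the wrong rule order."""
    mc_wanted = Packet("10.0.0.5", "239.1.1.1")
    mc_other = Packet("10.0.0.5", "239.2.2.2")
    unicast = Packet("10.0.0.5", "10.0.0.9")
    syn = Packet("198.51.100.7", "10.0.0.9", "tcp", frozenset({"syn"}))
    syn_ack = Packet("198.51.100.7", "10.0.0.9", "tcp", frozenset({"syn", "ack"}))
    data = Packet("198.51.100.7", "10.0.0.9", "tcp", frozenset({"ack", "psh"}))
    return {
        "mc_wanted": evaluate(MULTICAST_EXCEPT_ONE, mc_wanted),
        "mc_other": evaluate(MULTICAST_EXCEPT_ONE, mc_other),
        "unicast": evaluate(MULTICAST_EXCEPT_ONE, unicast),
        # the same two ACLs attached in the wrong order: the deny swallows all
        "mc_wanted_wrong_order": evaluate(MULTICAST_EXCEPT_ONE[::-1], mc_wanted),
        "syn": evaluate(BLOCK_INBOUND_TCP_SETUP, syn),
        "syn_ack": evaluate(BLOCK_INBOUND_TCP_SETUP, syn_ack),
        "data": evaluate(BLOCK_INBOUND_TCP_SETUP, data),
        "syn_ack_wrong_order": evaluate(BLOCK_INBOUND_TCP_SETUP[::-1], syn_ack),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The two "wrong order" entries are the point: with the deny attached first, the permitted multicast group is dropped, and the SYN+ACK reply that the inside host needs is dropped, so sessions cannot be opened in either direction.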
Page 18
How many filters can you create?
The total number of filters that can be created is not an exact number, but depends on which fields the various filters are matching on. So, to understand how to work out whether the set of fi...
Page 19
2. The profile (mask)
The other item is called the profile. Conceptually, this is a 16-byte mask that decides which set of bytes should be extracted from a packet as it enters the filtering process, to be compared against all...
Page 20
Are there enough bytes for your set of filters?
Of course, the mask cannot increase without limit: it has a maximum size of 16 bytes. When it reaches the 16-byte limit, no more ACLs or QoS match commands can be created which w...
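A worked check of the 16-byte profile described on pages 19 and 20, as an added example that is not part of the note. It uses a simplified model: each match criterion is charged the on-the-wire width of the header field it examines, the profile is the union of the fields used by every filter on the switch (so a field costs its bytes once, however many filters use it), and the bytes that other features have already taken are passed in as a `reserved` parameter. The field widths are standard header sizes; how the hardware actually lays fields into its mask is not stated on the page, so the numbers are illustrative and the filter sets are constructed.

```python
"""Budget check for the 16-byte filter profile (mask).

Added illustration, not from the note: field widths are on-the-wire header
field sizes, and the way filters share one profile is a simplified model.
"""
from typing import Iterable, Optional

PROFILE_LIMIT = 16  # bytes: the maximum mask size given in the note

# Bytes each match criterion pulls into the profile (header field widths).
FIELD_BYTES = {
    "src-mac": 6,
    "dst-mac": 6,
    "vlan": 2,          # 802.1Q TCI carrying the 12-bit VID
    "ip-protocol": 1,
    "dscp": 1,          # the IP ToS/DSCP byte
    "src-ip": 4,
    "dst-ip": 4,
    "src-port": 2,
    "dst-port": 2,
    "tcp-flags": 1,
    "icmp-type": 1,
    "icmp-code": 1,
}


def profile_fields(filters: Iterable[Iterable[str]]) -> set:
    """The profile is shared: a field costs bytes once, however many filters use it."""
    fields = set()
    for f in filters:
        for name in f:
            if name not in FIELD_BYTES:
                raise ValueError(f"unknown match field: {name}")
            fields.add(name)
    return fields


def profile_bytes(filters, reserved: int = 0) -> int:
    """Mask bytes consumed by these filters plus `reserved` bytes already taken
    by other features on the switch (an assumption: the note only says that
    some protocols use part of the length)."""
    return reserved + sum(FIELD_BYTES[f] for f in profile_fields(filters))


def fits(filters, reserved: int = 0) -> bool:
    return profile_bytes(filters, reserved) <= PROFILE_LIMIT


def first_overflow(filters, reserved: int = 0) -> Optional[int]:
    """Index of the first filter (in creation order) that no longer fits, or
    None. Mirrors the failure mode on the page: the filter that would push the
    profile past 16 bytes is the one that cannot be created."""
    so_far = []
    for i, f in enumerate(filters):
        so_far.append(f)
        if not fits(so_far, reserved):
            return i
    return None


# Constructed filter sets, each filter listed by the fields it matches on.
IP_ONLY = [
    {"src-ip", "dst-ip"},                            # plain IP ACL
    {"src-ip", "dst-ip", "src-port", "dst-port"},    # TCP/UDP ACL
    {"dst-ip", "ip-protocol"},                       # IP ACL, adds only 1 byte
]
WITH_MAC = IP_ONLY + [{"src-mac", "dst-mac"}]        # adds 12 bytes: too long


if __name__ == "__main__":
    for name, fset in (("IP_ONLY", IP_ONLY), ("WITH_MAC", WITH_MAC)):
        print(name, profile_bytes(fset), "bytes, fits:", fits(fset),
              "first overflow:", first_overflow(fset))
    print("IP_ONLY with 4 bytes reserved, first overflow:",
          first_overflow(IP_ONLY, reserved=4))
```

Two things the arithmetic makes visible: adding more IP ACLs that reuse fields already in the profile costs nothing, while a single MAC ACL beside IP/port filters costs 12 bytes at once; and with a few bytes reserved by other features, a filter that adds only the 1-byte protocol field can be the one that fails to create.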
Page 21
Some protocols also use filters, so they use some of the length ...
USA Headquarters | 19800 North Creek Parkway | Suite 200 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
European Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11
Asia-Pacific Headquarters | 11 Tai Seng Li...