Summary of content on page 1
AlliedWare OS™
How To | Configure Hardware Filters on AT-9900, x900-48, and x900-24 Series Switches
Introduction
The AT-9900, x900-48, and x900-24 series switches support a powerful hardware-based
packet-filtering facility.
These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and
perform a variety of different actions on the packets that match the filters.
Because the filters are hardware-based, they put no load on the CPU of the switch, and have
no affe
Summary of content on page 2
Introduction
What information will you find in this document?
This document contains the following:
Introduction (page 1)
Which products and software versions does this information apply to? (page 2)
Creating dedicated hardware filters (page 3)
Con
Summary of content on page 3
Creating dedicated hardware filters
Before we get into the details of the filter creation, we need to look at the underlying packet classification process.
Configuring packet classification
Dedicated hardware filters and QoS use the same packet classification process. The basic construct in the classification process is a classifier. The syntax for creating a classifier on the switch is:
CREate CLASSifier=rule-id [MACSaddr={macadd|ANY|DHCPSnooping}] [MACDad
Summary of content on page 4
Configuring Layer 4 source and destination port number masks
A common filtering requirement is the ability to filter on a range of TCP or UDP port numbers. For example, we often want to allow through all packets with a TCP destination port greater than 1024, because such packets are deemed to be replies coming back to sessions initiated from the other side of the switch. The l4smask and l4dmask parameters make it possible for a single classifier to ma
Summary of content on page 5
When packets arrive at a customer port of a nested VLAN, the "inner" parameters will match the attributes of the first tag in the packets. This is because when the packet is forwarded from the core port, that first tag will have become the inner tag. So, from the point of view of the nested VLAN, the tag that is on the packet when it arrives into the customer port is the inner tag. When nested VLANs are disabled, and "inner" parameters have been configur
Summary of content on page 6
The logic of the operation of the hardware filters
The operation of the filters follows the standard ACL logic: if a packet matches a filter, the comparison process stops and the action attached to the filter is performed. If a packet fails to match any of the filters, then the default action (forward) is taken.
Note: Hardware filters will act on packets that are destined for the switch itself (packets that would be passed up to the switch's own CPU) in ex
Summary of content on page 7
Combining hardware filters and QoS
The switch compares the packet with every hardware filter before it compares the packet with any QoS flow group. If the packet matches a hardware filter, the switch takes the action specified by that hardware filter and stops the comparison process. If a packet matches both a hardware filter and a QoS flow group, the packet only gets matched against the hardware filter. It bypasses the QoS process. If the hardware filter
Summary of content on page 8
How many filters can you create?
Extra rules used when combining QoS and hardware filters
In fact, QoS can cause the limit on the number of hardware filters to be reduced rather more radically than might be initially evident. To see why this is, we have to understand a bit more about how the rule table is used. When a packet is to be compared against rules in the rule table, the comparison does not have to start at the top of the table—it can start at other points in the table. The decision
Summary of content on page 9
The following figure shows the copies of these rules.
Rule table:
 1  Rule 1
 2  Rule 2
 3  Rule 3
 4  Rule 4
 5  ...
 6  ...
 7  ...
 8  ...
 9  Copy of rule 1
10  Copy of rule 2
11  Copy of rule 3
12  Copy of rule 4
13  QoS rule #1
14  QoS rule #2
Table that maps ingress port to the starting point of the rule comparison process:
Port  Start
 1    1
 2    1
 3    1
 4    9
 5    9
 6    1
When a QoS policy has been applied to ports 4 and 5, all the hardware filter rules have to be replicated further down in t
Summary of content on page 10
Protocol type—2 bytes
Ethernet format—2 bytes
VLAN ID—2 bytes
IP protocol type (TCP, UDP, etc)—1 byte
source IP address—4 bytes
destination IP address—4 bytes
TCP port number—2 bytes
UDP port number—2 bytes
DSCP—1 byte
For example, if you make a hardware filter that matches on destination IP address and source TCP port, this adds 7 bytes to the mask:
1 byte for the IP protocol field (to indicate TCP)
4 bytes for the destination IP address
2 bytes for the source
Summary of content on page 11
Okay length
For example, this set of filters would work:
source MAC address
source UDP port
destination IP address + destination TCP port
The total number of bytes for the switch to check in a packet would be:
source MAC address + IP protocol type + source TCP/UDP port + destination IP address + destination TCP/UDP port = 6 + 1 + 2 + 4 + 2 = 15 bytes
Too long
But this set of filters would not work:
source MAC address
destination MAC address
destination IP addres
Summary of content on page 12
How to see the current filter resource usage on the switch
The show switch command outputs a number of counters that display the current usage of filtering resources. A typical output from this command, and a discussion of each of the values it outputs, is shown below (command output, followed by its description):
Traffic Control Unit, hardware resource usage:
    Total number of classifiers/filter rules available in the system. This is the sum of the rules available on the base sys
Summary of content on page 13
Appendix A: How to use the layer 4 mask in classifiers
Command output, followed by its description (continued):
Profile #1:
    Profile used to match on packets
IPv4 bytes used ......... 3 of 16
    Number of bytes being used in the profile for matching IPv4 packets
Other-Eth bytes used .... 5 of 16
    Number of bytes being used in the profile for matching non-IPv4 ethernet packets
Device Resource, device #1:
    Resources used by device number 2 - accelerator card
Number of rules used ........ 1
    1 default rule in the IPv6 card. One 8
Summary of content on page 14
Example 1: ports 2000-2003
Let's say we want to have a UDP port range of 2000-2003, then the mask we need to have is:
2000 = 00010011 10001100
2001 = 00010011 10001101
2002 = 00010011 10001110
2003 = 00010011 10001111
The changed bits from 2000-2003 are bolded. We must now write an L4 mask which will meet these requirements. The easiest way to do this is to set the changed bits (between 2000 and 2003) in the mask to 0. In our example, the
Summary of content on page 15
Example 2: ports 5004-5008
In some more complex situations, we may need more than one classifier to cover the whole range we want. Let's take UDP destination ports between 5004-5008:
5004 = 00010011 10001100
5005 = 00010011 10001101
5006 = 00010011 10001110
5007 = 00010011 10001111
5008 = 00010011 10010000
According to the bolded bits, we may think that the changed bits are the last 5 bits, so the mask should be 11111111 11100000. But r
Summary of content on page 16
So our biggest block fits into the range 512-767. The next second biggest block is 128 in our example … it should fit into 384-511.
[Table of block ranges, partly recovered: ... 256-383, 384-511 ...]
With these 2 blocks, we cover from 384-767. If we keep repeating the same procedure for the other blocks, we get the commands in the following table. In some of the cases, the blocks need to be divided into smaller blocks. In our example, instead of having a single block of 4,
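The procedure worked through in Examples 1 and 2 above (take the largest block that is aligned to its own size, clear the bits that vary inside it in the L4 mask, repeat for whatever is left of the range) as an added Python example; it is not code from the Allied Telesis document. It derives the bit patterns from the port numbers themselves and checks every result against all 65536 port values, so it can be used to verify masks worked out by hand. The l4dmask parameter name is the page's; the function names and the exhaustive check are the example's own.

```python
# Added example, not from the AlliedWare OS document: turn an inclusive TCP/UDP
# port range into the fewest (port value, 16-bit L4 mask) pairs a classifier can
# express with l4smask / l4dmask, then verify the pairs exhaustively.

def block_size(mask: int) -> int:
    """Ports covered by one L4 mask: the zero bits are the ones free to vary
    (0xFC00 -> 1024, 0xFFFC -> 4, 0x0000 -> 65536)."""
    return (~mask & 0xFFFF) + 1


def port_range_to_masks(lo: int, hi: int) -> list[tuple[int, int]]:
    """Return [(port, mask), ...]; a port p is in [lo, hi] exactly when
    (p & mask) == port for some pair. Each pair is one classifier.
    A block must start on a multiple of its own size, which is why 5004-5008
    cannot be one classifier: 5004 is only 4-aligned, so 5008 needs its own."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("ports must satisfy 0 <= lo <= hi <= 65535")
    pairs = []
    while lo <= hi:
        size = 1
        # Double the block while it stays aligned to its size and inside the range.
        while size < 0x10000 and (lo & (2 * size - 1)) == 0 and lo + 2 * size - 1 <= hi:
            size *= 2
        pairs.append((lo, (0x10000 - size) & 0xFFFF))  # mask clears log2(size) low bits
        lo += size
    return pairs


def matches(port: int, pairs: list[tuple[int, int]]) -> bool:
    """Emulate the comparison the switch makes: any pair matching means a hit."""
    return any((port & mask) == value for value, mask in pairs)


def covers_exactly(lo: int, hi: int, pairs: list[tuple[int, int]]) -> bool:
    """Exhaustive check: the pairs match every port in [lo, hi] and nothing else."""
    return all(matches(p, pairs) == (lo <= p <= hi) for p in range(0x10000))


def describe(pairs: list[tuple[int, int]]) -> list[str]:
    """Render pairs the way the document writes them: binary value and hex mask."""
    return [f"port {value} ({value:016b}) l4dmask={mask:04X}" for value, mask in pairs]


if __name__ == "__main__":
    for lo, hi in ((2000, 2003), (5004, 5008), (1025, 65535)):
        pairs = port_range_to_masks(lo, hi)
        assert covers_exactly(lo, hi, pairs)
        print(f"{lo}-{hi}: {len(pairs)} classifier(s)")
        for line in describe(pairs):
            print("  ", line)
```

The 1025-65535 case is the "TCP destination port greater than 1024" requirement from the l4dmask discussion earlier on this page; it needs fifteen classifiers, which is worth knowing before budgeting filter rules.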
Summary of content on page 17
The following table shows the port ranges for the largest blocks. Each column is one L4 mask; the "number of ports" row gives the block size for that mask, and the entries below it are the block start boundaries, i.e. the multiples of that block size from 0 up to 65536.
L4 mask:          FC00   F800   F000   E000   C000   8000   0000
number of ports:  1024   2048   4096   8192  16384  32768  65536
                     0      0      0      0      0      0      0
                  1024   2048   4096   8192  16384  32768  65536
                  2048   4096   8192  16384  32768  65536
                  3072   6144  12288  24576  49152
                  4096   8192  16384  32768  65536
                  5120  10240  20480  40960
                  6144  12288  24576  49152
                  7168  14336  28672  57344
                  8192  16384  32768  65536
                  9216  18432  36864
                 10240  20480  40960
                 11264  22528
Summary of content on page 18
L4 mask:          FC00   F800   F000   E000   C000   8000   0000
number of ports:  1024   2048   4096   8192  16384  32768  65536
(table continued) 49152 50176 51200 52224 53248 54272 55296 56320 57344 58368 59392 60416 61440 62464 63488 64512 65536