
Page 6 | AlliedWare™ OS How To Note: Hardware Filters

Creating dedicated hardware filters

The logic of the operation of the hardware filters

The operation of the filters follows the standard ACL logic: if a packet matches a filter, the 
comparison process stops and the action attached to the filter is performed. If a packet fails 
to match any of the filters, then the default action (forward) is taken.

Note:

Hardware filters will act on packets that are destined for the switch itself (packets 
that would be passed up to the switch's own CPU) in exactly the same way as they 
act on packets that were destined to be forwarded directly by the switching chip.

The effects of the action parameters

Let us consider the effect of each of the possible action keywords.

| Action | What it does | When do you need this action? |
|---|---|---|
| discard | Drops the traffic. | Use this when the filtering policy is to disallow certain traffic flows. |
| forward | Forwards the traffic normally. | Use this when you want to discard a wide range of traffic, but still forward some small subset of traffic within that range. |
| copy | Forwards the traffic normally, and also sends a copy of each packet to the CPU. | Use this when you want software monitoring of a certain packet flow. If you want to log, or count, or output debug pertaining to a certain stream, then create a filter that matches the packets in the stream, and specify copy for the action. |
| copy,discard | Drops the traffic, but also sends a copy of each packet to the CPU. | Use this when you want software monitoring of a certain packet flow that is being dropped. If you want to log, count, or output debug pertaining to a certain disallowed stream, then create a filter that matches the packets in the stream, and specify copy,discard for the action. |
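The first-match logic and the discard, forward, copy and copy,discard actions above, modelled as an added example (not code from the How To Note or from AlliedWare). It shows why a narrow forward filter only works when it is compared before the broad discard filter, and flags filters that can never match. Assumptions: the classifier is simplified to a source prefix plus destination port, list order stands for the order the switch compares filters in, and all names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class HwFilter:
    filter_id: int
    src: str               # simplified classifier: source prefix
    dport: Optional[int]   # simplified classifier: destination port, None = any
    action: str            # discard | forward | copy | copy,discard

def matches(f, pkt):
    return ip_address(pkt["src"]) in ip_network(f.src) and f.dport in (None, pkt["dport"])

def evaluate(filters, pkt):
    """Return (forwarded, copied_to_cpu, id of the filter that matched)."""
    for f in filters:                      # first match ends the comparison
        if matches(f, pkt):
            acts = f.action.split(",")
            return ("discard" not in acts, "copy" in acts, f.filter_id)
    return (True, False, None)             # no filter matched: default is forward

def shadowed(filters):
    """List (filter, earlier filter) pairs where the later filter can never match."""
    found = []
    for i, f in enumerate(filters):
        for e in filters[:i]:
            if ip_network(f.src).subnet_of(ip_network(e.src)) and e.dport in (None, f.dport):
                found.append((f.filter_id, e.filter_id))
                break
    return found

# Constructed policy: drop and monitor 10.0.0.0/8, but still forward SSH
# from the 10.1.1.0/24 management subnet.
BROAD = HwFilter(1, "10.0.0.0/8", None, "copy,discard")
EXCEPTION = HwFilter(2, "10.1.1.0/24", 22, "forward")
WRONG_ORDER = [BROAD, EXCEPTION]   # the exception is never reached
RIGHT_ORDER = [EXCEPTION, BROAD]   # the exception is compared first
SSH = {"src": "10.1.1.5", "dport": 22}

if __name__ == "__main__":
    for name, policy in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, evaluate(policy, SSH), "shadowed:", shadowed(policy))
```
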

setl2qos

Note that this action has other parameters associated with it, as the following syntax shows:

    add switch hwfilter[=<filter-id>] classifier=<rule-id> action=setl2qos
    [l2qosqueue=0..7] [priority=0..7] [bandwidthclass=1..3]

This action means you can use hardware filters to set the queue, 802.1p user priority or bandwidth class for packets.

There is an elaborate QoS mechanism available for allocating these values to packets, but this filter type provides a 
simple method if you do not require a full QoS configuration. The principal use for this filter action, though, is as a 
mechanism for elevating the probability of CPU reception for packets that you determine to be “important”.

In heavily congested networks, data streams can sometimes use up all the available bandwidth of the CPU receive 
process. This increases the probability of losing infrequently-sent control or management packets, for example, 
routing protocol packets (BGP, OSPF, PIM, DVMRP) or STP packets. By creating an appropriate classifier and 
hardware filter, such packets can be given higher priority forwarding up to the CPU.

If you are using the filter to prioritise packets going up to the CPU, you only need to specify a value for the l2qosqueue parameter. The higher the value given to this parameter, the higher the priority the matching packets will be given in forwarding up to the CPU. It is possible to specify the priority and bandwidthclass parameters in this case, but they will have no effect, because the CPU ignores these parameters. The default value for the l2qosqueue parameter is 0.

The priority parameter specifies the 802.1p user priority with which to re-mark matching packets. The default is 0.

The bandwidthclass parameter specifies the bandwidth class (colour) to assign matching packets to. The default is 1 (green).
