Allied Telesis x908 User Manual


C613-16119-00 REV A

www.alliedtelesis.com

AlliedWare Plus™ OS How To

Introduction

The SwitchBlade x908, x900-12XT/S, and x900-24 series switches support a powerful
hardware-based packet-filtering facility.

These switches can filter on a range of Layer 2, Layer 3, and Layer 4 packet attributes, and
perform a variety of different actions on the packets that match the filters.

Because the filters are hardware-based, they put no load on the CPU of the switch, and do
not affect the throughput of the switch. It is possible to configure over 1000 different filters,
and still have complete wire speed throughput on the switch.

On the AlliedWare Plus OS, hardware-based packet filtering is carried out by using hardware
ACLs (Access Control Lists). The following configuration methods are available:

1. To make a simple filter based on IP address, MAC address, TCP/UDP port, or ICMP type,
you simply create one or more ACLs and apply them to a port.

You can build up a filter hierarchy by applying multiple ACLs to a port (e.g. make one ACL
to allow traffic from a source IP address to a destination address, then a second ACL to
drop all (other) traffic from that source IP address).

This How To Note calls ACLs that are applied to ports interface ACLs.

2. To make a filter based on a range of other packet settings, you use QoS match commands
in one or more QoS class-maps, mostly in combination with ACLs. Then you use QoS to
apply the class-maps to a policy-map and port.

This note describes both approaches. Then it gives a series of examples, and ends by
discussing how many filters you can make.
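The filter hierarchy described in method 1 depends on the order in which the ACLs are applied to the port. The following Python model is an added example, not code or configuration from this How To Note. It assumes first-match evaluation in the order applied and that unmatched traffic is forwarded; the function names and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def acl(action, src, dst="any"):
    """One interface ACL entry: action plus source and destination prefixes."""
    to_net = lambda p: ANY if p == "any" else ipaddress.ip_network(p)
    return (action, to_net(src), to_net(dst))

def evaluate(port_acls, src_ip, dst_ip, default="permit"):
    """Action of the first ACL that matches (assumption: first match wins,
    and traffic that matches no ACL gets the default action)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in port_acls:
        if s in src_net and d in dst_net:
            return action
    return default

def shadowed(port_acls):
    """Indexes of ACLs that can never match because an earlier,
    broader ACL on the same port already covers all of their traffic."""
    hits = []
    for i, (_, src, dst) in enumerate(port_acls):
        if any(src.subnet_of(esrc) and dst.subnet_of(edst)
               for _, esrc, edst in port_acls[:i]):
            hits.append(i)
    return hits

# Constructed sample: allow one host to reach one server, drop its other traffic.
hierarchy = [
    acl("permit", "192.0.2.10", "198.51.100.5"),  # specific allow first
    acl("deny", "192.0.2.10"),                    # then drop all other traffic
]
# The same two ACLs applied in the wrong order.
reversed_order = list(reversed(hierarchy))

if __name__ == "__main__":
    for name, acls in (("hierarchy", hierarchy), ("reversed", reversed_order)):
        print(name,
              evaluate(acls, "192.0.2.10", "198.51.100.5"),
              evaluate(acls, "192.0.2.10", "198.51.100.6"),
              "shadowed:", shadowed(acls))
```

Running a shadowing check like this over a planned ACL list before applying it to a port catches a broad drop that would silently override a later allow.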

Configure Hardware Filters on SwitchBlade x908,
x900-12XT/S, and x900-24 Series Switches
