Understand filter interactions – Net Optics Smart Filtering none User Manual


Understand filter interactions

It is important to understand that Director uses Content Addressable Memory (CAM) technology to implement filters. As each filter is defined, it is stored in the next available entry in the CAM. Each packet header is compared in the CAM, and the CAM returns the index of the first filter that the packet header matched. That filter, and only that filter, controls which monitoring ports receive a copy of the packet. Other filters are not executed for that packet. Therefore, filters are not completely independent; one filter can affect the operation of another.

Let's walk through an example of a filter interaction that may be unexpected.

First, we will set up a filter for an IP address:

filter add in_ports=n1.5 ip_src=192.186.10.0 action=redir redir_ports=m.1

filter commit

[Diagram: Network Port 5 feeding Monitor Port 1. Labels in the diagram: Source IP = 192.168.10.0 – 192.168.10.15; filter add in_ports=n1.5 ip_src=192.168.10.0 ip_src_mask= 240 action=redir redir_ports=m.1]

CAM Address   Filter
1             n1.5 ip_src=192.186.10.0 m.1

Figure 34: A simple IP address filter, shown with CAM

All traffic from Network Port 5 that comes from IP address 192.186.10.0 matches the first CAM entry and therefore is copied to Monitor Port 1.

Next, suppose we want another monitoring tool to see all the TCP traffic from Network Port 5, so we set up this filter:

filter add in_ports=n1.5 ip_proto=6 action=redir redir_ports=m.2

filter commit

[Diagram: Network Port 5 feeding Monitor Port 1 (Source IP = 192.186.10.0) and Monitor Port 2 (Protocol = TCP), annotated "Filter interactions are not shown!"]

CAM Address   Filter
1             n1.5 ip_src=192.186.10.0 m.1
2             n1.5 ip_proto=TCP m.1

Figure 35: Incorrect flow diagram of two filters; filter interaction in CAM is neglected
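The first-match lookup described at the top of this section can be modelled with the two filters defined above, to see which monitoring port actually receives a given packet and which later filter never runs for it. This is an added example, not Net Optics code: the dictionary form of a CAM entry, the function names and the sample packets are assumptions made for illustration.

```python
# Added example: a model of first-match CAM lookup, not Director's implementation.
TCP, UDP = 6, 17

# CAM entries in the order the two "filter add" commands on this page were issued.
# Redirect ports are taken from the commands (m.1, then m.2).
CAM = [
    {"in_port": "n1.5", "ip_src": "192.186.10.0", "redir": "m.1"},
    {"in_port": "n1.5", "ip_proto": TCP, "redir": "m.2"},
]

def matches(entry, pkt):
    """A packet matches when every field the filter specifies is equal."""
    for field in ("in_port", "ip_src", "ip_proto"):
        if field in entry and entry[field] != pkt[field]:
            return False
    return True

def lookup(cam, pkt):
    """Return (1-based CAM index, monitor port) of the first match, else None.

    None is a modelling choice for "no filter matched"; the page does not
    describe what Director does with unmatched packets.
    """
    for index, entry in enumerate(cam, start=1):
        if matches(entry, pkt):
            return index, entry["redir"]
    return None

def shadowed(cam, pkt):
    """Indexes of later entries that also match pkt but are never executed."""
    hit = lookup(cam, pkt)
    if hit is None:
        return []
    return [i for i, e in enumerate(cam, start=1) if i > hit[0] and matches(e, pkt)]

# Constructed sample packet headers.
PACKETS = {
    "tcp_from_filtered_host": {"in_port": "n1.5", "ip_src": "192.186.10.0", "ip_proto": TCP},
    "tcp_from_other_host": {"in_port": "n1.5", "ip_src": "192.186.10.7", "ip_proto": TCP},
    "udp_from_other_host": {"in_port": "n1.5", "ip_src": "192.186.10.7", "ip_proto": UDP},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, lookup(CAM, pkt), "shadowed entries:", shadowed(CAM, pkt))
```

Running `shadowed` over representative packets before a `filter commit` is a quick way to spot a monitoring tool that will silently miss part of the traffic it was meant to see.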
