Avaya Configuring Traffic Filters and Protocol Prioritization User's Manual
Contents
1. 117348-A Rev. A. Examples and Implementation Notes. Using Outbound Traffic Filters for LAN Protocols: In certain configurations, implementing outbound traffic filters for LAN protocols may cause a decline in throughput performance. For LAN circuits where the forwarding rate of the router is critical, Bay Networks recommends that you monitor the throughput performance after configuring outbound LAN traffic filters. If you notice an unacceptable decline in performance, use inbound traffic filters to accomplish the filtering goal. Index: A Accept filters 1 4 B 12 actions traffic filter See traffic filter actions adding actions inbound 6 9 6 14 outbound 7 12 7 16 7 17 criteria inbound 6 9 6 14 outbound 7 12 7 16 7 17 ranges 5 1 to 5 10 address ranges See ranges Advanced Peer to Peer Networking APPN 3 12 applying templates inbound traffic filter 6 10 outbound traffic filter 7 13 APPN See Advanced Peer to Peer Networking bandwidth allocation dequeuing algorithm 2 3 Bay Networks Press xix bit swapped format 5 2 blocking filters 1 5 B 12 bridging source route inbound actions 3 6 inbound criteria 3 5 outbound actions 4 9 outbound criteria 4 2 ranges 3 5 transparent inbound actions 3 4 inbound criteria 3 2 outbound actions 4 9 outbound criteria 4 2 4 4 C Clipped Packets Count 2 12 2 15 clock speed 2 4 configuring inbound traffic filte
2. The OSI filtering actions are Accept, Drop, and Log. VINES Criteria and Actions: You can filter inbound VINES traffic based on specified bit patterns in the VINES header. Predefined VINES Criteria: Table 3-10 lists the predefined criteria for VINES inbound traffic filters and the reference field, offset, and length for each criterion. Table 3-10. Predefined Criteria for VINES Inbound Traffic Filters: Protocol Type VINES_BASE 40 2 48 Destination Address VINES_BASE. User-Defined VINES Criteria: In addition to the predefined VINES filter criteria, you can create traffic filters with user-defined criteria by specifying an offset and length to this reference field in the VINES header. Reference Field and Description: VINES_BASE points to the first byte in the VINES header. VINES Actions: The VINES filtering actions are Accept, Drop, and Log. XNS Criteria and Actions: You can filter inbound XNS traffic based on specified bit patterns in the XNS header. Predefined XNS Criteria: Table 3-11 lists the predefined criteria for XNS inbound traffic filters and the reference field, offset, and length for each criterion. Table 3-11. Predefined Criteria for XNS Inbound Traffic Filters: Criterion Name, Reference Field: Destination Network XNS_BASE Destination Address XNS_BASE Dest
3. Data Link Reference Points in an SRB Packet Bridged over Bay Networks Proprietary Frame Relay; Data Link Reference Points in an IEEE 802.2 LLC Header; IP Reference Points in an IP Encapsulated SRB Packet Bridged over PPP; Inbound Traffic Filters Window; Filter Template Management Window; Create Template Window; Edit Template Window; Create Filter Window; Edit Filters Window; Add User Defined Field Window; Filters Window Showing Filter Precedence; Change Precedence Window; Filters Window Showing New Order of Precedence; Displaying the Priority Outbound Filters Window; Priority Outbound Filters Window; Filter Template Management Window; Create Priority Outbound Template Window; PTA LO INON ci
4. 5 Click on OK The Filters window opens Table 6 2 describes how to add delete or modify predefined criteria ranges and actions in the Edit Filters window Figure 6 6 6 12 117348 A Rev A Applying Inbound Traffic Filters Figure 6 6 Edit Filters Window 117348 A Rev A oe Configuring Traffic Filters and Protocol Prioritization Table 6 2 Using the Edit Filters Window Adda 1 Choose Criteria gt Add gt criterion The Add A filter can have only one criterion criterion Range window opens You must specify at least one range for the 2 Type arange in the Minimum value and niter Maximum value fields then click on OK Delete a 1 Select the criterion to delete in the Filter A filter must have a criterion Specify a criterion Information field new criterion after deleting one 2 Click on Delete The Delete Criteria window opens 3 Click on Delete Adda 1 Select the criterion in the Filter Information field You can add up to 100 ranges If the range Anga 2 Click on Add The Add Range window opens cS Ota ele value Ope we yao the Minimum value field only Use the 3 Type a range in the Minimum value and prefix Ox to specify a hexadecimal number Maximum value fields then click on OK Zero is not a valid entry Selected ranges appear in the Range Min and Max fields at the bottom of the Edit Filters window Delete a 1 Select the range to delete in the Filter You must specify at least one range fo
5. DISABLE Sets the Frame Relay discard eligible (DE) bit for packets sent to the Low queue. Select DISABLE if you do not want to set the DE bit for all Frame Relay packets in the Low queue. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.37. Site Manager Protocol Prioritization Parameters. Parameter: Discard Eligible Bit Normal. Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface. Default: DISABLE. Options: ENABLE | DISABLE. Function: Sets the Frame Relay discard eligible (DE) bit for packets sent to the Normal queue. By default, Frame Relay packets in the Normal queue do not have the DE bit set. Instructions: Select ENABLE if you want to set the DE bit for all Frame Relay packets in the Normal queue. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.38. Prioritization Length Parameters: Use the following descriptions as guidelines when you edit parameters in the Prioritization Length window. Parameter: Packet Length. Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Priority Outbound Filters > Create > Create Priority Outbound Template > Actions > Length > Prioritization Length. Default: None. Options: 0 to 4608 bytes. Function: Defines a packet length measurement by which each packet that passes the filter
6. s location in the packet. With predefined criteria, the locations are established. See Chapter 3 for the supported protocol header reference points you can use to specify user-defined criteria for inbound traffic filters. To add a user-defined criterion (Site Manager Procedure: You do this / System responds): 1. Display the Edit Filters window (Figure 6-6) or Edit Template window (Figure 6-4) for the selected circuit and protocol. 2. Choose Criteria > User Defined. The Add User Defined Field window opens (Figure 6-7). 3. In the REF field, choose the protocol-specific header reference point. 4. In the OFFSET field, specify a bit offset from the reference point. 5. In the LENGTH field, specify the length of the criterion. 6. In the Minimum value and Maximum value fields, specify a range for the criterion. 7. Click on OK. The Edit Template window or Edit Filters window opens. 8. Continue editing the template or filter. See Table 6-1, Using the Edit Template Window, or Table 6-2, Using the Edit Filters Window. Figure 6-7. Add User Defined Field Window. Changing Inbound Traffic Filter Precedence: You can assign as many as 31 inbound traffic filters per protocol to each router interface. You can assign as many as 127 inbound traffic filters for IP. As you add filters to an interface the
7. Addan 1 Choose Action gt Add gt action With the exception of the Log action each action template has only one action Delete 1 Select an action in the Filter Information field You must specify at least one action ina an action template 2 Click on Delete The Delete Action window opens 3 Click on Delete Save the 1 Click on OK The Filter Template Management Be sure you have specified template window opens e Only one criterion e Only one action e 1 100 ranges 117348 A Rev A oy Configuring Traffic Filters and Protocol Prioritization Creating an Inbound Traffic Filter 6 10 You create an inbound traffic filter by applying a filter template to an interface Note You should create the filters on an interface in order of precedence The first filter you create has the highest precedence and a rule number of 1 Subsequent filters that you create have lower precedence For more information see Changing Inbound Traffic Filter Precedence later in this chapter To create an inbound traffic filter Site Manager Procedure You do this System responds 1 Display the Filters window Figure 6 1 See Displaying the Inbound Traffic Filters Window 2 Click on Create The Create Filter window opens Figure 6 5 3 Select a circuit in the Interfaces field Te 4 Select a template in the Templates field If the Templates field is empty complete the steps in Preparing Inbound T
8. Be careful not to confuse traffic filters with other router filters, such as route filters, which force filtered protocol traffic to take particular routes. Bay Networks routers support two types of traffic filters: inbound traffic filters act on packets that the router is receiving; outbound traffic filters act on packets that the router is forwarding. You can create traffic filters on the following router interfaces: Ethernet (10BASE-T and 100BASE-T); FDDI; HSSI; MCE1; MCT1; Synchronous; Token ring. You can apply multiple traffic filters to a single interface. When more than one filter applies to a packet, the order of filters determines the filtering result. Inbound Traffic Filters: Inbound traffic filters act on packets arriving at a particular router interface. Most sites use inbound traffic filters primarily for security, to restrict access to nodes in a network. When you configure inbound traffic filters, you specify a set of conditions that apply to the traffic of a particular bridging or routing protocol. The Configuration Manager supports inbound traffic filters for the following protocols: Transparent bridge (four encapsulation methods: Ethernet, 802.2 LLC, 802.2 LLC with SNAP, and Novell Proprietary); Native source route bridging (SRB); IP; IPX; XNS; OSI; DECnet Phase IV; VINES; DLSw; LLC2 APPN and LNM
9. It specifies that if the next hop address specified is unreachable, the frame is dropped. Forward to IP Address: Specifies that any frame that matches the filter will be forwarded to a single address in a list of specified IP addresses. The destination address of the original packet changes to the specified IP address. Forward to Next Hop Interfaces: Specifies that any frame that matches the filter will be duplicated and forwarded to a group of next hop IP addresses that you specify. If none of the next hop interfaces is active, the router forwards packets that match the filter to the packet destination address, unless you also specify Drop If Next Hop Is Unreachable. Forward to First Up Next Hop Interface: Specifies that any frame that matches the filter will be forwarded to a specified next hop router or to a network connected to the router. If the specified hop is not reachable, the filter tries all addresses on the next hop interfaces list, using ARP messages. If none of the next hop interfaces is reachable, the router forwards packets that match the filter to the packet destination address, unless you also specify Drop If Next Hop Is Unreachable. Detailed Logging: For every packet that matches the filter criteria and ranges, the filter adds an entry containing IP header information to the system Events log. IPX Criteria and Actions: You filter inbound IPX traffic
10. Tha Add Pande window ovens consists of a single value type the value in 3 9 pens the Minimum value field only Use the 3 Type a range in the Minimum value and prefix 0x to specify a hexadecimal number Maximum value fields then click on OK Zero is not a valid entry Modify a 1 Select the range to modify in the Filter Ranges are listed below the criterion in the range Information field Filter Information field Selected ranges appear in the Range Min and Range Max ee ee fields at the bottom of the Edit 3 Type new values in the Range Min and Range Priority Outbound Template window Max fields Delete a 1 Select the range to delete in the Filter You must specify at least one range for range Information field each criterion 2 Click on Delete The Delete Range window opens 3 Click on Delete Addan 1 Choose Action gt Add gt action With the exception of the Log action each action template has only one action Delete 1 Select an action in the Filter Information field You must specify at least one action ina an action template 2 Click on Delete The Delete Action window opens 3 Click on Delete Save the 1 Click on OK The Filter Template Management Be sure you have specified template window opens e Only one criterion e Only one action e 1 100 ranges 7 12 117348 A Rev A Applying Outbound Traffic Filters Creating an Outbound Traffic Filter You create an outbound traffic filter
11. The new template appears in the templates list 12 Click on Done The Filters window opens 13 Click on Create The Create Filter window opens A Name field 15 Select a tempate in tne Tempas tea OOOO 6 Seeciacroutnmemeracestea o Chapter 6 provides detailed procedures for creating inbound traffic filters and traffic filter templates B 4 117348 A Rev A Table B 1 Configure a subset of allowed Telnet TFTP and FTP users Configure a router to drop BootP requests from particular clients Drop inbound Telnet traffic 117348 A Rev A filtering goals Examples and Implementation Notes Table B 1 lists sample predefined criteria ranges and actions for some common Predefined Criteria Ranges and Actions for Sample Inbound Traffic Filters Fiering Goat Criteria Path Ranges Action Path Notes SS Criteria gt Add gt IP Source Address Criteria gt Add gt UDP Frame gt UDP Destination Port Criteria gt Add gt IP gt TCP Frame gt TCP Destination Port Client IP source addresses Use dotted decimal format Action gt Add gt Accept MAC addresses of Action gt Add gt the BootP clients 23 See Table 5 6 in Chapter 5 for a list of common TCP port ranges Action gt Add gt Drop This strategy works only if the destination IP address is one of the router s interfaces and if the protocol or well known port is Telnet TFTP or FTP For a more secur
12. Using Traffic Filters. For each traffic filter criterion, you also specify the valid range: a series of target values that apply to the criterion. For most criteria, you specify an address range. There must be at least one target value for each criterion. The range can be just one value or a set of values. You enter a minimum and a maximum value to specify the range. For a range of only one value, you enter only the minimum value; the Configuration Manager automatically uses that value for both the minimum and maximum value. For example, if the filter criterion is MAC Source Address, you must specify which addresses you want the filter to examine. If you specify 0x0000A2000001 as the minimum range value and 0x0000A2000003 as the maximum range value, the router checks for packets with a MAC source address between 0x0000A2000001 and 0x0000A2000003, inclusive. Note: Chapter 5 lists valid ranges for common traffic filter criteria and explains how to specify some common address ranges. The filter action determines what happens to packets that match a filter criterion's ranges. You can apply the following actions to any traffic filter. Accept: The router processes any packet that matches the filter criteria and ranges. Drop: The router does not route any packet that matches the filter criteria and ranges. Log: For every packet that matches the filter criteria and ranges, the router sends an entry to the system Events log. You can specify
13. Using the Edit Template Window Adda 1 Choose Criteria gt Add gt criterion The Add A template can have only one criterion criterion Range window opens You must specify at least one range ina 2 Type arange in the Minimum value and tempiate Maximum value fields then click on OK Delete a 1 Select the criterion to delete in the Filter A template must have a criterion Specify a criterion Information field new criterion after deleting one 2 Click on Delete The Delete Criteria window opens 3 Click on Delete Adda 1 Select the criterion in the Filter Information field You can add up to 100 ranges If the range range S Cle con dd Tha Add Pande windew onene consists of a single value type the value in 3 9 pens the Minimum value field only Use the 3 Type a range in the Minimum value and prefix Ox to specify a hexadecimal number Maximum value fields then click on OK Zero is not a valid entry Modify a 1 Select the range to modify in the Filter Ranges are listed below the criterion in the range Information field Filter Information field Selected ranges appear in the Range Min and Range Max ee en fields at the bottom of the Edit Template 3 Type new values in the Range Min and Range _ window Max fields Delete a 1 Select the range to delete in the Filter You must specify at least one range for range Information field each criterion 2 Click on Delete The Delete Range window opens 3 Click on Delete
14. carrier sense multiple access collision detection; discard eligible; data link control; data link connection identifier; Data Link Control Management Interface; data link switching; destination service access point; Fiber Distributed Data Interface; File Transfer Protocol; high level data link control; high speed serial interface; Internet Control Message Protocol; Internet Protocol; Internet Packet Exchange; Integrated Services Digital Network; International Organization for Standardization; International Telecommunications Union Telecommunications sector (formerly CCITT); local area network; Local Area Transport; Logical Link Control; LAN Network Manager; media access control; multichannel E1; multichannel T1; most significant bit. NLPID: network layer protocol ID; OSI: Open Systems Interconnection; OSPF: Open Shortest Path First protocol; PPP: Point to Point Protocol; PRI: primary rate interface; RIF: routing information field; RII: routing information indicator; RIP: Routing Information Protocol; SAP: service access point; SDLC: Synchronous Data Link Control; SMDS: switched multimegabit data service; SNA: Systems Network Architecture; SNAP: Subnetwork Access Protocol; SNMP: Simple Network Management Protocol; SRB: source routing bridge; SSAP: source service access point; STP: shielded twisted pair; TCP IP: Transmission Control Pr (remaining acronyms listed: Telnet, TFTP, UDP, UTP, VINES, WAN, XNS)
15. criterion is compared. The action that is applied to each packet depends on whether it is less than, equal to, or greater than the value you specify. This action also depends on the values of the Less Than or Equal Queue parameter and the Greater Than Queue parameter. Instructions: Specify a packet length value in bytes. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.4.1.7. Parameter: Less Than or Equal Queue. Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Priority Outbound Filters > Create > Create Priority Outbound Template > Actions > Length > Prioritization Length. Default: NORMAL. Options: HIGH | LOW | NORMAL. Function: Specifies the queue in which a packet is placed if its length is less than or equal to the value of the Packet Length parameter. For example, if Packet Length is set to 1024 bytes, any packet that is 1024 bytes or less is placed in the queue you specify. Instructions: Accept the default, NORMAL, or select LOW or HIGH. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.4.1.8. Parameter: Greater Than Queue. Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Priority Outbound Filters > Create > Create Priority Outbound Template > Actions > Length > Prioritiza
16. ee eee ee a ee ee ee en ae ee ene eee ane nee ee Sere ere 3 12 OSI Criteria and Actions 0008 Pee eee a eee re erent eee ere ee 3 13 Predefined OSI Criteria REOLA TE AE AE E EAE EEEE MEREEN T AE 3 13 User Defined OSI Criteria EE EEEE EE AoT TERE EEE PEET EEE TAE EEEE 3 13 A arrear ETEA EAE 3 13 VINES Criteria and Actions sea apc sas pete eee tees E ate aa 3 14 Predefined VINES Criteria ci wasessiermskmisieiandriewsmirnatonteaniaheurneasiondeean 3 14 User Defined VINES Criteria ccce MEARE A TEA EAEE ETE a 3 14 E AO E iana E 3 14 XNS Criteria and Actions 006 ELS ieee opis RA ALE ETA E iets PAETE ETE E SE 3 15 Predefined XNS Criteria 0 EPEN LENEE STREE EEE EEE EA LETERE EPEE T IEEE T FOA TTE 3 15 User Defined XNS Criteria ccceeeeccseeeeeeeees ee ere PEE EEEE eed ID Fe ee VE aE 3 15 Chapter 4 Outbound Traffic Filter Criteria and Actions Selecting Predefined Criteria PEPEE EIET eee PEPEE ET EE E 4 2 Predefined Data Link Criteria ooo ccc cccccccecceceececeeeeeeecececeeeueeeeeeseeeeeueeeeeeeeneneenenes 4 2 Predefined IP Criteria c00 MEENA A EEE EAEE abet EEEN 4 4 Specifying Criteria Common to IP and Data Link Headers cecceceeeeeeeeeeeeeees 4 5 Selecting User Defined Criteria 2 0 0 ccccccccccccsseseceeeeeeseeeeeeeeaeeseceeeseuaaseceesssaaaeeeessenaaees 4 6 Data LNK Ph POMNIE a iaic pak tesdinercincse s
17. inbound traffic filter applying to an interface 6 10 copying 6 6 creating 6 4 7 4 7 9 7 10 7 13 7 15 deleting actions 6 9 6 14 deleting criteria 6 9 deleting ranges 6 9 Index 6 editing 6 6 6 7 naming 6 4 renaming 6 6 user defined criteria 6 17 7 20 templates outbound traffic filter creating 7 4 deleting actions 7 12 7 16 deleting criteria 7 12 7 16 deleting ranges 7 12 editing 7 9 7 10 naming 7 4 renaming 7 9 traffic filter actions Accept 1 11 4 9 defined 1 11 Detailed Logging 3 11 Drop 1 11 4 9 Drop If Next Hop Is Unreachable 3 10 Forward to First Up Next Hop Interface 3 10 Forward to IP Address 3 10 Forward to Next Hop Interfaces 3 10 High 4 10 inbound adding 6 9 6 14 DECnet Phase IV 3 7 deleting 6 9 6 14 DLSw 3 8 IP 3 10 IPX 3 12 LLC2 3 12 OSI 3 13 SRB 3 6 transparent bridge 3 2 3 4 VINES 3 14 XNS 3 15 Length 4 10 Log 1 11 4 9 Low 4 10 No Call 4 10 No Reset 4 10 outbound adding 7 12 7 16 7 17 deleting 7 12 7 17 117348 A Rev A source route 4 2 4 4 4 9 transparent bridge 4 2 4 9 traffic filter types Accept B 12 blocking B 12 Drop all B 12 inbound 1 2 outbound 1 2 priority 2 2 traffic filters actions 1 11 adding to an interface 1 13 components of 1 6 defined 1 1 inbound adding to an interface 6 10 creating 6 10 7 13 creating templates 6 3 defined 1 2 deleting from an interface 6 16
18. 802 2 LLC with 802 2 LLC DSAP SNAP 802 2 LLC SSAP 802 2 LLC Control 802 2 SNAP Length 802 2 SNAP Protocol ID 802 2 SNAP Ethernet Type SRB MAC Address Source or Destination DSAP Native only IP encapsulated SRB SSAP is not Supported NetBIOS Name Source or Destination DECnet Phase IV Area Source or Destination Node Source or Destination DLSw MAC Address Source or Destination DSAP SSAP Type of Service IP Address Source or Destination UDP Port Source and or Destination TCP Port Source and or Destination UDP or TCP Source Port UDP or TCP Destination Port Established TCP Protocols Protocol Type Network Source or Destination Host Address Source or Destination Socket Source or Destination OSI Area Source or Destination System ID Source or Destination continued 117348 A Rev A Using Traffic Filters Table 1 1 Predefined Inbound Traffic Filter Criteria continued Traffic Type Predefined Inbound Filter Criteria LLC2 MAC Address Source or Destination DSAP SSAP VINES Protocol Type VINES Address Source or Destination XNS Network Source or Destination Address Source or Destination Socket Source or Destination Table 1 2 summarizes the predefined outbound traffic filter criteria for data link and IP headers Note See Configuring DLSw Services for information about criteria for outbound traffic filters based on the DLSw header Table 1 2 Predefined Outboun
19. A 6 Discard Eligible Bit Normal A 7 Enable A 2 Greater Than Queue 7 8 A 8 High Queue Percent Bandwidth A 5 High Queue Size A 2 117348 A Rev A High Water Packets Clear A 4 Less Than or Equal Queue 7 7 A 8 Low Queue Percent Bandwidth A 6 Low Queue Size A 3 Max High Queue Latency A 3 Normal Queue Percent Bandwidth A 5 Normal Queue Size A 3 Packet Length A 7 Prioritization Algorithm Type A 4 performance Drop filters 1 4 outbound traffic filters B 13 precedence and Drop all filters B 12 inbound traffic filters 6 18 outbound traffic filters 7 21 predefined criteria 1 7 Prioritization Algorithm Type parameter A 4 prioritization protocol See protocol prioritization priority filters See protocol prioritization protocol prioritization Clipped Packets Count 2 12 2 15 defined 2 1 4 10 dequeuing algorithms bandwidth allocation 2 3 strict dequeuing 2 7 Discard Eligible Bit Low parameter A 6 Discard Eligible Bit Normal parameter A 7 dropped packets 2 12 2 15 editing interface parameters 2 14 Enable parameter A 2 examples B 9 Frame Relay A 3 Greater Than Queue parameter 7 8 A 8 High Queue Percent Bandwidth parameter A 5 High Queue Size parameter A 2 High Water Packets Clear parameter A 4 High Water Packets Mark 2 15 latency 2 13 Less Than or Equal Queue parameter 7 7 A 8 117348 A Rev A Low Queue Percent Bandwidth parameter A 6 Low Queue Size parameter A 3 Max Hi
20. Bridge Encapsulation Support; Predefined Criteria for Transparent Bridge Inbound Traffic Filters; Predefined Criteria for SRB Inbound Traffic Filters; Predefined Criteria for DECnet Phase IV Inbound Traffic Filters; Predefined Criteria for DLSw Inbound Traffic Filters; Predefined Criteria for IP Inbound Traffic Filters; Predefined Criteria for IPX Inbound Traffic Filters; Predefined Criteria for LLC2 Inbound Traffic Filters; Predefined Criteria for OSI Inbound Traffic Filters; Predefined Criteria for VINES Inbound Traffic Filters; Predefined Criteria for XNS Inbound Traffic Filters; Predefined Data Link Criteria for Outbound Traffic Filters; Predefined IP Criteria for Outbound Traffic Filters; Data LINK Relerence FG baroiaren aninion Taa; IP Reference Points; Format for Specifying MAC Addresses; Functional MAC Addresses; Be arcs ct ender nd vasa rE 5 4 mame Ray We scrissi an nw eerie ee 5 5 Ok ERA A EA sie E EAA
21. By default, packets transmitted on dial-on-demand lines always trigger the router to establish a connection. No Reset: Packets that match the filter criteria and ranges are processed but do not reset the inactivity timer. Note: Although No Call and No Reset are available when creating any outbound traffic filter, these actions are useful only on dial-up interfaces, such as synchronous modem lines or MCT interfaces configured with ISDN PRI. You can use the dial service actions to configure outbound traffic filters that specify or reduce the type of traffic that initiates dial connections. For example, you can use dial service actions to configure a dial-on-demand interface to exchange IP RIP and IPX RIP/SAP routing updates only when the router initiates connections for data transmission. This reduction in update-only traffic, called dial-optimized routing, prevents unnecessary connections and reduces line costs. See Configuring Dial Services for information about dial services such as dial-on-demand and dial-optimized routing. Chapter 5: Specifying Common Criterion Ranges. For every inbound or outbound traffic filter criterion, you must specify a valid range: a series of target values appropriate for the criterion. For many criteria, you specify an address range. This chapter explains how to specify common address ranges and lists v
22. Chapter 2. Displaying the Priority Outbound Filters Window: You must complete the following tasks to configure outbound traffic filters on an interface. First, add the Protocol Priority protocol if it is not already enabled. On circuits configured with Frame Relay or PPP, protocol prioritization is enabled by default. Otherwise, you must enable protocol prioritization the first time you configure outbound traffic filters. Second, display the Configuration Manager Priority Outbound Filters window. To display the Priority Outbound Filters window and, if necessary, enable protocol prioritization (Site Manager Procedure: You do this / System responds): 1. Display the Configuration Manager window. 2. Click on the circuit interface connector (for example, COM1, XCVR2). For Ethernet, FDDI, HSSI, synchronous, or token ring interfaces, the Edit Connector window opens. For MCE1 or MCT1 interfaces, the Logical Lines window opens. 3. Click on Edit Circuit (or, for MCE1/MCT1, click on Circuit). The Circuit Definition window opens; the circuit you selected is highlighted. 4. If Protocol Priority appears in the Protocols field, go to step 7; otherwise, choose Protocols > Add/Delete. The Select Protocols window opens. 5. Select Protocol Priority from the list of protocols. The Protocol Priority option is located near the bottom of the list. 6. Click on OK. The Circuit Definition wind
23. Criterion Name Field (bits) Ethernet Ethernet Type 802.2 LLC Length 16 Ethernet 802.3 and PPP. User-Defined Transparent Bridge Criteria: You can create bridge traffic filters with user-defined criteria by specifying an offset and length to these supported reference fields. MAC: Points to the first byte of the MAC Destination Address. DATA_LINK: Points to the first byte of the DATA_LINK reference field. Transparent Bridge Actions: In addition to the Accept, Drop, and Log actions that are common to all inbound traffic filters, there are two transparent bridge actions. Flood: Specifies that any frame that matches the filter will be forwarded to all transparent bridge circuits except for the circuit from which it was received. Forward to Circuit List: Specifies that any frame that matches the filter will be forwarded to the specified circuits. Note: The circuit names that you specify for the Forward to Circuits action are case sensitive. For example, if the circuit name is E21 but you type e21, the filter will not be saved. You can specify the Log action with any of the other actions. However, you should specify the Log action only to record abnormal events; otherwise, the Events log will fill up with filtering messages, leaving no room for critical log messages.
24. Use the following descriptions as guidelines when you edit parameters in the Edit Protocol Priority Interface window. Parameter: Enable. Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface. Default: Enable. Options: Enable | Disable. Function: Toggles protocol prioritization on and off on this interface. If you set this parameter to Disable, all outbound traffic filters will be disabled on this interface. Setting this parameter to Disable is useful if you want to temporarily disable all outbound traffic filters rather than delete them. Instructions: Set to Disable if you want to temporarily disable all protocol prioritization activity on this interface. Set to Enable if you previously disabled protocol prioritization on this interface and now want to reenable it. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.2. Parameter: High Queue Size. Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface. Default: 20. Options: Any integer value. Function: Specifies the maximum number of packets in the High queue at any one time, regardless of packet size. Instructions: Accept the default or specify a new value. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.4.
25. Interface to obtain the value of the wfVinesIfEntry wfVinesIfAdr MIB object.

Specifying Source and Destination SAP Code Ranges

Table 5-3 lists some common SAP codes. The SAP code consists of a 7-bit SAP address and a 1-bit Command/Response field.

Table 5-3. SAP Codes
[Table rows not recoverable; surviving descriptions: ISO Network Layer, LLC Broadcast]
a. The Command/Response bit makes the 0x00 byte look like 0x01.

Use these values to specify a range for any Source or Destination SAP traffic filter criteria.

Specifying Frame Relay NLPID Ranges

Table 5-4 lists some common Frame Relay network layer protocol ID (NLPID) values. You use these values to specify ranges for NLPID criteria in an outbound traffic filter.

Table 5-4. Frame Relay NLPIDs
[Table rows not recoverable]
a. Use this value only to specify ranges for the criterion selected by choosing Criteria > Add > IP > Frame Relay > NLPID on the Create Priority Outbound Template window. Do not use a data link criterion to specify IP traffic.

Specifying PPP Protocol ID Ranges

Table 5-5 lists some common PPP protocol ID values. See RFC 1700 for a complete list. You use these values to specify ranges for Protocol ID criteria in an outbound traffic filter.

Table 5-5. PPP Protocol IDs
[Table rows not recoverable; surviving entry: 0033, Stream Protocol (ST2)]
a. Use this value only to specify ranges for the criterion selected by choosing Crit
26. Path: Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
Default: 20 percent
Options: 0 to 100 percent
Function: If you select the bandwidth allocation dequeuing algorithm, this parameter specifies the percentage of the synchronous line's bandwidth allocated to normal-priority traffic.
Instructions: Specify the percentage of the line's bandwidth allocated to normal-priority traffic. The High Queue, Normal Queue, and Low Queue values must total 100.
MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.26

Parameter: Low Queue Percent Bandwidth
Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
Default: 10 percent
Options: 0 to 100 percent
Function: If you select the bandwidth allocation dequeuing algorithm, this parameter specifies the percentage of the synchronous line's bandwidth allocated to low-priority traffic.
Instructions: Specify the percentage of the line's bandwidth allocated to low-priority traffic. The High Queue, Normal Queue, and Low Queue Percent Bandwidth values must total 100.
MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.26

Parameter: Discard Eligible Bit Low
Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
Default: ENABLE
Options: ENABLE
27. [Table of contents fragment; recoverable entries only]
Networks Customer Service
Chapter 1 Using Traffic Filters
  Inbound Traffic Filters
  What Is Protocol Prioritization?
  Filtering Strategies
  Criteria
    Predefined Criteria
    User-Defined Criteria
  Summary of Traffic Filter Support
Chapter 2 Using Protocol Prioritization Queues
  About Protocol Prioritization
28. Monitoring Protocol Prioritization Statistics

To monitor and manage protocol prioritization, you use the Statistics Manager to view statistics in the MIB object group wfApplication wfDatalink wfProtocolPriorityGroup. For information about using the Statistics Manager to view MIB objects and create custom screen reports, see Configuring and Managing Routers with Site Manager.

To determine whether there are enough buffers in each priority queue for the traffic flow on your network, use the Statistics Manager to examine the following protocol prioritization statistics:

• High Water Packets Mark: The greatest number of packets that have been in each queue.
• Clipped Packets Count: The number of packets that have been discarded from each queue. The router discards packets from priority queues that become full.

Note: To determine whether statistics reflect a transient event, you may want to reset the statistics and check again later before changing the priority queuing configuration. You can reset the High Water Packets Mark using the Configuration Manager Edit Protocol Priority Interface window. You can reset both the Clipped Packets Count and High Water Packets Mark using the Statistics Manager.

Generally, if a queue's Clipped Packets Count is high and the High Water Packets Mark is close to its queue size, that queue does not have enough buffers.

Chapter 3 Inbound Traffic Filter Crite
29. World Wide Web at support.baynetworks.com.

How to Get Help

If you purchased a service contract for your Bay Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Solutions Centers:

Technical Solutions Center | Telephone number | Fax number
Billerica, MA | 800 2LANWAN | 508 916 3514
Santa Clara, CA | 800 2LANWAN | 408 495 1188
Valbonne, France | 33 4 92 96 69 68 | 33 4 92 96 69 98
Sydney, Australia | 61 2 9927 8800 | 61 2 9927 8811
Tokyo, Japan | 81 3 5402 0180 | 81 3 5402 0173

Chapter 1 Using Traffic Filters

This chapter describes concepts and terms to help you understand and plan for traffic filter configurations on Bay Networks routers:

• What Are Traffic Filters?
• What Is Protocol Prioritization?

What Are Traffic Filters?

Traffic filters are router files that instruct an interface to selectively handle specified network traffic (packets, frames, or datagrams). You determine which packets receive special handling based on information fields in the packet headers. Using traffic filters, you can reduce network congestion and control access to network resources by blocking, forwarding, logging, or prioritizing specified traffic on an interface.

Note
30. and ranges, the router sends an entry to the system Events log. You can specify the Log action in combination with other actions.

• Detailed Log: For every packet that matches the filter criteria and ranges, the router adds a more detailed entry to the system Events log, containing IP header information.

Note: Specify the Log actions to record abnormal events only; otherwise, the Events log will fill up with filtering messages, leaving no room for critical log messages.

Prioritizing Actions

You can apply the following actions to outbound traffic filters for WAN protocols:

• High: Directs packets that match the filter criteria and ranges to the High queue.
• Low: Directs packets that match the filter criteria and ranges to the Low queue.
• Length: Uses the length of packets to determine the priority queue.

Outbound traffic filters with a prioritizing action are called priority filters.

Note: You can apply prioritizing actions only to MCE1, MCT1, and synchronous interfaces. The Configuration Manager does not support priority filters on the LAN interfaces.

See Chapter 2 for detailed information about protocol prioritization.

Dial Service Actions

You can apply the following actions to outbound traffic filters for interfaces configured as dial-up lines:

• No Call: Packets that match the filter criteria and ranges are dropped and do not initiate a dial connection
31. [Table of contents fragment; recoverable entries only]
  User-Defined SRB Criteria
DECnet Phase IV Criteria and Actions
  User-Defined DECnet Criteria
DLSw Criteria and Actions
  Predefined DLSw Criteria
  User-Defined DLSw Criteria
  Predefined IP Criteria
  User-Defined IP Criteria
IPX Criteria and Actions
  Predefined IPX Criteria
  User-Defined IPX Criteria
  User-Defined LLC2 Criteria
33. empty the priority queues to transmit traffic. Generally, the router transmits higher-priority traffic first. Other configurable values in the protocol prioritization scheme also affect the transmission of traffic. Two of these values are the maximum size of the queue (queue depth) and the line delay (latency), described in "Tuning Protocol Prioritization" later in this chapter.

Protocol prioritization is considered an outbound filter mechanism for these reasons:

• You use outbound traffic filters to specify how traffic is prioritized.
• Priority queues affect the sequence in which data leaves an interface; they do not affect traffic as it arrives at the router.

Outbound traffic filters include prioritizing actions for specifying priority queues. See "Prioritizing Actions" in Chapter 4.

The following sections describe how the router prioritizes traffic into queues and the options for dequeuing:

• Priority Queuing
• The Dequeuing Process

Priority Queuing

With protocol prioritization enabled on an interface, the router sends each packet leaving an interface to one of three priority queues:

• High queue
• Normal queue
• Low queue

The router automatically queues packets that do not match a priority filter to the Normal queue. To send traffic to the other queues, you create outbound traffic filters that include a prioritizing action. These are called priority filters.
34. name has exactly 15 characters.

See Chapter 5 for information about specifying SAP and MAC address criteria.

User-Defined SRB Criteria

In addition to the predefined filter criteria, you can create SRB inbound traffic filters with user-defined criteria by specifying an offset and length to these reference fields in the SRB header:

NEXT_RING: Points to the first byte of the NEXT_RING reference field.
HEADER_START: Points to the first byte of the Destination MAC Address.
DATA_LINK: Points to the first byte of the DATA_LINK reference field.

SRB Actions

In addition to the Accept, Drop, and Log actions common to all inbound traffic filters, there are two SRB actions:

• Direct IP Explorers: Specifies that any explorer frame that matches the filter will be sent to some number of IP addresses. You must specify these IP addresses. For this action to work, IP encapsulation must be configured on the filter's interface. If IP encapsulation is not configured and a frame matches the filter, the frame will be flooded as if no filter exists.
• Forward to Circuits: Specifies that any frame that matches the filter will be forwarded to some number of circuits on the same router. You must specify these circuits.

Note: The circuit names that you specify for the Forward to Circuits action are case sensitive. For example, if the circuit name is E21 but you type e21, the filter wil
35. particular interface, you first display the Filters window for the protocol you are filtering.

To display the Filters window for all protocols except DLSw:

Site Manager Procedure
1. Display the Configuration Manager window.
2. Click on the circuit interface connector (for example, COM1, XCVR2). System responds: The Edit Connector window opens.
3. Click on Edit Circuit. System responds: The Circuit Definition window opens; the circuit you selected is highlighted.
4. Choose Protocols > Edit protocol > Traffic Filters. System responds: The Filters window for the selected circuit and protocol opens (Figure 6-1). The menu path to the Filters window is protocol specific.

To display the Filters window for DLSw:

Site Manager Procedure
1. Display the Configuration Manager window.
2. Choose Protocols > DLSw > Traffic Filters Inbound. System responds: The DLS Filters window opens.

Although the Filters window is protocol specific, you use it the same way for all protocols. Figure 6-1 shows the Bridge Filters window.

[Figure 6-1. Inbound Traffic Filters Window]

Preparing Inbound Traffic Filter Templates

To add an inbound traffic filter to a router interface, you apply a protocol-specific traffic filter template to the circuit. However, you do not always need to create a templa
36. parties from whom Bay Networks has acquired license rights. Bay Networks will not grant any Software license whatsoever, either explicitly or implicitly, except by acceptance of an order for either Software or for a Bay Networks product ("Equipment") that is packaged with Software. Each such license is subject to the following restrictions:

1. Upon delivery of the Software, Bay Networks grants to licensee a personal, nontransferable, nonexclusive license to use the Software with the Equipment with which or for which it was originally acquired, including use at any of licensee's facilities to which the Equipment may be transferred, for the useful life of the Equipment unless earlier terminated by default or cancellation. Use of the Software shall be limited to such Equipment and to such facility. Software which is licensed for use on hardware not offered by Bay Networks is not subject to restricted use on any Equipment; however, unless otherwise specified on the Documentation, each licensed copy of such Software may only be installed on one hardware item at any time.

Licensee may use the Software with backup Equipment only if the Equipment with which or for which it was acquired is inoperative.

Licensee may make a single copy of the Software (but not firmware) for safekeeping (archives) or backup purposes.

Licensee may modify Software (but not firmware), or combine it with other software, subject to the provision that those portions of the res
37. regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Trademarks of Bay Networks, Inc.

ACE, AFN, AN, BCN, BLN, BN, BNX, CN, FN, FRE, GAME, LN, Optivity, PPX, Bay Networks, SynOptics, SynOptics Communications, Wellfleet and the Wellfleet logo are registered trademarks and Advanced Remote Node, ANH, ARN, ASN, Bay•SIS, BayStack, BayStream, BCNX, BLNX, EZ Install, EZ Internetwork, EZ LAN, IP AutoLearn, PathMan, PhonePlus, Quick2Config, RouterMan, SN, SPEX, Switch Node, Bay Networks Press, the Bay Networks logo and the SynOptics logo are trademarks of Bay Networks, Inc.

Third-Party Trademarks

All other trademarks and registered trademarks are the property of their respective owners.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the right to make changes to the products described in this document without notice. Bay Networks, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product are Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and
38. the Log action in combination with other actions.

Note: Specify the Log action only to record abnormal events; otherwise, the Events log will fill up with filtering messages, leaving no room for critical log messages.

Table 1-3 lists additional protocol-specific actions for inbound traffic filters. See Chapter 3 for more information.

Table 1-3. Inbound Traffic Filter Actions
[Table flattened in extraction; surviving entries in order]
All protocols
Transparent bridge: Flood; Forward to Circuit List
Native SRB: Direct IP Explorers; Forward to Circuits
(protocol label not recoverable): Forward to Next Hop; Drop If Next Hop Is Unreachable; Forward to IP Address; Forward to Next Hop Interface; Forward to First Up Next Hop Interface; Detailed Logging

Table 1-4 lists the actions for outbound traffic filters. See Chapter 4 for more information.

Table 1-4. Outbound Traffic Filter Actions
[Table flattened in extraction; column headings: Filtering Actions, Prioritizing Actions (a), Dial Service Actions; surviving entry: Detailed Log]
a. Outbound traffic filters with a prioritizing action are sometimes called priority filters.

Except for the log actions, inbound and outbound traffic filter actions are mutually exclusive; you can only apply one action to each filter.

Using Filter Templates

When you create traffic filters, it is important to understand the difference between a traffic filter template and an actual traffic filter. A traffic filter template is a reusable pred
39. window opens (Figure 7-6).
3. Add or delete predefined criteria, ranges, and actions (Table 7-1).
4. Click on OK. System responds: The Filter Template Management window opens.
5. Click on Done. System responds: The Priority Outbound Filters window opens (Figure 7-2).

Table 7-1 describes how to add, delete, or modify predefined criteria, ranges, and actions in the Edit Priority Outbound Template window (Figure 7-6). To add a user-defined criterion, see "Specifying User-Defined Criteria" later in this chapter. To add the Length action, see "Specifying Prioritization Length" earlier in this chapter.

[Figure 7-6. Edit Priority Outbound Template Window]

Table 7-1. Using the Edit Priority Outbound Template Window

Add a criterion
  1. Choose Criteria > Add > criterion. The Add Range window opens.
  2. Type a range in the Minimum value and Maximum value fields, then click on OK.
  Notes: A template can have only one criterion. You must specify at least one range in a template.

Delete a criterion
  1. Select the criterion to delete in the Filter Information field.
  2. Click on Delete. The Delete Criteria window opens.
  3. Click on Delete.
  Notes: A template must have a criterion. Specify a new criterion after deleting one.

Add a range
  1. Select the criterion in the Filter Information field.
  Notes: You can add up to 100 ranges. If the range
40. [Table 5-8, Ethernet Type Codes, continued from a truncated row ending in "01"]

Description | Ethernet Type or Ethertype Code (0x)
Nixdorf | 0400
XNS IDP | 0600
XNS Address Translation | 0601 0800
X.25 | 0801
CHAOSnet | 0804
X.25 Level 3 | 0805
ARP | 0806
XNS | 0807
Symbolics | 081C
Xyplex | 0888 088A
UB Debugger | 0900
XNS Address Translation | 0A00 0A01

Table 5-8. Ethernet Type Codes (continued)

Description | Ethernet Type or Ethertype Code (0x)
Banyan VINES | 0BAD
DEC | 6000 6009
DEC MOP | 6001 6002 6003
DEC LAT | 6004
LAVC | 6007
3COM | 6010 6014
UB Download | 7000
UB NUI | 7001
UB Boot Broadcast | 7002
Proteon | 7030
Cabletron | 7034
Cronous | 8003 8004
HP Probe | 8005
Nestar | 8006
Excelan | 8010
Silicon Graphics | 8013 8014 8015
HP Apollo Native Ethernet | 8019

Table 5-8. Ethernet Type Codes (continued)
[Codes column mostly lost in extraction; surviving descriptions, in order: Spider Nixdorf Siemens Pacer Software Applitek Intergraph Harris 3M IBM SNA Retix Bridge Management AARP Shiva HP Apollo Symbolics Waterloo Software IPX over Frame Relay Novell DEC MOP XNS Bridge Comm Management 3Com; surviving codes: 809F 80A3]

Specifying IP Protocol ID and Type of Service Ranges

The Internet Protocol version 4 (IPv4) specifies an 8-bit Protocol field to identify the next-level protocol. Table 5-9 lists some common Protocol ID codes for
41. When configuring protocol prioritization on a synchronous interface on which you have configured a dial backup line, consider the following:

• If the primary line is running PPP and the line fails, the router automatically transfers all of the priority queues and outbound traffic filters you have configured on the primary line to the backup line.
• If the primary line is running a WAN protocol other than PPP and fails:
  - The router transfers IP outbound traffic filters to the backup line, regardless of which protocol was running on the primary line.
  - The router does not transfer data link protocol prioritization or outbound traffic filters to the backup line. You must manually configure new data link outbound traffic filters on the backup line after that line is activated.
• Be careful when configuring outbound traffic filters on a backup line. As soon as the primary line is reactivated, it uses the priority queues and filters you configured for the backup line. These priority queues and filters may be completely inappropriate for the protocol running on the primary line.

Using a Drop-All Filter as a Firewall

If your filtering strategy involves forwarding most traffic and dropping only specified packets, you need only configure filters with a drop action (Drop filters) for the traffic you want the router to reject. If your strategy involves blocking most traffic and a
42. [Table B-3 row, columns interleaved in extraction]
Filtering Goal: traffic leaving a particular synchronous interface in the High queue
Criteria Path: TCP Destination Port
Range: 2067. See Table 5-6 in Chapter 5 for a list of common TCP port ranges.
Action Path: Action > IP > Add > High Queue
Notes: This example shows how to give DLSw traffic priority over other protocols on the interface. To modify the priority of specific types of DLSw traffic at the TCP level, use DLSw protocol prioritization as described in Configuring DLSw Services.

Table B-3. Sample Criteria, Ranges, and Actions for Protocol Prioritization (continued)

Filtering Goal | Criteria Path
Place RIP traffic in the Low queue | Criteria > Add > IP > IP > UDP Destination Port
Place OSPF traffic in the High queue | Criteria > Add > IP > IP > Protocol Type
Place OSPF/BGP traffic in the High queue | Criteria > Add > IP > IP > Type of Service
Place Spanning Tree Protocol (STP) traffic in the High queue | Criteria > Add > Datalink > Source Routing > DSAP SSAP Control
Place synchronous pass-through traffic in the High queue | Criteria > Add > Datalink > 802.2 SNAP Ethernet
Prioritize FTP, Telnet, and other large-packet data traffic by placing smaller packets in the Low queue | Criteria > Add > IP > Source Address

Action Path: Action > IP > Add > Low Queue
43. Chapter 3 provides protocol-specific information for designing inbound traffic filters. Chapter 6 explains how to use the Configuration Manager to apply inbound traffic filters.

Outbound Traffic Filters

Outbound traffic filters act on packets that the router forwards to a local area network (LAN) or wide area network (WAN) through a particular interface. Most sites use outbound traffic filters to ensure timely delivery of critical data or to restrict traffic leaving the local network.

Outbound traffic filters are not based on a routing protocol, as are inbound traffic filters. When you configure outbound traffic filters, you specify a set of conditions that apply to the following packet headers:

• Data link control (DLC) header
• IP header

To use outbound traffic filters, you must select Protocol Priority as one of the configured protocols on an interface. Protocol Priority is enabled by default on circuits configured with Frame Relay or PPP. Otherwise, you must enable Protocol Priority the first time you configure outbound traffic filters on an interface.

Chapter 4 provides information for designing outbound traffic filters. Chapter 7 explains how to use the Configuration Manager to enable Protocol Priority and apply outbound traffic filters.

What Is Protocol Prioritization?

Protocol prioritization is an outbound traffic filter mechanism. With Protocol Priority enabled on an
44. [List of tables fragment; recoverable entries only]
Source and Destination TCP Ports
Source and Destination UDP Ports
Ethernet Type Codes
IP Protocol ID Codes
Table 5-10. IP Type of Service
Table 6-1. Using the Edit Template Window
Table 6-2. Using the Edit Filters Window
Table 7-1. Using the Edit Priority Outbound Template Window
Table 7-2. Using the Edit Priority Outbound Filters Window
Table B-1. Predefined Criteria, Ranges, and Actions for Sample Inbound Traffic Filters
Table B-2. User-Defined Criteria and Ranges for Sample Inbound Traffic Filters
Table B-3. Sample Criteria, Ranges, and Actions for Protocol Prioritization

About This Guide

If you are responsible for configuring traffic filters to filter and prioritize router traffic, you need to read this guide.

• Chapter 1: Learn about traffic filter concepts and procedures
• Chapter 2: Learn about protocol prioritization concepts and set protocol prioritization configuration p
45. [Table B-3 continued; Range, Action Path, and Notes columns as extracted, in order]
Action Path: Action > IP > Add > High Queue
Action Path: Action > IP > Add > High Queue
Range: 0x42 DSAP or 0x03 Control code. Action Path: Action > Datalink > Add > High Queue
Range: 0x80FF. Action Path: Action > Datalink > Add > High Queue
Range: Client IP addresses. Action Path: Action > IP > Add > Length
Notes:
  See Table 5-7 in Chapter 5 for a list of common UDP port codes.
  See Table 5-9 in Chapter 5 for a list of common IP Protocol and Type codes.
  See Table 5-3 in Chapter 5 for a list of SAP codes.
  In the Prioritization Length window, specify: Packet Length: 500 bytes; Less Than or Equal Queue: Low; Greater Than Queue: High.

Implementation Notes

This section contains notes about the following:

• Filtering Outbound Frame Relay Traffic
• Filtering over a Dial Backup Line
• Using a Drop-All Filter as a Firewall
• Using Outbound Traffic Filters for LAN Protocols

Filtering Outbound Frame Relay Traffic

When creating outbound filters for Frame Relay traffic, keep in mind that Frame Relay packets in the Low queue have the discard eligible (DE) bit set by default. The DE bit is off by default in Frame Relay packets in the Normal and High queues. You can change the default setting of the DE bit for packets in the Low and Normal queues using the Edit Protocol Priority Interface window. See "Enabling Protocol Prioritization" in Chapter 2 for instructions.

Filtering over a Dial Backup Line
46. Click on Apply. System responds: The filter's action is now disabled or enabled.

Deleting an Inbound Traffic Filter

Deleting an inbound traffic filter permanently removes the filter from the circuit, but does not affect the template used to create the filter.

Note: Instead of deleting a filter, you may want to turn off the filter temporarily. You can do this by disabling the filter on a circuit. See "Enabling or Disabling an Inbound Traffic Filter" earlier in this chapter.

To delete an inbound traffic filter from a circuit:

Site Manager Procedure
1. Display the Filters window (Figure 6-1). See "Displaying the Inbound Traffic Filters Window."
2. Select the filter to delete. There is no confirmation of a filter deletion. Make sure you select a filter you want to delete.
3. Click on Delete. System responds: The filter no longer appears in the Filters window.

Specifying User-Defined Criteria

The Edit Filters window and Edit Template window provide a User-Defined criterion option for most protocols. The User-Defined option allows you to set up a user-defined criterion based on bit patterns in the packet header that are not supported in predefined criteria.

Adding user-defined criteria is similar to adding predefined criteria, except you must specify the criterion
47. Configuration Manager numbers them chronologically (1, 2, 3, and so on), as shown in Figure 6-8. The number determines the filter precedence; lower filter numbers have higher precedence.

If a packet matches two filters, the filter with the highest precedence (lowest number) applies. For example, if the first filter on the interface (1) accepts a packet and the second filter (2) drops the same packet, filter 1 has precedence and the interface accepts the packet.

Figure 6-8 shows how the Filters window displays the filters on an interface. The first filter listed has the highest precedence.

You should create filters on an interface in order of precedence. However, if you do not, or if your filtering strategy changes, you can use the Filters window to rearrange the precedence of existing filters.

[Figure 6-8. Filters Window Showing Filter Precedence]

To change the order of precedence for inbound traffic filters:

Site Manager Procedure
1. Display the Filters window (Figure 6-1).
2. Select the filter whose precedence you want to change.
3. Click on Reorder. System responds: The Change Precedence window opens (Figure 6-9).
4. Click on INSERT BEFORE or INSERT System responds: The selected filter's n
48. Configuring Traffic Filters and Protocol Prioritization

BayRS Version 12.00
Site Manager Software Version 6.00
Part No. 117348-A Rev. A
September 1997

Bay Networks
4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821

Copyright 1988-1997 Bay Networks, Inc. All rights reserved. Printed in the USA. September 1997.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Bay Networks, Inc.

The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document.

Restricted Rights Legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notice for All Other Executive Agencies

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government
49. Contents (continued)

Chapter 7 (continued):
  Editing a Template
  Creating an Outbound Traffic Filter
  Editing an Outbound Traffic Filter
  Enabling or Disabling an Outbound Traffic Filter
  Deleting an Outbound Traffic Filter
  Specifying User-Defined Criteria
  Changing Outbound Traffic Filter Precedence

Appendix A: Site Manager Protocol Prioritization Parameters
  Priority Interface Parameter Descriptions
  Prioritization Length Parameters

Appendix B: Examples and Implementation Notes
  Traffic Filter Example for Basic IP Network Security
  Inbound Traffic Filter Examples
  Protocol Prioritization Examples
  Creating an Outbound Traffic Filter
50. Contents (continued)

Chapter 6: Applying Inbound Traffic Filters
  Displaying the Inbound Traffic Filters Window
  Preparing Inbound Traffic Filter Templates
  Creating a Template
  Copying a Template
  Creating an Inbound Traffic Filter
  Enabling or Disabling an Inbound Traffic Filter
  Deleting an Inbound Traffic Filter
  Specifying User-Defined Criteria
  Changing Inbound Traffic Filter Precedence

Chapter 7: Applying Outbound Traffic Filters
  Displaying the Priority Outbound Filters Window
  Preparing Outbound Traffic Filter Templates
  Creating a Template
  Customizing Templates
51. Ethernet 10BASE T or 100BASE T FDDI a Ethernet 802 2 LLC LLC with SNAP and Novell encapsulations b Plus additional actions for transparent bridge SRB and IP filters see Chapter 3 c 802 2 LLC and LLC with SNAP encapsulations Transparent bridge DECnet IV DLSw IP IPX LLC2 OSI SRB XNS VINES Transparent bridge DECnet IV DLSw IP IPX LLC2 OSI SRB XNS VINES Transparent bridget DECnet IV DLSw IP IPX LLC2 OSI SRB XNS VINES Transparent bridge DECnet IV DLSw IP IPX LLC2 OSI SRB XNS VINES Transparent bridge DECnet IV DLSw IP IPX LLC2 OSI SRB XNS VINES Transparent bridge DECnet IV DLSw IP IPX LLC2 OSI SRB XNS VINES Transparent bridge DECnet IV DLSw IP IPX LLC2 OSI SRB XNS VINES Summary of Traffic Filter Support Protocol Criteria Supported Filter Actions Supported Transparent bridge IP SRB Transparent bridge IP SRB Transparent bridge IP SRB Transparent bridge Frame Relay IP PPP SRB Transparent bridge Frame Relay IP PPP SRB Transparent bridge Frame Relay IP PPP SRB Transparent bridge Frame Relay IP PPP SRB Accept Drop Log 9 Accept Drop Log t Accept Drop Log t Accept Drop Log t Accept Drop Log t Accept Drop Log Accept Drop Log Accept Drop Log Accept Drop Log Accept Drop Log High Queue Low Queue Length No Call No Reset Accept Drop L
52. IP traffic. Table 5-10 lists IP Type of Service codes. See RFC 1700 for information.

Table 5-9. IP Protocol ID Codes (columns: Description, Protocol ID Code in decimal)
  ICMP: Internet Control Message Packets
  IGP: Interior Gateway Protocol

Table 5-10. IP Type of Service Codes (columns: Description, Type of Service Code)
  111: Network Control
  Internetwork Control
  CRITIC/ECP
  Flash Override
  Flash
  Immediate
  Priority
  Routine

You use these codes to specify ranges for Protocol or Type of Service criteria in inbound or outbound IP traffic filters. Select these criteria as follows:

  - For an inbound traffic filter: In either the Create IP Template or Edit IP Filters window, choose Criteria > Add > IP > Type of Service Protocol ID.
  - For an outbound traffic filter: In either the Create Priority Outbound Template window or Edit Priority Outbound Filters window, choose Criteria > Add > IP > IP > Type of Service Protocol.

Chapter 6: Applying Inbound Traffic Filters

This chapter describes how to use the Configuration Manager to configure inbound traffic filters. To complete the procedures in this chapter, you must be familiar with protocol-specific filtering criteria and actions. See Chapter 3 for this information.

Displaying the Inbound Traffic Filters Window

To apply inbound traffic filters to a
53. Water Packets Mark is 20. This indicates that the High queue has been full at least once and that the router has discarded 226 packets. From this information, you can conclude that you have not assigned enough buffers to the High queue for the amount of high-priority traffic on this interface. To prevent additional high-priority traffic from being discarded, you can reconfigure the size of the queues or reevaluate the amount of traffic assigned to the High queue.

Reconfiguring Queue Size

Suppose that you now look at the statistics of the Normal and Low queues and find that the Low queue has a Clipped Packets Count of zero and a High Water Packets Mark of 06 (Figure 2-4). Therefore, you can conclude that there have never been more than six packets in the Low queue and the router has not discarded any low-priority packets.

  High queue: Queue Size 20, Clipped Packets Count 226, High Water Packets Mark 20
  Normal queue: Queue Size 20, Clipped Packets Count 0, High Water Packets Mark 10
  Low queue: Queue Size 20, Clipped Packets Count 0, High Water Packets Mark 06

[Figure 2-4. Priority Queue Statistics for the Queue Size Example]

In this case, you may choose to decrease the Low queue size to 10 and increase the High queue size to 30 (Figure 2-5).
54. affic filter permanently removes the filter from the circuit, but does not affect the template used to create the filter.

Note: Instead of deleting a filter, you may want to turn off the filter temporarily. You can do this by disabling the filter on a circuit. See "Enabling or Disabling an Outbound Traffic Filter" earlier in this chapter.

To delete an outbound traffic filter from a circuit (Site Manager procedure):

  1. Display the Priority Outbound Filters window (Figure 7-2).
  2. Select the filter to delete. There is no confirmation of a filter deletion. Make sure you select a filter you want to delete.
  3. Click on Delete. The filter no longer appears in the Priority Outbound Filters window.

Specifying User-Defined Criteria

The Edit Priority Outbound Filters window and Edit Priority Outbound Template window provide a User-Defined criterion option. The User-Defined option allows you to set up a user-defined criterion based on bit patterns in the packet's data link or IP header that are not supported in predefined criteria. Adding user-defined criteria is similar to adding predefined criteria, except you must specify the criterion's location in the packet. With predefined criteria, the locations are established. See Chapter 4 for the supported IP and data link header reference points you can use to spe
55. alid ranges.

Specifying MAC Address Ranges

When you create a traffic filter that includes a Source or Destination MAC Address criterion, you specify the MAC address range in either canonical format or most significant bit (MSB) format. Table 5-1 lists the MAC address formats.

Table 5-1. Format for Specifying MAC Addresses (columns: Address Type, Address Format)

For example, to drop the address 0x123456789ABC, specify the filter range in bit-swapped format: 0x482C6A1E593D.

The following sections provide information about specifying SRB source MAC addresses and functional MAC addresses.

SRB Source MAC Addresses

Consider the following when specifying source MAC addresses for SRB traffic filters:

  - Set the MSB to 1 by adding the First Bit Set MAC Address (0x800000000000) to the source MAC address. For example, to filter token ring packets with the source MAC address of 0x400037450440, first add 0x800000000000. Then specify the result, 0xC00037450440, as the criteria range.
  - If you use a sniffer to analyze packets for their source MAC address, keep in mind that the routing information indicator (RII) is set to 1 if the routing information field (RIF) is present and is set to 0 if there is no RIF. Bit 0 (the 0x80 bit of byte 0, the leftmost byte) is the RII bit, which indicates the presence of the RIF bit. For example, a sniffer decodes LAA with the first b
56. amples of using outbound traffic filters for protocol prioritization goals.

Table B-3. Sample Criteria, Ranges, and Actions for Protocol Prioritization

Filtering goal: Place LAT traffic in the High queue, since LAT is a time-sensitive protocol.
  Criteria path: Criteria > Add > Datalink > Datalink Type > Ethernet Type. Note: If this is a Frame Relay interface, specify SNAP instead of Ethernet Type.
  Range: 6004
  Action path: Action > Datalink > Add > High Queue
  Notes: See Table 5-8 in Chapter 5 for a list of common Ethernet Type codes.

Filtering goal: Place ICMP traffic in the Low queue. ICMP is not a time-sensitive protocol.
  Criteria path: Criteria > Add > IP > IP > Protocol
  Action path: Action > IP > Add > Low Queue
  Notes: See Table 5-9 in Chapter 5 for a list of common IP Protocol and Type codes.

Filtering goal: Place SNA traffic in the High queue.
  Criteria path: Criteria > Add > Datalink > Source Routing > DSAP. Note: To prioritize IP-encapsulated SNA traffic, choose Criteria > Add > IP > Source Routing > DSAP.
  Range: DSAP values 0x04 to 0x05, 0x08 to 0x09, 0x0c to 0x0d
  Action path: Action > Datalink > Add > High Queue. Note: To prioritize IP-encapsulated SNA traffic, choose Action > IP > Add > High Queue.
  Notes: You can also choose SSAP, Destination MAC Address, or Source MAC Address as the criteria. See Chapter 5 for information on specifying MAC address or SAP criteria ranges.

Filtering goal: Place all DLSw
  Criteria path: Criteria > Add > IP > IP >
  Range: 2065 to
57. an build user defined criterion. Figure 4-5 shows an example of where those reference points are located in a packet.

Table 4-4. IP Reference Points
  HEADER_START: Points to the first byte in the IP header.
  HEADER_END: Points to the first byte following the IP header.
  IP_WAN_HEADER_START: Points to the beginning of the header (beginning of the packet) for PPP and Frame Relay packets.
  IP_WAN_HEADER_END: Points to the first byte following the DLCI in a Frame Relay packet and the first byte following the protocol ID in a PPP packet.
  IP_SR_START: Points to the beginning of the SRB packet, which is the high-order byte of the destination address.
  IP_SR_DATA_LINK: Points to the first byte following the RIF.

[Figure 4-5. IP Reference Points in an IP-Encapsulated SRB Packet Bridged over PPP]

Selecting Actions

For outbound traffic filters, you can specify different types of actions:

  - Filtering Actions
  - Prioritizing Actions
  - Dial Service Actions

Filtering Actions

You can apply the following actions to an outbound traffic filter:

  - Accept: The router processes any packet that matches the filter criteria and ranges.
  - Drop: The router does not route any packet that matches the filter criteria and ranges.
  - Log: For every packet that matches the filter criteria
58. arameters

  Select inbound traffic filter criteria and actions: Chapter 3
  Select outbound traffic filter criteria and actions: Chapter 4
  Select ranges for inbound and outbound traffic filter criteria: Chapter 5
  Use the Configuration Manager to create inbound traffic filters: Chapter 6
  Use the Configuration Manager to create outbound traffic filters: Chapter 7
  Obtain information about Site Manager parameters (this is the same information you obtain using Site Manager online Help): Appendix A
  Review configuration examples and implementation notes: Appendix B

Before You Begin

Before using this guide, make sure that you are running the latest version of Bay Networks Site Manager and router software. For instructions, see Upgrading Routers from Version 7-11.xx to Version 12.00.

For a new router, you must first complete the following procedures:

  1. Install the router (see the installation manual that came with your router).
  2. Connect the router to the network and create a customized configuration file (see Quick-Starting Routers, Configuring BayStack Remote Access, or Connecting ASN Routers to a Network).

Conventions

The guide defines conventions for bold text, brackets, italic text, quotation marks, screen text, the separator (>), and the vertical line (|).

  bold text: Indicates text that you need to enter, command names, and buttons in menu paths. Example: Enter wfsm &. Example: Use the di
59. ated 14 May 1991, as may be amended from time to time, shall apply for interoperability purposes. Licensee must notify Bay Networks in writing of any such intended examination of the Software, and Bay Networks may provide review and assistance.

Notwithstanding any foregoing terms to the contrary, if licensee licenses the Bay Networks product "Site Manager," licensee may duplicate and install the Site Manager product as specified in the Documentation. This right is granted solely as necessary for use of Site Manager on hardware installed with licensee's network.

This license will automatically terminate upon improper handling of Software, such as by disclosure, or Bay Networks may terminate this license by written notice to licensee if licensee fails to comply with any of the material provisions of this license and fails to cure such failure within thirty (30) days after the receipt of written notice from Bay Networks. Upon termination of this license, licensee shall discontinue all use of the Software and return the Software and Documentation, including all copies, to Bay Networks. Licensee's obligations under this license shall survive expiration or termination of this license.

Contents
  About This Guide
  Ordering Bay Networks Publications
  Bay
60. based on specified bit patterns in the IPX header.

Predefined IPX Criteria

Table 3-7 lists the predefined criteria for IPX inbound traffic filters and the reference field, offset, and length for each criterion.

Table 3-7. Predefined Criteria for IPX Inbound Traffic Filters
  Destination Address: reference field IPX_BASE

User-Defined IPX Criteria

In addition to the predefined filter criteria, you can create traffic filters with user-defined criteria by specifying an offset and length to this reference field in the IPX header:

  IPX_BASE: Points to the first byte in the IPX header.

IPX Actions

The IPX filtering actions are Accept, Drop, and Log.

LLC2 Criteria and Actions

You can filter inbound LLC2 traffic based on specified bit patterns in the LLC2 header. Adding an IBM protocol to a circuit automatically adds LLC2. LLC2 traffic filters apply to LLC2 routed over Frame Relay (also known as native SNA over Frame Relay) and to any protocol running over LLC2, including Advanced Peer-to-Peer Networking (APPN) and LAN Network Manager (LNM).

Predefined LLC2 Criteria

Table 3-8 lists the predefined criteria for LLC2 inbound traffic filters and the reference field, offset, and length for each criterion.

Table 3-8. Predefined Criteria for LLC2 Inbound Traffic Filters (columns: Criterion Name, Reference Field, Offset, Length)
  Destination MAC Addres
61. bound IP traffic filters to limit services to specific IP source and destination addresses. "Inbound Traffic Filter Examples," later in this appendix, provides an example of allowing only a specified subset of Telnet, TFTP, and FTP users.

To create an inbound IP traffic filter that prevents access to a network through TCP and UDP ports (Site Manager procedure):

  1. In the Site Manager main window, choose Tools > Configuration Manager > Remote Dynamic Local > config file. The Configuration Manager window
  2. Click on the connector for the configured IP circuit (for example, COM2). The Edit Connector window opens.
  3. Click on Edit Circuit. The Circuit Definition window opens; the circuit you selected is highlighted.
  4. Choose Protocols > Edit IP > Traffic Filters. The IP Filters window opens.
  5. Click on Template. The Filter Template Management window opens.
  6. Click on Create. The Create IP Filter Template window opens.
  7. Specify a descriptive name in the Filter Name field (for example, accepted).
  8. Choose Criteria > Add > TCP or UDP Frame > TCP or UDP Source Port. The Add Range window opens.
  9. Type 0 in the Minimum value field and 9999 in the Maximum value field, then click on OK. The Add Range window closes. The criterion and range now appear in the Filter Information field of the Create IP Filter Template w
62. by applying a filter template to an interface.

Note: You should create the filters on an interface in order of precedence. The first filter you create has the highest precedence and a rule number of 1. Subsequent filters that you create have lower precedence. For more information, see "Changing Outbound Traffic Filter Precedence" later in this chapter.

To create an outbound traffic filter (Site Manager procedure):

  1. Display the Priority Outbound Filters window (Figure 7-2).
  2. Click on Create. The Create Filter window opens (Figure 7-7).
  3. Select a circuit in the Interfaces field.
  4. Select a template in the Templates field. If the Templates field is empty, complete the steps in "Preparing Outbound Traffic Filter Templates."
  5. In the Filter Name field, specify a name for the new filter. It can be helpful to include the circuit name to differentiate the template from the filter. For example, specify Drop_Telnet_S42 as the name of a filter that drops outbound Telnet traffic on the synchronous circuit S42. For priority filters, include the queue name. For example, specify SRB_DSAP_hiQ as the name of a filter that places SRB traffic of a certain DSAP range in the High queue.
  6. Click on OK. The Priority Outbound Filters window opens.

[Figure 7-7. Create Filter Window]

Editing an Outbound Traffic F
63. c you want to drop.

Note: Drop filters are generally more efficient than Accept filters.

For example, to prevent all NetBIOS traffic from entering a particular LAN segment, you can create an inbound traffic filter to drop all packets with a destination or source SAP code of F0.

Prioritize Traffic

You can use protocol prioritization to expedite traffic coming from a particular source or going to a particular destination. When a router treats all packets equally, there is no way to ensure consistent network services for users who are working with real-time applications. Bulk transfer applications use too much of the available bandwidth and reduce interactive response time. These problems are especially noticeable on low-speed WAN interfaces. You can also improve application response time and prevent session timeouts by implementing protocol prioritization.

Combine Filters

On most interfaces, you can apply as many as 31 inbound and 31 outbound traffic filters for each protocol. You can configure IP interfaces to support as many as 127 inbound traffic filters. As you add filters to an interface, the Configuration Manager numbers them chronologically: Filter No. 1, Filter No. 2, Filter No. 3, and so on. The filter rule number determines the filter's precedence. Lower numbers have higher precedence; Filter No. 1 has the highest precedence. If a packet matches two filters, the filter with the hig
64. ccepting only specified packets, begin by defining filters to accept specified packets (Accept filters). Then add a filter on the interface to drop all packets (a Drop-all filter). A Drop-all filter describes the broadest range of packets you want to block from an interface. To ensure that all unwanted traffic is dropped, configure the Drop-all filter to contain:

  - Criteria that appears in every packet of the protocol you want to filter
  - The maximum value of the range
  - The minimum value of the range

With a Drop-all filter, higher-precedence Accept filters create exceptions, or holes, in the drop-all range. Since the highest-precedence filter in a given address range determines the result of combined filtering within that range, the router will process packets that match the Accept filters. However, the Drop-all filter ensures that the router rejects all other traffic.

For example, to configure a circuit that only accepts IP traffic addressed for destination address 192.32.28.55, apply a Drop-all filter and one Accept filter as follows:

  Filter action: Accept. Rule number: 1 (highest precedence). Start of range: 192.32.28.55. End of range: 192.32.28.55.
  Filter action: Drop. Rule number: 2 (lower precedence). Start of range: 0.0.0.0. End of range: 255.255.255.255.

See "Changing Filter Precedence" in Chapter 6 (inbound traffic filters) or Chapter 7 (outbound traffic filters) for information about using the Configuration Manager to change filter precedence after filters have been applied to an interface.
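The precedence rule and the Drop-all example above, modelled as an added example in Python (not code from the manual or from Bay Networks): it evaluates a packet against precedence-ordered filters and flags filters that can never take effect after a reorder. The filter names, the Accept default for packets that match no filter, and the single-covering-filter shadow check are assumptions of this sketch.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

ACCEPT, DROP = "Accept", "Drop"


@dataclass(frozen=True)
class Filter:
    rule: int             # rule number: lower number = higher precedence
    name: str             # hypothetical filter name
    action: str           # ACCEPT or DROP
    lo: IPv4Address       # start of the destination-address range
    hi: IPv4Address       # end of the destination-address range
    enabled: bool = True  # a disabled filter stays configured but is ignored


def make(rule, name, action, lo, hi, enabled=True):
    """Build a Filter from dotted-quad strings."""
    return Filter(rule, name, action, IPv4Address(lo), IPv4Address(hi), enabled)


def decide(filters, dst, default=ACCEPT):
    """Return (action, rule) of the highest-precedence enabled filter that
    matches dst. The default for unmatched packets is an assumption."""
    dst = IPv4Address(dst)
    for f in sorted(filters, key=lambda f: f.rule):
        if f.enabled and f.lo <= dst <= f.hi:
            return f.action, f.rule
    return default, None


def shadowed(filters):
    """Names of enabled filters whose whole range is covered by one enabled
    filter of higher precedence, so they never decide any packet.
    Coverage by a union of several filters is not checked here."""
    active = sorted((f for f in filters if f.enabled), key=lambda f: f.rule)
    return [f.name for i, f in enumerate(active)
            if any(g.lo <= f.lo and f.hi <= g.hi for g in active[:i])]


def reorder(filters, names):
    """Renumber filters 1..n in the given order of names, which is the
    effect a precedence change has on the rule numbers."""
    by_name = {f.name: f for f in filters}
    return [replace(by_name[n], rule=i) for i, n in enumerate(names, 1)]


# The manual's example: one Accept filter above a Drop-all filter.
INTENDED = [
    make(1, "accept_host", ACCEPT, "192.32.28.55", "192.32.28.55"),
    make(2, "drop_all", DROP, "0.0.0.0", "255.255.255.255"),
]
# The same two filters with the Drop-all filter moved to rule 1.
REVERSED = reorder(INTENDED, ["drop_all", "accept_host"])

if __name__ == "__main__":
    for label, cfg in (("intended", INTENDED), ("reversed", REVERSED)):
        for dst in ("192.32.28.55", "10.1.2.3"):
            print(label, dst, decide(cfg, dst))
        print(label, "shadowed filters:", shadowed(cfg))
```

Running the shadow check after every precedence change catches the case where a Drop-all filter has been moved above the Accept filters it was meant to sit beneath.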
65. cify user defined criteria for outbound traffic filters.

To add a user-defined criterion (Site Manager procedure):

  1. Display the Edit Priority Outbound Template window (Figure 7-6) or Edit Priority Outbound Filters window (Figure 7-8).
  2. Choose Criteria > User Defined. The Add User Defined Field window opens (Figure 7-9).
  3. In the REF field, choose the header reference point.
  4. In the OFFSET field, specify a bit offset from the reference point.
  5. In the LENGTH field, specify the length of the criterion.
  6. In the Minimum value and Maximum value fields, specify a range for the criterion.
  7. Click on OK. The Edit Priority Outbound Template window or Edit Priority Outbound Filters window opens.
  8. Continue editing the template or filter. See Table 7-1, "Using the Edit Priority Outbound Template Window," or Table 7-2, "Using the Edit Priority Outbound Filters Window."

[Figure 7-9. Add User Defined Field Window]

Changing Outbound Traffic Filter Precedence

You can assign as many as 31 outbound traffic filters based on data link criteria to each interface. As you add filters to an interface, the Configuration Manager numbers them chronologically (1, 2, and so on) and adds an IP or data link (DL) prefix, as shown in Figure 7-10. The number determines the f
66. criterion criterion Range window opens.
  2. Type a range in the Minimum value and Maximum value fields, then click on OK.
  Notes: You must specify at least one range for the criterion.

Task: Delete a criterion
  1. Select the criterion to delete in the Filter Information field.
  2. Click on Delete. The Delete Criteria window opens.
  3. Click on Delete.
  Notes: A filter must have a criterion. Specify a new criterion after deleting one.

Task: Add a range
  1. Select the criterion in the Filter Information field.
  2. Click on Add. The Add Range window opens.
  3. Type a range in the Minimum value and Maximum value fields, then click on OK.
  Notes: You can add up to 100 ranges. If the range consists of a single value, type the value in the Minimum value field only. Use the prefix 0x to specify a hexadecimal number. Zero is not a valid entry.

Task: Modify a range
  1. Select the range to modify in the Filter Information field.
  2. Click on Modify.
  3. Type new values in the Range Min and Range Max fields.
  Notes: Ranges are listed below the criterion in the Filter Information field. Selected ranges appear in the Range Min and Max fields at the bottom of the Edit Priority Outbound Filters window.

Task: Delete a range
  1. Select the range to delete in the Filter Information field.
  2. Click on Delete. The Delete Range window opens.
  3. Click on Delete.
  Notes: You must specify at least one range for each criterion.

Task: Add an action
  1. Choose Action > Add > action.
  Notes: With the exception of the Log action, each filter has only one action.
67. Task: Delete an action
  1. Select an action in the Filter Information field.
  2. Click on Delete. The Delete Action window opens.
  3. Click on Delete.
  Notes: You must specify at least one action in a filter.

Task: Apply changes
  1. Click on OK. The Priority Outbound Filters window opens.
  2. Click on Apply.
  Notes: Be sure you have specified only one criterion, only one action, and at most 100 ranges.

Enabling or Disabling an Outbound Traffic Filter

There may be times when you want to turn off a filter temporarily. Instead of deleting a filter from a circuit, you can disable the filter and then reenable it later.

To disable or reenable an outbound traffic filter (Site Manager procedure):

  1. Display the Priority Outbound Filters window (Figure 7-2).
  2. Select the filter to disable or enable. The Filter Enable and Filter Name fields show the current status of the selected filter.
  3. Click on Values. The Values Selection window opens.
  4. To disable the filter, select Disabled. To enable the filter, select Enabled.
  5. Click on OK. The Values Selection window closes. The Filter Enable field in the Priority Outbound Filters window indicates the change.
  6. Click on Apply. The filter's action is now disabled or enabled.

Deleting an Outbound Traffic Filter

Deleting an outbound tr
68. d Actions

Source Route Bridging Criteria and Actions

You filter inbound source route bridging (SRB) traffic based on specified bit patterns in the native SRB frame header. IP-encapsulated SRB traffic filters are not supported. SRB filters affect both explorer and routed frames. However, filters that include Next Ring as a criterion affect only routed frames, because the Next Ring reference field does not appear in explorer frames. See Configuring Bridging Services for information about explorer and routed frames.

Note: The router applies SRB filters after it processes a packet. The router receives the packet on the incoming interface and updates the routing information field (RIF). The filters that you configure then act on the updated RIF.

Predefined SRB Criteria

Table 3-3 lists the predefined criteria for SRB inbound traffic filters and the reference field, offset, and length for each SRB criterion.

Table 3-3. Predefined Criteria for SRB Inbound Traffic Filters (lengths in bits)
  Destination MAC Address: reference field HHEADER_START, length 48
  Source MAC Address: length 48
  Destination NetBIOS Name: length 120
  Source NetBIOS Name: offset 248, length 120

Specifying an SRB Criterion Range

If you create an SRB filter that includes a Source or Destination NetBIOS Name criterion, you type the NetBIOS name as the ASCII equivalent of the first 15 characters of the name. If the name has fewer than 15 characters, use ASCII spaces (0x20) to ensure that the
69. d Traffic Filter Criteria (columns: Traffic Type, Predefined Outbound Filter Criteria)

  IP header:
    Type of Service; Priority_IP Address (Source and/or Destination); UDP Port (Source and/or Destination); TCP Port (Source and/or Destination); Established TCP; Protocol Type
    Native SRB: SSAP; Destination Address; Source Address
    Frame Relay: 2-byte DLCI; 3-byte DLCI; 4-byte DLCI; NLPID

Table 1-2. Predefined Outbound Traffic Filter Criteria (continued)

  Data link header:
    Transparent bridge: MAC Address (Source or Destination); Data Link Type; Ethernet Type; Novell; 802.2 Length; 802.2 DSAP; 802.2 SSAP; 802.2 Control; 802.2 SNAP Length; 802.2 SNAP Protocol ID; 802.2 SNAP Ethernet Type
    Native SRB: SSAP; DSAP
    Frame Relay: 2-byte DLCI; 3-byte DLCI; 4-byte DLCI; NLPID; Ethernet Type

User-Defined Criteria

To apply customized criteria that use fields that are not represented in a protocol's predefined criteria, you can create a user-defined criterion. You specify its location in the packet header by specifying the following:

  - Reference point: A known bit position in the packet header.
  - Offset: The first position of the filtered bit pattern in relation to the reference point (measured in bits).
  - Length: The total bit length of the filtered pattern.
71. dow opens click on the circuit interface connector on which you want to configure protocol prioritization.

  2. Click on Edit Circuit. The Circuit Definition window opens; the circuit you selected is highlighted.
  3. Look for Protocol Priority in the Protocols scroll box. Site Manager automatically enables protocol prioritization for certain WAN protocols. If Protocol Priority appears in the Protocols scroll box, protocol prioritization is already enabled for this interface.
  4. If Protocol Priority does not appear in the Protocols scroll box, choose Protocols > Add/Delete. The Select Protocols window opens.
  5. Scroll down the list of protocols and select Protocol Priority.
  6. Click on OK. The Circuit Definition window opens.

From the Circuit Definition window, you can do the following:

  - Edit configuration parameters, as described in "Editing Protocol Prioritization Parameters" later in this chapter.
  - Configure an outbound traffic filter with a priority queue action, as described in Chapter 7.

Tuning Protocol Prioritization

When you enable Protocol Priority on a circuit, the router uses default values that help determine how priority filters work. These defaults are designed to work well for most configurations. However, you can customize, or tune, protocol prioritization to maximize its impact on your network. This section covers the following topic
72. e method create a user defined filter see Table B 2 This filter will not stop remote users from establishing a Telnet session with the router To do that you must also create outbound traffic filters on the remote circuits B 5 Configuring Traffic Filters and Protocol Prioritization Table B 2 lists sample user defined criteria ranges and actions for some common filtering goals Table B 2 User Defined Criteria and Ranges for Sample Inbound Traffic Filters User Defined Criteria Filtering Goal Reference Field Offset Length Range 1 Drop inbound IP HEADER_END 107 0x0 to 0x0 Telnet and FTP 109 traffic on the synchronous interface that receives packets from the Internet Give certain Specify an 160 bits sum of all 32 bits Specify the VINES traffic Ethernet Type criteria that precede the hexadecimal that is bridged value of OxBAD Destination Network field Destination over Ethernet VINES or Network number precedence over 48 48 16 16 16 8 8 for example all other traffic 1234 On a DLSw DLS_DATA_START 376 Destination NetBIOS Names Specify NetBIOS circuit filter on NetBIOS Names are up to 16 bytes Name ranges NetBIOS Names long How they are using the ASCII 504 Source NetBIOS oriented in the equivalent of the Names field right first 15 characters justified or left in the name For The offset of 376 applies justified may names with less only if you want to filter depend on the than 15 the beg
73. Filtering Outbound Frame Relay Traffic
    Pier ee over a Dial A LINE
    Using a Drop-All Filter as a Firewall
    Using Outbound Traffic Filters for LAN Protocols
    Index
    Figures
    Figure 2-1. Protocol Prioritization Dequeuing
    Figure 2-2. Bandwidth Allocation Algorithm
    Figure 2-3. Strict Dequeuing Algorithm
    Figure 2-4. Priority Queue Statistics for the Queue Size Example
    Figure 2-5. Reconfigured Priority Queue Statistics for the Queue Size Example
    Figure 3-1. Header Reference Fields for Transparent Bridge Encapsulation Methods
    Figure 4-1. Predefined Data Link Criteria for Outbound Traffic Filters
    Figure 4-2. Predefined IP Criteria for Outbound Traffic Filters
74. efeat the purpose of protocol prioritization. With the strict dequeuing algorithm, too much high-priority traffic can result in discarding, or clipping, normal- and low-priority traffic.
    To configure the percent of bandwidth for the priority queues, you edit these Configuration Manager parameters:
    • High Queue Percent Bandwidth
    • Normal Queue Percent Bandwidth
    • Low Queue Percent Bandwidth
    When changing bandwidth allocation, remember that the percent of bandwidth for the High queue, Normal queue, and Low queue must total 100 percent.
    Queue Size
    Queue size, or queue depth, is the configurable number of packets that each priority queue can hold. The default value for bandwidth allocation is 20 packets, regardless of packet size.
    Note: The buffer size for priority queues is not configurable when using the strict dequeuing algorithm.
    When you set the queue size, you assign buffers (which hold the packets) to each queue. A queue is full when it exceeds the buffer size. The router discards (clips) traffic sent to a full queue.
    To configure queue size, you edit these Configuration Manager parameters:
    • High Queue Size
    • Normal Queue Size
    • Low Queue Size
    • High Water Packets Clear
    Queue Size Example
    Suppose that you use the default queue size (20 packets) for all three priority queues. The statistics indicate that the High queue's Clipped Packets Count is 226 and its High
75. efined specification for a traffic filter. Each template contains a complete filter specification (criterion, range, and action) for one protocol, but is not associated with a specific interface or circuit. You create an actual traffic filter when you use the Configuration Manager to apply (save) a traffic filter template to a configured router interface. You can apply a single template to as many interfaces as you want, thus creating multiple filters for that protocol.
    When you want to add a filter to an interface, you have several options:
    • If there is a template that contains the exact filtering instructions you want for this interface, apply that template to the interface.
    • If there is a template that contains filtering instructions similar to what you want, copy, rename, and edit the template. Then apply the new template to the appropriate interface.
    • If there is no template containing filtering instructions similar to what you want for this interface, you must create a template from scratch. Then apply the new template to the appropriate interface.
    • If there is an existing filter on the interface that contains instructions similar to what you want, edit the existing filter and save it.
    Summary of Traffic Filter Support
    Table 1-5 summarizes the inbound and outbound traffic filter criteria and actions supported on specific interfaces.
    Table 1-5. Network Interface
76. Edit Priority Outbound Template Window
    Create Filter Window
    Figure 7-8. Edit Priority Outbound Filters Window
    Figure 7-9. Add User-Defined Field Window
    Figure 7-10. Priority Outbound Filters Window Showing Filter Precedence
    Figure 7-11. Change Precedence Window
    Figure 7-12. Priority Outbound Filters Window Showing New Order of Precedence
    Tables
    Table 1-1. Predefined Inbound Traffic Filter Criteria
    Table 1-2. Predefined Outbound Traffic Filter Criteria
    Table 1-3. Inbound Traffic Filter Actions
    Table 1-4. Outbound Traffic Filter Actions
    Table 1-5. Summary of Traffic Filter Support
    Table 3-1. Transparent
77. eria > Add > IP > PPP > Protocol ID on the Create Priority Outbound Template window. Do not use a data link criterion to specify IP traffic.
    Specifying TCP and UDP Port Ranges
    Table 5-6 lists some common TCP port values to use when specifying TCP source or destination port ranges in inbound or outbound IP traffic filters.
    Table 5-6. Source and Destination TCP Ports
    Table 5-7 lists some common UDP port values to use when specifying UDP source or destination port ranges in inbound or outbound IP traffic filters.
    Table 5-7. Source and Destination UDP Ports
    Specifying Ethernet Type Ranges
    Table 5-8 lists some common Ethernet Type codes to use when specifying Ethertype ranges in inbound or outbound traffic filters. See RFC 1700 for a complete list.
    Table 5-8. Ethernet Type Codes
    Description                                                   Ethernet Type (Ethertype) Code (0x)
    Bay Networks Synchronous Pass Through                         80FF
    Bay Networks Source Route Traffic (non-Token Ring media)      8101
    Bay Networks Breath of Life Packet (BofL)                     8102
    Bridged Ethernet over RFC 1490 Frame Relay                    0007
    Bridged Token Ring over RFC 1490 Frame Relay                  0009
    Bridged FDDI over RFC 1490 Frame Relay                        000A
    Bridged PDUs over RFC 1490 Frame Relay                        000B
    802.3 Length Field                                            0000-05EE
    802.5 Length Field                                            0000-05FF
    Xerox PUP 0101 01FF 0200 02
78. estination Port 16
    a. Allows filtering on the ACK and RESET bits in the TCP header. You do not specify a range for this criterion.
    User-Defined IP Criteria
    In addition to the predefined filter criteria, you can create IP inbound traffic filters with user-defined criteria by specifying an offset and length to these reference fields in the IP header:
    HEADER_START: Points to the first byte of the Type of Service
    HEADER_END: Points to the last byte of the IP Destination Address
    When specifying the user-defined criterion length, use 8 bits whenever possible. IP inbound traffic filters with a length of 1 bit work only when aligned on a byte word boundary. Lengths from 2 to 7 bits do not work.
    IP Actions
    In addition to the Accept, Drop, and Log actions common to all inbound traffic filters, there are the following IP actions:
    Forward to Next Hop: Specifies that any frame that matches the filter will be forwarded to the next-hop router. You must specify the IP address of the next-hop router. If the next-hop router is not reachable, any packets matching the filter will be forwarded normally, unless you also specify Drop If Next Hop Is Unreachable. If you specify 255.255.255.255 as the next hop, any frame that matches this filter will be forwarded normally.
    Drop If Next Hop Is Unreachable: This action is valid only when Forward to Next Hop is in use
79. ffic, you use predefined criteria based on the data link header.
    • For IP-routed traffic, you use predefined criteria based on the IP header.
    • For most WAN and LAN routing protocols, you can use predefined criteria based on either the data link header or the IP header.
    • For NetBIOS, SNA, and other DLSw-encapsulated traffic, you use predefined outbound traffic filter criteria based on the DLSw protocol header. For information about DLSw outbound traffic filters, see Configuring DLSw Services.
    This section covers the following topics:
    • Predefined Data Link Criteria
    • Predefined IP Criteria
    • Specifying Criteria Common to IP and Data Link Headers
    Predefined Data Link Criteria
    You can configure outbound traffic filters based on the predefined data link criteria listed in Table 4-1.
    Table 4-1. Predefined Data Link Criteria for Outbound Traffic Filters
    Packet Component: Data link header
    Predefined Criteria: MAC Source Address, Data Link Type, MAC Destination Address, Ethernet Type, Novell, 802.2 Length, 802.2 DSAP, 802.2 SSAP, 802.2 Control, 802.2 SNAP Length, 802.2 SNAP Protocol ID, 802.2 SNAP Ethernet Type (Ethertype)
    Packet Component: Frame Relay
    Predefined Criteria: 2-byte DLCI, 3-byte DLCI, 4-byte DLCI, NLPID, Ethernet Type (Ethertype)
    Figure 4-1 shows the Co
80. ffic filters 6-11
    outbound traffic filters 7-14
    enabling
        inbound traffic filters 6-15
        outbound traffic filters 7-18
    Ethernet Type ranges
        Frame Relay traffic 5-4, 5-7
        IPX over Frame Relay traffic 5-9
    Events log
        Detailed Log action, outbound traffic filters 4-9
        Detailed Logging action, inbound IP traffic filters 3-11
        Log action 1-11, 4-9
    examples
        DLSw B-9
        FTP B-10
        ICMP B-9
        LAT B-9
        NetBIOS Names B-6
        OSPF B-10
        protocol prioritization B-7
        RIP B-10
        SNA B-9
        STP B-10
        synchronous pass through B-10
        Telnet B-10
    extended traffic filters, IP 1-5
    F
    filter templates. See templates
    firewall strategy 1-5, B-12
    Flood action 3-4
    Forward action 3-10
    Forward to Circuit List action 3-4, 3-6
    Forward to First Up Next Hop Interface action 3-10
    Forward to IP Address action 3-10
    Forward to Next Hop Interfaces action 3-10
    Forward to Peer action 3-8
    Frame Relay
        Normal Queue Size parameter A-3
        specifying an Ethernet Type code 5-4, 5-7
    FTP traffic, prioritizing B-10
    G
    Greater Than Queue parameter 7-8, A-8
    H
    High action 4-10
    High Queue Percent Bandwidth parameter A-5
    High Water Packets Clear parameter A-4
    High Water Packets Mark 2-15
    ICMP traffic example B-9
    inbound traffic filters. See traffic filters, inbound
    IP
        extended traffic filters 1-5
        inbound traffic filters
            actions 3-10
            criteria 3-9
        outbound traffic filters 4-4
    IP hea
81. from a particular queue reaches the configured percentage, the next higher priority queue begins to transmit traffic. The amount of actual data transmitted depends on the clock speed of the circuit. You can configure the clock speed on a synchronous interface by setting the External Clock Speed parameter in the Configuration Manager Edit Sync Parameters window. See Configuring WAN Line Services.
    The bandwidth allocation algorithm works as follows:
    1. The transmit queue scans the High queue. If there is no traffic in the High queue, the algorithm proceeds to step 3.
    2. The router empties all packets from the High queue, up to the configured bandwidth percentage, into the transmit queue and then transmits the packets. The default bandwidth percentage for the High queue is 70 percent. If the actual bandwidth use is less than the limit, the router empties the High queue and proceeds to the Normal queue.
    3. The transmit queue scans the Normal queue. If there is no traffic in the Normal queue, the algorithm proceeds to step 5.
    4. The router empties all packets from the Normal queue, up to the configured bandwidth percentage, into the transmit queue and then transmits the packets. The default bandwidth percentage for the Normal queue is 20 percent. If the actual bandwidth use is less than the limit, the router empties the Normal queue and proceeds to the Low queue.
    5. The transmit queue scans the Low queue. If there is no traffic in the Low
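The following model is an added example, not code from the manual or from Site Manager. It combines the queue size behavior (a full queue clips new packets) with one pass of the bandwidth allocation steps above. The per-pass byte budget, the class and method names, and the choice not to hand unused share to lower queues are assumptions of the model; the Low default of 10 percent is simply what remains after High 70 and Normal 20.

```python
from collections import deque

ORDER = ("High", "Normal", "Low")  # scan order used by the algorithm


class PriorityQueues:
    """Toy model of one interface's three priority queues (hypothetical names)."""

    def __init__(self, queue_size=20, percent=None):
        # High 70 and Normal 20 are the defaults quoted in the text; Low 10 is
        # derived from the rule that the three values must total 100 percent.
        self.percent = percent or {"High": 70, "Normal": 20, "Low": 10}
        if sum(self.percent.values()) != 100:
            raise ValueError("queue percentages must total 100")
        self.queue_size = queue_size              # packets, regardless of size
        self.queues = {name: deque() for name in ORDER}
        self.clipped = dict.fromkeys(ORDER, 0)    # Clipped Packets Count
        self.high_water = dict.fromkeys(ORDER, 0) # deepest fill level seen

    def enqueue(self, name, length):
        """Queue a packet of `length` bytes; return False if it was clipped."""
        queue = self.queues[name]
        if len(queue) >= self.queue_size:
            self.clipped[name] += 1               # full queue: packet discarded
            return False
        queue.append(length)
        self.high_water[name] = max(self.high_water[name], len(queue))
        return True

    def dequeue_pass(self, budget_bytes):
        """One High -> Normal -> Low pass; return packets sent per queue.

        Each queue may send up to its percentage of `budget_bytes`
        (assumption: the budget stands in for what the clock speed allows).
        """
        sent = dict.fromkeys(ORDER, 0)
        for name in ORDER:
            limit = budget_bytes * self.percent[name] // 100
            used = 0
            queue = self.queues[name]
            while queue and used + queue[0] <= limit:
                used += queue.popleft()
                sent[name] += 1
        return sent


def demo():
    """Constructed burst: 30 High, 10 Normal, 10 Low packets of 500 bytes."""
    pq = PriorityQueues()
    for queue_name, count in (("High", 30), ("Normal", 10), ("Low", 10)):
        for _ in range(count):
            pq.enqueue(queue_name, 500)
    first_pass = pq.dequeue_pass(10_000)
    return pq, first_pass


if __name__ == "__main__":
    pq, first_pass = demo()
    print("sent in first pass:", first_pass)
    print("clipped:", pq.clipped)
    print("high-water marks:", pq.high_water)
```

With the default size of 20, the High burst of 30 loses 10 packets to clipping before any dequeuing happens, while Normal and Low still get their share of the pass even though High is backlogged.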
82. gement window opens (Figure 7-3).
    3. Click on Create. The Create Priority Outbound Template window opens (Figure 7-4).
    4. Specify a descriptive name for the template in the Filter Name field. For example, use the name Bridge01to03 for a template that contains information to filter bridge frames from the MAC source addresses 0x0000A2000001 to 0x0000A2000003.
    5. Choose Criteria > Add > Datalink/IP > criterion. The Add Range window opens. To configure filters for IP-routed packets, always choose IP instead of Datalink. See Chapter 4 for information about the outbound traffic filter criteria for IP and data link headers.
    6. Specify the range to apply to the selected criterion. To enter a hexadecimal number, use the prefix 0x. Zero is not a valid entry. If the range consists of just one value, specify that value in both fields. See Chapter 5 for information about common traffic filter ranges.
    7. Click on OK. The Create Priority Outbound Template window opens (Figure 7-4). The new criterion and range appear in the Filter Information field.
    8. To add more ranges, choose Range > Add. You can add up to 100 ranges in each template.
    9. Choose Action > Add > Datalink/IP > action. If you selected the Length action, the Prioritization Length window opens (Figu
83. gh Queue Latency parameter A-3
    Normal Queue Percent Bandwidth parameter A-5
    Normal Queue Size parameter A-3
    outbound traffic filters 7-1
    Packet Length parameter A-7
    Prioritization Algorithm Type parameter A-4
    process 2-3
    protocols supported 2-1
    queue size 2-11
    tuning 2-13
    within DLSw 2-1
    publications, Bay Networks, ordering xix
    Q
    queue size 2-11
    queues, priority (High, Normal, Low). See protocol prioritization
    R
    ranges
        inbound traffic filter
            changing 6-9, 6-14
            deleting 6-9, 6-14
        outbound traffic filter
            changing 7-12, 7-16, 7-17
            deleting 7-12, 7-17
        specifying
            NetBIOS Name 3-5
            SRB 3-5
            token ring as MSB 5-2
            VINES 5-3
    reference points
        data link header 4-6
        DECnet Phase IV 3-7
        DLSw 3-8
        IP header
            inbound traffic filters 3-9
            outbound traffic filters 4-8
        IPX 3-11
        LLC2 3-12
        OSI 3-13
        SRB 3-6
        transparent bridge 3-2
        VINES 3-14
        XNS 3-14
    RIP traffic, prioritizing B-10
    S
    SNA traffic 4-2, B-9
    source route bridging (SRB)
        actions 3-6
        criteria
            inbound 3-5
            outbound 4-2
        ranges 3-5
    Spanning Tree Protocol (STP) traffic, prioritizing B-10
    SRB. See source route bridging
    STP. See Spanning Tree Protocol traffic
    strict dequeuing algorithm 2-7
    synchronous pass through traffic, prioritizing B-10
    T
    TCP port ranges 5-6
    Technical Solutions Centers xx
    Telnet traffic, prioritizing B-10
    template.flt (Site Manager file) 7-9
    templates 1-13
    templates
84. gth; type is LENGTH (< 1519)
    8-bit DSAP
    8-bit SSAP
    8-bit Control
    IEEE 802.2 LLC with SNAP Encapsulation
    Frame fields: MAC Destination, MAC Source, Length/Type, DSAP, SSAP, Control, Org Code, Ethernet Type
    • 48-bit MAC destination address
    • 48-bit MAC source address
    • 16-bit length; type is LENGTH (< 1519)
    • DSAP/SSAP/Control is 0xAAAA03
    • 24-bit Organization Code
    • 16-bit Ethernet Type
    Novell Proprietary Encapsulation
    Frame fields: MAC Destination, MAC Source, Length
    • 48-bit MAC destination address
    • 48-bit MAC source address
    • 16-bit length; type is LENGTH (< 1519)
    • Next 16 bits are all ones (part of IPX header)
    Figure 3-1. Header Reference Fields for Transparent Bridge Encapsulation Methods
    Table 3-1 indicates which encapsulation methods are supported for specific router interfaces.
    Table 3-1. Transparent Bridge Encapsulation Support
    Predefined Transparent Bridge Criteria
    Each transparent bridge encapsulation method has specific predefined criteria for filtering frames. These predefined criteria are based on an offset to a header reference field (Figure 3-1) and are a specified length. Table 3-2 lists the predefined criteria for each encapsulation method and the reference field, offset, and length for each criterion.
    Table 3-2. Predefined Criteria for Transparent Bridge Inbound Traffic Filters
    Encapsulation Reference Offset Length Method
85. hest precedence (lowest number) applies. After you create traffic filters, you can change their precedence by reordering them. See "Changing Filter Precedence" in Chapter 6 (inbound traffic filters) or Chapter 7 (outbound traffic filters).
    Build a Firewall
    If your filtering strategy involves blocking most or all inbound traffic (a firewall), you can create a Drop-all filter for each protocol on the interface. That means, for each protocol you are filtering, you choose a filter criterion that appears in every packet of the protocol (for example, a MAC address). You can also create exceptions to the Drop-all filter by adding more specific, higher-precedence filters to allow only specified traffic on an interface. See "Using a Drop-All Filter as a Firewall" in Appendix B for more information about combining filters to accept certain traffic.
    Traffic Filter Components
    The Configuration Manager creates traffic filters from template files that contain filtering information. Traffic filter templates consist of three components:
    Criteria: The portion of the incoming packet, frame, or datagram header to be examined
    Ranges: Numeric values (often addresses) to be compared with the contents of examined packets
    Actions: What happens to packets that match the criteria and ranges specified in a filter
    To create a traffic filter, you apply a fil
86. Bandwidth Allocation Algorithm
    Strict Dequeuing Algorithm
    Enabling Protocol Prioritization
    Tuning Protocol Prioritization
    Tuning Concepts
    Percent of Bandwidth
    Editing Protocol Prioritization Parameters
    Monitoring Protocol Prioritization Statistics
    Chapter 3. Inbound Traffic Filter Criteria and Actions
    Transparent Bridge Criteria and Actions
    Predefined Transparent Bridge Criteria
    User-Defined Transparent Bridge Criteria
    Transparent Bridge Actions
    Source Route Bridging Criteria and Actions
    Specifying an SRB Criterion Range
87. IP Reference Points
    Filtering Actions
    Prioritizing Actions
    Dial Service Actions
    Chapter 5. Specifying Common Criterion Ranges
    Specifying MAC Address Ranges
    SRB Functional MAC Addresses
    Specifying VINES Address Ranges
    Specifying Source and Destination SAP Code Ranges
    Specifying Frame Relay NLPID Ranges
    Specifying PPP Protocol ID Ranges
    Specifying TCP and UDP Port Ranges
    Specifying Ethernet Type Ranges
    Specifying IP Protocol ID and Type of Service
88. igher (if you chose INSERT BEFORE) or one lower (if you chose INSERT AFTER) than the number you specified.
    Number field. For example, in Figure 7-10, to place the selected filter 1 after filter 2, click on INSERT BEFORE and type 2 in the Precedence Number field.
    6. Click on OK. The Priority Outbound Filters window opens. The filters now appear in the new order of precedence (Figure 7-12).
    Figure 7-11. Change Precedence Window
    Figure 7-12. Priority Outbound Filters Window Showing New Order of Precedence
    Appendix A. Site Manager Protocol Prioritization Parameters
    This appendix contains reference information for the Site Manager protocol prioritization parameters:
    • Priority Interface Parameter Descriptions
    • Prioritization Length Parameters
    For each parameter, this appendix provides the following information:
    • Parameter name
    • Configuration Manager menu path
    • Default setting
    • Valid parameter options
    • Parameter function
    • Instructions for setting the parameter
    • MIB object ID
    Priority Interface Parameter Descriptions
    Parameter Path Default Options Function Instructions MIB Object ID Parameter Path
89. ilter
    After you apply an outbound traffic filter to an interface, you can edit its criterion, ranges, or action. If you used a template that you edited to suit your needs, you may not need to make further edits. When you customize a filter, you have the following options:
    • Add or delete predefined criteria
    • Add or delete user-defined criteria
    • Add or delete actions
    • Add, modify, or delete ranges
    To add a user-defined criterion, see "Specifying User-Defined Criteria" later in this chapter. To add the Length action, see "Specifying Prioritization Length" earlier in this chapter.
    To add predefined criteria, ranges, and actions, or delete any criterion, range, or action:
    1. Display the Priority Outbound Filters window (Figure 7-2).
    2. Select a filter.
    3. Click on Edit. The Edit Priority Outbound Filters window opens (Figure 7-8).
    4. Add, change, or delete predefined criteria, ranges, and actions (Table 7-2).
    5. Click on OK. The Priority Outbound Filters window opens.
    Figure 7-8. Edit Priority Outbound Filters Window
    Table 7-2. Using the Edit Priority Outbound Filters Window
    Add a 1. Choose Criteria > Add > criterion. The Add A filter can have only one
90. ilter precedence lower filter numbers have higher precedence. If a packet matches two filters, the filter with the highest precedence (lowest number) applies. For example, if the first filter on the interface (#1) accepts a packet and the second filter (#2) drops the same packet, filter #1 has precedence and the interface accepts the packet.
    Figure 7-10 shows how the Priority Outbound Filters window displays the filters on an interface. The first filter listed has the highest precedence. You should create the filters on an interface in order of precedence. However, if you do not, or if your filtering strategy changes, you can use the Priority Outbound Filters window to rearrange the precedence of existing filters.
    Figure 7-10. Priority Outbound Filters Window Showing Filter Precedence
    To change the order of precedence for outbound traffic filters:
    1. Display the Priority Outbound Filters window (Figure 7-2).
    2. Select the filter whose precedence you want to change.
    3. Click on Reorder. The Change Precedence window opens (Figure 7-11).
    4. Click on INSERT BEFORE or INSERT AFTER.
    5. Type a filter rule number in the Precedence The selected filter's number is either one h
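The precedence rule above, and the drop-all firewall strategy it makes possible, can be checked with a small model. This is an added example, not code from the manual or Site Manager: the field name ip_dst, the filter names, the sample addresses, and the default of forwarding unmatched traffic are all assumptions. It also flags filters that can never apply because a higher-precedence filter on the same criterion covers their whole range.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class TrafficFilter:
    number: int      # filter number; a lower number means higher precedence
    name: str
    criterion: str   # header field examined (hypothetical field name)
    low: int         # inclusive start of the range
    high: int        # inclusive end of the range
    action: str      # "Accept" or "Drop"

    def matches(self, packet):
        value = packet.get(self.criterion)
        return value is not None and self.low <= value <= self.high


def ip(text):
    """Dotted-quad address as an integer, so ranges compare numerically."""
    return int(IPv4Address(text))


def evaluate(filters, packet, default="Accept"):
    """Return (action, filter name) for the matching filter with the lowest number.

    `default` applies when nothing matches; forwarding unmatched traffic is
    an assumption of this model.
    """
    for flt in sorted(filters, key=lambda f: f.number):
        if flt.matches(packet):
            return flt.action, flt.name
    return default, None


def shadowed(filters):
    """Names of filters hidden by a higher-precedence filter on the same
    criterion whose range already contains theirs."""
    ordered = sorted(filters, key=lambda f: f.number)
    hidden = []
    for index, flt in enumerate(ordered):
        for earlier in ordered[:index]:
            if (earlier.criterion == flt.criterion
                    and earlier.low <= flt.low and flt.high <= earlier.high):
                hidden.append(flt.name)
                break
    return hidden


# Constructed rules: a drop-all filter plus one exception for a single server.
DROP_ALL = dict(name="drop-all", criterion="ip_dst",
                low=ip("0.0.0.1"), high=ip("255.255.255.255"), action="Drop")
ALLOW = dict(name="allow-server", criterion="ip_dst",
             low=ip("192.0.2.10"), high=ip("192.0.2.10"), action="Accept")

# Exception first (filter 1), drop-all second (filter 2): the intended firewall.
FIREWALL = [TrafficFilter(number=1, **ALLOW), TrafficFilter(number=2, **DROP_ALL)]
# Same filters created in the wrong order: the exception never applies.
MISORDERED = [TrafficFilter(number=1, **DROP_ALL), TrafficFilter(number=2, **ALLOW)]

TO_SERVER = {"ip_dst": ip("192.0.2.10")}    # constructed sample packets
TO_OTHER = {"ip_dst": ip("198.51.100.7")}

if __name__ == "__main__":
    for label, rules in (("firewall", FIREWALL), ("misordered", MISORDERED)):
        print(label, evaluate(rules, TO_SERVER), evaluate(rules, TO_OTHER),
              "shadowed:", shadowed(rules))
```

Running the shadow check after any reorder is a quick way to confirm that every exception still sits above the drop-all filter it is meant to override.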
91. ination Socket, Source Network, Source Address, Source Socket
    User-Defined XNS Criteria
    In addition to the predefined filter criteria, you can create traffic filters with user-defined criteria by specifying an offset and length to this reference field in the XNS header:
    XNS_BASE: Points to the first byte in the XNS header
    XNS Actions
    The XNS filtering actions are Accept, Drop, and Log.
    Chapter 4. Outbound Traffic Filter Criteria and Actions
    You create outbound traffic filters using templates that consist of criteria, ranges, and actions. To define a template, you need to know the specific criteria and actions that Site Manager supports for outbound traffic filters. This chapter lists the following:
    • Predefined outbound traffic filter criteria and actions
    • Reference points for user-defined criteria
    The chapter contains these sections: Selecting Predefined Criteria, Selecting User-Defined Criteria, Selecting Actions.
    For an overview of traffic filters, templates, and their criteria, ranges, and actions, see Chapter 1. For instructions on using Site Manager to create outbound traffic filters, see Chapter 7.
    Note: For information about DLSw outbound traffic filters, see Configuring DLSw Services.
    Selecting Predefined Criteria
    Outbound traffic filter criteria are based on the data link header or IP header:
    • For bridged tra
92. indow.
    10. Choose Action > Add > Accept. The action now appears in the Filter Information field.
    11. Click on OK. The Filter Template Management window opens. The new template appears in the templates list.
    14. Select a template in the Templates list.
    15. Select a circuit.
    16. Specify a descriptive name in the Filter Name field. Use a name that indicates the circuit, for example, S47_ accepted.
    17. Click on OK. The IP Filters window opens.
    18. Click on Apply. The filter is applied to the circuit.
    Inbound Traffic Filter Examples
    This section summarizes the steps for creating an inbound traffic filter and provides examples (Table B-1 and Table B-2) for using inbound traffic filters to accomplish common filtering goals. If Tables B-1 and B-2 do not include an example for the protocol you want to configure, use these examples as guidelines for implementing inbound traffic filters for other traffic types. Chapter 3 lists the inbound traffic filter criteria and actions for all supported protocols.
    To create an inbound traffic filter:
    1. In the Configuration Manager window, choose Circuits > Edit Circuits. The Circuit List window opens.
    2. Select a circuit.
    3. Click on Edit. The Circuit Definition window opens; the circuit you selec
93. Parameter: High Water Packets Clear
    Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
    Default: 0
    Options: Any integer value
    Function: Toggles the High Water Packets Clear bit. When you change the queue depth by changing the value of the High Queue Size, Normal Queue Size, or Low Queue Size parameter, you can also reset the high-water mark by changing the value of this parameter. When you change the value of this parameter, you reset the high-water mark for all three queues to zero.
    Instructions: Specify a new integer value for this parameter to clear the existing high-water marks for the priority queues.
    MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.19

    Parameter: Prioritization Algorithm Type
    Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
    Default: BANDWIDTH ALLOCATION
    Options: BANDWIDTH ALLOCATION | STRICT
    Function: Selects the dequeuing algorithm that protocol prioritization uses to drain priority queues and transmit traffic. With strict dequeuing, the router always transmits traffic in the High queue before transmitting traffic in the other queues. With bandwidth allocation dequeuing, the router transmits traffic in a queue until the utilization percentage for that
94. inning of the application Before characters use NetBIOS Name field If creating the filter 0x20 as pad you want to find a criteria use an characters particular section of the analyzer to check NetBIOS Name the packets increase the offset by X 8 where X is the number of bytes into the NetBIOS Name field
    Protocol Prioritization Examples
    This section summarizes the steps and provides examples (Table B-3) for configuring protocol priority queues. If Table B-3 does not include an example for the filter you want to configure, use these examples as guidelines. Chapter 7 provides detailed procedures for configuring outbound traffic filters. Chapter 4 lists the outbound traffic filter criteria and actions. Chapter 2 describes protocol prioritization and provides procedures for setting configuration parameters.
    Creating an Outbound Traffic Filter
    To create an outbound traffic filter:
    1. In the Configuration Manager window, choose Circuits > Edit Circuits. The Circuit List window opens.
    3. Click on Edit. The Circuit Definition window opens; the circuit you selected is highlighted.
    4. Choose Protocols > Edit Protocol Priority > Priority Outbound Filters. The Priority Outbound Filters window opens.
    5. Click on Template. The Filter Template Management window opens.
    6. Click on Create. The Create Priority O
95. interface, the router sorts traffic into prioritized delivery queues (High, Normal, and Low) called priority queues. Priority queues affect the sequence in which data leaves an interface; they do not affect traffic as it arrives at the router. You use outbound traffic filters to specify how traffic is sorted into priority queues. By default, all outbound traffic goes to the Normal queue. See Chapter 2 to learn more about priority queuing and dequeuing.
    Filtering Strategies
    This section recommends ways you might use traffic filters in a network. See Appendix B for specific examples.
    Direct Traffic
    You can create traffic filters that affect a particular protocol's traffic. For example, you can forward all IP traffic to a next-hop address. You can also create traffic filters that affect certain locations on a bridged network. For example, if you want all traffic from a node with a particular source MAC address (perhaps an application server) to take precedence over other traffic, you can use protocol prioritization to assign a high priority to any traffic with that source address.
    Drop or Accept Traffic
    You can configure a router interface to accept only specified traffic and drop all other packets by configuring inbound traffic filters with specific accept criteria. Or, to accept most traffic and drop only specified packets, you can configure inbound traffic filters for the traffi
96. it queue and then transmits the packets.
    9. The algorithm returns to step 1, whether or not the latency value is reached.
    Figure 2-3 illustrates the strict dequeuing algorithm.
    Figure 2-3. Strict Dequeuing Algorithm
    Enabling Protocol Prioritization
    You use the Configuration Manager to configure protocol prioritization. To configure priority queues with default values, do the following:
    1. Enable Protocol Priority on the circuit, as described in this section.
    2. Apply outbound traffic filters with prioritizing actions to the circuit, as described in Chapter 7.
    See the next section, "Tuning Protocol Prioritization," to learn how to customize the way protocol prioritization works on a circuit.
    To enable protocol prioritization:
    In the Configuration Manager window, The Edit Connector win
97. iteria for DLSw inbound traffic filters and the reference field offset and length for each criterion Table 3 5 Predefined Criteria for DLSw Inbound Traffic Filters Destination MAC Address DLS BASE Source MAC Address DLS_BASE User Defined DLSw Criteria In addition to the predefined DLSw filter criteria you can create inbound traffic filters with user defined criteria by specifying an offset and length to these reference fields in the DLSw header DLS CTRL START Points to the start of the DLSw header DLS DATA START Points to the start of the DLSw data DLSw Actions The DLSw filtering actions are as follows e Drop Log Common to all inbound traffic filters e Forward to Peer Any frame that matches the filter will be sent to the specified DLSw circuits 3 8 117348 A Rev A Inbound Traffic Filter Criteria and Actions IP Criteria and Actions You can filter IP inbound traffic based on specified bit patterns in one of the following headers in an IP datagram e The IP header e The header of the upper level protocol TCP or UDP for example Predefined IP Criteria Table 3 6 lists the predefined criteria for IP inbound traffic filters and the reference field offset and length for each criterion Table 3 6 Predefined Criteria for IP Inbound Traffic Filters Criterion Name Reference Field Type of Service Protocol ID 72 IP Source Address IP Destination Address 128 UDP or TCP Source Port UDP or TCP D
98. l not be saved. You can specify the Log action with any of the other actions. However, you should specify the Log action only to record abnormal events; otherwise, the Events log will fill up with filtering messages, leaving no room for critical log messages.

DECnet Phase IV Criteria and Actions

You can filter inbound DECnet Phase IV traffic based on specified bit patterns in the DECnet header.

Predefined DECnet Criteria

Table 3-4 lists the predefined criteria for DECnet Phase IV inbound traffic filters and the reference field, offset, and length for each criterion.

Table 3-4. Predefined Criteria for DECnet Phase IV Inbound Traffic Filters
Destination Area    DEC4 BASE
Destination Node    DEC4 BASE

User-Defined DECnet Criteria

In addition to the predefined DECnet Phase IV filter criteria, you can create traffic filters with user-defined criteria by specifying an offset and length to this reference field in the DECnet header:

Reference Field    Description
DEC4 BASE          Points to the first byte in the header

DECnet Actions

The DECnet Phase IV filtering actions are Accept, Drop, and Log.

DLSw Criteria and Actions

You can filter inbound DLSw traffic based on specified bit patterns in the DLSw header, as defined in RFC 1434.

Predefined DLSw Criteria

Table 3-5 lists the predefined cr
99. n about common traffic filter ranges.
7. Click on OK. The Add Range window closes. The criterion and range appear in the Filter Information field of the Create Template window.
8. To add more ranges, choose Range > Add. Then repeat steps 6 and 7. You can add up to 100 ranges for each criterion.
9. Choose Action > Add > action.
10. Click on OK. The Filter Template Management window opens (Figure 6-2). The template appears in the templates list.

Figure 6-2. Filter Template Management Window
Figure 6-3. Create Template Window

Customizing Templates

There are two ways to customize a filter template:
• Copy an existing template, rename it, and then edit it. This preserves the original template and creates an entirely new template with the same criteria and actions. You can then modify the new template to suit your needs.
• Edit an existing template. If you do not need to preserve the original template, you can edit it without first copying and renaming it. Changing a template does not affect interfaces to which the template has already been applied.

Note: You can also edit or copy a template using a text editor. The Configuration Manager stores all templates in the file template.flt.

Copying a Template

To duplicate an existing template:

Site Manage
100. nd traffic filter criteria are common to both the IP and data link headers, such as the PPP Protocol ID, SRB SSAP/DSAP, and Frame Relay DLCI and NLPID criteria. To configure outbound traffic filters for IP-routed packets, always select IP instead of Datalink when choosing the criterion. If you create a filter using a data link criterion to identify an IP-routed packet (for example, using the Ethertype range of 0x0800 or the Protocol ID of 0x0021), the filter does not work, because the router code recognizes the IP-routed packet and expects IP filter rules.

To configure criteria for both IP and data link reference points, you create two filters: one with the IP criterion and the other with the Datalink criterion. For example, if you want to prioritize Frame Relay traffic with data link connection identifier (DLCI) 400 in the High queue, create filters for both the IP and Datalink DLCI criterion, using a range value of 400.

Selecting User-Defined Criteria

To create a filter with a user-defined criterion, you specify the offset and length to a supported reference point in the data link or IP packet header. This section describes the following reference points for specifying user-defined outbound traffic filter criteria:
• Data Link Reference Points
• IP Reference Points

Data Link Reference Points

Table 4-3 defines the reference points in the data link header from which yo
101. nfiguration Manager menu path for specifying these criteria See Chapter 7 for detailed instructions on creating outbound filters Figure 4 1 Predefined Data Link Criteria for Outbound Traffic Filters 117348 A Rev A 4 3 Configuring Traffic Filters and Protocol Prioritization Predefined IP Criteria You configure outbound traffic filters for routing protocols based on the predefined criteria listed in Table 4 2 Table 4 2 Predefined IP Criteria for Outbound Traffic Filters Packet Type or Component Predefined Criteria IP header Type of Service IP Source Address IP Destination Address Both Source Address and Destination Address UDP Source Port UDP Destination Port TCP Source Port TCP Destination Port TCP or UDP Source Port TCP or UDP Destination Port Established TCP Port Protocol MAC Destination Address MAC Source Address SSAP DSAP Frame Relay 2 byte DLCI 3 byte DLCI 4 byte DLCI NLPID You can assign as many as 31 outbound traffic filters with IP criteria to an interface Figure 4 2 shows the Configuration Manager menu path for specifying these criteria See Chapter 7 for detailed instructions on using Configuration Manager to create outbound traffic filters 4 4 117348 A Rev A Outbound Traffic Filter Criteria and Actions Figure 4 2 Predefined IP Criteria for Outbound Traffic Filters Specifying Criteria Common to IP and Data Link Headers 117348 A Rev A Several predefined outbou
102. nfo command Example ATM DXI gt Interfaces gt PVCs identifies the PVCs button in the window that appears when you select the Interfaces option from the ATM DXI menu Indicate optional elements You can choose none one or all of the options Indicates variable values in command syntax descriptions new terms file and directory names and book titles Indicate the title of a chapter or section within a book Indicates data that appears on the screen Example Set Bay Networks Trap Monitor Filters Separates menu and option names in instructions and internal pin to pin wire connections Example Protocols gt AppleTalk identifies the AppleTalk option in the Protocols menu Example Pin 7 gt 19 gt 20 Indicates that you enter only one of the parts of the command The vertical line separates choices Do not type the vertical line when entering the command Example If the command syntax is show at routes nets you enter either show at routes or show at nets but not both 117348 A Rev A Acronyms 117348 A Rev A ANSI APPN ARP CCITT CLNP CSMA CD DE DLC DLCI DLCMI DLSw DSAP FDDI FTP HDLC HSSI ICMP IP IPX ISDN ISO ITU T LAN LAT LLC LNM MAC MCEI MCTI MSB About This Guide American National Standards Institute Advanced Peer to Peer Networking Address Resolution Protocol International Telegraph and Telephone Consultative Committee now ITU T Connectionless Network Protocol
103. nly the IP or DLSw protocol headers. You select outbound criteria based on the WAN protocol configured on the interface (transparent bridge, SRB, PPP, or Frame Relay).

Predefined and User-Defined Criteria

The Configuration Manager provides a selection of default filter criteria (predefined criteria) for both inbound and outbound traffic filters. Predefined criteria consist of predefined offsets and lengths from common reference points. You can also define a criterion based on bit patterns in a packet header that are not supported in predefined criteria (user-defined criteria). To apply user-defined criteria, you specify the bit length and offset from a supported reference point. Chapter 3 lists the supported reference points for inbound traffic filters. Chapter 4 lists the reference points for outbound traffic filters.

To fit your site's traffic patterns, you can use a combination of predefined and user-defined criteria in up to 32 traffic filters on each interface.

Predefined Criteria

Table 1-1 summarizes the predefined inbound traffic filter criteria for supported protocols.

Table 1-1. Predefined Inbound Traffic Filter Criteria
Traffic Type    Predefined Inbound Filter Criteria
Transparent bridge MAC Address Source or Destination Ethernet Type Four data link encapsulation Novell methods Ethernet 802 2 LLC 802 2 LLC Length Novell Proprietary
104. og High Queue Low Queue Length No Call No Reset Accept Drop Log High Queue Low Queue Length No Call No Reset 117348 A Rev A Chapter 2 Using Protocol Prioritization Queues This chapter describes the priority queues that you can implement using outbound traffic filters protocol prioritization Topic About Protocol Prioritization Enabling Protocol Prioritization Tuning Protocol Prioritization For instructions on using the Configuration Manager to create outbound traffic filters see Chapter 7 About Protocol Prioritization 117348 A Rev A Site Manager supports protocol prioritization on synchronous serial HSSI MCE1 and MCT1 interfaces for the following WAN protocols e PPP e Bay Networks Standard PPP e Frame Relay Note The DLSw software also allows you to prioritize traffic within DLSw based on predefined or user defined fields at the TCP level For information about these DLSw prioritization filters see Configuring DLSw Services 2 1 Configuring Traffic Filters and Protocol Prioritization While the router is operating network traffic from various sources converges at each WAN interface Without protocol prioritization the router transmits packets in a first in first out FIFO order With Protocol Priority enabled on an interface the router sorts traffic into prioritized delivery queues High Normal and Low called priority queues The router uses a dequeuing algorithm to
105. on Socket 3 15 Source Address 3 15 Source Socket 3 15 criteria outbound traffic filter adding 7 12 7 16 7 17 common headers 4 5 data link header 4 2 defined 1 6 deleting 7 12 7 17 IP header 4 4 user defined 4 6 4 8 customer support programs xix Technical Solutions Centers xx D data link header outbound traffic filter criteria 4 2 reference points 4 6 DECnet Phase IV actions 3 7 criteria 3 7 deleting inbound traffic filters 6 16 outbound traffic filters 7 19 deleting actions inbound traffic filter 6 9 6 14 outbound traffic filter 7 12 7 17 deleting criteria inbound traffic filter 6 9 6 14 outbound traffic filter 7 12 7 17 deleting ranges inbound traffic filter 6 9 6 14 outbound traffic filter 7 12 7 17 dequeuing algorithms bandwidth allocation 2 3 117348 A Rev A strict dequeuing 2 7 Detailed Log action outbound traffic filters 4 9 Detailed Logging action inbound IP traffic filters 3 11 dial backup line filters on B 11 Direct IP Explorers action 3 6 disabling inbound traffic filters 6 15 outbound traffic filters 7 18 Discard Eligible Bit Low parameter A 6 Discard Eligible Bit Normal parameter A 7 DLSw actions 3 8 criteria 3 8 example B 9 inbound traffic filters 6 2 outbound traffic filters 2 1 prioritization 2 1 Drop If Next Hop Is Unreachable action 3 10 Drop all filters 1 5 B 12 dropping traffic 1 4 B 12 E editing inbound tra
106. ons Function Instructions MIB Object ID

Site Manager Protocol Prioritization Parameters

Parameter: Normal Queue Size
Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
Default: 20 (200 for Frame Relay)
Options: Any integer value
Function: Specifies the maximum number of packets in the Normal queue at any one time, regardless of packet size.
Instructions: Accept the default or specify a new value. For Frame Relay interfaces, a value less than 200 might cause a broadcast message to be dropped (clipped).
MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.5

Parameter: Low Queue Size
Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
Default: 20
Options: Any integer value
Function: Specifies the maximum number of packets in the Low queue at any one time, regardless of packet size.
Instructions: Accept the default or specify a new value.
MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.6

Parameter: Max High Queue Latency
Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
Default: 250 milliseconds (ms)
Options: 100 to 5000 ms
Function: Specifies the greatest delay that a high-priority packet can experience and, consequently, how many normal-priority or low-priority bits can be in the transmit queue at any one time.
Instructions: Accept the default or specify a new value. Bay Networks recommends accepting the default value of 250 ms.
MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.8
107. otocol Internet Protocol Telecommunication network Trivial File Transfer Protocol User Datagram Protocol unshielded twisted pair Virtual Network Systems wide area network Xerox Network System 117348 A Rev A About This Guide Ordering Bay Networks Publications To purchase additional copies of this document or other Bay Networks publications order by part number from Bay Networks Press at the following numbers e Phone U S Canada 888 422 9773 e Phone International 510 490 4752 e FAX U S Canada and International 510 498 2609 The Bay Networks Press catalog is available on the World Wide Web at support baynetworks com Library GenMisc Bay Networks publications are available on the World Wide Web at support baynetworks com Library tpubs Bay Networks Customer Service 117348 A Rev A You can purchase a support contract from your Bay Networks distributor or authorized reseller or directly from Bay Networks Services For information about or to purchase a Bay Networks service contract either call your local Bay Networks field sales office or one of the following numbers United States and 800 2LANWAN then enter Express 508 916 3514 Canada Routing Code ERC 290 when prompted to purchase or renew a service contract 508 916 8880 direct Europe 33 4 92 96 69 66 33 4 92 96 69 96 Asia Pacific 61 2 9927 8888 61 2 9927 8899 561 988 7661 561 988 7550 Information about customer service is also available on the
108. otocol Prioritization Queues

The Dequeuing Process

After queuing packets, the router empties the priority queues by sending the traffic to the transmit queue using one of two dequeuing algorithms:
• Bandwidth Allocation Algorithm
• Strict Dequeuing Algorithm

By default, protocol prioritization uses the bandwidth allocation algorithm to send traffic from the three priority queues to the transmit queue. You specify the active dequeuing algorithm by setting the Prioritization Algorithm Type parameter, as described in "Editing Protocol Prioritization Parameters" later in this chapter.

Figure 2-1 illustrates the dequeuing process with default configuration values.

[Figure 2-1. Protocol Prioritization Dequeuing: the High queue (70% of bandwidth), Normal queue (20% of bandwidth), and Low queue (10% of bandwidth) feed the dequeuing algorithm (default algorithm: bandwidth allocation), which fills the transmit queue (default latency: 250 ms) ahead of the physical interface]

Bandwidth Allocation Algorithm

The bandwidth allocation algorithm uses a configurable percentage of bandwidth for each of the three priority queues to determine how to transmit queued traffic. The default configuration is as follows:
• High queue: 70% of bandwidth
• Normal queue: 20% of bandwidth
• Low queue: 10% of bandwidth

When the amount of traffic transmitted
109. ow opens Figure 7 1 7 Choose Protocols gt Edit Protocol Priority The Priority Outbound Filters window gt Priority Outbound Filters opens Figure 7 2 7 2 117348 A Rev A Applying Outbound Traffic Filters Pruliniulsas Slot F l Figure 7 1 Displaying the Priority Outbound Filters Window eea na a ET AnS Bi A E ii i I dzika aiy Template Filter Enable Pilter Nme Figure 7 2 Priority Outbound Filters Window 117348 A Rev A 1 3 Configuring Traffic Filters and Protocol Prioritization Preparing Outbound Traffic Filter Templates To add an outbound traffic filter to an interface you apply an outbound traffic filter template to the circuit However you do not always need to create a template often you can begin with an existing template This section describes how to prepare an outbound traffic filter template by e Creating a Template e Customizing Templates See Creating an Outbound Traffic Filter later in this chapter to learn how to create a traffic filter by applying saving a filter template to an interface Note Changing a traffic filter template does not affect interfaces to which the template has already been applied Creating a Template To create an outbound traffic filter template Site Manager Procedure You do this System responds 1 Display the Priority Outbound Filters window Figure 7 1 2 Click on Template The Filter Template Mana
110. queue, the algorithm returns to step 1.
6. The router empties all packets from the Low queue, up to the configured bandwidth percentage, into the transmit queue and then transmits the packets. The default bandwidth percentage for the Low queue is 10 percent. If the actual bandwidth use is less than the limit, the router empties the Low queue.
7. The algorithm returns to step 1.

Figure 2-2 illustrates the bandwidth allocation algorithm.

[Figure 2-2. Bandwidth Allocation Algorithm (flowchart: scans the High, Normal, and Low queues in turn and, for each queue that holds packets, transmits all packets up to the configured bandwidth percentage)]

Strict Dequeuing Algorithm

Instead of the bandwidth allocation algorithm, you can configure the router to use the strict dequeuing algorithm to send traffic to the transmit queue.

Caution: If the router uses the strict dequeuing algorithm and there is a great deal of High queue traffic on
111. queue is reached, then the router transmits traffic in the next lower priority queue. You configure the percentages for bandwidth allocation by setting the High Queue, Normal Queue, and Low Queue Percent Bandwidth parameters. Accept the default of BANDWIDTH ALLOCATION or select STRICT.
MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.24

Site Manager Protocol Prioritization Parameters

Parameter: High Queue Percent Bandwidth
Path: Configuration Manager > interface connector > Edit Circuit > Protocols > Edit Protocol Priority > Interface
Default: 70 percent
Options: 0 to 100 percent
Function: If you select the bandwidth allocation dequeuing algorithm, this parameter specifies the percentage of the synchronous line's bandwidth allocated to traffic that has been sent to the High queue. When you set this parameter to a value less than 100, each time the percentage of bandwidth used by high-priority traffic reaches this limit, the router transmits traffic in the Normal and Low queues, up to the configured percentages for those priority queues.
Instructions: Specify the percentage of the line's bandwidth allocated to high-priority traffic. The High Queue, Normal Queue, and Low Queue Percent Bandwidth values must total 100.
MIB Object ID: 1.3.6.1.4.1.18.3.5.1.4.1.1.25

Parameter: Normal Queue Percent Bandwidth
Path: Configuration
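The following sketch is an added illustration, not code from the Bay Networks manual: it models one High, Normal, Low scan of the bandwidth allocation algorithm with the default 70/20/10 split, plus the queue-size limit that produces the Clipped Packets Count. The per-pass byte budget, the class and function names, the High queue size of 20, and the traffic mix are assumptions made for the example; the router's internal accounting is not described on this page.

```python
from collections import deque

# Default split from the manual: High 70, Normal 20, Low 10 (must total 100).
DEFAULT_PERCENT = {"High": 70, "Normal": 20, "Low": 10}
ORDER = ("High", "Normal", "Low")  # scan order used by the algorithm


class PriorityQueues:
    """Simplified model (assumption) of the priority queues on one interface."""

    def __init__(self, sizes, percent=None):
        self.percent = dict(percent or DEFAULT_PERCENT)
        if sum(self.percent.values()) != 100:
            raise ValueError("Percent Bandwidth values must total 100")
        self.sizes = dict(sizes)                        # max packets per queue
        self.queues = {name: deque() for name in ORDER}
        self.clipped = {name: 0 for name in ORDER}      # Clipped Packets Count
        self.high_water = {name: 0 for name in ORDER}   # High Water Packets Mark

    def enqueue(self, name, length):
        """Queue one packet of `length` bytes; clip it if the queue is full."""
        q = self.queues[name]
        if len(q) >= self.sizes[name]:
            self.clipped[name] += 1
            return False
        q.append(length)
        self.high_water[name] = max(self.high_water[name], len(q))
        return True

    def dequeue_pass(self, budget_bytes):
        """One scan of High, Normal, Low; returns bytes sent from each queue.

        `budget_bytes` is a hypothetical per-pass budget standing in for the
        line's bandwidth; each queue may use at most its configured share.
        """
        sent = {name: 0 for name in ORDER}
        for name in ORDER:
            limit = budget_bytes * self.percent[name] // 100
            q = self.queues[name]
            # Empty the queue until it is drained or its share is used up.
            while q and sent[name] + q[0] <= limit:
                sent[name] += q.popleft()
        return sent


def demo():
    """Constructed traffic: a burst of High packets that overflows its queue."""
    pq = PriorityQueues(sizes={"High": 20, "Normal": 20, "Low": 20})
    for _ in range(25):
        pq.enqueue("High", 500)     # 5 of these are clipped
    for _ in range(10):
        pq.enqueue("Normal", 500)
        pq.enqueue("Low", 500)
    sent = pq.dequeue_pass(budget_bytes=10_000)
    return pq, sent


if __name__ == "__main__":
    pq, sent = demo()
    print("bytes sent per queue:", sent)
    print("clipped packets:", pq.clipped)
    print("high-water marks:", pq.high_water)
```

Even with the High queue overflowing, the Normal and Low queues still drain at their configured shares in every pass, while the nonzero clipped count on the High queue is the statistic that signals the queue size or the traffic classification needs attention.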
112. r range Information field each criterion 2 Click on Delete The Delete Range window opens Addan 1 Choose Action gt Add gt action With the exception of the Log action each action filter has only one action ater 2 Click on Delete The Delete Action window mer opens 3 Click on Delete Delete 1 Select an action in the Filter Information field You must specify at least one action ina 3 Click on Delete Apply 1 Click on OK The Filters window opens Be sure you have specified the e Only one criterion changes pr eC AREY e Only one action e 1 100 ranges 6 14 117348 A Rev A Applying Inbound Traffic Filters Enabling or Disabling an Inbound Traffic Filter There may be times when you want to turn off a filter temporarily Instead of deleting a filter from a circuit you can disable the filter and then reenable it later To disable or reenable an inbound traffic filter Site Manager Procedure You do this System responds Display the Filters window Figure 6 1 See Displaying the Inbound Traffic Filters Window Select the filter to disable or enable The Filter Enable and Filter Name fields show the current status of the selected filter 3 Click on Values The Values Selection window opens 4 To disable the filter select Disabled To enable the filter select Enabled 5 Click on OK The Values Selection window closes The Filter Enable field in the Filters window indicates the change 6
113. r Procedure You do this System responds 1 Display the Filters window Figure 6 1 See Displaying the Inbound Traffic Filters Window 2 Click on Template The Filter Template Management window opens Figure 6 2 4 Click on Copy The Copy Filter Template window opens 5 Specify a name for the new template Be sure to use a name that reflects its contents 6 Click on OK The Filter Template Management window opens The new template appears in the templates list 117348 A Rev A 117348 A Rev A Applying Inbound Traffic Filters Editing a Template After you create or copy a template edit it as follows Site Manager Procedure You do this System responds 1 Select a template in the Filter Template Management window 2 Click on Edit The Edit Template window for the protocol opens Figure 6 4 3 Add or delete predefined criteria ranges and actions Table 6 1 4 Click on OK The Filter Template Management window opens Figure 6 2 5 Click on Done The Filters window opens Figure 6 1 Table 6 1 describes how to add delete or modify predefined criteria ranges and actions in the Edit Template window Figure 6 4 To add a user defined criterion see Specifying User Defined Criteria later in this chapter 6 Configuring Traffic Filters and Protocol Prioritization Figure 6 4 Edit Template Window 6 8 117348 A Rev A Applying Inbound Traffic Filters Table 6 1
114. r information, or refer to the description on page A-8 in Appendix A.
3. Click on Values. The Values Selection window opens.

Site Manager Procedure (continued) (You do this / System responds)
4. Select High, Low, or Normal as the queue in which a packet is placed if the length is less than or equal to the value of Packet Length. For example, if Packet Length is set to 1024 bytes, any packet that is 1024 bytes or less is placed in the queue you selected.
5. Click on OK. The Values Selection window closes. The Prioritization Length window now displays the new value.
6. Select the Greater Than Queue field; then click on Help for information, or refer to the description on page A-8 in Appendix A.
7. Click on Values. The Values Selection window opens.
8. Select High, Low, or Normal as the queue in which a packet is placed if the length is greater than the value of Packet Length.
9. Click on OK. The Values Selection window closes. The Prioritization Length window now displays the new value.
10. Click on OK. The Create Priority Outbound Template window opens, showing the newly selected criterion, range, and action in the Filter Information field (Figure 7-4).
11. Click on OK. The Filter Template Management window opens (Figure 7-3).

Customizing Templates

There are two ways to customize a filter
115. raffic Filter Templates
5. In the Filter Name field, specify a name for the new filter. It can be helpful to include the circuit name to differentiate the template from the filter. For example, specify Drop_Telnet_S42 as the name of a filter that drops inbound Telnet traffic on the synchronous circuit S42.
6. Click on OK. The Filters window opens.

Figure 6-5. Create Filter Window

Editing an Inbound Traffic Filter

After you apply an inbound traffic filter to an interface, you can edit its criterion, ranges, or action. If you used a template that you edited to suit your needs, you may not need to make further edits. When you customize a filter, you have the following options:
• Add or delete predefined criteria
• Add or delete user-defined criteria
• Add or delete actions
• Add, modify, or delete ranges

To add a user-defined criterion, see "Specifying User-Defined Criteria" later in this chapter.

To add predefined criteria, ranges, and actions, or delete any criterion, range, or action:

Site Manager Procedure (You do this / System responds)
1. Display the Filters window (Figure 6-1). See "Displaying the Inbound Traffic Filters Window."
3. Click on Edit. The Edit Filters window opens (Figure 6-6).
4. Add or delete predefined criteria, ranges, and actions (Table 6-2).
116. re 7-5). See "Specifying Prioritization Length" for instructions. Otherwise, the Create Priority Outbound Template window opens, showing the criteria, range, and action in the Filter Information field. (You do this: For a Datalink criterion, choose a Datalink action; for an IP criterion, choose an IP action.)
10. Click on OK. The Filter Template Management window opens. The new template appears in the templates list.

Figure 7-3. Filter Template Management Window
Figure 7-4. Create Priority Outbound Template Window

Specifying Prioritization Length

When you select the Length action in the Create Priority Outbound Template window, the Prioritization Length window opens (Figure 7-5). The Length action directs the router to place each packet in a priority queue based on the specified byte length of the packet.

[Figure 7-5. Prioritization Length Window (fields: Packet Length, Less Than or Equal Queue, Greater Than Queue)]

To set the prioritization length parameters:

Site Manager Procedure (You do this / System responds)
In the Prioritization Length window, specify a byte value between 0 and 4608 in the Packet Length field. Click on Help for information, or refer to the description on page A-7 in Appendix A.
2. Select the Less Than or Equal Queue field; then click on Help fo
117. response time decreases Bay Networks recommends using the default value of 250 ms 2 13 Configuring Traffic Filters and Protocol Prioritization Editing Protocol Prioritization Parameters To edit protocol prioritization parameters Site Manager Procedure System responds The Edit Protocol Priority Interface window opens You do this 1 In the Circuit Definition window choose Protocols gt Edit Protocol Priority gt Interface 2 Select the parameter you want to change To see additional parameters use the scroll bar on the right side of the window 3 Fora description of the parameter click on Help in the Site Manager window or refer to the appropriate parameter description in Appendix A Enable High Queue Size Normal Queue Size Low Queue Size Max High Queue Latency High Water Packets Clear Prioritization Algorithm Type High Queue Percent Bandwidth Normal Queue Percent Bandwidth Low Queue Percent Bandwidth Discard Eligible Bit Low Discard Eligible Bit Normal 4 Click on Values 5 Select the value you want then click on OK 6 Click on OK when you are done setting protocol prioritization parameters 2 14 The Values Selection window opens listing valid values for the parameter The Values Selection window closes The Edit Protocol Priority Interface window now displays the new value You return to the Circuit Definition window 117348 A Rev A Using Protocol Prioritization
118. ria and Actions You create inbound traffic filters using templates that consist of protocol specific filter criteria ranges and actions To define an inbound traffic filter template you need to know the specific criteria and actions that Site Manager supports for the applicable protocol This chapter lists the following for supported bridging and routing protocols e Predefined inbound traffic filter criteria and actions e Reference points for specifying user defined criteria For an overview of traffic filters templates and their criteria ranges and actions see Chapter 1 For instructions on using Site Manager to create inbound traffic filters see Chapter 6 3 1 Configuring Traffic Filters and Protocol Prioritization Transparent Bridge Criteria and Actions Transparent bridge traffic filters support several encapsulation methods and media types You filter inbound transparent bridge frames based on the contents of the header fields for one of the four supported encapsulation methods e Ethernet e IEEE 802 2 LLC e IEEE 802 2 LLC with SNAP e Novell Proprietary Figure 3 1 illustrates the header reference fields for each encapsulation method Ethernet Header MAC MAC Length Destination Source Type 48 bit MAC destination address 48 bit MAC source address 16 bit length type is TYPE gt 1518 IEEE 802 2 LLC Header MAC MAC Length 48 bit MAC destination address 48 bit MAC source address 16 bit len
119. rs 6 2 outbound traffic filters 7 2 criteria inbound traffic filter 802 2 Control 3 3 DSAP 3 3 Length 3 3 SSAP 3 3 adding 6 9 6 14 bridge transparent 802 2 3 3 Ethernet Type 3 3 MAC Destination Address 3 3 MAC Source Address 3 3 Novell 3 3 SNAP 3 3 DECnet Phase IV Destination Area 3 7 Destination Node 3 7 Source Area 3 7 Source Node 3 7 defined 1 6 deleting 6 9 6 14 DLSw Destination MAC Address 3 8 Index 1 DSAP 3 8 Source MAC Address 3 8 SSAP 3 8 IP Established TCP 3 9 IP Destination Address 3 9 IP Source Address 3 9 Protocol 3 9 TCP Destination Port 3 9 TCP Source Port 3 9 Type of Service 3 9 UDP Destination Port 3 9 UDP Source Port 3 9 IPX Destination Address 3 11 Destination Network 3 11 Destination Socket 3 11 Source Address 3 11 Source Socket 3 11 LLC2 Destination MAC Address 3 12 DSAP 3 12 Source MAC Address 3 12 SSAP 3 12 OSI Destination Area 3 13 Destination System ID 3 13 Source Area 3 13 Source System ID 3 13 SNAP Ethertype 3 3 Length 3 3 Protocol D Organization Code 3 3 source route bridging Destination MAC Address 3 5 Destination NetBIOS Name 3 5 DSAP 3 5 Next Ring 3 5 Source MAC Address 3 5 Source NetBIOS Name 3 5 SSAP 3 5 user defined 6 17 to 6 18 7 20 to 7 21 VINES Destination Address 3 14 Index 2 Protocol Type 3 14 Source Address 3 14 XNS Destination Address 3 15 Destination Network 3 15 Destinati
120. s
• Tuning Concepts
• Editing Protocol Prioritization Parameters
• Monitoring Protocol Prioritization Statistics

Tuning Concepts

How you tune protocol prioritization depends on whether you are using the bandwidth allocation algorithm or the strict dequeuing algorithm. See "The Dequeuing Process" earlier in this chapter.

To tune priority queuing with the bandwidth allocation algorithm, consider adjusting the following configuration defaults:
• Percent of Bandwidth
• Queue Size

To tune priority queuing with the strict dequeuing algorithm, consider adjusting the following configuration defaults:
• Queue Size
• Latency

Percent of Bandwidth

When using the bandwidth allocation algorithm, you can change the default allocation of bandwidth for each of the three priority queues. Queued traffic with large packets often requires more than the default bandwidth allocation. For example, if statistics indicate that one interface requires more than 70 percent of bandwidth to properly transmit high-priority traffic, you can increase the High Queue Size parameter and decrease the Normal or Low Queue Size parameter.

Note: If statistics indicate that the High queue does not have enough buffers, consider reducing the amount of high-priority traffic. You should be selective in assigning high-priority status. Too many traffic types with high priority status can d
121. [Figure 2-5. Reconfigured Priority Queue Statistics for the Queue Size Examples (High, Normal, and Low queues)]

To see whether this reallocation solves the problem, reset the Clipped Packets Count and High Water Packets Mark counters using the Statistics Manager and check them again later.

Latency

Line delay, or latency, indicates how many bits of normal- or low-priority traffic the router can allocate to the transmit queue at any one time. The latency value is the greatest time delay that a high-priority packet can experience. Latency is based on the line speed of the attached media. The following formula illustrates how the line speed, bits queued, and latency value are related:

Latency = Bits Queued / Line Speed (b/s)

The default value for latency is 250 milliseconds (ms). This value generally ensures good throughput and maintains rapid terminal response (rapid echoing of keystrokes and timely response to commands) over most media. You can change the default latency value by setting the Max High Queue Latency parameter. Keep in mind, however, that if you specify a higher latency value, thus allowing more room on the transmit queue, throughput increases but terminal
122. s LLC2 DESTMAC o Ss_ 48 DSAP LLC2 DSAP OO SSAP LLC2 SSAP Bo Source MAC Address LLC2_SOURCE_MAC

User-Defined LLC2 Criteria

In addition to the predefined LLC2 criteria, you can create traffic filters with user-defined criteria by specifying an offset and length to these reference fields in the LLC2 header:

LLC2_DEST_MAC   Points to the first byte of the Destination MAC Address
LLC2_DSAP       Points to the first byte of the Destination SAP (DSAP)

LLC2 Actions

The LLC2 filtering actions are Accept, Drop, and Log.

OSI Criteria and Actions

You can configure OSI inbound traffic filters based on specified bit patterns in the Connectionless Network Protocol (CLNP) header.

Predefined OSI Criteria

Table 3-9 lists the predefined criteria for OSI inbound traffic filters and the reference field, offset, and length for each criterion.

Table 3-9. Predefined Criteria for OSI Inbound Traffic Filters

Destination System ID   OSI_DEST

User-Defined OSI Criteria

In addition to the predefined OSI filter criteria, you can create traffic filters with user-defined criteria by specifying an offset and length to these reference fields in the CLNP header:

OSI_BASE   Points to the first byte of the CLNP header
OSI_DEST   Points to the last two bytes of the OSI_DEST reference field
OSI_SRC    Points to the last two bytes of the OSI_SRC reference field

OSI Actions
123. te often you can begin with an existing template. This section describes how to prepare an inbound traffic filter template by:
- Creating a Template
- Customizing Templates

See "Creating an Inbound Traffic Filter" later in this chapter to learn how to create the filter by applying (saving) a filter template to an interface.

Creating a Template

To create an inbound traffic filter template:

Site Manager Procedure (what you do, and how the system responds)

1. Display the Filters window (Figure 6-1). See "Displaying the Inbound Traffic Filters Window."
2. Click on Template. System responds: The Filter Template Management window opens (Figure 6-2).
3. Click on Create. System responds: The Create Template window for the protocol opens (Figure 6-3).
4. Specify a name for the new template in the Filter Name field. Use a descriptive name. For example, the name Drop_Telnet suggests the criterion and action: to drop Telnet session requests from remote nodes.
5. Choose Criteria > Add > criterion. See Chapter 3 for information about the criteria for your protocol. Each filter template can use only one criterion. System responds: The Add Range window opens.
6. Specify a range for the selected criterion. To specify a hexadecimal number, use the prefix 0x. You must specify at least one range. If the range consists of just one value, specify that value in the Minimum value field. See Chapter 5 for informatio
124. ted is highlighted

4. Choose Protocols > Edit protocol > Traffic Filters. The menu path to the Filters window is protocol specific. System responds: The Filters window for the selected protocol opens. It lists any inbound traffic filters already applied to the circuit.
5. Click on Template. System responds: The Filter Template Management window opens. It lists any inbound traffic filter templates already configured for the selected protocol.
6. Click on Create. System responds: The Create Filter Template window for the selected protocol opens.
7. Specify a descriptive name in the Filter Name field.
8. Choose Criteria > Add > criterion. See Table B-1 or Table B-2 for specific examples. System responds: The Add Range window opens. If you selected the User Defined criterion, the Add User Defined Field window opens first.
9. Type a minimum and maximum value to specify the range, then click on OK. See Table B-1 or Table B-2 for specific examples. To specify additional ranges, choose Range > Add. System responds: The Add Range window closes. The new criterion and ranges now appear in the Filter Information field of the Create Filter Template window.
10. Choose Action > Add > action. See Table B-1 or Table B-2 for specific examples. System responds: The action appears in the Filter Information field.
11. Click on OK. System responds: The Filter Template Management window opens
125. template
- Copy an existing template, rename it, and then edit it. This preserves the original template and creates an entirely new template with the same criteria and actions. You can then modify the new template to suit your needs.
- Edit an existing template. If you do not need to preserve the original template, you can edit it without first copying and renaming it.

Changing a template does not affect interfaces to which the template has already been applied.

Note: You can also edit or copy a template using a text editor. The Configuration Manager stores all templates in the file template fit

Copying a Template

To duplicate an existing template:

Site Manager Procedure (what you do, and how the system responds)

1. Display the Priority Outbound Filters window (Figure 7-2).
2. Click on Template. System responds: The Filter Template Management window opens (Figure 7-3).
4. Click on Copy. System responds: The Copy Filter Template window opens.
5. Specify a name for the new template. Be sure to use a name that reflects its contents.
6. Click on OK. System responds: The Filter Template Management window opens. The new template appears in the templates list.

Editing a Template

After you create or copy a template, edit it as follows:

Site Manager Procedure (what you do, and how the system responds)

1. Select a template in the Filter Template Management window.
2. Click on Edit. System responds: The Edit Priority Outbound Template
126. ter template to a particular router interface. Table 1-5 at the end of this chapter summarizes the inbound and outbound traffic filter criteria and actions supported on specific interfaces.

A filter criterion is the portion of a packet, frame, or datagram header to be examined. You can break down any packet into at least three components:
- The DLC, or data link, header. Examples of data link header types include Token ring 802.5, Ethernet V 2 and IEEE 802.3, FDDI, PPP, and Bay Networks Standard Frame Relay.
- The upper-level protocol header. Examples of protocol header types include IP and TCP, source route bridging (SRB), DLSw.
- User data

A traffic filter criterion is defined by a byte length and an offset from common bit patterns (reference points) in the data link or protocol header. The criterion includes the length of the filtered pattern and an offset from the known reference point. The traffic filter uses this information to locate which portion of a packet to examine.

For bridged traffic, predefined criteria are part of the data link header. For routed traffic, a predefined criterion can be part of the data link header or an upper-level protocol header.

Inbound traffic filter criteria use reference points in the upper-level protocol header. You select inbound criteria based on the protocol of the incoming traffic. Outbound traffic filters use reference points in o
127. that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure that may incorporate by reference certain limitations and notices imposed by third parties.

Bay Networks Software License

Note: This is Bay Networks basic license document. In the absence of a software license agreement specifying varying terms, this license, or the license included with the particular product, shall govern licensee's use of Bay Networks software.

This Software License shall govern the licensing of all software provided to licensee by Bay Networks ("Software"). Bay Networks will provide licensee with Software in machine-readable form and related documentation ("Documentation"). The Software provided under this license is proprietary to Bay Networks and to third
128. the network. Normal and Low queue traffic may never be transmitted.

The strict dequeuing algorithm works as follows:

1. The transmit queue scans the High queue. If there is no traffic in the High queue, the algorithm proceeds to step 4.
2. The router empties all packets from the High queue into the transmit queue, up to the latency value or the maximum transmit queue size, and then transmits the packets. The transmit queue size is the maximum number of packets in the transmit queue at one time. You cannot configure this number using Site Manager.
3. If the latency value is reached, the transmit queue returns to step 1, scanning and emptying traffic from the High queue. If neither the latency value nor the maximum transmit queue size is reached, the algorithm proceeds to step 4.
4. The transmit queue scans the Normal queue. If there is no traffic in the Normal queue, the algorithm proceeds to step 7.
5. The router empties all packets from the Normal queue, up to the latency value, into the transmit queue and then transmits the packets.
6. If the latency value is reached, the transmit queue returns to step 1, scanning and emptying traffic from the High queue. If the latency value is not reached, the algorithm proceeds to step 7.
7. The transmit queue scans the Low queue. If there is no traffic in the Low queue, the algorithm returns to step 1.
8. The router empties all packets from the Low queue, up to the latency value, into the transm
129. tion Length LOW HIGH LOW NORMAL

Specifies the queue in which a packet is placed if its length is greater than the value of the Packet Length parameter. For example, if Packet Length is set to 1024 bytes, any packet that is 1025 bytes or larger is placed in the queue you specify for this parameter.

Accept the default, LOW, or select NORMAL or HIGH.

1.3.6.1.4.1.18.3.5.1.4.4.1.9

Appendix B
Examples and Implementation Notes

This appendix contains examples, hints, reminders, and important notes you may find useful.

Topic:
- Traffic Filter Example for Basic IP Network Security
- Inbound Traffic Filter Examples
- Protocol Prioritization Examples
- Implementation Notes
  - Filtering Outbound Frame Relay Traffic
  - Filtering over a Dial Backup Line
  - Using a Drop All Filter as a Firewall
  - Using Outbound Traffic Filters for LAN Protocols

Traffic Filter Example for Basic IP Network Security

In a network configuration with a single leased or dial-up connection to the Internet, one common use for traffic filters is to restrict external access to the network without restricting outbound service for users. This section provides a step-by-step example for creating an inbound IP traffic filter to prevent access to a network through the well-known TCP and UDP ports. The procedure assumes that you are working at a station that is running Site Manager. To further restrict access, you can create additional in
130. u can build user defined criterion.

Table 4-3. Data Link Reference Points

Points to the high-order byte of the destination address
DATA_LINK         Points to the first byte following the length type criteria
DL_HEADER_START   Points to the beginning of the header (beginning of the packet) for PPP and Frame Relay packets
DL_HEADER_END     Points to the first byte following the DLCI in a Frame Relay packet and the first byte following the protocol ID in a PPP packet
DL_FR_MPE         Points to the NLPID (Frame Relay packets only)
DL_SR_START       Points to the beginning of the SRB packet, which is the high-order byte of the destination address
DL_SR_DATA_LINK   Points to the first byte following the RIF

Figures 4-3 and 4-4 show examples of where these reference points are located in a packet.

[Figure 4-3. Data Link Reference Points in an SRB Packet Bridged over Bay Networks Proprietary Frame Relay]

[Figure 4-4. Data Link Reference Points in an IEEE 802.2 LLC Header]

IP Reference Points

Table 4-4 defines the reference points in the IP header from which you c
131. ulting software which incorporate Software are subject to the restrictions of this license. Licensee shall not make the resulting software available for use by any third party. Neither title nor ownership to Software passes to licensee. Licensee shall not provide, or otherwise make available, any Software, in whole or in part, in any form, to any third party. Third parties do not include consultants, subcontractors, or agents of licensee who have licensee's permission to use the Software at licensee's facility, and who have agreed in writing to use the Software only in accordance with the restrictions of this license. Third-party owners from whom Bay Networks has acquired license rights to software that is incorporated into Bay Networks products shall have the right to enforce the provisions of this license against licensee. Licensee shall not remove or obscure any copyright, patent, trademark, trade secret, or similar intellectual property or restricted rights notice within or affixed to any Software and shall reproduce and affix such notice on any backup copy of Software or copies of software resulting from modification or combination performed by licensee as permitted by this license.

Licensee shall not reverse assemble, reverse compile, or in any way reverse engineer the Software. Note: For licensees in the European Community, the Software Directive d
132. AFTER, then type a filter rule number in the Precedence Number field. System responds: umber is either one higher (if you chose INSERT BEFORE) or one lower (if you chose INSERT AFTER) than the number you specified. For example, in Figure 6-8, to place the selected filter 3 before filter 1, click on INSERT BEFORE and type 1 in the Precedence Number field.
5. Click on OK. System responds: The Filters window opens. The filters appear in the new order of precedence (Figure 6-10).

[Figure 6-10. Filters Window Showing New Order of Precedence]

Chapter 7
Applying Outbound Traffic Filters

This chapter describes how to use the Configuration Manager to configure outbound traffic filters. To complete the procedures in this chapter, you must be familiar with outbound traffic filter criteria and actions. See Chapter 4 for this information.

You implement protocol prioritization by applying an outbound traffic filter that includes a prioritizing (priority queue) action. This type of outbound traffic filter is called a priority filter. For instructions on how to edit protocol prioritization parameters that affect the way priority filters work, see
133. utbound Template window opens

7. Specify a descriptive name in the Filter Name field.
8. Choose Criteria > Add > Datalink IP > criterion. See Table B-3 for specific examples. System responds: The Add Range window opens. If you chose the User Defined criterion, the Add User Defined Field window opens first.
9. Type a minimum and maximum value to specify the range, then click on OK. See Table B-3 for specific examples. To specify additional ranges, choose Range > Add. System responds: The Add Range window closes. The new criterion and ranges now appear in the Filter Information field of the Create Priority Outbound Template window.
10. Choose Action > Add > action. See Table B-3 for specific examples.
11. Click on OK. System responds: The Filter Template Management window opens. The new template appears in the templates list.
12. Click on Done. System responds: The Priority Outbound Filters window opens.
13. Click on Create. System responds: The Create Filter window opens.
14. Select a circuit in the Interfaces field.
15. Select a template in the Templates field.
16. Specify a descriptive name in the Filter Name field.
17. Click on OK. System responds: The Priority Outbound Filters window opens.
18. Click on Apply. System responds: The filter is applied to the circuit.

Table B-3 provides some ex
134. yte of 40 as 0x400031740001. If the RIF bit is set, the hexadecimal value of the packet is 0xC00031740001.

SRB Functional MAC Addresses

Functional MAC addresses are destination MAC addresses that always conform to the following rules:
- Byte 0 = 0xC0
- Byte 1 = 0x00
- The first half of byte 2 = 0x0 to 0x7

Table 5-2 lists some common functional MAC addresses.

Table 5-2. Functional MAC Addresses

Function Name                 MAC Address (MSB)     Identifying Bit     Ethernet Address
Active Monitor                0xC000 0000 0001      Byte 5, bit 7       0x030000000080
Ring Parameter Server         0xC000 0000 0002      Byte 5, bit 6       0x030000000040
Ring Error Monitor            0xC000 0000 0008      Byte 5, bit 4       0x030000000010
Configuration Report Server   0xC000 0000 0010      Byte 5, bit 3       0x030000000008
NetBIOS                       0xC000 0000 0080      Byte 5, bit 0       0x030000000001
Bridge                        0xC000 0000 0100      Byte 4, bit 7       0x030000008000
LAN Manager                   0xC000 0000 2000      Byte 4, bit 2       0x030000000400
User defined                  0xC000 0008 0000 to   Byte 3, bits 0-4    0x030000100000 to
                              0xC000 4000 0000      Byte 2, bits 1-7    0x030002000000

Specifying VINES Address Ranges

You specify VINES server address ranges in hexadecimal format. For example, if the address of a VINES server is a2482c 0001, convert the value to hexadecimal and specify the filter criteria range as 0xa2482c0001. You can obtain a VINES server address as follows:
- From a sniffer trace
- By using the Technician
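The two address columns of Table 5-2 (functional MAC addresses) differ only in the bit order inside each byte, so a value taken from a token ring trace has to be bit-swapped before it is used in an Ethernet-format filter range, and vice versa. The following Python sketch is an added example, not part of the manual: the function names are illustrative, the rows are copied from Table 5-2, and the bit numbering (bit 0 = most significant) is inferred from the table's Identifying Bit column.

```python
# Added example: convert between the MSB (token ring) and Ethernet notations
# of Table 5-2 and check an address against the functional-address rules.

# Rows copied from Table 5-2: (function, MSB address, Ethernet address).
TABLE_5_2 = [
    ("Active Monitor",              "0xC000 0000 0001", "0x030000000080"),
    ("Ring Parameter Server",       "0xC000 0000 0002", "0x030000000040"),
    ("Ring Error Monitor",          "0xC000 0000 0008", "0x030000000010"),
    ("Configuration Report Server", "0xC000 0000 0010", "0x030000000008"),
    ("NetBIOS",                     "0xC000 0000 0080", "0x030000000001"),
    ("Bridge",                      "0xC000 0000 0100", "0x030000008000"),
    ("LAN Manager",                 "0xC000 0000 2000", "0x030000000400"),
]


def parse_mac(text):
    """Parse '0xC000 0000 0001' or '0x030000000080' into 6 raw bytes."""
    digits = text.strip().replace(" ", "")
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits, got {text!r}")
    return bytes.fromhex(digits)


def reverse_bits(byte):
    """Reverse the bit order of one byte (0xC0 -> 0x03, 0x01 -> 0x80)."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (byte & 1)
        byte >>= 1
    return out


def bit_swap(text):
    """Convert MSB <-> Ethernet notation; applying it twice is the identity."""
    swapped = bytes(reverse_bits(b) for b in parse_mac(text))
    return "0x" + swapped.hex().upper()


def is_functional(msb_text):
    """Rules from the page: byte 0 = 0xC0, byte 1 = 0x00, and the first
    half of byte 2 is in the range 0x0 to 0x7."""
    raw = parse_mac(msb_text)
    return raw[0] == 0xC0 and raw[1] == 0x00 and (raw[2] >> 4) <= 0x7


def identifying_bits(msb_text):
    """Return (byte, bit) pairs set in bytes 2-5, with bit 0 as the MSB."""
    if not is_functional(msb_text):
        raise ValueError(f"{msb_text!r} is not a functional MAC address")
    raw = parse_mac(msb_text)
    return [(i, bit) for i in range(2, 6) for bit in range(8)
            if raw[i] & (0x80 >> bit)]


def check_table():
    """Return the names of any Table 5-2 rows the conversion disagrees with."""
    return [name for name, msb, eth in TABLE_5_2
            if not is_functional(msb) or bit_swap(msb) != eth]


if __name__ == "__main__":
    for name, msb, eth in TABLE_5_2:
        print(f"{name:28} {msb} -> {bit_swap(msb)} bits={identifying_bits(msb)}")
    print("rows that disagree with the table:", check_table())
```

Running `check_table()` before entering filter ranges confirms that a conversion routine agrees with every row of the table; a range typed in the wrong notation simply never matches.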