
Title 3 ACL-based Feature support PDF

24 Pages·2013·1.49 MB·English

Preview Title 3 ACL-based Feature support

ACL

Contents
Title 1 Key points of the ACL in S9700
Title 2 ACL implementation
Title 3 ACL-based Feature support
Title 4 Summary: Top 3 things to know about ACL

Key points of ACL @ S9700
- Selective hardware ACL programming for better scalability and resource utilization
- Support for time-range
- ACL-based features: VLAN Translate, PBR, CAR, Mirror …
- ACLs matching: L2, L3, and L4 header fields (using IPv4, IPv6, ARP, MAC access lists)

ACL action point @ S9700
[Figure: ACL action points. Labels: Ingress linecard, Egress linecard, Ingress PP, Egress PP, L2/L3/ACL Table, Fabric, ACL Table, HiGig, Parse, Lookup, Memory Management, Packet Modification, ACL Unit, Ingress Module's ingress pipeline, Ingress Module's egress pipeline, Egress Module's ingress pipeline, Egress Module's egress pipeline, Ingress ACL, Egress ACL]
Feature labels in the figure:
- Port ACL, VLAN_ACL, CAR, statistics, remark, copy, …
- VLAN-Assignment: match content (port / subnet / mac …); look up and modify the VLAN ID and 802.1p of the packet; find VRF/VSI …
- PBR, Port ACL, VLAN_ACL, CAR, statistics, remark, mirror, copy, …

ACL Engine brief: Action (Ingress & Egress ACL)
- Changes TOS precedence or 802.1p priority
- IPv4 and IPv6 DSCP/ToS remarking in the packet header
- Support for event notification to CPU upon filter match
- Support for MAC destination address replacement
- Support for ingress/egress port based filtering
- Send a copy of packet to CPU (mirror to CPU)
- Redirect packet to CPU (like protocol capture)
- Redirect a packet
- Drop a packet
- Replace VLAN ID
- Change CoS queue based on 802.1p field (only Ingress Module)
- Send a copy of packet to the mirror port
- Do CAR for matched flows

ACL capability
S9700 supports 4 types of ACL:
- Basic ACL: based on SIP, fragment label, time-range
- Advanced ACL: based on SIP, DIP, source port number, destination port number, protocol type (TCP/UDP/ICMP/GRE/OSPF …), precedence, and effective time range
- L2 ACL: SMAC, DMAC, protocol type, VLAN-ID, 802.1p, time-range …
- User-defined ACL: the user selects the match field and offset. The user-defined ACL is applicable only to incoming traffic.
- For IPv6, S9700 supports basic ACL and advanced ACL

ACL Whole Process
[Figure: ACL whole process. Stages shown: ACL, Classifier, Behavior, Policy, Policy Parse, Download, Deal in Card, Download to TCAM]

ACL Perform in line card (LPU)
- ACL configuration is downloaded from the SRU and handled by the LC CPU.
- Before the ACL configuration is downloaded to the line card, it is parsed by the SRU CPU; if verification succeeds, the rules and actions are downloaded to the LC CPU. The ACL configuration is synced globally.
- The LC CPU decides whether an ACL is locally relevant. It installs ACLs to the PP only when they are needed.
- ACL TCAM occupancy is asymmetric, so TCAM resource utilization is improved.

ACL Perform in SRU (Supervisor)
- ACL in the SRU (Supervisor) is handled by the CPU to implement access control for the host, such as Telnet, FTP ...
- For inline traffic to the CPU, CP-CAR (cpu-defend) is used to rate limit.

Description:
ACLs matching: L2, L3, and L4 header fields( using IPv4, IPv4 and IPv6 DSCP/ToS remarking in the packet header .. reset traffic policy statistics { global | interface interface-type document may contain predictive statements including, without limitation, statements regarding the future financial
