Nortel 4134 Guia Do Utilizador
Troubleshooting
41
Ethernet module interfaces can have a maximum of 896 rules (shared with
QOS) corresponding to 896 entries in the TCAM. Some complex rules
consume more than one TCAM entry.
QOS) corresponding to 896 entries in the TCAM. Some complex rules
consume more than one TCAM entry.
Configuration considerations
When configuring packet filters, be aware of the following configuration
considerations:
considerations:
•
At the end of every rule list is an implied "deny all traffic" statement.
Therefore, all packets not explicitly permitted by filtering rules are
denied. An empty packet filter list drops all packets. A packet that does
not match any rule in a packet filter list is dropped. Therefore, it is
important that each filter list contain at least one "permit" statement.
Therefore, all packets not explicitly permitted by filtering rules are
denied. An empty packet filter list drops all packets. A packet that does
not match any rule in a packet filter list is dropped. Therefore, it is
important that each filter list contain at least one "permit" statement.
•
The order in which you enter the filtering rules is important. As the
Secure Router 4134 is evaluating each packet, the OS tests the packet
against each rule statement sequentially. After a match is found, no
more rule statements are checked. For example, if the first rule you
create is a statement that explicitly permits all traffic, all traffic is passed
since no further rules are checked.
Secure Router 4134 is evaluating each packet, the OS tests the packet
against each rule statement sequentially. After a match is found, no
more rule statements are checked. For example, if the first rule you
create is a statement that explicitly permits all traffic, all traffic is passed
since no further rules are checked.
•
The SR4134 supports re-ordering of filter commands through insert
and delete commands.
and delete commands.
•
You can configure rules with expire options. In this case, the rule expires
after the specified number of seconds. The timer starts when the rule
is attached to an interface.
after the specified number of seconds. The timer starts when the rule
is attached to an interface.
•
Packet Filter lists can be applied to more than one interface. Start with a
separate packet filter list per interface, until the list is proven
separate packet filter list per interface, until the list is proven
•
Start with a minimum rule list and add to it as necessary
Troubleshooting
•
Error “Failed to register packet filter module” usually occurs when an
IP/IPv6 address has not been configured on the interface.
IP/IPv6 address has not been configured on the interface.
•
‘Expire’ rules start to expire as soon as the Packet Filter is associated
with an interface. The expiring rule is deleted from the packet filter list
when time runs out.
with an interface. The expiring rule is deleted from the packet filter list
when time runs out.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.