Enterasys csx5500 用户指南
Central Site Remote Access Switch 303
C
ONFIGURING
A
DVANCED
IP R
OUTING
IP Filters
attached network.
•
through the Output Network Interface: applies the filter only to packets which are transmitted
on a specific attached network (i.e. after the Routing process has determined the next-hop net-
work for the datagram).
on a specific attached network (i.e. after the Routing process has determined the next-hop net-
work for the datagram).
•
on a per-Device basis: applies a device-specific filter in addition to any Input or Output filters.
This type of filtering is applicable only to WAN Network Interfaces.
This type of filtering is applicable only to WAN Network Interfaces.
Refer to the
for more information on these filtering mechanisms.
Connection Filters
The Connection Filter, when enabled, is only applied when an IP datagram attempts to trigger a
call on a WAN Output Interface. The initial default is that all such datagrams yield a FORWARD
action, so the administrator must explicitly configure any desired connection restrictions. Note that
the control offered by the IP Connection Filter is distinct from the “IP Callable” attribute of the
Device Table. The IP Connection Filter permits connection control based on packet content, while
the IP Callable feature applies such control based on the selected next hop.
call on a WAN Output Interface. The initial default is that all such datagrams yield a FORWARD
action, so the administrator must explicitly configure any desired connection restrictions. Note that
the control offered by the IP Connection Filter is distinct from the “IP Callable” attribute of the
Device Table. The IP Connection Filter permits connection control based on packet content, while
the IP Callable feature applies such control based on the selected next hop.
Exception Filters
At certain times, you may want to allow specific IP packets to temporarily override the Forwarding
Filters which have been applied. For example, you may want to allow temporary access to an
authorized technical person via a path which is otherwise blocked via filters. One way to do this
would be to simply make a temporary modification to the applicable filter or filters. However, the
special concept of an Exception Filter is also expressly supported for this purpose.
Filters which have been applied. For example, you may want to allow temporary access to an
authorized technical person via a path which is otherwise blocked via filters. One way to do this
would be to simply make a temporary modification to the applicable filter or filters. However, the
special concept of an Exception Filter is also expressly supported for this purpose.
The Exception Filter is a built-in filter which is selectively enabled and disabled. When enabled, it
is logically appended before each Forwarding Filter which an IP packet encounters. The makeup of
the Exception Filter is identical to any other filter. Should a match occur, the specified action will
be taken, effectively overriding the original filter. If no match occurs, the Exception Filter’s Final
action dictates the next processing step. When the Final action is FORWARD, filter execution flows
into the original filter, thereby creating one logical filter. This is the default operation of the
Exception Filter. The alternative for the no-match situation is a Final action of DISCARD, in which
case the datagram is discarded.
is logically appended before each Forwarding Filter which an IP packet encounters. The makeup of
the Exception Filter is identical to any other filter. Should a match occur, the specified action will
be taken, effectively overriding the original filter. If no match occurs, the Exception Filter’s Final
action dictates the next processing step. When the Final action is FORWARD, filter execution flows
into the original filter, thereby creating one logical filter. This is the default operation of the
Exception Filter. The alternative for the no-match situation is a Final action of DISCARD, in which
case the datagram is discarded.
Note:
A final action of DISCARD in the Exception Filter will DISCARD all packets not matching
the initial condition.
the initial condition.
R
OLE
OF
F
ILTERS
IN
THE
IP P
ROCESSING
F
LOW
Refer to the following figure. It illustrates the exact order in which the filter application points are
executed. Before reaching the IP routing process, incoming datagrams will first be subject to any
User-specific filter (if arriving on a WAN interface) and secondly to any Input filter for the
delivering Network Interface. Once a datagram has reached the IP routing process (either an
incoming datagram or a datagram generated within the NE system), the Global filter, if enabled, is
applied. When the routing process determines that a datagram is to be transmitted, that datagram
is subject first to any Output filter of the selected to Network Interface. If the output interface is a
WAN and it is necessary to first establish a connection, the Connection Filter, if enabled, is applied.
Finally, any User-specific filter is applied (again, only if the datagram is being transmitted on WAN
interface).
executed. Before reaching the IP routing process, incoming datagrams will first be subject to any
User-specific filter (if arriving on a WAN interface) and secondly to any Input filter for the
delivering Network Interface. Once a datagram has reached the IP routing process (either an
incoming datagram or a datagram generated within the NE system), the Global filter, if enabled, is
applied. When the routing process determines that a datagram is to be transmitted, that datagram
is subject first to any Output filter of the selected to Network Interface. If the output interface is a
WAN and it is necessary to first establish a connection, the Connection Filter, if enabled, is applied.
Finally, any User-specific filter is applied (again, only if the datagram is being transmitted on WAN
interface).