Nortel 4134 用户指南
40
Packet filter fundamentals
keywords but they should be specified with a comma (,) in between and
with no space. For example, if “flags syn” is specified, only TCP packets
with SYN flag alone are matched; a TCP packet with both SYN and
ACK flag set would not be matched.
with no space. For example, if “flags syn” is specified, only TCP packets
with SYN flag alone are matched; a TCP packet with both SYN and
ACK flag set would not be matched.
•
DSCP value: Matches a differentiated services code point value against
the traffic class value in the Traffic Class field of each IPv6 packet
header. The acceptable range is from 0 to 63.
the traffic class value in the Traffic Class field of each IPv6 packet
header. The acceptable range is from 0 to 63.
•
Flow-label: filters can restrict traffic that matches a flow label value in
the Flow Label field of each IPv6 packet header. The acceptable range
is from 0 to 1048575.
the Flow Label field of each IPv6 packet header. The acceptable range
is from 0 to 1048575.
•
Routing - filters can restrict source-routed packets that match the routing
extension header within each IPv6 packet header.
extension header within each IPv6 packet header.
MAC packet filters
The MAC packet filter performs filtering based on MAC header information.
The basic MAC filtering function is to filter based on source MAC address
and destination MAC address with mask. In addition to MAC address
information, MAC packet filter can filter based on Ethernet type, VLAN ID,
and COS. Typically, the main object of MAC packet filters is to filter non-IP
packets within a LAN area. However, MAC packet filters can also filter MAC
information of IP packets to support VLAN.
The basic MAC filtering function is to filter based on source MAC address
and destination MAC address with mask. In addition to MAC address
information, MAC packet filter can filter based on Ethernet type, VLAN ID,
and COS. Typically, the main object of MAC packet filters is to filter non-IP
packets within a LAN area. However, MAC packet filters can also filter MAC
information of IP packets to support VLAN.
The MAC packet filter can only be applied to Module Ethernet interfaces in
the ingress direction.
the ingress direction.
Logging
Logging is available for the IPv4 and IPv6 packet filters on WAN and chassis
Ethernet interfaces. However, logging is not supported on the Ethernet
module interfaces.
Ethernet interfaces. However, logging is not supported on the Ethernet
module interfaces.
Scalability
Up to 50 packet filter list names are supported.
Each packet filter list name can have three types of lists (IPv4, IPv6, and
MAC) that can be configured.
MAC) that can be configured.
Each packet filter list can have up to 2000 rules attached to it.
Ethernet module limits
Ethernet module interfaces can only bind packet filters to the inbound
direction.
direction.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.