Cabletron Systems Cabletron CyberSWITCH CSX5500 User Manual

Also see for CyberSWITCH 5500: Quick start Manual

Contents

Central Site Remote Access Switch 303CONFIGURING A DVANCED IP ROUTINGIP Filtersattached network.• through the Output Network Interface: applies the filter only to packets which are transmittedon a specific attached network (i.e. after the Routing process has determined the next-hop net-work for the datagram).• on a per-Device basis: applies a device-specific filter in addition to any Input or Output filters.This type of filtering is applicable only to WAN Network Interfaces.Refer to the Role of Filters for more information on these filtering mechanisms.Connection FiltersThe Connection Filter, when enabled, is only applied when an IP datagram attempts to trigger acall on a WAN Output Interface. The initial default is that all such datagrams yield a FORWARDaction, so the administrator must explicitly configure any desired connection restrictions. Note thatthe control offered by the IP Connection Filter is distinct from the “IP Callable” attribute of theDevice Table. The IP Connection Filter permits connection control based on packet content, whilethe IP Callable feature applies such control based on the selected next hop.Exception FiltersAt certain times, you may want to allow specific IP packets to temporarily override the ForwardingFilters which have been applied. For example, you may want to allow temporary access to anauthorized technical person via a path which is otherwise blocked via filters. One way to do thiswould be to simply make a temporary modification to the applicable filter or filters. However, thespecial concept of an Exception Filter is also expressly supported for this purpose.The Exception Filter is a built-in filter which is selectively enabled and disabled. When enabled, itis logically appended before each Forwarding Filter which an IP packet encounters. The makeup ofthe Exception Filter is identical to any other filter. Should a match occur, the specified action willbe taken, effectively overriding the original filter. If no match occurs, the Exception Filter’s Finalaction dictates the next processing step. When the Final action is FORWARD, filter execution flowsinto the original filter, thereby creating one logical filter. This is the default operation of theException Filter. The alternative for the no-match situation is a Final action of DISCARD, in whichcase the datagram is discarded.Note: A final action of DISCARD in the Exception Filter will DISCARD all packets not matchingthe initial condition.R OLE OF FILTERS IN THE IP P ROCESSING FLOWRefer to the following figure. It illustrates the exact order in which the filter application points areexecuted. Before reaching the IP routing process, incoming datagrams will first be subject to anyUser-specific filter (if arriving on a WAN interface) and secondly to any Input filter for thedelivering Network Interface. Once a datagram has reached the IP routing process (either anincoming datagram or a datagram generated within the NE system), the Global filter, if enabled, isapplied. When the routing process determines that a datagram is to be transmitted, that datagramis subject first to any Output filter of the selected to Network Interface. If the output interface is aWAN and it is necessary to first establish a connection, the Connection Filter, if enabled, is applied.Finally, any User-specific filter is applied (again, only if the datagram is being transmitted on WANinterface).