Command Reference Guide

Administering Packet Filters

This chapter provides guidelines and other key information about how to administer bridge packet filters in your system, including the following tasks:

Listing and displaying packet filters
Creating, deleting, editing, and loading packet filters
Assigning and unassigning packet filters
Managing port groups

Independently configurable packet filtering is provided for the packet processing paths on each bridge port of the system. After you create a packet filter, you can assign the filter to the transmit or the receive paths of any bridge port or group of bridge ports.

The filter executes a series of test operations on the packet's contents and, if the result is positive it stops (filters) the packet. If the end result is negative, the filter lets the packet pass.

For more information about implementing packet filters on your network, see the Implementation Guide for your system.

For the CoreBuilder 9000 platform, the commands in this chapter apply to Layer 3 switching modules only.

Menu Structure

The commands that you can use depend on the system that you have, your level of access, and the types of modules and other hardware options that are configured for your system. The following diagram shows the complete list of commands for all systems. See the checklist at the beginning of each command description in this chapter for whether your system supports the command.

bridge packetFilter list

Prompt	Description	Possible Values	[Default]
Filter	Identifier (id number) of the filter that you want to display	1 - nn ? (for a list of all filters)	Current filter id

Sample Bridge Packet Filter Display (3500)

: Select menu option (bridge/packetFilter): display
: Select filter {1|?} [1]:

: Packet Filter 1 - rejdiffportgrp
: name "rejdiffportgrp"
: pushDPGM
: pushSPGM
: and
: pushLiteral.l 0x00000000
: ne
bridge packetFilter create

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Creates a port group filter or a custom packet filter.

Valid Minimum Abbreviation

: b pa c

Important Considerations

The system only creates the packet filter definitions. You must still assign ports and masks to port groups, as described for the "bridge packetFilter portGroup create" command, and assign the standard filter to ports and filtering paths, as described for the "bridge packetFilter assign" command.
The portGroup packet filter rejects a frame if the destination and source paths are not in the same group.
In addition to the port group filter, you can create custom filters to add filtering logic based on the content of the packet.
For the CoreBuilder 9000 platform, custom filters are not implemented.

Options

Prompt

Description

Possible Values

[Default]

Menu option

Whether to create a standard port group filter or a custom filter

portGroup
custom

-

Prompt	Description	Possible Values	[Default]
Menu option	Whether to create a standard port group filter or a custom filter	portGroup custom	-

Bridge Packet Filter Create Example (3500)

The system presents menu options for portGroup and custom:

Create Custom Bridge Packet Filter Example (3500)

The system displays the editor commands that create the custom packet filters, as shown here.

You now enter packet filter language statements that define the packet filter algorithm. See the Implementation Guide for your system for information about developing the packet filters.

bridge packetFilter delete

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Deletes the selected packet filter.

Valid Minimum Abbreviation

: b pa de

Important Considerations

You cannot delete a filter if it is assigned. Before you can delete the filter, you must unassign the filter from the assigned ports.
Possible values for filters (nn) depend on the number of created or loaded filters on the system.
To find the id of the filter, list the filters using the bridge packetFilter list command.

Options

Prompt

Description

Possible Values

[Default]

Filter

Identifier (id number) of the filter that you want to delete

1 - nn
? (for a list of all identifiers)

Highest filter number

Delete packet filter?

Whether you want to delete the selected packet filter

n (no)
y (yes)

y

Prompt	Description	Possible Values	[Default]
Filter	Identifier (id number) of the filter that you want to delete	1 - nn ? (for a list of all identifiers)	Highest filter number
Delete packet filter?	Whether you want to delete the selected packet filter	n (no) y (yes)	y

Bridge Packet Filter Delete Examples (3500)

: Select menu option (bridge/packetFilter): delete
: Select filter {1|?} [1]: 1
: Delete packet filter (n,y) [y]: y
: Packet filter 1 has been deleted.

If the filter is assigned, it cannot be deleted. The system responds as follows to the delete command:

: Select menu option (bridge/packetFilter): delete
: Select filter {1|?} [1]: 1
: The selected filter is assigned
: This problem prevents the deletion of this filter.
bridge packetFilter edit

Modifies the selected packet filter.

Valid Minimum Abbreviation

: b pa e

Important Consideration

Possible values for filters (nn) depend on the number of created or loaded filters on the system.

Options

Prompt

Description

Possible Values

[Default]

Filter

Identifier (id) number of the filter that you want to edit

1 - nn
? (for a list of all identifiers)

Most recent filter edited

Replace existing filter?

Whether to replace the selected filter

n (no)
y (yes)

y

Store as new filter?

Whether to create a new filter

n (no)
y (yes)

y

Prompt	Description	Possible Values	[Default]
Filter	Identifier (id) number of the filter that you want to edit	1 - nn ? (for a list of all identifiers)	Most recent filter edited
Replace existing filter?	Whether to replace the selected filter	n (no) y (yes)	y
Store as new filter?	Whether to create a new filter	n (no) y (yes)	y

Bridge Packet Filter Edit Examples

The system displays the editor commands that you use to edit the packet filters. You can edit packet filter language statements that define the packet filter algorithm. See the Implementation Guide for your system for information about developing the packet filters. After you modify the packet filter, you can save the filter file using the editor command Ctrl+w.

To complete the editing process, press the Esc key. The system replaces the filter or creates a new filter, depending on your response to the prompts.

Two examples of the editing process follow.

Replace Existing Filter Example

Store as New Filter Example

bridge packetFilter load

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Transfers a packet filter file from another host machine to the switch to which you are currently connected.

Valid Minimum Abbreviation

: b pa lo

Important Considerations

Before you use the packetFilter load command, select the required file transfer protocol (tftp or ftp) using the system fileTransfer command
Tftp or ftp hosts may place restrictions on which files and pathnames are valid. See your host administrator or host documentation for tftp and ftp information.

Options

Prompt

Description

Possible Values

[Default]

Host IP address

IP address of the machine from which you want to transfer the filter

Any valid IP address

-

File pathname

Path and file name of the filter to transfer

? (for a list of criteria for entering the pathname)
Up to 128 characters

-

Prompt	Description	Possible Values	[Default]
Host IP address	IP address of the machine from which you want to transfer the filter	Any valid IP address	-
File pathname	Path and file name of the filter to transfer	? (for a list of criteria for entering the pathname) Up to 128 characters	-

Bridge Packet Filter Load Example (3500)

The system transfers the specified filter and displays a confirmation message:

: Select menu option (bridge/packetFilter): load
: Host IP address: 158.101.112.191
: File pathname {?}: /tftpboot/srackley/joe.fil
: Packet filter 2 stored.
: bridge packetFilter assign

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Assigns a selected packet filter to a port or set of ports (port group).

Valid Minimum Abbreviation

: b pa a

Important Considerations

When you assign a packet filter to one or more ports, you must assign a processing path. The path (transmit all, transmit multicast, receive all, or receive multicast) of a port can have only one packet filter assigned to it; however, you can assign a single packet filter to multiple paths and ports.
After you assign the filter, ports and paths are removed from the list of possible values (listed in the Options table).
Possible values for filters (nn) depend on the number of created or loaded filters on the system.
Possible values for bridge ports (nn) depend on the number of existing bridge ports on the system.

Options

Prompt

Description

Possible Values

[Default]

Filter

Identifier (id number) of the filter that you want to assign

1 - nn
? (for a list of valid filter identifiers)

Current valid selected filter

Bridge ports

Number of the bridge port to which you want to assign the selected filter

1 - nn
? (for a list of valid ports)

Current valid selected bridge port

Paths

Identifier of the path to which you want to assign the selected filter

txA
txM
rxA
rxM
all
? (for a list of valid paths)

Current valid selected path

Prompt	Description	Possible Values	[Default]
Filter	Identifier (id number) of the filter that you want to assign	1 - nn ? (for a list of valid filter identifiers)	Current valid selected filter
Bridge ports	Number of the bridge port to which you want to assign the selected filter	1 - nn ? (for a list of valid ports)	Current valid selected bridge port
Paths	Identifier of the path to which you want to assign the selected filter	txA txM rxA rxM all ? (for a list of valid paths)	Current valid selected path

Bridge Packet Filter Assign Examples (3500)

: Select menu option (bridge/packetFilter): assign
: Select filter {1|?} [1]:
: Select bridge port(s) (1-12|all|?) [4-6]: all
: Select path(s) (txA,txM,rxA,rxM|all|?): txA

To specify multiple ports and paths at the same time that you assign packet filters, enter all when you specify the ports or paths.

: Select menu option (bridge/packetFilter): assign
: Select filter {1|?} [1]:
: Select bridge port(s) (1-6|all|?): 1-3
: Select path(s) (txA,txM,rxA,rxM|all|?): all
bridge packetFilter unassign

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Unassigns selected packet filter from one or more ports.

Valid Minimum Abbreviation

: b pa u

Important Considerations

The packet filter that you want to unassign must have been assigned to at least one port.
Possible values for filters (nn) depend on the number of created or loaded filters on the system.
Possible values for bridge ports (nn) depend on the number of existing bridge ports on the system.
After you unassign the filter, ports and paths are added to the list of possible values (listed in the Options table).

Options

Prompt

Description

Possible Values

[Default]

Filter

Identifier (id number) of the filter that you want to unassign

1 - nn
? (for a list of valid filter identifiers)

Current valid selected filter

Bridge ports

Numbers of one or more bridge ports from which you want to unassign the selected filter

1 - nn
? (for a list of valid ports)

Current valid selected bridge port

Paths

Identifiers of one or more paths from which you want to unassign the selected filter

txA
txM
rxA
rxM
all
? (for a list of valid paths)

Assigned paths

Prompt	Description	Possible Values	[Default]
Filter	Identifier (id number) of the filter that you want to unassign	1 - nn ? (for a list of valid filter identifiers)	Current valid selected filter
Bridge ports	Numbers of one or more bridge ports from which you want to unassign the selected filter	1 - nn ? (for a list of valid ports)	Current valid selected bridge port
Paths	Identifiers of one or more paths from which you want to unassign the selected filter	txA txM rxA rxM all ? (for a list of valid paths)	Assigned paths

Bridge Packet Filter Unassign Examples (3500)

The unassignment is from the transmit all (txA) paths on port 1.

: Select menu option (bridge/packetFilter): unassign
: Select filter {1|?} [1]: 1
: Select bridge port [1]: 1
: Select path(s) (txA,rxA|all|?) [txA,rxA]: txA

To specify multiple ports and paths at the same time when you assign (or unassign) packet filters, specify all when you specify the ports or paths.

: Select menu option (bridge/packetFilter): unassign
: Select filter {1|?} [1]:
: Select bridge port(s) (1-3|all|?) [1-3]:
: Select path(s) (txA,rxA|all|?) [txA,rxA]: all

If the filter that you attempt to unassign is not assigned, one or more of the unassignments may fail.

bridge packetFilter portGroup list

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Displays a list of currently defined port groups.

Valid Minimum Abbreviation

: b pa p l

Bridge Packet Filter Port Group List Example

In the example, the system has two port groups defined: Marketing and Sales. The display shows the group id, group name (if any), and group mask.

bridge packetFilter portGroup display

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Displays a port group.

Valid Minimum Abbreviation

: b pa p di

Important Consideration

Possible values for port groups (nn) depend on the number of user-defined port groups on the system.

Options

Prompt

Description

Possible Values

[Default]

Port group

Number of the port group to display

1 - nn
? (for a list of valid port groups)

Current port group

Prompt	Description	Possible Values	[Default]
Port group	Number of the port group to display	1 - nn ? (for a list of valid port groups)	Current port group

Sample Bridge Packet Filter Port Group Display (3500)

bridge packetFilter portGroup create

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Creates a port group.

Valid Minimum Abbreviation

: b pa p c

Important Considerations

You can create up to 32 port groups, one for each bit in the 32-bit port group mask. Port group membership is limited to the number of ports on the system.
The portGroup create command only creates port group associations. You must create and assign a filter to a port group to affect filtering. See the "bridge packetFilter create" and "bridge packetFilter assign" commands earlier in this chapter.
Possible values for bridge ports (nn) depend on the number of bridge ports on the system.

Options

Prompt

Description

Possible Values

[Default]

Port group mask

Mask that you want to assign to the port group

1 - 32
? (for a list of masks)

-

Port group name

Name of the port group that you want to create

Up to 32 characters

-

Bridge port

Number of the bridge port that you want to add to the new group

1 - nn
? (for a list of valid ports)

-

Prompt	Description	Possible Values	[Default]
Port group mask	Mask that you want to assign to the port group	1 - 32 ? (for a list of masks)	-
Port group name	Name of the port group that you want to create	Up to 32 characters	-
Bridge port	Number of the bridge port that you want to add to the new group	1 - nn ? (for a list of valid ports)	-

Bridge Packet Filter Port Group Create Example (3500)

bridge packetFilter portGroup delete

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Deletes a selected port group.

Valid Minimum Abbreviation

: b pa p de

Important Considerations

When you delete port groups from the system, those groups are no longer available for use in packet filters.
When you delete a port group, the remaining port group IDs are automatically renumbered to maintain consecutive numbering.
Possible values for port groups (nn) depend on the number of user defined port groups on the system.

Options

Prompt

Description

Possible Values

[Default]

Port group

Number of the port group to delete

1 - nn
? (for a list of groups)

Current port group

Delete port group?

Whether to delete the selected port group

n (no)
y (yes)

y

Prompt	Description	Possible Values	[Default]
Port group	Number of the port group to delete	1 - nn ? (for a list of groups)	Current port group
Delete port group?	Whether to delete the selected port group	n (no) y (yes)	y

Bridge Packet Filter Port Group Delete Example

: Select menu option (bridge/packetFilter/portGroup): delete
: Select port group {1-2|?} [2]: 1
: Delete port group (n,y) [y]: y
: Port Group 1 - Marketing - has been deleted.
bridge packetFilter portGroup addPort

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Adds ports to an existing port group.

Valid Minimum Abbreviation

: b pa p a

Important Considerations

You add ports to an existing group by entering port identifiers at the prompts. At least one port group must exist before you can add ports.
The maximum number of ports that a port group can contain is 24, which is the maximum number of ports on a switching system.
Possible values for port groups (nn) depend on the number of user defined port groups on the system.
Possible values for bridge ports (nn) depend on the number of existing bridge ports on the system.

Options

Prompt

Description

Possible Values

[Default]

Port group

Number of the port group to which you want to add a bridge port

1 - nn
? (for a list of groups)

Current port group

Bridge port

Number of the bridge port that you want to add to the selected port group

1 - nn
all
? (for a list of groups)

-

Prompt	Description	Possible Values	[Default]
Port group	Number of the port group to which you want to add a bridge port	1 - nn ? (for a list of groups)	Current port group
Bridge port	Number of the bridge port that you want to add to the selected port group	1 - nn all ? (for a list of groups)	-

Bridge Packet Filter Port Group Add Port Examples

When you display port group 2, the display shows that port 2 is added:

bridge packetFilter portGroup removePort

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Removes ports from a port group.

Valid Minimum Abbreviation

: b pa p r

Important Considerations

At least one group must exist before you can remove a port from a port group.
Possible values for port groups (nn) depend on the number of user defined port groups on the system.
Possible values for bridge ports (nn) depend on the number of existing bridge ports on the system.

Options

Prompt

Description

Possible Values

[Default]

Port group

Number of the port group from which you want to remove a bridge port

1 - nn
? (for a list of groups)

Current port group

Bridge port

Number of the bridge port that you want to remove from the selected port group

1 - nn
all
? (for a list of groups)

-

Prompt	Description	Possible Values	[Default]
Port group	Number of the port group from which you want to remove a bridge port	1 - nn ? (for a list of groups)	Current port group
Bridge port	Number of the bridge port that you want to remove from the selected port group	1 - nn all ? (for a list of groups)	-

Bridge Packet Filter Port Group Remove Port Examples

: Select menu option (bridge/packetFilter/portGroup): remove
: Select port group {1-2|?} [2]: 2
: Select bridge port(s) (1-6|all|?): 6

Displaying port group 2 shows that port 6 is removed:

Administering Packet Filters

Bridge Packet Filter List Example (3500)

Important Considerations

Options

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Important Considerations

Options

Important Considerations

Options

Important Consideration

Options

Important Considerations

Options

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Important Considerations

Options

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Important Considerations

Options

Bridge Packet Filter Port Group List Example

Important Consideration

Options

Important Considerations

Options

Important Considerations

Options

For CoreBuilder 9000: Applies to Layer 3 switching modules only.

Important Considerations

Options

Important Considerations

Options