Ascend Archive

Re: (ASCEND) More questions about Filters...



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm interested in any info anyone can provide regarding filter
construction and usage in Pipeline routers.

Here are my comments on one posting:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Erik Bussink wrote:
> 
> I've got some more questions about filters. Some people have
> mentioned installing filters on my P50 to stop NetBIOS port
> 137 & 139 packets.
> 
> 1)
> Now I've re-read the chapter in the Ascend manual a couple of times
> and I'm a bit confused about the Input Filter and the Output Filter.

I've been a bit confused about filters, and although I generally think
P50 docs are pretty good, they sure don't help much here....
 
> Ascend P50 User Guide 10-7 "If the filter is applied as a data filter
> on Ethernet, it affects packets from the Ethernet INTO the pipeline or
> from the Pipeline OUT to the Ethernet."
> 
> So my NetBIOS filters should be in the Input Filter, right ?

Yes, assuming that the Pipeline itself never needs to see any of the
packets you filter out.

> 2)
> Below on the Right is the filter as described on Ascend's Web site, but if
> I enter the information on my P50 I get the filter on the Left. Is it normal
> I have some 0000 on the Mask and Value or do I need to get a full line of FF.

I wondered about this one myself...... but assumed that it did not make
any difference.
 
> [Filter to stop RIP, ARP and Netbios messages]
> Out Filter 01                           Out Filter 01
>  Generic                                 Generic
>   Forward=No                              Forward=No
>   Offset=0                                Offset=0
>   Length=6                                Length=6
>   Mask=ffffffffffff0000                   Mask=ffffffffffff
>   Value=ffffffffffff0000                  Value=ffffffffffff
>   Compare=Equals                          Compare=Equals
>   More=No                                 More=No
> 
> 3)
> Now do I need to put this filter in the Call Filter or the Data
> filter ? Or can I put them in both ?

Well.....
  1) If it's on the Ethernet, there only _is_ a Data filter.
  2) The filter shown above removes Ethernet packets with a broadcast
     MAC address, which it seems to me will include ARP requests... the
     Pipeline will need to see those.
  3) Are you running only IP? Or are you bridging?  The filter shown
     above won't remove RIP packets from an IP-only WAN link, since a
     P50 with RIP turned on in a connection profile will send RIP
     packets with an explicit destination address (namely, the gateway
     on the other end of the link).
  4) A Data filter specified in a connection profile will actually
     prevent packets from being transmitted over that link; a Call
     filter will allow the packets to be transmitted if the link is up,
     but a packet presented for transport when the link is down will
     not cause dialing if the packet is blocked by the filter, and
     packets blocked by the filter will not reset the idle timer, i.e.
     they will not keep a call up.
 
> 4)
> The filters as described on Ascend's web page
> http://www.ascend.com/service/technotes/filter_nt.html
> for eliminating the NetBIOS/NetBEUI master browser broadcast
> is the same as the one they describe for stopping
> DEC MOP_RC broadcast ?

Yeah, it eliminates _all_ Ethernet broadcast packets.

Since I'm only using IP on my WAN links, I find it much easier to
specify filters as IP rather than generic.  For example, this filter
will block RIP packets:
   Forward=No
   Protocol=17               ;UDP
   Src Port Cmp=Eql
   Src Port #=520            ;RIP

I use this as a Call filter on links where I have RIP turned on, so the
RIP traffic won't keep the call up.  If you can identify the protocols
and port #'s for the traffic you want to block, constructing IP filters
doesn't seem to be too difficult.

However, I have run into one problem:

I have one P50 where I changed many filter sections from the default
filters (all Generic) to IP.  As I changed each section, I was asked to
save changes, and got a success message.  When I exited from the 20-402
menu (for the specific filter I was changing) to the 20-400 menu I was
asked again to save changes, and when I said yes, was informed that
there was no more space in nvram to save my changes.  ??

Does anyone know what this is all about, and what I have to do to fix
it?  If the answer is that I have to clear the nvram and reload config,
I'll be very unhappy, since the unit in question is at an unattended
site, with my only network access going through the router which is
misbehaving.

------------------------------------------------------------------
John K. Chester            jkc@sufficiently.com
908-638-5487               fax & voicemail 212-253-4290
------------------------------------------------------------------
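
Added example, not part of the original post and not Ascend code: a small Python model of the two filter types discussed above, run over constructed frames, showing which traffic the generic broadcast filter and the IP filter (Protocol=17, Src Port=520) each match. It assumes a generic filter compares only the first Length bytes, so mask and value bytes past Length are ignored; the helper names, MAC addresses and IP addresses are made up for illustration.

```python
import struct

def generic_match(frame, offset, length, mask, value):
    # Generic filter: compare `length` bytes at `offset`, ANDed with the mask.
    # Assumption: mask/value bytes beyond `length` are ignored.
    window = frame[offset:offset + length]
    if len(window) < length:
        return False
    return all((b & m) == (v & m)
               for b, m, v in zip(window, mask[:length], value[:length]))

def ip_match(frame, protocol, src_port):
    # IP filter: Ethernet II + IPv4 only; match protocol and source port.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != protocol or len(ip) < ihl + 2:
        return False
    return struct.unpack("!H", ip[ihl:ihl + 2])[0] == src_port

def eth(dst_hex, ethertype_hex, payload):
    # Constructed frame: dst MAC, made-up source MAC, EtherType, payload.
    return bytes.fromhex(dst_hex + "020000000001" + ethertype_hex) + payload

def udp_ip(sport, dport):
    # Minimal constructed IPv4+UDP header pair (checksums left at zero).
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp

FRAMES = {  # all constructed sample traffic
    "arp_request": eth("ffffffffffff", "0806", bytes(28)),
    "netbios_137_bcast": eth("ffffffffffff", "0800", udp_ip(137, 137)),
    "rip_to_gateway": eth("020000000002", "0800", udp_ip(520, 520)),
}
PADDED = bytes.fromhex("ffffffffffff0000")  # as the P50 displays it
SHORT = bytes.fromhex("ffffffffffff")       # as on Ascend's web page

def dropped_by_generic(mask=PADDED):
    return sorted(n for n, f in FRAMES.items() if generic_match(f, 0, 6, mask, mask))

def dropped_by_ip_rip():
    return sorted(n for n, f in FRAMES.items() if ip_match(f, 17, 520))

if __name__ == "__main__":
    print("generic broadcast filter drops:", dropped_by_generic())
    print("IP filter (UDP src 520) drops:", dropped_by_ip_rip())
```

Under these assumptions the generic filter catches the ARP request along with the NetBIOS broadcast and misses the unicast RIP update, while the IP filter catches only the RIP update.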