Technical data

ServerIron Switching and Routing Guide
2 - 34 © 2012 Brocade Communications Systems, Inc. May 2012
NOTE: To filter on Layer 2 traffic, you can configure Layer 2 MAC filters. See “MAC Filters” on page 2-14.
To set up IP filters to explicitly permit or deny access to specific TCP/UDP ports, use the ip filter command. When
you configure this type of filter, you specify the virtual IP address (VIP) as the destination address for the filter, not
the real server’s IP address.
Syntax: [no] ip filter <filter-id> permit | deny <src-ip-addr> | any <src-mask> | any <dst-ip-addr> | any <dst-mask> | any <protocol> [<established> <operator> <port range>]
The items in brackets apply to TCP only.
SLB Example
Figure 2.3 shows an example of how you can use an IP filter in SLB. In this example, the administrator wants to
block a specific client’s access to the FTP service on a VIP but permit access to the other services.
Figure 2.3 IP filter used to block client access to a TCP/UDP port
To configure an IP filter to block 209.157.22.26 from accessing FTP on 192.101.10.1:
ServerIron(config)#ip filter 1 deny 209.157.22.26 255.255.255.0 192.101.10.1 255.255.255.0 tcp eq ftp
You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use IP access policies.
TCS Uses of Filters
You can use filters in TCS to control the following:
• Whether a specific request is sent to a cache server or forwarded to the Internet
• Whether content from specific sites is cached. You can even use policy-based cache switching to determine which cache servers receive content from specific sites.
NOTE: TCS filters never drop packets. Accept filters send packets to a cache server. Deny filters send packets
to the Internet.
If you do not define any filters, the default action is permit. For TCS, the default action redirects all traffic to cache
servers. However, when you define a filter, the ServerIron changes the default action to deny to ensure tighter
control. If you still want the default action to be permit, you can define the last filter (1024) to permit all traffic.
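As an added illustration that is not part of the guide, the following Python models the ip filter behaviour described above: first-match evaluation of the syntax shown, subnet-mask address matching, and the default action that flips from permit to deny once any filter is defined. It assumes that "any" stands in for both an address and its mask, models only the "eq <port>" qualifier, and uses the guide's own example filter; the service-name table is a constructed sample.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "telnet": 23, "http": 80}  # constructed sample of service names

def _in_net(addr: str, net: str, mask: str) -> bool:
    # Subnet-mask match: a 255.255.255.0 mask covers the whole /24, not just the listed host.
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m

def _take_addr(tok: list, i: int) -> tuple:
    # Returns ((addr, mask), next_index). Assumption: 'any' stands in for both address and mask.
    if tok[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    return (tok[i], tok[i + 1]), i + 2

@dataclass
class IpFilter:
    filter_id: int
    action: str            # "permit" or "deny"
    src: tuple             # (address, subnet mask)
    dst: tuple             # (address, subnet mask); for SLB this is the VIP, not a real server
    protocol: str          # "tcp", "udp" or "ip" (ip = any IP protocol)
    port: Optional[int]    # destination port from "eq <port>"; None = any port

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (_in_net(src, *self.src) and _in_net(dst, *self.dst)
                and self.protocol in ("ip", proto)
                and (self.port is None or self.port == dport))

def parse_ip_filter(line: str) -> IpFilter:
    # Parses: ip filter <id> permit|deny <src>|any <mask> <dst>|any <mask> <proto> [eq <port>]
    tok = line.split()
    src, i = _take_addr(tok, 4)
    dst, i = _take_addr(tok, i)
    port = None
    if len(tok) > i + 2 and tok[i + 1] == "eq":
        port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
    return IpFilter(int(tok[2]), tok[3], src, dst, tok[i], port)

def evaluate(filters: list, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    # First match wins. No filters defined: default permit. Once any filter exists the
    # default flips to deny, so "ip filter 1024 permit any any ip" is needed to restore permit.
    if not filters:
        return "permit"
    for f in sorted(filters, key=lambda f: f.filter_id):
        if f.matches(src, dst, proto, dport):
            return f.action
    return "deny"
```

Under TCS the same result maps to a disposition rather than a drop: permit sends the packet to a cache server, deny forwards it to the Internet.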
[Figure 2.3 callouts: An IP filter blocks Client A from accessing FTP on the real servers, but allows Client A to access other services. The filter is applied to the VIP, 192.101.10.1. The filter is not applied to the real server’s IP address. Elements shown: Client A (209.157.22.26), Internet, Border Access Router (BAR), Remote Access Server (RAS), SI, Local Real Web Server 1 (IP address 10.2.1.5; HTTP, Telnet, and FTP services), Local Real Web Server 2 (IP address 10.2.2.200; HTTP, Telnet, and FTP services).]