- To: Brett Wilson <bwilson@tislabs.com>
- Subject: Re: 1)Accelar mirroring 2)JFWD
- From: Rob Jaeger <rfj@cs.umd.edu>
- Date: Wed, 6 Sep 2000 09:12:23 -0400 (EDT)
- cc: "Wang, Phil " <pywang@americasm01.nt.com>
- Content-Type: TEXT/PLAIN; charset=US-ASCII
- In-Reply-To: <XFMail.20000831123359.bwilson@tislabs.com>
brett,
On Thu, 31 Aug 2000, Brett Wilson wrote:
>
> A question about the Accelar filters packet mirroring.
>
> 1) The image that came with the box only does src/dst filters. Correct?
no. it can do filters based on any 5 tuple value ... src just means it
MUST have a src specified and it checks that first ... dst just means it
MUST have dst ip and therefore checks for it matching first.
> 2) The JVM image only does global filters. Correct?
no. it should do all of them ... did you have a problem? can you explain.
> 3) Have you guys had problems with using the Management tool for adding
> and removing filters.
are you talking about the GUI? or the cli? I don't recall problems
specifically related to that ... however, I did have some problems that I
thought were gui related ... they turned out to be config problems
(e.g. the link between two routers was half duplex, which seemed to make
high- and default-priority packet throughput have unexpected values).
> Not just some of the little catches like making
> sure you refresh the port filter screen after turning a filter off and
> applying a change to the default before you turn it back on, but rather
> filters not always doing what they should. Sometimes it seems like the
> changes I tried to apply haven't actually been applied to the hardware.
> Usually rebooting the system clears the problem. The problem seemed
> more likely using the JVM image. I can't give exact details as I've
> been gone for a few weeks but I will if it happens again.
if you use the cli, you should always type save afterwards to ensure they
are in the memory. I have had similar problems through the applications
I wrote, but when I got the half/full duplex thing fixed, they appeared to
go away.
>
> 4) Using 3 computers and 3 separate physical ports, I tried the following:
>
> Computer A (Port 1)
> Computer B (Port 2)
> Computer X (Port 3)
>
> Set filter on Port 2 to match all ICMP traffic destined for Computer A.
> (OR all ICMP traffic from Computer B)
> Set the port mirror flag on the filter and set filter to deny.
> RCMirrorPort is set to Port 3.
>
> Computer B sends an Echo Request to Computer A.
> The Router denies the packet but mirrors it to port 3.
> Computer X picks up the packet, decides its ok and resends it.
this is expected, right? so far so good.
> Computer A receives the request and replies to B, BUT at the
> same time, the router re-mirrors the resent packet back to
> port 3 and does a ttl--.
hmmm ... is there a filter on port 3?
>
> As you can see, a nasty loop is created that only stops once
> the ttl of the packet drops to zero. Another thing I noted
> was that in both the source and destination filters, the packet
> that is mirrored to Port 3 has the ethernet header for:
> Port1->ComputerA
> not
> ComputerB->Port2
> which is where I would think it would be considering the packet
> filter is supposedly set to Port 2.
I am confused. The header is ComputerB (src eth) to ComputerA (dst
eth) when it leaves computer B. I think the computer on port 3 must be in
promiscuous mode to receive the mirrored packets
>
> Not a big deal, just trying to do some rate limiting with an
> external box as the 1100 does have it built in. (Note, this was
> done with the original image)
>
> 5) Are the JFWD/JCapture packages almost completed for the 1100?
> The preference would be to try and rate limit in the router itself
> (though this relies on the CPU now) but I will need the JFWD and
> JCapture stuff to do that.
I'll need to check with Rob in santa clara.
More later. Sorry for the delay in responding.
Rob
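The mirror-port loop Brett describes in item 4, and the question Rob raises about it ("is there a filter on port 3?"), can be reproduced in a small model. The code below is an added, constructed simulation of that three-host scenario; it is not code from the thread and makes no claim about how the Accelar/Passport 1100 firmware actually implements filters or mirroring. It assumes the behaviour Brett observed (a mirrored copy is handed to the mirror port with its TTL decremented, and the external box on port 3 re-injects every copy unchanged) and uses host names in place of IP/MAC addresses. The two scenarios differ only in whether the same deny+mirror filter also applies to frames entering on port 3: if it does, every re-injected copy matches again and the loop runs until TTL is exhausted; if it does not, the re-injected request is forwarded to A once and A's reply reaches B.

```python
"""Constructed model of a deny+mirror filter feeding an external box that
re-injects the mirrored frames.  Illustrative only; not Accelar firmware."""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str      # host name standing in for the source address
    dst: str      # host name standing in for the destination address
    proto: str    # "icmp", "tcp", ...
    ttl: int


@dataclass(frozen=True)
class Filter:
    """A 5-tuple-style filter reduced to (protocol, destination)."""
    match_proto: str
    match_dst: str
    deny: bool
    mirror: bool

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.match_proto and pkt.dst == self.match_dst


# Constructed topology from the thread: A on port 1, B on port 2, X on port 3.
HOST_PORT = {"A": 1, "B": 2, "X": 3}
MIRROR_PORT = 3   # RCMirrorPort


def deliver(port: int, pkt: Packet, seen: dict, queue: deque) -> None:
    """Hand a frame to the host on `port` and model that host's reaction."""
    host = next(h for h, p in HOST_PORT.items() if p == port)
    seen[host] += 1
    if host == "X":
        # Assumption: the external box re-injects every mirrored frame as-is.
        queue.append((HOST_PORT["X"], pkt))
    elif host == "A" and pkt.proto == "icmp" and pkt.src != "A":
        # A answers an echo request with an echo reply (fresh TTL).
        queue.append((HOST_PORT["A"], Packet("A", pkt.src, "icmp", 64)))


def simulate(filters_by_port: dict, first: tuple, max_events: int = 10_000) -> dict:
    """Run switch and hosts until nothing is in flight; return per-host counters."""
    seen = {"A": 0, "B": 0, "X": 0, "dropped_ttl": 0}
    queue = deque([first])            # entries are (ingress_port, packet)
    events = 0
    while queue:
        events += 1
        if events > max_events:
            raise RuntimeError("simulation did not converge")
        port, pkt = queue.popleft()
        # Ingress filtering on the port the frame arrived on.
        denied = False
        for f in filters_by_port.get(port, ()):
            if not f.matches(pkt):
                continue
            if f.mirror:
                # Assumption from Brett's observation: the mirrored copy has TTL-1.
                copy = replace(pkt, ttl=pkt.ttl - 1)
                if copy.ttl > 0:
                    deliver(MIRROR_PORT, copy, seen, queue)
                else:
                    seen["dropped_ttl"] += 1
            denied = f.deny
            break                     # first matching filter decides
        if denied:
            continue
        fwd = replace(pkt, ttl=pkt.ttl - 1)
        if fwd.ttl <= 0:
            seen["dropped_ttl"] += 1
            continue
        deliver(HOST_PORT[pkt.dst], fwd, seen, queue)
    return seen


# Filter from the thread: ICMP destined for A -> deny, mirror to port 3.
DENY_MIRROR_ICMP_TO_A = Filter("icmp", "A", deny=True, mirror=True)
# Constructed echo request from B (port 2) to A, small TTL to keep the trace short.
ECHO_REQUEST = (HOST_PORT["B"], Packet("B", "A", "icmp", ttl=8))


def loop_case() -> dict:
    """Same filter on ports 2 and 3: every re-injected copy is re-mirrored."""
    return simulate({2: [DENY_MIRROR_ICMP_TO_A], 3: [DENY_MIRROR_ICMP_TO_A]}, ECHO_REQUEST)


def no_loop_case() -> dict:
    """Filter on port 2 only: the re-injected copy is forwarded to A once."""
    return simulate({2: [DENY_MIRROR_ICMP_TO_A]}, ECHO_REQUEST)


if __name__ == "__main__":
    print("filter also on port 3:", loop_case())
    print("filter on port 2 only: ", no_loop_case())
```

In the looping case X sees one copy per remaining TTL hop and A never sees the request; in the other case X sees a single copy, A gets the request once, and the reply reaches B. Whatever the real cause on the 1100 turns out to be, the check to make is the same as Rob's: confirm which ports the deny+mirror filter is actually applied to, and make sure frames re-injected by the external box on the mirror port are not themselves matched by a mirroring filter.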