25
1.1.35. Management and Control Plane ACLs
This feature provides hardware-based filtering of traffic to the CPU. An optional 'management' feature is
available to apply the ACL on the CPU port. Currently, control packets like BPDU are dropped because of
the implicit 'deny all' rule added at the end of the list. To overcome this rule, you must add rules that allow
the control packets.
Support for user-defined simple rate limiting rule attributes for inbound as well as outbound traffic is also
available. This attribute is supported on all QoS capable interfaces - physical, Port-channel, and control-
plane. Outbound direction is only supported on platforms with an Egress Field Processor (EFP).
1.1.36. Remote Switched Port Analyzer (RSPAN)
Along with the physical source ports, the network traffic received/transmitted on a VLAN can be monitored.
A port mirroring session is operationally active if and only if both a destination (probe) port and at least one
source port or VLAN is configured. If neither is true, the session is inactive. QNOS supports remote port
mirroring. QNOS also supports VLAN mirroring. Traffic from/to all the physical ports which are members of
that particular VLAN is mirrored.
Note: The source for a port mirroring session can be either physical ports or VLAN.
For Flow-based mirroring, ACLs are attached to the mirroring session. The network traffic that matches the
ACL is only sent to the destination port. This feature is supported for remote monitoring also. IP/MAC access-
list can be attached to the mirroring session.
Note: Flow-based mirroring is supported only if QoS feature exists in the package.
Up to four RSPAN sessions can be configured on the switch and up to four RSPAN VLANs are supported. An
RSPAN VLAN cannot be configured as a source for more than one session at the same time. To configure four
RSPAN mirroring sessions, it is required to configure 4 RSPAN VLANs.
1.1.37. Link Dependency
The QNOS Link Dependency feature supports enabling/disabling ports based on the link state of other ports
(i.e., making the link state of some ports dependent on the link state of others). In the simplest form, if port
A is dependent on port B and switch detects link loss on B, the switch automatically brings down link on
port A. When the link is restored to port B, the switch automatically restores link to port A. The link action
command option determines whether link A will come up/go down, depending upon the state of link B.
1.1.38. IPv6 Router Advertisement Guard
QNOS switches support IPv6 Router Advertisement Guard (RA-Guard) to protect against attacks via rogue
Router Advertisements in accordance with RFC 6105. QNOS RA Guard supports Stateless RA-Guard, where
the administrator can configure the interface to allow received router advertisements and router redirect
message to be processed/forwarded or dropped.
By default, RA-Guard is not enabled on any interfaces. RA-Guard is enabled/disabled on physical interfaces
or Port-channels. RA-Guard does not require IPv6 routing to be enabled.
To Next Page
Loading...
Need help?
General