Radware Alteon User Manual

842 pages
Alteon Application Switch Operating System Application Guide
Filtering and Traffic Manipulation
Document ID: RDWR-ALOS-V2900_AG1302, page 357
In addition, Alteon supports advanced filtering options, such as TCP flags (Matching TCP Flags, page 391), ICMP message types (Matching ICMP Message Types, page 395), and Layer 7 inversion (Layer 7 Invert Filter, page 363).

Using these filter criteria, you can create a single filter that can potentially perform a very wide variety of actions. Examples of such filters are:
- Block external Telnet traffic to your main server except from a trusted IP address.
- Warn you if FTP access is attempted from a specific IP address.
- Redirect all incoming e-mail traffic to a server where it can be analyzed for spam.

Filtering Actions
A filtering action (/cfg/slb/filt/action) instructs the filter what to do when the filtering
criteria are matched.
Alteon supports the following filtering actions:
- allow—Allows the frame to pass (by default). This filtering action can be used to redirect the returning traffic to the service farm if the reverse session is enabled. For more information, see Reverse Session, page 363.
- deny—Discards frames that fit the filter profile. This can be used for building basic security profiles.
- redir—Redirects frames that fit the filter profile, such as for Web cache redirection. In addition, Layer 4 processing must be activated using the /cfg/slb/on command.
- nat—Performs generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to and from the advertised network IP address and ports. This is used in conjunction with the nat option and can also be combined with proxies.
- goto—Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. The “goto” action causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. Filter searching then continues from the designated filter ID. To specify the new filter to goto, use the /cfg/slb/filt/adv/goto command.
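
The following is an added example, not code from the manual or from Radware: a simplified Python model of the filter search that can be used to check rule ordering before configuring the filters. It assumes the search runs in ascending filter ID order and stops at the first non-goto match; the sip field, the "no-match" result, the forward-only goto restriction and all addresses are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Filter:
    fid: int                      # filter ID; the model searches in ascending ID order
    action: str                   # allow | deny | redir | nat | goto
    sip: str = "0.0.0.0/0"        # source network (assumed criterion, not on this page)
    dip: str = "0.0.0.0/0"        # destination network (dip and dmask)
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    invert: bool = False          # fire when the criteria are NOT met
    goto: Optional[int] = None    # target filter ID for action "goto"

    def matches(self, pkt: dict) -> bool:
        hit = (ip_address(pkt["sip"]) in ip_network(self.sip)
               and ip_address(pkt["dip"]) in ip_network(self.dip)
               and self.proto in (None, pkt["proto"])
               and self.dport in (None, pkt["dport"]))
        return hit != self.invert

def evaluate(filters, pkt):
    """Return (final action, IDs of the filters that matched along the way)."""
    ordered, start, trace = sorted(filters, key=lambda f: f.fid), 0, []
    while True:
        f = next((f for f in ordered if f.fid >= start and f.matches(pkt)), None)
        if f is None:
            return "no-match", trace          # model's label; no filter applied
        trace.append(f.fid)
        if f.action != "goto":
            return f.action, trace
        if f.goto is None or f.goto <= f.fid:  # model restriction: guarantees termination
            raise ValueError(f"filter {f.fid}: goto must target a higher filter ID")
        start = f.goto                         # skip the block of IDs in between

def pkt(sip, dport, dip="198.51.100.10", proto="tcp"):
    return {"sip": sip, "dip": dip, "proto": proto, "dport": dport}

# Constructed rule set using documentation addresses (not taken from the manual)
RULES = [
    Filter(10, "allow", sip="203.0.113.7/32", dip="198.51.100.10/32", proto="tcp", dport=23),
    Filter(20, "deny", dip="198.51.100.10/32", proto="tcp", dport=23),   # all other Telnet
    Filter(30, "goto", proto="tcp", dport=25, goto=100),                 # mail skips 31-99
    Filter(40, "deny", sip="10.0.0.0/8", invert=True),                   # not from 10/8
    Filter(100, "redir", proto="tcp", dport=25),                         # mail to analysis
]
```

In this model, removing filter 30 causes external mail to hit the inverted deny at filter 40 before it reaches the redirect at filter 100, which is the kind of ordering error the trace makes visible.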

Table 29: Filter Options (cont.)

Filter Option   Description
dip             Destination IP address or range (dip and dmask)
proto           Protocol number or name
sport           TCP/UDP application or source port or source port range (such as 31000 through 33000)
                Note: The service number specified on Alteon must match the service specified on the server.
dport           TCP/UDP application or destination port or destination port range (such as 31000 through 33000)
nat             Addresses that are network address translated
vlan            VLAN ID
invert          Reverses the filter logic at layer 4 to activate the filter whenever the specified conditions are not met.
                Note: Starting with version 28.1.50, it is possible to reverse the filter logic at layer 7 using an advanced filter option. For more information, see Layer 7 Invert Filter, page 363.
