Implementing Protocol Filtering in ExtremeXOS
In
ExtremeXOS, the protocol filtering data-plane is implemented partially in
hardware and partially in software. Filtering is performed only on the ingress. When a
protocol filter is attached to a port, the following
ACL rules
are configured:
- For each protocol in the protocol filter:
If the protocol does not define a user-defined field, and the protocol identifier is
EtherType, or does not have a protocol identifier:
- An ACL rule is added to drop all
packets on the port that match the destination address of the packet. The rule is also
qualified with the EtherType of the protocol if it defines one.
Else:
- An ACL rule is added to copy and drop
all packets on the port that match the destination address of the packet. The rule is
also qualified with the EtherType of the protocol if it defines one.
The protocol filtering data-plane inspects all packets received from ports that have protocol
filters attached, and drops any packet that matches any of the protocols configured in the
protocol filter.
Protocol filtering is also supported for VXLAN tenant VLANs. However, filtering has to be
configured on access ports only, and is not supported on RTEPs. This aligns with the existing
behavior where filtering cannot be supported on pseudo wires.
