How to use user-defined ACL to match the inner IP information


Problem 

     PE1 ---- P ---- PE2
              |
           CE8850

In the above topology, an MPLS tunnel is set up between PE1, P, and PE2. P is an MPLS transit node. Port mirroring is configured on P, and all incoming and outgoing traffic on P is mirrored to the CE8850. The packets mirrored to the CE8850 are therefore IP packets carrying MPLS labels. The customer wants to filter on the inner IP information of these MPLS packets (source IP address, destination IP address, protocol number, Layer 4 source port number, and Layer 4 destination port number) for traffic statistics and monitoring.

Solution

Resolution Summary

The CE8850 can filter the inner IP information of MPLS packets using the ipv4-head field of a user-defined ACL (ACL numbers 5000-5999).

Resolution Details

1. The user-defined ACL range is 5000-5999. A user-defined rule extracts a piece of the packet based on an offset base (the mode) and an offset from that base. Note that the offset must be a multiple of 4. There are three modes:

(1) l2-head: The offset ranges from 2 to 114. For common IP packets, the offset is counted from the outer Ethernet header. For MPLS packets, the offset is likewise counted from the Ethernet header.

(2) ipv4-head: The offset ranges from 0 to 96. For common IP packets, the offset is counted from the IPv4 header. For MPLS packets, the offset is counted from the MPLS label position.

(3) l4-head: The offset ranges from 0 to 96. For common IP packets, the offset is counted from the UDP header. For MPLS packets, the offset is counted from the MPLS label position.

2. The structure of the MPLS packet is as follows: Ethernet Header + MPLS label + IPv4 Header. Therefore, if the ipv4-head mode is selected, the offset for an MPLS packet is counted from the MPLS label position. To match the inner IPv4 Header, the length of the MPLS label stack must first be added to the offset value (each layer of MPLS label is 4 bytes). For a packet with N layers of MPLS labels, the offset to the IPv4 Header is 4*N.

[Figure: MPLS packet structure (Ethernet Header + MPLS label stack + IPv4 Header)]

3. The structure of the IPv4 Header is as follows: the source IP address is at offset 12 bytes, the destination IP address at offset 16 bytes, the protocol number at offset 9 bytes, the Layer 4 source port number at offset 20 bytes, and the Layer 4 destination port number at offset 22 bytes.

[Figure: IPv4 Header field layout]

4. Therefore, for a packet with N layers of MPLS labels, the inner IP information can be matched with the following offsets:

(1) Match the inner source IP address.
     acl 5000
      rule permit ipv4-head 0x01010101 0xffffffff 4*N+12
     (a) 0x01010101 is the inner source IP address.
     (b) "0xffffffff" is the mask. "f" indicates that the corresponding bits must be strictly matched; "0" indicates that the corresponding bits do not need to be matched.
     (c) 4*N+12 is the offset, indicating that the match starts 4*N+12 bytes from the header of the MPLS packet, which is the position of the inner source IP address.
     (d) The meaning of this rule is to offset 4*N+12 bytes from the header of the MPLS packet and strictly match the source IP address 0x01010101.

(2) Match the inner destination IP address.
     acl 5000
      rule permit ipv4-head 0x02020202 0xffffffff 4*N+16
     (a) 0x02020202 is the inner destination IP address.
     (b) The meaning of this rule is to offset 4*N+16 bytes from the header of the MPLS packet and strictly match the destination IP address 0x02020202.

(3) Match the inner TCP protocol number.
     acl 5000
      rule permit ipv4-head 0x00060000 0x00ff0000 4*N+8
     (a) The byte at offset 4*N+8 from the header of the MPLS packet is the TTL, and the next byte (4*N+9) is the protocol number. Because the offset must be a multiple of 4, the rule can only use offset 4*N+8.

     (b) The mask is used to ignore the TTL value and match only the protocol number: the mask byte for the protocol number is "ff", and the mask bytes for the other positions are set to "00".

     (c) The meaning of this rule is that 4*N+8 bytes are offset from the header of the MPLS packet, the first byte (TTL) is ignored, and the second byte is strictly matched against the value 6, which is the TCP protocol number.

(4) Match the inner TCP source port number.
     acl 5000
      rule permit  ipv4-head 0x12340000 0xffff0000 4*N+20
     The meaning of this rule is that 4*N+20 bytes are offset from the header of the MPLS packet, and the first two bytes are strictly matched (mask 0xffff0000); these are the inner source port number.

(5) Match the inner TCP destination port number

     acl 5000
      rule permit  ipv4-head 0x00005678 0x0000ffff 4*N+20
     The meaning of this rule is that 4*N+20 bytes are offset from the header of the MPLS packet, the first two bytes are ignored, and the last two bytes are strictly matched (mask 0x0000ffff); these are the inner destination port number.

(6) Match the inner TCP source and destination port numbers.
     acl 5000
      rule permit  ipv4-head 0x12345678 0xffffffff 4*N+20
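The offset, value and mask arithmetic in steps 1 to 4 is easy to get wrong by hand, particularly the rounding to a multiple of 4 and the mask for a field that does not start on a word boundary (the protocol number, the destination port). The following Python script is an added example, not part of the original post and not CE8850 software: it computes the `rule permit ipv4-head value mask offset` triple for each inner field given the number of MPLS labels N, merges rules that share an offset (the combined port rule in (6)), and checks each rule against a constructed Ethernet + MPLS + IPv4 + TCP packet using the same value/mask semantics the post describes. It assumes a 20-byte inner IPv4 header with no options, that the ipv4-head base for MPLS packets is the first MPLS label immediately after a 14-byte Ethernet header, and the ipv4-head offset limit of 96 from step 1; the function names and the sample packet are constructed for this example.

```python
"""Compute CE8850-style user-defined (ipv4-head) ACL rules that match inner
IPv4/TCP fields of MPLS packets and verify them on a constructed packet.
Added example; not from the original post. Assumes a 20-byte inner IPv4
header (no options) and the ipv4-head base at the first MPLS label."""
import struct
import ipaddress

# (byte offset, width) of each field counted from the start of the inner IPv4
# header; the ports belong to the TCP/UDP header that follows at offset 20.
IPV4_FIELDS = {
    "protocol": (9, 1),
    "src_ip": (12, 4),
    "dst_ip": (16, 4),
    "src_port": (20, 2),
    "dst_port": (22, 2),
}
MAX_IPV4_HEAD_OFFSET = 96   # ipv4-head offset limit stated in the post
ETH_HEADER_LEN = 14         # assumption: untagged Ethernet header


def build_rule(field, value, n_labels):
    """Return (offset, value_word, mask_word) for one ipv4-head rule.
    value is an int (protocol, port) or a dotted IPv4 address string."""
    field_off, width = IPV4_FIELDS[field]
    if isinstance(value, str):
        value = int(ipaddress.IPv4Address(value))
    if value >= 1 << (8 * width):
        raise ValueError(f"{field} value {value:#x} does not fit in {width} byte(s)")
    abs_off = 4 * n_labels + field_off      # each MPLS label is 4 bytes
    offset = abs_off - abs_off % 4          # hardware accepts multiples of 4 only
    shift = abs_off - offset                # byte position inside the 4-byte word
    if shift + width > 4:
        raise ValueError("field crosses a 4-byte word boundary")
    if offset > MAX_IPV4_HEAD_OFFSET:
        raise ValueError(f"offset {offset} exceeds ipv4-head limit {MAX_IPV4_HEAD_OFFSET}")
    right_bits = 8 * (4 - shift - width)    # unused low-order bytes of the word
    mask = ((1 << (8 * width)) - 1) << right_bits
    return offset, value << right_bits, mask


def merge_rules(*rules):
    """OR together rules sharing one offset, e.g. src and dst port at 4*N+20."""
    offsets = {r[0] for r in rules}
    if len(offsets) != 1:
        raise ValueError("only rules with the same offset can be merged")
    value = mask = 0
    for _, v, m in rules:
        if mask & m:
            raise ValueError("rule masks overlap")
        value |= v
        mask |= m
    return offsets.pop(), value, mask


def rule_text(rule):
    """Render the triple in the post's 'rule permit ipv4-head' syntax."""
    offset, value, mask = rule
    return f"rule permit ipv4-head 0x{value:08x} 0x{mask:08x} {offset}"


def build_mpls_tcp_packet(labels, src_ip, dst_ip, src_port, dst_port):
    """Constructed sample packet: Ethernet + N MPLS labels + IPv4 + TCP header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("6677889900aa") + b"\x88\x47"
    mpls = b""
    for i, label in enumerate(labels):
        bos = 1 if i == len(labels) - 1 else 0          # bottom-of-stack bit
        mpls += struct.pack("!I", (label << 12) | (bos << 8) | 64)  # TTL 64
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + mpls + ip + tcp


def rule_matches(packet, rule):
    """Apply value/mask to the 4-byte word at `offset` from the first MPLS label."""
    offset, value, mask = rule
    start = ETH_HEADER_LEN + offset
    word = struct.unpack("!I", packet[start:start + 4])[0]
    return (word & mask) == (value & mask)


if __name__ == "__main__":
    n = 2   # two MPLS labels
    pkt = build_mpls_tcp_packet([100, 200], "1.1.1.1", "2.2.2.2", 0x1234, 0x5678)
    for field, val in [("src_ip", "1.1.1.1"), ("dst_ip", "2.2.2.2"), ("protocol", 6),
                       ("src_port", 0x1234), ("dst_port", 0x5678)]:
        r = build_rule(field, val, n)
        print(f"{field:9s} {rule_text(r)}  matches={rule_matches(pkt, r)}")
    both = merge_rules(build_rule("src_port", 0x1234, n), build_rule("dst_port", 0x5678, n))
    print(f"ports     {rule_text(both)}  matches={rule_matches(pkt, both)}")
```

With N=1 the script reproduces the post's rules exactly (for example `0x00060000 0x00ff0000 12` for the TCP protocol number and `0x00005678 0x0000ffff 24` for the destination port), and `rule_matches` lets you confirm against a captured packet that the offset really lands on the intended field before the rule consumes ACL resources on the switch.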

5. Note:
(1) The offset must be a multiple of 4, and the maximum offset supported differs between the modes of the user-defined rule (listed above).

(2) When using this method, you must know the structure of the packet and the location of the field to be matched, and use the correct offset to match the packet information.

(3) This method consumes ACL resources. Before using it, check whether sufficient ACL resources are available.
