Filter
Top Products
Director
33
Understand lter interactions
It is important to understand that Director uses Content Addressable Memory (CAM) technology to implement lters.
As each lter is dened, it is stored in the next available entry in the CAM. Each packet header is compared in the
CAM, and the CAM returns the index of the rst lter that the packet header matched. That lter, and only that lter,
controls which monitoring ports receive a copy of the packet. Other lters are not executed for that packet. Therefore,
lters are not completely independent; one lter can affect the operation of another.
Let's walk through an example of a lter interaction that may be unexpected.
First, we will set up a lter for an IP address:
lteraddin_ports=n1.5ip_src=192.186.10.0action=redirredir_ports=m.1
ltercommit
Network Port 5 Monitor Port 1
Source IP =
192.168.10.0 -
192.168.10.15
lter add in_ports=n1.5 ip_src=192.168.10.0 ip_src_mask=255.255.255.240 action=redir redir_ports=m.1
CAM
Address Filter
1 n1.5 ip_src=192.186.10.0 m.1
A simple IP address lter, shown with CAMFigure 34:
All trafc from Network Port 5 that comes from IP address 192.186.10.0 matches the rst CAM entry and therefore is
copied to Monitor Port 1.
Next, suppose we want another monitoring tool to see all the TCP trafc from Network Port 5, so we set up this lter:
lteraddin_ports=n1.5ip_proto=6action=redirredir_ports=m.2
ltercommit
Monitor Port 2
Protocol =
TCP
Network Port 5
Monitor Port 1
Source IP =
192.186.10.0
lter add in_ports=n1.5 ip_src=192.186.10.0 action=redir redir_ports=m.1
lter add in_ports=n1.5 ip_proto=6 action=redir redir_ports=m.2
Filter interactions
are not shown!
CAM
Address Filter
1 n1.5 ip_src=192.186.10.0 m.1
2 n1.5 ip_proto=TCP m.2
Incorrect ow diagram of two lters; lter interaction in CAM is neglectedFigure 35: