The profile (mask) – Allied Telesis x908 User Manual

Page 19 | AlliedWare Plus™ OS How To Note

How many filters can you create?

2. The profile (mask)

The other item is called the profile. Conceptually, this is a 16-byte mask that decides which
set of bytes should be extracted from a packet as it enters the filtering process, to be
compared against all the interface ACLs and the QoS class-maps. All filters share a single
mask.

In effect, the mask is the sum of all the individual bytes required for each individual ACL or
QoS match command. The number of bytes required by each ACL or match command
depends on what fields it maps on. For example:

source MAC address—6 bytes

destination MAC address—6 bytes

Protocol type—2 bytes

Ethernet format—2 bytes

VLAN ID—2 bytes

IP protocol type (TCP, UDP, etc)—1 byte

source IP address—4 bytes

destination IP address—4 bytes

TCP port number—2 bytes

UDP port number—2 bytes

DSCP—1 byte

For example, if you make an ACL that matches on destination IP address and source TCP
port, this adds 7 bytes to the mask:
1 byte for the IP protocol field (to indicate TCP)
4 bytes for the destination IP address
2 bytes for the source TCP port number.

If you next make an ACL that matches on source MAC address, this adds 6 more bytes to the
mask.

If you next make a QoS class-map that matches on destination IP address (4 bytes) and DSCP
(1 byte), this adds 1 more byte to the mask, for the DSCP. It does not add 4 more bytes for
the destination IP address because the switch already matches on that field.

If you next make an ACL that matches on source IP address and source TCP port, then that
does not change the mask, because the switch already matches on those fields.

If you next make an ACL that matches on source UDP port, this also does not add any length
to the mask, because it shares the same 2 bytes as the source TCP port. However, if you next
make an ACL that matches on destination TCP or UDP port, that uses another 2 bytes.