
Cabletron Systems SMARTSWITCH ROUTER 9032578-05 User Manual


Chapter 20: Security Configuration Guide


Destination filter:

No one from the engineering group (port et.1.1) should be allowed to access the finance server. All traffic arriving on et.1.1 that is destined to the finance server's MAC address will be dropped.

Flow filter:

Only the consultant is denied access to one of the finance file servers; the filter matches on both the consultant's source MAC and the server's destination MAC. Note that port et.1.1 must be operating in flow-bridging mode for this filter to work, because a flow filter is keyed on the source and destination pair rather than the destination alone.

Static Entries Example

Source static entry:

The consultant is only allowed to access the engineering file servers on port et.1.2.

Destination static entry:

Restrict "login multicasts" originating from the engineering segment (port et.1.1) from reaching the finance servers.

or

Flow static entry:

Restrict "login multicasts" originating from the consultant from reaching the finance servers.

Port-to-Address Lock Examples

You have configured some filters for the consultant on port et.1.1. Every one of those filters is keyed on the ingress port, so if the consultant plugs his laptop into a different port, he will bypass them. To lock him to port et.1.1, add a port-address-lock for his source MAC; frames carrying that source MAC that arrive on any other port are then dropped. (The lock is keyed on the MAC address only; it does not stop a user who changes the laptop's MAC address.) The lock is the last command in the list below, which collects the commands for all of the examples in this section:

filters add address-filter name finance dest-mac AABBCC:DDEEFF vlan 1 in-port-list et.1.1

filters add address-filter name consult-to-finance source-mac 001122:334455 dest-mac AABBCC:DDEEFF vlan 1 in-port-list et.1.1

filters add static-entry name consultant source-mac 001122:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

filters add static-entry name login-mcasts dest-mac 010000:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.3 restriction disallow

filters add static-entry name login-mcasts dest-mac 010000:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

filters add static-entry name consult-to-mcasts source-mac 001122:334455 dest-mac 010000:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.3 restriction disallow

filters add port-address-lock name consultant source-mac 001122:334455 vlan 1 in-port-list et.1.1
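The following Python model walks the address-filter, static-entry and port-address-lock examples above through a small forwarding decision so the effect of each rule, and the bypass the lock closes, can be checked frame by frame. It is an added illustration, not code from the manual or from the router's firmware, and its evaluation order and rule semantics are assumptions the page does not state: a frame is forwarded unless some rule drops it; an address-filter drops every matching frame; a static entry with restriction disallow drops matching frames on the listed out-ports, and one with allow drops them on every out-port that is not listed; a port-address-lock drops frames from the locked source MAC that arrive on a port outside its in-port-list. The port roles (engineering servers behind et.1.2, finance behind et.1.3) follow what the static-entry examples imply, and the host MAC addresses other than the three on the page are constructed.

```python
"""Model of the SmartSwitch Router layer-2 filter examples (added illustration, not the
router's own code).  Assumed semantics: a frame is forwarded unless a rule drops it;
an address-filter drops every matching frame; a static entry with 'disallow' drops
matching frames on the listed out-ports and one with 'allow' drops them on every
out-port NOT listed; a port-address-lock drops frames from the locked source MAC that
arrive on a port outside its in-port-list."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    in_port: str


def _matches(rule, f: Frame) -> bool:
    """Shared key match: VLAN, ingress port and whichever MACs the rule specifies."""
    return (f.vlan == rule.vlan and f.in_port in rule.in_ports
            and (rule.src_mac is None or f.src_mac == rule.src_mac)
            and (rule.dst_mac is None or f.dst_mac == rule.dst_mac))


@dataclass(frozen=True)
class AddressFilter:
    """Source, destination or flow filter, depending on which MACs are given."""
    name: str
    vlan: int
    in_ports: FrozenSet[str]
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None


@dataclass(frozen=True)
class StaticEntry:
    name: str
    vlan: int
    in_ports: FrozenSet[str]
    out_ports: FrozenSet[str]
    restriction: str                      # 'allow' or 'disallow'
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None

    def drops(self, f: Frame, out_port: str) -> bool:
        if not _matches(self, f):
            return False
        if self.restriction == "disallow":
            return out_port in self.out_ports
        return out_port not in self.out_ports   # 'allow': only listed ports may receive it


@dataclass(frozen=True)
class PortAddressLock:
    name: str
    vlan: int
    src_mac: str
    in_ports: FrozenSet[str]

    def drops(self, f: Frame) -> bool:
        return f.vlan == self.vlan and f.src_mac == self.src_mac and f.in_port not in self.in_ports


def decide(f: Frame, out_port: str, filters=(), entries=(), locks=()) -> Optional[str]:
    """None if the frame is forwarded to out_port, else 'kind:name' of the dropping rule.
    The order (locks, then address filters, then static entries) is an assumption."""
    for lock in locks:
        if lock.drops(f):
            return "lock:" + lock.name
    for flt in filters:
        if _matches(flt, f):
            return "filter:" + flt.name
    for ent in entries:
        if ent.drops(f, out_port):
            return "static:" + ent.name
    return None


# Rules transcribed from the page's command list; host MACs below are constructed.
FINANCE, CONSULTANT, LOGIN_MCAST = "AABBCC:DDEEFF", "001122:334455", "010000:334455"
ENG_HOST, ENG_SERVER, OTHER_HOST = "00AA00:000001", "00EE00:000002", "00FF00:000003"
P = frozenset
FILTERS = (
    AddressFilter("finance", 1, P({"et.1.1"}), dst_mac=FINANCE),
    AddressFilter("consult-to-finance", 1, P({"et.1.1"}), src_mac=CONSULTANT, dst_mac=FINANCE),
)
ENTRIES = (
    StaticEntry("consultant", 1, P({"et.1.1"}), P({"et.1.2"}), "allow", src_mac=CONSULTANT),
    StaticEntry("login-mcasts", 1, P({"et.1.1"}), P({"et.1.3"}), "disallow", dst_mac=LOGIN_MCAST),
    StaticEntry("login-mcasts", 1, P({"et.1.1"}), P({"et.1.2"}), "allow", dst_mac=LOGIN_MCAST),
    StaticEntry("consult-to-mcasts", 1, P({"et.1.1"}), P({"et.1.3"}), "disallow",
                src_mac=CONSULTANT, dst_mac=LOGIN_MCAST),
)
LOCKS = (PortAddressLock("consultant", 1, CONSULTANT, P({"et.1.1"})),)


def scenarios(with_lock: bool) -> dict:
    """Run the page's cases with or without the port-address-lock installed."""
    locks = LOCKS if with_lock else ()

    def d(f, out):
        return decide(f, out, FILTERS, ENTRIES, locks)

    return {
        "eng->finance":       d(Frame(ENG_HOST, FINANCE, 1, "et.1.1"), "et.1.3"),
        "consultant->engsrv": d(Frame(CONSULTANT, ENG_SERVER, 1, "et.1.1"), "et.1.2"),
        "consultant->other":  d(Frame(CONSULTANT, OTHER_HOST, 1, "et.1.1"), "et.1.3"),
        "mcast->finance":     d(Frame(ENG_HOST, LOGIN_MCAST, 1, "et.1.1"), "et.1.3"),
        "mcast->eng":         d(Frame(ENG_HOST, LOGIN_MCAST, 1, "et.1.1"), "et.1.2"),
        # consultant replugs into et.1.4: every rule above is keyed on in-port et.1.1
        "moved->finance":     d(Frame(CONSULTANT, FINANCE, 1, "et.1.4"), "et.1.3"),
    }


if __name__ == "__main__":
    for lock in (False, True):
        print("with lock:" if lock else "no lock:  ", scenarios(lock))
```

Without the lock, the "moved->finance" case is forwarded (None), which is the bypass the text warns about; with the lock installed the same frame is dropped by lock:consultant before any filter is consulted. The other cases show the destination filter dropping engineering traffic to the finance MAC, the allow static entry confining the consultant to et.1.2, and the disallow entry stopping login multicasts toward et.1.3 while letting them reach et.1.2.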