Enterasys Networks Fast Network 10 User Manual

Chapter 5: FN10 Filters
The company wants to allow Engineering and Accounting workstations to
access resources on the Manufacturing subnet (LAN 1), but wants to
prevent users on the Engineering subnet (LAN 2) from accessing
resources on the Accounting subnet (LAN 3). Therefore, the objective is
to set up a filter that will block all traffic between LANs 2 and 3, while
allowing users on both LANs 2 and 3 to access LAN 1.
For this example, assume that LAN 2 and LAN 3 are connected to ports 2
and 3 on the FN10, respectively. LAN 1 is connected to ports 1 and 4
on the FN10.
Two Port filters are used to discard any packets from the Engineering
subnet destined for the Accounting subnet (LAN 2 to LAN 3), and any
packets from the Accounting subnet destined for the Engineering subnet
(LAN 3 to LAN 2). Each filter includes:
• The source LAN or port number
• The destination port
• Match flags
The filters are constructed as follows:
• Filter 1: Identifier is port 3 as a destination (i.e., exit). Fields are source LAN = 2, Match
• Filter 2: Identifier is port 2 as a destination (i.e., exit). Fields are source LAN = 3, Match
Any packet whose source is LAN 3 and destination is port 2 will be
filtered. Likewise, any packet whose source is LAN 2 and destination is
port 3 will be filtered. However, the filters will not affect user access to
the Manufacturing subnet (LAN 1). Therefore, the objective has been
accomplished: Users on LANs 2 and 3 (Engineering and Accounting)
cannot communicate, but users on either LAN can access LAN 1
(Manufacturing).
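The following simulation of the two port filters is an added example, not text or code from the manual and not FN10 firmware; the port-to-LAN map, the PortFilter names and the treatment of a cleared Match flag (discard on non-match) are assumptions. It evaluates every LAN pair against the filter list and also shows that configuring only Filter 1 leaves LAN 3 able to reach LAN 2.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortFilter:
    """One FN10-style port filter (assumed model): identifier is the exit port,
    the field is the packet's source LAN, and the Match flag decides whether
    the packet is discarded when the field matches."""
    exit_port: int        # filter identifier: destination (exit) port
    source_lan: int       # field compared with the packet's source LAN
    match: bool = True    # Match flag; False assumed to mean discard on non-match

# Constructed from the example: LAN 1 on ports 1 and 4, LAN 2 on port 2, LAN 3 on port 3
PORT_TO_LAN = {1: 1, 2: 2, 3: 3, 4: 1}

FILTERS = [
    PortFilter(exit_port=3, source_lan=2),  # Filter 1: LAN 2 traffic exiting port 3 is discarded
    PortFilter(exit_port=2, source_lan=3),  # Filter 2: LAN 3 traffic exiting port 2 is discarded
]

def is_discarded(source_lan, dest_port, filters=FILTERS):
    """True if any filter on the destination port discards a packet from source_lan."""
    for f in filters:
        if f.exit_port == dest_port and (f.source_lan == source_lan) == f.match:
            return True
    return False

def reachability(filters=FILTERS, port_to_lan=PORT_TO_LAN):
    """Map every (source LAN, destination LAN) pair to whether at least one
    port leading to the destination LAN still forwards the traffic."""
    lans = sorted(set(port_to_lan.values()))
    table = {}
    for src in lans:
        for dst in lans:
            if src == dst:
                continue
            exits = [p for p, lan in port_to_lan.items() if lan == dst]
            table[(src, dst)] = any(not is_discarded(src, p, filters) for p in exits)
    return table

def objective_met(filters=FILTERS):
    """Check the stated goal: LANs 2 and 3 isolated from each other, both reach LAN 1."""
    t = reachability(filters)
    return (not t[(2, 3)] and not t[(3, 2)] and t[(2, 1)] and t[(3, 1)])

if __name__ == "__main__":
    for pair, allowed in sorted(reachability().items()):
        print(f"LAN {pair[0]} -> LAN {pair[1]}: {'allowed' if allowed else 'filtered'}")
    print("objective met:", objective_met())
    print("objective met with Filter 1 only:", objective_met(FILTERS[:1]))
```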
This is an example of logical segmenting. In this case, LANs 2 and 3 are
distinct physical segments. However, before the filters were implemented,
they were able to freely communicate. The filters were used to logically
segment the network in such a way that LANs 2 and 3 cannot
communicate.