Using atx port filtering, Chapter 4 – Enterasys Networks ENTERASYS ATX User Manual
Chapter 4
Using ATX Port Filtering
Port filter table information; adding filters; viewing statistics
The ATX lets you create custom filters to screen data packets, and discard or
forward traffic based on the specified filter criteria. You may have several reasons
for creating filters — for example, to monitor traffic patterns as an aid to
optimizing your network design, or to evaluate your network security. Among
the criteria you can select for filtering are the packet’s source or destination
address, its entry or exit port, the packet’s Protocol type, or a 64-byte data value
filter applied anywhere in the packet’s data.
The ATX supports two basic types of filters:
• Entry filters are pre-processing filters, applied to a port to screen incoming
traffic. The filter condition is evaluated before a bridging decision is made at the
port. You can use this filter to block incoming traffic from a particular segment,
for instance.
• Exit filters are post-processing filters. The packet is received and processed at
a port, and then screened after a bridging decision is made at the port. You can
use this filter to allow traffic to be forwarded from a segment to some ports on
a bridge, but not to others, for example.
There are two basic methods of determining how packets get filtered:
• Bridge Address Table filters are created in the Bridge Filtering Database, and
are based on the address information stored in the bridge’s Source Address
Table. They let you screen packets on any source address that is recorded as a
static or dynamic entry in the bridge’s Source Address Table. The Source
Address Table can store up to 8,192 entries, of which 200 can be statically
created through management. By using these filters, you can selectively screen
traffic to or from a particular station according to its MAC address, or filter on
multicast packets — such as the FF-FF-FF-FF-FF-FF broadcast MAC address —
transmitted from a particular source address (to prevent broadcast storms
from propagating over the network from that source).
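The following Python model is an added example, not code from the manual or from Enterasys; it illustrates where the two filter stages sit relative to the bridging decision, and how a Source Address Table filter on a station's MAC address (including the broadcast-from-one-source case) behaves. The MAC addresses, port numbers and Source Address Table contents are constructed, and the filter callbacks are an abstraction of the match condition, not the ATX configuration syntax. Entry filters are keyed by ingress port and run before learning and the forwarding decision; exit filters are keyed by egress port and run after it, which is an assumption about the post-processing stage consistent with the text above.

```python
"""Model of ATX-style entry (pre-bridging) and exit (post-bridging) port filters.

Added example; constructed addresses and ports, not the ATX's own implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass(frozen=True)
class Packet:
    src: str       # source MAC address
    dst: str       # destination MAC address
    in_port: int   # port the packet arrived on


# A filter is a predicate: True means "this packet matches, discard it".
Filter = Callable[[Packet], bool]


@dataclass
class Bridge:
    ports: Set[int]
    # Source Address Table: MAC -> port it was learned on (static or dynamic entry)
    sat: Dict[str, int] = field(default_factory=dict)
    # entry filters: per ingress port, evaluated before the bridging decision
    entry_filters: Dict[int, List[Filter]] = field(default_factory=dict)
    # exit filters: per egress port, evaluated after the bridging decision
    exit_filters: Dict[int, List[Filter]] = field(default_factory=dict)
    # record of (stage, port, packet) for every discard, useful for statistics
    dropped: List[Tuple[str, int, Packet]] = field(default_factory=list)

    def forward(self, pkt: Packet) -> Set[int]:
        """Return the set of ports the packet is forwarded to (empty if discarded)."""
        # Stage 1: entry filters on the ingress port, before any bridging decision.
        if any(f(pkt) for f in self.entry_filters.get(pkt.in_port, [])):
            self.dropped.append(("entry", pkt.in_port, pkt))
            return set()

        # Bridging: learn the source, then pick egress ports from the table.
        self.sat[pkt.src] = pkt.in_port
        if pkt.dst in self.sat:
            candidates = {self.sat[pkt.dst]} - {pkt.in_port}
        else:
            # unknown unicast, multicast and broadcast are flooded to all other ports
            candidates = self.ports - {pkt.in_port}

        # Stage 2: exit filters on each chosen egress port, after the decision.
        out: Set[int] = set()
        for port in sorted(candidates):
            if any(f(pkt) for f in self.exit_filters.get(port, [])):
                self.dropped.append(("exit", port, pkt))
                continue
            out.add(port)
        return out


def match_source(mac: str) -> Filter:
    """Bridge Address Table style filter: match every packet from one station."""
    return lambda p: p.src == mac


def match_broadcast_from(mac: str) -> Filter:
    """Match only broadcast frames from one station (broadcast-storm containment)."""
    return lambda p: p.src == mac and p.dst == BROADCAST


def demo() -> dict:
    """Run a few constructed packets through a four-port bridge and collect results."""
    b = Bridge(ports={1, 2, 3, 4})
    station1, station2, station3 = "00-00-1D-00-00-01", "00-00-1D-00-00-02", "00-00-1D-00-00-03"
    b.sat[station1] = 1  # static entries, constructed for the example
    b.sat[station2] = 2
    # entry filter: block all traffic from station3 arriving on port 3
    b.entry_filters[3] = [match_source(station3)]
    # exit filter: station1's traffic may reach ports 2 and 3 but never port 4
    b.exit_filters[4] = [match_source(station1)]
    # entry filter: stop broadcasts from station2 before they are flooded
    b.entry_filters[2] = [match_broadcast_from(station2)]

    results = {}
    results["blocked_entry"] = b.forward(Packet(station3, station1, 3))
    results["unicast"] = b.forward(Packet(station1, station2, 1))
    results["flood_with_exit"] = b.forward(Packet(station1, BROADCAST, 1))
    results["storm"] = b.forward(Packet(station2, BROADCAST, 2))
    results["other_flood"] = b.forward(Packet(station2, "00-00-1D-00-00-09", 2))
    results["dropped_stages"] = [stage for stage, _, _ in b.dropped]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The distinction the manual draws is visible in the results: the entry filter on port 3 discards station3's packet before any learning or forwarding decision, whereas station1's broadcast is flooded to ports 2 and 3 and only dropped at port 4 by the exit filter after the bridging decision has already been made.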