About Protocol Filters

Protocol filtering enables you to configure a module so that it selectively filters traffic based on the data's MAC frame format. The VNswitch 900 family of modules supports protocol filtering for the following frame types:
Each frame type can conform to one of a number of different protocols. When you create a protocol filter, you configure the module to receive or forward frames on one or more selected bridge ports based on the frame's protocol. For example, you can configure one or more ports on the module so that Ethernet frames conforming to the AppleTalk Phase 1 protocol are received or forwarded on those ports only. A received packet is dropped (filtered) if a filter exists for its protocol and the input port is not one of the allowed ports. Likewise, the packet can be output only on a port that is one of the allowed ports.

You can also configure the module to receive or forward, on one or more bridge ports, all frames of a particular type whose protocols are not already filtered as described above. You do so by configuring a default protocol filter. For example, if you configure the module so that Ethernet frames conforming to the AppleTalk Phase 1 protocol are discarded, you can then use a default filter to discard (or receive/forward) all Ethernet frames of any other protocol type, such as IP, ARP, DECnet, and so on. See the VNswitch 900 Series Switch Management guide (Creating and Modifying Default Protocol Filters) for information about how to create a default protocol filter.

Note: VNswitch firmware allows you to configure protocol filters based on both the encapsulation and the protocol type. That is, to configure a protocol filter for a given set of ports, you choose the encapsulation, the protocol type, and the list of the ports to which the filter applies. When configuring protocol filters, keep the following in mind. Forwarding a packet from a LAN segment with one type of encapsulation to another LAN segment with a different encapsulation type requires translation. The translation of the packet takes place after the filter-forwarding decision is made. Therefore, if an Ethernet IP packet is forwarded to the FDDI port, an Ethernet IP filter must be set for the FDDI port for filtering to occur, even though the transmitted packet has a SNAP encapsulation. To prevent an error in the protocol filter configuration for a given set of ports, the best approach is to set protocol filters for all encapsulation types of the protocol to be filtered on each set of ports. This can typically be done without side effects. If this approach interferes with other considerations, base the configuration on the filter encapsulation and choose with caution.
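The following is an added example, not VNswitch firmware or code from the guide. It models the forwarding decision the text describes: a per-(encapsulation, protocol) filter with an allowed-port list, a per-encapsulation default filter for protocols not explicitly filtered, and the rule that the decision is made on the encapsulation the frame was received with, before any translation. The port numbers (port 5 standing in for the FDDI port), the protocol names and the filter configuration are assumptions chosen for the illustration.

```python
"""Constructed model of the VNswitch protocol-filter forwarding decision.

Illustrative code only, not VNswitch firmware. Port numbers, encapsulation
names and protocol names are assumptions chosen for this example.
"""


class ProtocolFilterTable:
    """Per-(encapsulation, protocol) filters plus per-encapsulation default filters."""

    def __init__(self):
        # (encapsulation, protocol) -> frozenset of ports allowed to receive/forward it
        self.filters = {}
        # encapsulation -> frozenset of allowed ports for protocols with no explicit filter
        self.defaults = {}

    def add_filter(self, encapsulation, protocol, ports):
        self.filters[(encapsulation, protocol)] = frozenset(ports)

    def add_default_filter(self, encapsulation, ports):
        self.defaults[encapsulation] = frozenset(ports)

    def allowed_ports(self, encapsulation, protocol):
        """Return the allowed-port set governing this frame, or None if no filter applies."""
        specific = self.filters.get((encapsulation, protocol))
        if specific is not None:
            return specific
        return self.defaults.get(encapsulation)

    def decide(self, encapsulation, protocol, in_port, candidate_out_ports):
        """Return the set of ports the frame may be output on (empty set = dropped).

        Two rules from the text: the frame is dropped if a filter exists and the
        input port is not allowed; otherwise it may leave only on allowed ports.
        The lookup uses the encapsulation the frame was *received* with, because
        translation to the destination LAN's encapsulation happens afterwards.
        """
        candidates = set(candidate_out_ports) - {in_port}
        allowed = self.allowed_ports(encapsulation, protocol)
        if allowed is None:
            return candidates            # no filter for this protocol: unrestricted
        if in_port not in allowed:
            return set()                 # input port not allowed: frame is filtered
        return {p for p in candidates if p in allowed}


def build_example_table():
    """Constructed configuration mirroring the AppleTalk Phase 1 example in the text."""
    table = ProtocolFilterTable()
    # Ethernet AppleTalk Phase 1 frames only on bridge ports 1 and 2 (assumed ports).
    table.add_filter("ethernet", "appletalk1", {1, 2})
    # Ethernet IP permitted on port 1 and on port 5, the assumed FDDI port.
    # Because translation follows the filter decision, the *Ethernet* IP filter
    # must list the FDDI port even though the frame leaves with SNAP encapsulation.
    table.add_filter("ethernet", "ip", {1, 5})
    # Default filter: every other Ethernet-encapsulated protocol stays on ports 1 to 3.
    table.add_default_filter("ethernet", {1, 2, 3})
    return table


if __name__ == "__main__":
    t = build_example_table()
    print(t.decide("ethernet", "appletalk1", 1, {2, 3, 5}))  # {2}
    print(t.decide("ethernet", "appletalk1", 3, {1, 2}))     # set(): dropped on input
    print(t.decide("ethernet", "ip", 1, {2, 5}))             # {5}: Ethernet IP filter covers the FDDI port
    print(t.decide("ethernet", "decnet", 1, {2, 3, 5}))      # {2, 3}: governed by the default filter
    print(t.decide("snap", "ipx", 5, {1, 2}))                # {1, 2}: no filter applies
```

The DECnet and IPX cases show the two ends of the default-filter behaviour: an Ethernet protocol with no explicit filter falls under the Ethernet default filter, while a SNAP frame with neither an explicit nor a default filter is forwarded unrestricted.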