Perle Systems IOLINK-520 manual MAC Address Filtering, Security


Appendix B - Programmable Filtering

Programmable filtering gives the network manager the ability to control under what conditions Ethernet frames are forwarded across bridge or bridge/router ports. There are many reasons why this might need to be accomplished, some of which are security, protocol discrimination, bandwidth conservation, and general restrictions.

To reach a specific filtering goal, there is usually more than one possible filter expression that may be used. Which one is best depends on the specific filtering requirement and on how flexible the filter needs to be.

The following pages describe how programmable filters may be used in typical applications. Although this is only a small sampling of the many possibilities, a cross-section of filter uses is presented.

MAC Address Filtering

Security

The need for security has become increasingly important in Local Area Networking, and with the use of programmable filters, security may be easily and effectively implemented across segment boundaries. By defining a programmable filter, the network manager may control what traffic is allowed between LAN segments, thereby controlling the security of resources by preventing unauthorized user access.

The IOLINK router provides three built-in functions – in addition to defined programmable masks – to control the access to resources. The first function is “Filter if Source”; the second is “Filter if Destination.” The third function allows you to change the filter operation from “positive” to “negative.” Positive filter operation causes the specified MAC addresses to be filtered according to the entered method. Negative filter operation causes the specified MAC addresses to be forwarded according to the entered method.

You may easily prevent any station on one segment from accessing a specific resource on the other segment; for this, “positive” filtering and the use of “Filter if Destination” would be appropriate. If you want to disallow a specific station from accessing any service, “Filter if Source” could be used.

You may easily prevent stations on one segment from accessing all but a specific resource on the other segment; for this, “negative” filtering and the use of “Forward if Destination” would be appropriate. If you want to disallow all but a specific station from accessing any service on the other segment, “Forward if Source” could be used.
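The four combinations above (positive or negative operation, matched on source or destination address) reduce to one small decision rule. The following Python model is an added example written for this appendix; it is not Perle firmware code and does not reproduce how the IOLINK router stores its address tables. The MAC addresses it uses are constructed sample values, and the names `MacFilter`, `forward` and `label` are hypothetical. It shows what each of the four filter types does to a frame whose source and destination are known.

```python
from dataclasses import dataclass
from enum import Enum


class MatchOn(Enum):
    SOURCE = "Source"            # "Filter if Source" / "Forward if Source"
    DESTINATION = "Destination"  # "Filter if Destination" / "Forward if Destination"


class Polarity(Enum):
    POSITIVE = "positive"  # listed addresses are filtered; everything else is forwarded
    NEGATIVE = "negative"  # listed addresses are forwarded; everything else is filtered


@dataclass(frozen=True)
class MacFilter:
    addresses: frozenset   # normalized 48-bit MAC addresses the filter names
    match_on: MatchOn
    polarity: Polarity


def normalize_mac(mac: str) -> str:
    """Accept 00-80-D4-00-12-34, 00:80:d4:00:12:34 or 0080d4001234 and
    return the canonical colon-separated lower-case form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def make_filter(addresses, match_on: MatchOn, polarity: Polarity) -> MacFilter:
    return MacFilter(frozenset(normalize_mac(a) for a in addresses), match_on, polarity)


def label(flt: MacFilter) -> str:
    """The name the manual gives this combination, e.g. 'Forward if Destination'."""
    verb = "Filter" if flt.polarity is Polarity.POSITIVE else "Forward"
    return f"{verb} if {flt.match_on.value}"


def forward(frame_src: str, frame_dst: str, flt: MacFilter) -> bool:
    """True if the frame crosses the bridge port, False if it is filtered.

    Positive operation drops a frame whose matched address is in the list;
    negative operation drops a frame whose matched address is NOT in the list.
    """
    candidate = frame_src if flt.match_on is MatchOn.SOURCE else frame_dst
    listed = normalize_mac(candidate) in flt.addresses
    return (not listed) if flt.polarity is Polarity.POSITIVE else listed


# Constructed sample addresses (not from the manual).
SERVER = "00-80-D4-00-12-34"       # a resource on the far segment
WORKSTATION = "00:80:d4:00:56:78"  # a station on the near segment
OTHER_HOST = "0080d4009abc"        # any other station or resource


def demo() -> dict:
    """Run each of the manual's four cases and report forward/filter decisions."""
    cases = {
        "block one resource": make_filter([SERVER], MatchOn.DESTINATION, Polarity.POSITIVE),
        "block one station": make_filter([WORKSTATION], MatchOn.SOURCE, Polarity.POSITIVE),
        "allow only one resource": make_filter([SERVER], MatchOn.DESTINATION, Polarity.NEGATIVE),
        "allow only one station": make_filter([WORKSTATION], MatchOn.SOURCE, Polarity.NEGATIVE),
    }
    results = {}
    for name, flt in cases.items():
        results[name] = {
            "type": label(flt),
            "workstation->server": forward(WORKSTATION, SERVER, flt),
            "workstation->other": forward(WORKSTATION, OTHER_HOST, flt),
            "other->server": forward(OTHER_HOST, SERVER, flt),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name} ({outcome['type']}):")
        for flow, ok in outcome.items():
            if flow != "type":
                print(f"  {flow}: {'forward' if ok else 'filter'}")
```

The model makes the asymmetry visible: a positive filter names what is denied and leaves everything else open, while a negative filter names what is permitted and closes everything else, so a negative filter is the safer default when the set of legitimate stations or resources is small and known. Note also that the decision rests on the frame's unauthenticated MAC address only; it controls which segments can reach which resources, but it is not a substitute for host or user authentication.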

Example cases are found on the following pages.

TCP/IP, XNS, and Novell Netware frame formats, as well as some common Ethernet type codes, are found by the back cover.

IOLINK-PRO & 520 Reference Manual — B.1
