Perle Systems IOLINK-520 General Restrictions, Internet Addresses, Ethernet Station Addresses


Programmable Filtering

General Restrictions

Bridge Filter Masks may be created to restrict access for various purposes, including filtering on specific combinations of information. This section describes masks that may be created to control traffic across the bridged LAN network.

Internet Addresses

Within the Internet Protocol, there exist two address fields that are designated the Source and Destination Internet Addresses. It is these addresses that the IP uses for routing purposes.

To filter Internet Addresses, a mask must be created to look at the Source or Destination address field within the IP header.

As an example, assume a station's Internet address is 128.001.002.003, and a restriction is desired to prevent any station on the opposite LAN, across the link, from gaining access to it. In this case, the mask must filter any IP packet that is destined for this Internet address. The Destination address field within the IP header is at an offset of 30 octets into the Ethernet frame. This address is four octets long.

(Note: Although an Internet address is written in decimal notation, the address within the IP header is always in hexadecimal.)

To accomplish this, the mask would look like this: 12-0800&30-80010203

This will filter IP packets that contain the Internet address of 128.001.002.003.

As another example, assume that this Internet address should also be filtered if it originates any data. In addition to the mask above, an OR condition must be added to look at the IP source address, which is at an offset of 26 octets. The new mask would be as follows: 12-0800&(26-80010203|30-80010203)

This would filter any frame that is an IP packet and is either destined for or originating from Internet address 128.001.002.003. The parentheses must be added around the Internet address portion to ensure that the proper logical ordering is retained.

Ethernet Station Addresses

Ethernet addresses are assigned to LAN users in blocks. These blocks are normally assigned to manufacturers of Ethernet LAN hardware, and the blocks are sufficiently large to provide unique addresses for a given manufacturer for many years.

Thus, a manufacturer will have a block of addresses, and filtering may be performed to prevent a particular manufacturer’s LAN hardware from using the bridge facilities.

As an example, Xerox has a block of addresses that cover the range from 0000AA000000 to 0000AAFFFFFF. To prevent this equipment from accessing facilities on another LAN segment, a generic filter may be created. A mask that looked at the Source Ethernet address field would be required. The mask would be as follows: 6-0000AA

The remainder of the address is considered a "don't care" condition. This mask prevents the entire address block from using the segment LAN facilities.
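
The Internet address and Ethernet station address masks above can be checked offline against sample frames before they are entered on a bridge. The following Python sketch is an added example, not Perle's code or part of the manual: it evaluates offset-hex terms combined with &, | and parentheses. The helper names, the constructed sample frames, and the choice that & binds more tightly than | are assumptions.

```python
import re

TOKEN = re.compile(r"(\d+)-([0-9A-Fa-f]+)|([&|()])")

def ip_term(offset, dotted):
    """Build an 'offset-hex' mask term from a dotted-decimal IP address."""
    return "%d-%s" % (offset, bytes(map(int, dotted.split("."))).hex().upper())

def matches(mask, frame):
    """True if the raw Ethernet frame satisfies the mask expression."""
    tokens = [m.groups() for m in TOKEN.finditer(mask)]
    pos = 0
    def term():
        nonlocal pos
        offset, hexpat, op = tokens[pos]
        pos += 1
        if op == "(":
            result = or_expr()
            pos += 1  # consume ")"
            return result
        pattern = bytes.fromhex(hexpat)
        return frame[int(offset):int(offset) + len(pattern)] == pattern

    def and_expr():  # assumption: & binds tighter than |
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos][2] == "&":
            pos += 1
            result = term() and result
        return result

    def or_expr():
        nonlocal pos
        result = and_expr()
        while pos < len(tokens) and tokens[pos][2] == "|":
            pos += 1
            result = and_expr() or result
        return result

    return or_expr()

def sample_frame(src_mac, src_ip, dst_ip, ethertype=0x0800):
    """Constructed test frame: Ethernet II header plus a bare 20-byte IPv4 header."""
    eth = bytes.fromhex("080020AABBCC" + src_mac) + ethertype.to_bytes(2, "big")
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    return eth + ip + bytes(map(int, (src_ip + "." + dst_ip).split(".")))

DST_MASK = "12-0800&" + ip_term(30, "128.001.002.003")  # 12-0800&30-80010203
BOTH_MASK = "12-0800&(26-80010203|30-80010203)"
```

Under the assumed precedence, dropping the parentheses from the second mask lets a non-IP frame that happens to carry 80010203 at offset 30 match, which is the ordering problem the parentheses prevent.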

IOLINK-PRO & 520 Reference Manual — B.11
