Chapter 5: FN10 Filters

When adding or modifying a filter, you must enter both a Source Range Start value and a Source Range End value. For example:

Source Range: [NA] (InRange/OutRange/NA)>inrange

Source Range Start: [00:00:00:00:00:00] >08:00:20:00:00:00

Source Range End: [00:00:00:00:00:00] >00:40:60:0a:10:3e

Source Range Mask: [ff:ff:ff:ff:ff:ff] >ff:ff:ff:00:00:00

To filter on a single address, be sure to enter the same address in both the Source Range Start: and Source Range End: fields.
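The following sketch is an added illustration, not code from the FN10 or from this guide. It models how a source range filter with a mask could be evaluated, so that the single-address rule and the effect of a vendor-prefix mask can be checked before a filter is entered. The matching semantics are an assumption: the mask is ANDed with the frame's source address and with both bounds, the results are compared numerically, and NA means the source address is not considered. The names mac_to_int and SourceRangeFilter are hypothetical.

```python
# Added example: models a source-address range filter under ASSUMED semantics
# (mask ANDed with the address and both bounds, then a numeric comparison).
# This is not the FN10's documented algorithm; all names are hypothetical.

def mac_to_int(mac: str) -> int:
    """Convert a colon-separated MAC address (1-2 hex digits per octet) to an integer."""
    parts = mac.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 octets, got {len(parts)}: {mac!r}")
    value = 0
    for part in parts:
        octet = int(part, 16)
        if not 0 <= octet <= 0xFF:
            raise ValueError(f"octet out of range in {mac!r}")
        value = (value << 8) | octet
    return value


class SourceRangeFilter:
    """Source Range / Start / End / Mask fields as shown in the prompts above."""

    def __init__(self, mode, start, end, mask="ff:ff:ff:ff:ff:ff"):
        self.mode = mode.lower()
        if self.mode not in ("inrange", "outrange", "na"):
            raise ValueError(f"unknown Source Range mode: {mode!r}")
        self.mask = mac_to_int(mask)
        # Only the bits selected by the mask take part in the comparison.
        self.start = mac_to_int(start) & self.mask
        self.end = mac_to_int(end) & self.mask

    def matches(self, src: str) -> bool:
        """Return True when a frame with source address src meets the criterion."""
        if self.mode == "na":
            return True  # assumed: source address is not part of the filter
        inside = self.start <= (mac_to_int(src) & self.mask) <= self.end
        return inside if self.mode == "inrange" else not inside


if __name__ == "__main__":
    # Constructed sample frames; the filter values reuse addresses shown above.
    single = SourceRangeFilter("inrange", "00:40:60:0a:10:3e", "00:40:60:0a:10:3e")
    prefix = SourceRangeFilter("inrange", "08:00:20:00:00:00",
                               "08:00:20:00:00:00", "ff:ff:ff:00:00:00")
    for src in ("00:40:60:0a:10:3e", "00:40:60:0a:10:3f", "08:00:20:12:34:56"):
        print(src, "single:", single.matches(src), "prefix:", prefix.matches(src))
```

With the default all-ones mask, identical start and end values match exactly one station. With the mask ff:ff:ff:00:00:00, the same start and end values match every address that shares the first three octets.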

5.3 USING FILTERS FOR SECURITY PURPOSES

The various types of security restrictions that can be implemented using filters include:

Restricting access to a network segment – you can configure a filter to prevent any traffic from being forwarded to a specific network segment.

Restricting access to specific stations – you can use filters to restrict access to specific stations on the network.

Preventing access by unauthorized users – you can use filters to restrict individual workstations from accessing other network devices.

For each example shown below, the situation is described first, and the objective to be accomplished is explained. How the objective could be accomplished using the FN10 is then explained in general terms. In these examples, single letters are used to represent MAC-layer addresses. Actual MAC addresses consist of a string of numbers (for example, 22:14:15:4:5:6).

Example 1: Restricting Access to a Network Segment

The objective in this example is to restrict access for security reasons. Workstations on one network segment (subnet) are to be restricted entirely from access to devices on an adjoining subnet.

In this example, there are three subnets connected by a centrally located FN10 (see Figure 5-1). The subnets are referred to as Manufacturing, Engineering, and Accounting.

Enterasys Networks Fast Network 10 User Guide