Enterasys Networks manual Fast Network 10 User Guide

Chapter 5: FN10 Filters

This information is used to configure the filter as follows:

•Filter identifier – port number of the port attached to LAN 2 as a destination.

•Filter fields – destination address F-H (range, match) source LAN = 1 (match).

Note that a match flag is specified for both fields; this instructs the FN10 to filter any packets that match both fields (traffic from LAN 1 and to addresses F-H on LAN 2).

Several methods are available to accomplish this goal. For example, the Port filter could have been specified as follows:

•Filter identifier – port number of the port attached to LAN 1 as a source

•Filter fields – destination address F-H (range, match)

This example is useful for illustrating three basic concepts concerning filters:

•Even though a FN10 is used to join network segments, it can also be used to block selected traffic — or all traffic if desired — between joined segments. The blocking mechanism is the filters you set up.

•Filters can be based upon various criteria: source address, destination address, packet type, and so on. In the example, the filter criteria were source port and destination MAC address.

•A filter can only block (discard) packets which must cross the FN10. The FN10 in the example can only filter traffic that travels from LAN 1 to LAN 2 (or from LAN 2 to LAN 1).

While a filter can prevent LAN 1 stations from accessing the sensitive-data workstations on LAN 2, it cannot prevent workstation E on LAN 2 from accessing these workstations. The reason is that workstation E is on the same LAN as the sensitive-data computers, and therefore does not need to use the FN10 to access them.