Policies and Filters

IP sub-net and IPX network VLANs are similar, except that for these VLAN types the device examines the IP sub-net or IPX network address.

If the IP sub-net or IPX network address matches the address of the IP sub-net VLAN or IPX network VLAN, the device forwards the packet.

If the sub-net or network address does not match the VLAN, the device drops the packet.

See “Configuring VLANs” on page 16-1 for VLAN configuration rules and examples.

Actions

A device forwards a packet if its Layer 3 protocol information matches the protocol VLAN’s protocol type, IP sub-net, or IPX network; otherwise, the policy drops the packet.

Scope

The forwarding policy of a port-based VLAN applies only to that VLAN.

Syntax

Use the following CLI commands or Web management interface panels to configure VLAN policies.

Table C.5: VLAN Policies

Scope: VLAN type

CLI syntax:

HP9300(config)# vlan <vlan-id> by port

HP9300(config-vlan-1)# [untagged] ethernet <portnum> [to ethernet <portnum>]

Web management links: Configure->VLAN->Port

NOTE: The untagged command applies only if you are removing 802.1q tagging from the ports in the VLAN. 802.1q tagging allows a port to be a member of multiple port-based VLANs. Ports in a port-based VLAN are tagged by default. The default tag is 8100 and is a global parameter.

IP Access Policies

IP access policies are rules that determine whether the device forwards or drops IP packets. You create an IP access policy by defining an IP filter, then applying it to an interface. The filter consists of source and destination IP information and the action to take when a packet matches the values in the filter. You can configure an IP filter to permit (forward) or deny (drop) the packet.

You also can configure Layer 4 information in an IP filter. If you configure Layer 4 information, you are configuring a Layer 4 policy. See “TCP/UDP Access Policies” on page C-9.

You can apply an IP filter to inbound or outbound packets. When you apply the filter to an interface, you specify whether the filter applies to inbound packets or outbound packets. Thus, you can use the same filter on multiple interfaces and specify the filter direction independently on each interface.

Figure D.1 shows an example of an inbound IP access policy group applied to port 1 on slot 1 of an HP 9308M routing switch. In this example, packets enter the port from left to right. The first three packets have entered the port and have been permitted or denied. The two packets on the left have not yet entered the port. When they do, they will be permitted. Since the last policy in the group is a “permit any” policy, all packets that do not match another policy are permitted. The “permit any” policy changes the default action to permit.
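The following Python model is an added illustration, not HP 9300 code or CLI syntax. It shows how one filter can be reused on several interfaces with an independent direction on each, and how a trailing “permit any” filter changes the default action. The class names, the sample addresses, in-order first-match evaluation, and the handling of an interface with no policy group applied are assumptions made for this example.

```python
# Added illustration: a model of policy-group evaluation, not HP 9300 code.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class IPFilter:
    action: str                 # "permit" (forward) or "deny" (drop)
    src: IPv4Network = ANY
    dst: IPv4Network = ANY

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.src and ip_address(dst) in self.dst

class Interface:
    def __init__(self, name: str):
        self.name = name
        self.groups = {"in": [], "out": []}   # direction is chosen per interface

    def apply(self, direction: str, filters: list) -> None:
        self.groups[direction] = list(filters)

    def check(self, direction: str, src: str, dst: str) -> str:
        group = self.groups[direction]
        if not group:
            return "permit"     # assumption: no group applied means no filtering
        for f in group:         # assumption: filters are tried in order, first match wins
            if f.matches(src, dst):
                return f.action
        return "deny"           # default action unless a final "permit any" matched

# Constructed sample filters (documentation address ranges).
deny_net = IPFilter("deny", src=ip_network("192.0.2.0/24"))
deny_host = IPFilter("deny", src=ip_network("198.51.100.7/32"))
permit_any = IPFilter("permit")

port_1_1 = Interface("1/1")
port_1_1.apply("in", [deny_net, deny_host, permit_any])
port_1_2 = Interface("1/2")
port_1_2.apply("out", [deny_net])   # same filter reused, other direction, no "permit any"

if __name__ == "__main__":
    for port, direction, src in [(port_1_1, "in", "192.0.2.10"),
                                 (port_1_1, "in", "203.0.113.9"),
                                 (port_1_2, "out", "203.0.113.9")]:
        print(port.name, direction, src, port.check(direction, src, "203.0.113.1"))
```

On port 1/2 the group has no “permit any” entry, so a packet that matches none of its filters is dropped. Reviewing whether each applied group ends the way you intend is the practical check this model supports.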
