Programmable Filtering
General Restrictions
Bridge Filter Masks may be created to restrict access for various purposes, for example to filter on specific combinations of information within a frame. This section depicts masks that may be created to control traffic across the bridged LAN network.
Internet Addresses
Within the Internet Protocol, there exist two address fields that are designated the Source and Destination Internet Addresses. It is these addresses that the IP uses for routing purposes.
To filter Internet Addresses, a mask must be created to look at the Source or Destination address field within the IP header.
As an example, assume a station’s Internet address is 128.001.002.003, and that stations across the link on the opposite LAN are to be prevented from gaining access to it. In this case, the mask must filter any IP packet destined for this Internet address. The Destination address field within the IP header is at an offset of 30 octets into the Ethernet frame (14 octets of Ethernet header plus 16 octets into the IP header), and the address is four octets long.
(Note: Although an Internet address is written in decimal notation, the address within the IP header is always in hexadecimal.)
To accomplish this, the mask would look like this:
This mask filters IP packets whose Destination address is 128.001.002.003.
As another example, assume that this Internet address should also be filtered if it originates any data. In addition to the mask above, an OR condition will have to be added to look at the IP source address. The new mask would be as follows:
This would filter any IP packet that is either destined for or originating from Internet address 128.001.002.003. Parentheses must be added around the Internet address portion to ensure that the proper logical ordering is retained.
Ethernet Station Addresses
Ethernet addresses are assigned to LAN users in blocks. These blocks are normally assigned to manufacturers of Ethernet LAN hardware, and the blocks are sufficiently large to provide unique addresses for a given manufacturer for many years.
Thus, a manufacturer will have a block of addresses, and filtering may be performed to prevent a particular manufacturer’s LAN hardware from using the bridge facilities.
As an example, Xerox has a block of addresses that covers the range from 0000AA000000 to 0000AAFFFFFF. To prevent this equipment from accessing facilities on another LAN segment, a generic filter may be created. A mask that looks at the Source Ethernet address field is required. The mask would be as follows:
The remainder of the address is considered a “don’t care” condition. This mask prevents the entire address block from using the LAN segment facilities.
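The following is an added illustration, not the bridge’s own mask language, of how the three restrictions above evaluate against a raw Ethernet frame: a mask compares a value at a fixed octet offset, with optional “don’t care” bits. The offsets (Ethernet source address at octet 6, EtherType at octet 12, IP source at octet 26, IP destination at octet 30) follow from the 14-octet Ethernet header; the EtherType check and the sample frames are assumptions added here.

```python
from dataclasses import dataclass
from typing import Optional

ETH_SRC_OFF = 6    # source Ethernet address: octets 6..11 of the frame
ETH_TYPE_OFF = 12  # EtherType: octets 12..13 (0x0800 = IP); check assumed here
IP_SRC_OFF = 26    # 14-octet Ethernet header + 12 = IP source address
IP_DST_OFF = 30    # 14-octet Ethernet header + 16 = IP destination address (as on the page)

@dataclass(frozen=True)
class FieldMask:
    """Compare `value` with the frame bytes at `offset`; bits clear in `care` are don't care."""
    offset: int
    value: bytes
    care: Optional[bytes] = None  # None: every bit of `value` must match

    def matches(self, frame: bytes) -> bool:
        field = frame[self.offset:self.offset + len(self.value)]
        if len(field) < len(self.value):
            return False  # frame too short to hold the field: cannot match
        care = self.care or b"\xff" * len(self.value)
        return all((f & c) == (v & c) for f, v, c in zip(field, self.value, care))

def ip_field(dotted: str) -> bytes:
    """'128.001.002.003' (decimal, as written) -> 80 01 02 03 (hex, as in the IP header)."""
    return bytes(int(octet) for octet in dotted.split("."))

STATION = ip_field("128.001.002.003")
IS_IP = FieldMask(ETH_TYPE_OFF, b"\x08\x00")
TO_STATION = FieldMask(IP_DST_OFF, STATION)      # the page's first mask
FROM_STATION = FieldMask(IP_SRC_OFF, STATION)    # the OR condition added in the second mask
XEROX_SRC = FieldMask(ETH_SRC_OFF, bytes.fromhex("0000AA000000"),
                      care=bytes.fromhex("FFFFFF000000"))  # low three octets: don't care

def blocks_station(frame: bytes) -> bool:
    """Second mask: IP packet AND (destined for OR originating from) the station."""
    return IS_IP.matches(frame) and (TO_STATION.matches(frame) or FROM_STATION.matches(frame))

def blocks_xerox(frame: bytes) -> bool:
    """Third mask: any frame whose source Ethernet address lies in Xerox's 0000AA block."""
    return XEROX_SRC.matches(frame)

def make_frame(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed minimal Ethernet/IPv4 frame; only the fields the masks inspect are filled in."""
    eth = bytes.fromhex("FFFFFFFFFFFF") + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = bytearray(20)
    ip[0] = 0x45  # IPv4, 20-octet header
    ip[12:16], ip[16:20] = ip_field(src_ip), ip_field(dst_ip)
    return eth + bytes(ip)
```

A frame from a Xerox station addressed to 128.001.002.003 is caught by both masks; one from a non-Xerox station between two other addresses passes both.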