Filtering
General Restrictions
Bridge Filter Masks may be created to generally restrict access for various purposes. Some of these purposes may be to filter
specific combinations of information. This section will generally depict masks that may be created to control traffic across the
bridged LAN network.
Internet Addresses
Within the Internet Protocol, there exist two address fields that are designated the Source and Destination Internet
Addresses. It is these addresses that the IP uses for routing purposes.
To filter Internet Addresses, a mask must be created to look at the Source or Destination address field within the IP
header.
As an example, assume a station’s Internet address is equal to 128.001.002.003, and a restriction is desired to prevent
any other station from across the link on the opposite LAN from gaining access to it. In this case, the mask must
filter any IP packet that is destined for this Internet address. The Destination address field within the IP header is at
an offset of 30 octets into the Ethernet frame. This address is four octets long.
(Note: Although an Internet address is written in decimal notation, the address within the IP header is always in
hexadecimal.)
To accomplish this, the mask would look like this: 12-0800&30-80010203
This will filter IP packets that contain the Internet address of 128.001.002.003.
As another example, assume that this Internet address should also be filtered if it originates any data. In addition to
the mask above, an OR condition will have to be added to look at the IP source address. The new mask would be as
follows: 12-0800&(26-80010203|30-80010203)
This would filter any frame that is an IP packet either destined for or originating from Internet address
128.001.002.003. The parentheses must be added around the Internet address portion to ensure that the proper logical
ordering is retained.
Ethernet Station Addresses
Ethernet addresses are assigned to LAN users in blocks. These blocks are normally assigned to manufacturers of
Ethernet LAN hardware, and the blocks are sufficiently large to provide unique addresses for a given manufacturer
for many years.
Thus, a manufacturer will have a block of addresses, and filtering may be performed to prevent a particular
manufacturer’s LAN hardware from using the bridge facilities.
As an example, Xerox has a block of addresses that cover the range from 0000AA000000 to 0000AAFFFFFF. To
prevent this equipment from accessing facilities on another LAN segment, a generic filter may be created. A mask
that looked at the Source Ethernet address field would be required. The mask would be as follows:
6-0000AA
The remainder of the address is considered a “don’t care” condition. This mask prevents the entire address block
from using the LAN segment facilities.
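The following is an added example, not part of the original manual or the bridge vendor's software: a small Python evaluator for the mask notation used in both the Internet Addresses and Ethernet Station Addresses sections (OFFSET-HEXVALUE terms joined by `&` and `|`, with parentheses). It assumes offsets are decimal byte counts from the start of the Ethernet frame, that a hex value is compared byte-for-byte at that offset so a short value such as 0000AA acts as a "don't care" prefix, and that `&` binds tighter than `|` (which is why the manual's second mask needs parentheses). The sample frames are constructed here for illustration.

```python
"""Evaluate bridge filter masks such as 12-0800&(26-80010203|30-80010203).

Assumptions (not stated in the manual): decimal byte offsets from the start
of the Ethernet frame, hex values compared byte-for-byte at that offset
(shorter values act as a prefix, i.e. "don't care" for the rest), and '&'
binding tighter than '|'.
"""
import re
import struct

# One term (offset-hexvalue) or one operator per match; leading blanks skipped.
TOKEN_RE = re.compile(r"\s*(?:(\d+)-([0-9A-Fa-f]+)|([&|()]))")


def tokenize(mask):
    """Turn a mask string into (offset, bytes) tuples and operator strings."""
    mask = mask.strip()
    tokens, pos = [], 0
    while pos < len(mask):
        m = TOKEN_RE.match(mask, pos)
        if not m:
            raise ValueError(f"bad mask syntax near {mask[pos:]!r}")
        pos = m.end()
        if m.group(3):
            tokens.append(m.group(3))
        else:
            # bytes.fromhex rejects odd-length values, which would be ambiguous
            tokens.append((int(m.group(1)), bytes.fromhex(m.group(2))))
    return tokens


class _Parser:
    """Recursive-descent evaluator: expr := term ('|' term)*, term := atom ('&' atom)*."""

    def __init__(self, tokens, frame):
        self.toks, self.frame, self.i = tokens, frame, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of mask")
        t = self.toks[self.i]
        self.i += 1
        return t

    def expr(self):
        v = self.term()
        while self.peek() == "|":
            self.take()
            rhs = self.term()  # evaluate fully so syntax errors are always caught
            v = v or rhs
        return v

    def term(self):
        v = self.atom()
        while self.peek() == "&":
            self.take()
            rhs = self.atom()
            v = v and rhs
        return v

    def atom(self):
        t = self.take()
        if t == "(":
            v = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return v
        if isinstance(t, tuple):
            offset, value = t
            # Compare exactly len(value) octets at the offset; bytes beyond are don't-care.
            return self.frame[offset:offset + len(value)] == value
        raise ValueError(f"unexpected token {t!r}")


def mask_matches(mask, frame):
    """Return True if the frame (bytes) would be filtered by the mask."""
    p = _Parser(tokenize(mask), frame)
    result = p.expr()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens in mask: {p.toks[p.i:]!r}")
    return result


def build_ip_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet II header followed by a minimal 20-octet IPv4 header.

    Layout gives EtherType at offset 12, IP source at 26 and IP destination at 30,
    matching the offsets used in the manual's masks.
    """
    def ip(dotted):
        return bytes(int(o) for o in dotted.split("."))
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, ip(src_ip), ip(dst_ip))
    return eth + iph


def demo():
    """Apply the manual's three masks to constructed frames; returns a result table."""
    to_host = build_ip_frame("00D0B7112233", "0000AA445566", "128.1.2.4", "128.1.2.3")
    from_host = build_ip_frame("0000AA445566", "00D0B7112233", "128.1.2.3", "128.1.2.4")
    other = build_ip_frame("0000AA445566", "00D0B7112233", "128.1.2.4", "128.1.2.9")
    # Non-IP frame (EtherType 0806) that happens to carry 80010203 at offset 30:
    # shows why the parentheses in the second mask matter.
    non_ip = bytes.fromhex("00D0B7112233" "0000AA445566" "0806") + b"\x00" * 16 + bytes.fromhex("80010203")
    return {
        "dest_mask_to_host": mask_matches("12-0800&30-80010203", to_host),
        "dest_mask_other": mask_matches("12-0800&30-80010203", other),
        "either_mask_from_host": mask_matches("12-0800&(26-80010203|30-80010203)", from_host),
        "either_mask_non_ip": mask_matches("12-0800&(26-80010203|30-80010203)", non_ip),
        "no_parens_non_ip": mask_matches("12-0800&26-80010203|30-80010203", non_ip),
        "xerox_block_from_host": mask_matches("6-0000AA", from_host),
        "xerox_block_to_host": mask_matches("6-0000AA", to_host),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:24s} {'FILTERED' if hit else 'passed'}")
```

The `no_parens_non_ip` entry illustrates the manual's remark about logical ordering: without the parentheses, the `|30-80010203` branch matches a non-IP frame on its own, so the frame is filtered even though it is not an IP packet; with the parentheses the EtherType check applies to both address alternatives.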