User`s guide

Table Of Contents

4-1

Chapter 4

Using ATX Port Filtering

Port ﬁlter table information; adding ﬁlters; viewing statistics

The ATX lets you create custom ﬁlters to screen data packets, and discard or

forward trafﬁc based on the speciﬁed ﬁlter criteria. You may have several reasons

for creating ﬁlters — for example, to monitor trafﬁc patterns as an aid to

optimizing your network design, or to evaluate your network security. Among

the criteria you can select for ﬁltering are the packet’s source or destination

address, its entry or exit port, the packet’s Protocol type, or a 64 byte data value

ﬁlter applied anywhere in the packet’s data.

The ATX supports two basic types of ﬁlters:

• Entry ﬁlters are pre-processing ﬁlters, applied to a port to screen incoming

trafﬁc.The ﬁlterconditionis satisﬁed beforea bridgingdecisionis made atthe

port.Youcanusethisﬁltertoblockincomingtrafﬁcfromaparticularsegment,

for instance.

• Exit ﬁlters are post-processing ﬁlters. The packet is received and processed at

aport,and then screenedafterabridging decision ismade at theport.Youcan

use this ﬁlterto allowtrafﬁcto be forwarded froma segment tosome portson

a bridge, but not to others, for example.

There are two basic methods of determining how packets get ﬁltered:

• Bridge Address Table ﬁlters are created in the Bridge Filtering Database, and

are based on the address information stored in the bridge’s Source Address

Table. They let you screen packets on any source address that is recorded as a

static or dynamic entry in the bridge’s Source Address Table. The Source

Address Table can store up to 8,192 entries, of which 200 can be statically

createdthroughmanagement.Byusingtheseﬁlters,youcanselectively screen

trafﬁcto orfroma particular station according to its MACaddress, or ﬁlteron

multicastpackets—suchastheFF-FF-FF-FF-FF-FFbroadcastMACaddress—

transmitted from a particular source address (to prevent broadcast storms

from propagating over the network from that source).