Specifications

Chapter 4. Configuring Special Features 79
Bridge Filtering and IP Firewall
You can control the flow of packets across the router using bridge filtering. Bridge filtering lets you "deny" or
"allow" packets to cross the network based on position and hexadecimal content within the packet. This enables
you to restrict or forward messages with a specified address, protocol, or data content. Common uses are to
prevent access to remote networks, control unauthorized access to the local network, and limit unnecessary traffic.
For example, it might be necessary to restrict remote access for specific users on the local network. In this case,
bridging filters are defined using the local MAC address for each user to be restricted. Each bridging filter is
specified as a "deny" filter based on the MAC address and position of the address within the packet. To initiate
bridge filtering, "deny" filtering mode is then enabled. Every packet with one of the MAC addresses would not be
bridged across the router until "deny" filtering mode was disabled.
Similarly, protocol filtering can be used to prevent a specific protocol from being bridged. In this case, the
protocol id field in a packet is used to deny or allow a packet. You can also restrict, for example, the bridging of
specific broadcast packets.
Configure Bridge Filtering
Bridge filtering allows you to control the packets transferred across the router. This feature can be used to enhance
security or improve performance. The filtering is based on matched patterns within the packet at a specified offset.
Two filtering modes are available:
• "Deny" mode will discard any packet matched to the "deny" filters in the filter database and let all other
packets pass.
• "Allow" mode will only pass the packets that match the "allow" filters in the filter database and discard all
others.
Up to 40 "allow" filters or 40 "deny" filters can be activated from the filter database.
Enter the filters, including the pattern, offset, and filter mode, into a filter database. If you intend to restrict
specific stations or subnetworks from bridging, then add the filters with a "deny" designation and then enable
"deny" filtering. If you wish to allow only specific stations or subnetworks to bridge, then add the filters with an
"allow" designation and enable "allow" filtering. Add each filter with the following command:
filter br add [pos] [data] [deny | allow]
where [pos] is the byte offset within a packet (a number from 0 to 127) at which the router compares [data] (a hex
number of up to 6 bytes). This offset and data pair can be used to identify an address, a protocol id, or data
content. After entering your filters, verify your entries with the following command:
filter br list
If you have entered an incorrect filter, delete the filter using the filter br del command. When you are satisfied
with the filter list, save the filtering database with the save filter command. You must reboot the router to load the
filtering database. Then enable bridge filtering with the following command:
filter br use [none | deny | allow]
To test the filtering configuration, access the remote destination identified in the filter.
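The "deny" and "allow" semantics described above, as an added example that is not part of the router's own software: a small Python model of the filter database in which each entry matches hex data at a byte offset, with a constructed Ethernet frame and constructed filter entries (the MAC address, offsets and the 40-filter limit follow the text; the frame contents are sample values).

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class BridgeFilter:
    """One filter database entry: match `data` at byte offset `pos`."""
    pos: int      # byte offset within the frame, 0-127
    data: bytes   # 1 to 6 bytes to compare
    action: str   # "deny" or "allow"

    def __post_init__(self):
        if not 0 <= self.pos <= 127:
            raise ValueError("pos must be 0-127")
        if not 1 <= len(self.data) <= 6:
            raise ValueError("data must be 1-6 bytes")
        if self.action not in ("deny", "allow"):
            raise ValueError("action must be deny or allow")

    def matches(self, frame: bytes) -> bool:
        end = self.pos + len(self.data)
        # A frame too short to contain the pattern cannot match it
        return len(frame) >= end and frame[self.pos:end] == self.data


def bridge_decision(frame: bytes, db: Sequence[BridgeFilter], mode: str) -> bool:
    """True if the frame is bridged, False if discarded.

    "none": filtering off; "deny": drop frames matching any active deny
    filter; "allow": pass only frames matching an active allow filter.
    Only the first 40 filters of the active type are consulted.
    """
    if mode == "none":
        return True
    if mode not in ("deny", "allow"):
        raise ValueError("mode must be none, deny or allow")
    active = [f for f in db if f.action == mode][:40]
    hit = any(f.matches(frame) for f in active)
    return (not hit) if mode == "deny" else hit


# Constructed sample Ethernet frame: destination MAC at offset 0, source MAC
# at offset 6, EtherType at offset 12 (0x0800 = IPv4), then a dummy payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff")      # broadcast destination
                + bytes.fromhex("00a0c9112233")    # constructed source MAC
                + bytes.fromhex("0800")            # IPv4
                + b"\x00" * 20)

# Constructed database, as entered with "filter br add [pos] [data] [deny | allow]"
FILTER_DB = [
    BridgeFilter(6, bytes.fromhex("00a0c9112233"), "deny"),  # block this station
    BridgeFilter(12, bytes.fromhex("0800"), "allow"),        # bridge only IPv4
]
```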