3 using filters for security purposes – Enterasys Networks Fast Network 10 User Manual

Chapter 5: FN10 Filters
Fast Network 10 User Guide
When adding or modifying a filter, you must enter both a Source Range
Start value and a Source Range End value. For example:
Source Range: [NA] (InRange/OutRange/NA)>inrange
Source Range Start: [00:00:00:00:00:00] >08:00:20:00:00:00
Source Range End: [00:00:00:00:00:00] >00:40:60:0a:10:3e
Source Range Mask: [ff:ff:ff:ff:ff:ff] >ff:ff:ff:00:00:00
To filter on a single address, be sure to enter the same address in both the
Source Range Start: and Source Range End: fields.
5.3 USING FILTERS FOR SECURITY PURPOSES
The various types of security restrictions that can be implemented using
filters include:
• Restricting access to a network segment – you can configure a filter to
  prevent any traffic from being forwarded to a specific network
  segment.
• Restricting access to specific stations – you can use filters to restrict
  access to specific stations on the network.
• Preventing access by unauthorized users – you can use filters to restrict
  individual workstations from accessing other network devices.
For each example shown below, the situation is described first, and the
objective to be accomplished is explained. Then, how the objective could
be accomplished using the FN10 is explained in general terms. In these
examples, single letters are used to represent MAC-layer addresses.
Actual MAC addresses consist of a string of numbers (for example, 22:14:15:4:5:6).
Example 1: Restricting Access to a Network Segment
The objective in this example is to restrict access for security reasons.
Workstations on one network segment (subnet) are to be restricted
entirely from access to devices on an adjoining subnet.
In this example, there are three subnets connected by a centrally located
FN10 (see Figure 5-1). The subnets are referred to as Manufacturing,
Engineering, and Accounting.