Enterasys Networks Fast Network 10 User Manual

Chapter 5: FN10 Filters

Page 5-14

Fast Network 10 User Guide

This information is used to configure the filter as follows:

•

Filter identifier – port number of the port attached to LAN 2 as a
destination.

•

Filter fields – destination address F-H (range, match) source LAN = 1
(match).

Note that a match flag is specified for both fields; this instructs the
FN10 to filter any packets that match both fields (traffic from LAN 1 and
to addresses F-H on LAN 2).

Several methods are available to accomplish this goal. For example, the
Port filter could have been specified as follows:

•

Filter identifier – port number of the port attached to LAN 1 as a source

•

Filter fields – destination address F-H (range, match)

This example is useful for illustrating three basic concepts concerning
filters:

•

Even though a FN10 is used to join network segments, it can also be
used to block selected traffic — or all traffic if desired — between
joined segments. The blocking mechanism is the filters you set up.

•

Filters can be based upon various criteria: source address, destination
address, packet type, and so on. In the example, the filter criteria were
source port and destination MAC address.

•

A filter can only block (discard) packets which must cross the FN10.
The FN10 in the example can only filter traffic that travels from LAN
1 to LAN 2 (or from LAN 2 to LAN 1).

While a filter can prevent LAN 1 stations from accessing the
sensitive-data workstations on LAN 2, it cannot prevent workstation E
on LAN 2 from accessing these workstations. The reason is that
workstation E is on the same LAN as the sensitive-data computers, and
therefore does not need to use the FN10 to access them.