12-4
Traffic/Security Filters and Monitors
Filter Types and Operation
■ You can include all destination ports and trunks in the switch on a
  single source-port filter.
■ Each source-port filter includes:
  • One source port or port trunk (trk1, trk2, ... trkn)
  • A set of destination ports and/or port trunks that includes all
    untrunked LAN ports and port trunks on the switch
  • An action (forward or drop) for each destination port or port trunk
  When you create a source-port filter, the switch automatically sets the
  filter to forward traffic from the designated source to all destinations for
  which you do not specifically configure a “drop” action. Thus, it is not
  necessary to configure a source-port filter for traffic you want the switch
  to forward unless the filter was previously configured to drop the desired
  traffic.
■ When you create a source-port filter, all ports and port trunks (if any)
  on the switch appear as destinations on the list for that filter, even if
  routing is disabled and separate VLANs and/or subnets exist. Where
  traffic would normally be allowed between ports and/or trunks, the
  switch automatically forwards traffic to the outbound ports and/or
  trunks you do not specifically configure to drop traffic. (Destination
  ports that comprise a trunk are listed collectively by the trunk name—such
  as Trk1—instead of by individual port name.)
■ Packets allowed for forwarding by a source-port filter are subject to
  the same operation as inbound packets on a port that is not configured
  for source-port filtering.
■ With multiple IP addresses configured on a VLAN, and routing
  enabled on the switch, a single port or trunk can be both the source
  and destination of packets moving between subnets in that same
  VLAN. In this case, you can prevent the traffic of one subnet from
  being routed to another subnet of the same port by configuring the
  port or trunk as both the source and destination for traffic to drop.
Example
If you want to prevent server “A” from receiving traffic sent by workstation
“X”, but do not want to prevent any other servers or end nodes from receiving
traffic from workstation “X”, you would configure a filter to drop traffic from
port 5 to port 7. The resulting filter would drop traffic from port 5 to port 7,
but would forward all other traffic from any source port to any destination
port. (Refer to figures 12-2 and 12-3.)
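The filter rules described on this page, modeled in Python as an added illustration (this is not HP code or switch CLI). The names `SourcePortFilter`, `logical` and `decide` and the sample switch layout (ports 1-10, with ports 9 and 10 forming Trk1) are assumptions made for the example.

```python
# Added illustration: a model of source-port filter semantics, not switch software.
# All names and the sample port/trunk layout below are hypothetical.
FORWARD, DROP = "forward", "drop"


class SourcePortFilter:
    """One filter: a single source (port or trunk) plus per-destination actions."""

    def __init__(self, source, destinations, drop=()):
        self.source = source
        # Every destination starts as "forward"; only listed ones become "drop".
        self.actions = {d: FORWARD for d in destinations}
        for d in drop:
            if d not in self.actions:
                raise ValueError(f"{d!r} is not listed as a destination")
            self.actions[d] = DROP


def logical(port, trunks):
    """Trunk members are addressed collectively by trunk name, not port name."""
    for name, members in trunks.items():
        if port in members:
            return name
    return port


def decide(filters, trunks, in_port, out_port):
    """Filter verdict only; forwarded packets still follow normal switch operation."""
    src, dst = logical(in_port, trunks), logical(out_port, trunks)
    flt = filters.get(src)
    if flt is None:
        return FORWARD          # no source-port filter on this source
    return flt.actions[dst]     # source == destination is a valid pair


# Constructed sample switch: ports 1-10, with ports 9 and 10 forming Trk1.
TRUNKS = {"Trk1": {"9", "10"}}
DESTS = [str(p) for p in range(1, 9)] + ["Trk1"]

FILTERS = {
    # The example on this page: drop port 5 -> port 7, forward everything else.
    "5": SourcePortFilter("5", DESTS, drop=["7"]),
    # Multi-subnet case: a trunk as both source and destination to drop.
    "Trk1": SourcePortFilter("Trk1", DESTS, drop=["Trk1"]),
}

if __name__ == "__main__":
    for src, out in (("5", "7"), ("5", "6"), ("5", "10"), ("9", "10")):
        print(f"{src} -> {out}: {decide(FILTERS, TRUNKS, src, out)}")
```
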
HP Switch Software, E3800 switches, Software version KA 15 03, September 2011, Access Security Guide