Section 11-2. Protocol Filtering


  • Protocol filtering can be configured on Catalyst 4000, 5000, or 6000 series switches.

  • Protocol filtering does not require any special feature cards on the switch to operate.

  • Protocol filtering enables you to configure a port to filter or block flood (broadcast, multicasts, and unknown unicasts) traffic based on protocols.

  • Protocol filtering is only supported on Layer 2 access ports and cannot be configured on trunk links or Layer 3 ports.

  • Protocol filtering supports blocking of IP, IPX, AppleTalk, VINES, and DECnet traffic. All other protocols are not affected by protocol filtering.

  • Administrative protocols such as Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), and VLAN Trunking Protocol (VTP) are not blocked by protocol filtering.

Configuration

When you configure protocol filtering on a port, the switch stops flooding traffic of the filtered protocol type that it receives from other ports in the VLAN out that port. This is useful for limiting the traffic that reaches clients in a VLAN where other hosts run different and "chatty" protocols. To configure protocol filtering, use the following steps.

1.

Enable protocol filtering for the switch:

COS

 set protocolfilter enable 

IOS

 (global) protocol-filter 


Protocol filtering is disabled by default. For the ports to control the traffic, you must first enable protocol filtering for the switch. After enabling the process, you can set up the ports to react to a given protocol.

2.

Enable protocol filtering on an access port:

COS


 set port protocol mod/port {ip | ipx | group} {on | off | auto} 

IOS


 (interface) switchport protocol {ip | ipx | group} {on | off | auto} 


For each port on which you want to control traffic, you must specify the protocol and how traffic of that protocol is to be handled. The protocol keyword selects the protocol type: ip (IP), ipx (IPX), or group (AppleTalk, DECnet, and Banyan VINES). The mode keyword selects how the port handles that protocol:

  • on: the port receives traffic of the protocol and forwards flood traffic for it.

  • off: the port neither receives nor floods traffic of the protocol.

  • auto: the port does not flood traffic of the protocol until it first receives a packet of that protocol on the port.

Table 11-1 lists the default modes that apply if a port is not configured.

Table 11-1. Protocol Filtering Defaults

  Protocol   Mode
  --------   ----
  IP         on
  IPX        auto
  Group      auto
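The mode semantics above (on, off, and auto with its learn-on-first-packet behaviour, plus the Table 11-1 defaults and the fact that non-filterable protocols such as STP, CDP and VTP are never affected) can be modelled to check what a given port configuration actually lets through. The following Python model is an added example written for this page; it is not Cisco code and does not talk to a switch. Port names, the protocol labels and the scenario in demo() are constructed for illustration.

```python
"""Model of Catalyst protocol-filtering port modes: on / off / auto.

Added example; assumptions: protocol labels "ip", "ipx" and "group"
(AppleTalk, DECnet, VINES) are the only filterable types, all others
(e.g. "stp", "cdp") are always forwarded, as the section states.
"""
from dataclasses import dataclass, field

FILTERED = {"ip", "ipx", "group"}
# Default modes from Table 11-1 for ports that are not explicitly configured.
DEFAULT_MODES = {"ip": "on", "ipx": "auto", "group": "auto"}


@dataclass
class Port:
    name: str
    modes: dict = field(default_factory=lambda: dict(DEFAULT_MODES))
    # Protocols already seen arriving on this port; drives the "auto" mode.
    seen: set = field(default_factory=set)

    def receive(self, proto: str) -> bool:
        """A frame of `proto` arrives on this port. Returns True if accepted."""
        if proto in FILTERED and self.modes[proto] == "off":
            return False  # "off": the port cannot receive the protocol
        self.seen.add(proto)
        return True

    def floods(self, proto: str) -> bool:
        """Would flood traffic of `proto` from other VLAN ports leave this port?"""
        if proto not in FILTERED:
            return True  # unaffected protocols, including STP/CDP/VTP
        mode = self.modes[proto]
        if mode == "on":
            return True
        if mode == "off":
            return False
        # "auto": nothing is flooded until a packet of the protocol was received
        return proto in self.seen


def demo() -> dict:
    """Constructed scenario: an IPX-only port and an auto-learning port."""
    ipx_only = Port("5/7", {"ip": "off", "ipx": "on", "group": "off"})
    auto = Port("5/9", {"ip": "auto", "ipx": "auto", "group": "on"})
    default = Port("5/11")  # left at Table 11-1 defaults
    out = {}
    out["5/7 floods ip"] = ipx_only.floods("ip")        # off -> False
    out["5/7 accepts ip"] = ipx_only.receive("ip")      # off -> False
    out["5/7 floods ipx"] = ipx_only.floods("ipx")      # on  -> True
    out["5/9 floods ip before"] = auto.floods("ip")     # auto, nothing seen
    auto.receive("ip")                                  # an IP client shows up
    out["5/9 floods ip after"] = auto.floods("ip")      # learned -> True
    out["5/9 floods ipx after"] = auto.floods("ipx")    # still unseen -> False
    out["5/9 floods stp"] = auto.floods("stp")          # never filtered
    out["default floods ip"] = default.floods("ip")     # default "on"
    out["default floods ipx"] = default.floods("ipx")   # default "auto"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point worth noticing in the output is the auto row: a port in auto mode stays quiet for a protocol until a host on that port speaks it, so an unused port does not receive IPX or group floods by default, while IP floods still reach it because the IP default is on.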


Verification

To verify the configuration of protocol filtering, use the following commands:

COS

 show port protocol mod/port(s) 

IOS

 (privileged) show protocol-filtering 

-OR-


 (privileged) show protocol-filtering interface {type slot/port} 


These show commands display the protocol filtering configuration for the specified ports. In IOS, show protocol-filtering without a port designation lists only the ports that have at least one protocol in a nondefault mode.

Feature Example

This example shows the configuration for protocol filtering. It first enables protocol filtering on the switch. It then sets Fast Ethernet ports 5/1 through 5/6 to pass IP traffic unfiltered and to block the other filterable protocols (IPX and the AppleTalk, DECnet, and VINES group). Ports 5/7 and 5/8 are configured to allow only IPX traffic. Ports 5/9 and 5/10 allow IP and IPX traffic only after an IP or IPX client is detected on the specific port, and allow group traffic to be forwarded.

An example of the Catalyst OS configuration follows:

 Catalyst(enable)>set protocolfilter enable
 Catalyst(enable)>set port protocol 5/1-6 ip on
 Catalyst(enable)>set port protocol 5/1-6 ipx off
 Catalyst(enable)>set port protocol 5/1-6 group off
 Catalyst(enable)>set port protocol 5/7-8 ip off
 Catalyst(enable)>set port protocol 5/7-8 ipx on
 Catalyst(enable)>set port protocol 5/7-8 group off
 Catalyst(enable)>set port protocol 5/9-10 ip auto
 Catalyst(enable)>set port protocol 5/9-10 ipx auto
 Catalyst(enable)>set port protocol 5/9-10 group on

An example of the Supervisor IOS configuration follows:

 Switch(config)#protocol-filter
 Switch(config)#interface fastethernet 5/1
 Switch(config-if)#switchport protocol ip on
 Switch(config-if)#switchport protocol ipx off
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/2
 Switch(config-if)#switchport protocol ip on
 Switch(config-if)#switchport protocol ipx off
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/3
 Switch(config-if)#switchport protocol ip on
 Switch(config-if)#switchport protocol ipx off
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/4
 Switch(config-if)#switchport protocol ip on
 Switch(config-if)#switchport protocol ipx off
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/5
 Switch(config-if)#switchport protocol ip on
 Switch(config-if)#switchport protocol ipx off
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/6
 Switch(config-if)#switchport protocol ip on
 Switch(config-if)#switchport protocol ipx off
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/7
 Switch(config-if)#switchport protocol ip off
 Switch(config-if)#switchport protocol ipx on
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/8
 Switch(config-if)#switchport protocol ip off
 Switch(config-if)#switchport protocol ipx on
 Switch(config-if)#switchport protocol group off
 Switch(config-if)#interface fastethernet 5/9
 Switch(config-if)#switchport protocol ip auto
 Switch(config-if)#switchport protocol ipx auto
 Switch(config-if)#switchport protocol group on
 Switch(config-if)#interface fastethernet 5/10
 Switch(config-if)#switchport protocol ip auto
 Switch(config-if)#switchport protocol ipx auto
 Switch(config-if)#switchport protocol group on
 Switch(config-if)#end
 Switch#copy running-config startup-config
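Because an unconfigured protocol silently keeps its Table 11-1 default, a port that was meant to be IPX-only but never received a "group off" line still floods AppleTalk, DECnet and VINES once a client speaks them, and none of the per-port settings do anything while the global protocol-filter command is missing. A configuration audit catches both. The following Python script is an added example, not part of the book or of any Cisco tool: it parses a constructed running-config fragment modelled on the IOS example above (interface names and the "protocol-filter" line are assumed to appear in the running-config in this form), fills in the Table 11-1 defaults, and reports every port whose effective modes differ from an intended policy.

```python
"""Audit protocol-filtering settings in an IOS-style running-config.

Added example. Assumptions: the global command shows up as a line
"protocol-filter" and per-port settings as
"switchport protocol <ip|ipx|group> <on|off|auto>" under "interface ...".
"""
import re

# Table 11-1 defaults apply to every protocol a port does not set explicitly.
DEFAULTS = {"ip": "on", "ipx": "auto", "group": "auto"}

# Constructed running-config fragment; note that 5/7 omits the group line.
SAMPLE_CONFIG = """\
protocol-filter
!
interface FastEthernet5/1
 switchport protocol ip on
 switchport protocol ipx off
 switchport protocol group off
!
interface FastEthernet5/7
 switchport protocol ip off
 switchport protocol ipx on
!
interface FastEthernet5/9
 switchport protocol ip auto
 switchport protocol ipx auto
 switchport protocol group on
!
"""

# Intended policy for the ports we care about (constructed, mirrors the text).
INTENT = {
    "FastEthernet5/1": {"ip": "on", "ipx": "off", "group": "off"},
    "FastEthernet5/7": {"ip": "off", "ipx": "on", "group": "off"},
    "FastEthernet5/9": {"ip": "auto", "ipx": "auto", "group": "on"},
}

PORT_RE = re.compile(r"switchport protocol (ip|ipx|group) (on|off|auto)$")


def parse(config: str):
    """Return (filtering_enabled, {interface: {proto: mode}}) with defaults filled."""
    enabled = False
    ports = {}
    current = None
    for line in config.splitlines():
        s = line.strip()
        if s == "protocol-filter":
            enabled = True
        elif s.startswith("interface "):
            current = s.split(None, 1)[1]
            ports[current] = dict(DEFAULTS)  # start from Table 11-1
        else:
            m = PORT_RE.match(s)
            if m and current is not None:
                ports[current][m.group(1)] = m.group(2)
    return enabled, ports


def audit(config: str, intent: dict) -> list:
    """List human-readable findings where effective modes differ from intent."""
    findings = []
    enabled, ports = parse(config)
    if not enabled:
        findings.append("global: protocol-filter is not enabled; port modes are inert")
    for name, want in intent.items():
        have = ports.get(name, dict(DEFAULTS))  # unlisted port = all defaults
        for proto, mode in want.items():
            if have[proto] != mode:
                findings.append(f"{name}: {proto} is {have[proto]}, expected {mode}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, INTENT):
        print(f)
```

Run against the sample, the audit reports exactly one finding: FastEthernet5/7 has group in its default auto mode rather than the intended off. Removing the first line of the sample adds the global finding, which is the failure mode step 1 of the configuration warns about.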



Cisco Field Manual. Catalyst Switch Configuration
ISBN: 1587050439
EAN: N/A
Year: 2001
Pages: 150
