HP (Hewlett-Packard) 2600-PWR Series Switch User Manual


 
10-2
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)
Overview
This chapter describes the use of source-port filters on the Series 2600/
2600-PWR switches and on the Series 2800 switches. For information on filters
for the Series 2500 switches, refer to the Management and Configuration
Guide provided for these devices.
General Operation. You can enhance in-band security and improve control over access to network resources by configuring static per-port filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving between an inbound (source) port or trunk and any outbound (destination) ports and trunks (if any) on the switch.
With routing disabled on the switch (the default), source-port filtering can operate on traffic moving within the same VLAN.

With routing enabled on the switch, source-port filtering can operate on traffic moving between VLANs as well as within the same VLAN. (However, if you configure and enable routing on the switch when multinetting within a VLAN has been configured, source-port filtering will not work.)

Source-port filters have no effect on traffic being routed across VLANs.
Note
The switch manages a port trunk as a single source or destination for source-port filtering. If you configure a port for filtering before adding it to a port trunk, the port retains the filter configuration, but suspends the filtering action while a member of the trunk. If you want a trunk to perform filtering, first configure the trunk, then configure the trunk for filtering. Refer to “Configuring a Filter on a Port Trunk” on page 10-6.
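The following is an added example, not HP/ProCurve code: a small Python model of the filter rules stated above (default forward, drop only the listed destinations, a trunk treated as one source/destination, a port's filter retained but suspended while it is a trunk member). The class name, port and trunk labels and the filter table are assumptions chosen for illustration; the model lets you sanity-check a planned filter table offline before typing it into a switch.

```python
from dataclasses import dataclass, field


@dataclass
class SourcePortFilterModel:
    """Hypothetical model of the source-port filter rules in this chapter (not switch firmware)."""
    ports: set                                   # physical ports, e.g. {"1", ..., "10"}
    trunks: dict = field(default_factory=dict)   # trunk name -> member ports, e.g. {"Trk1": {"7", "8"}}
    filters: dict = field(default_factory=dict)  # source (port or trunk name) -> destinations to drop

    def entity(self, port):
        """A trunk is managed as a single source/destination: map a member port to its trunk name."""
        for name, members in self.trunks.items():
            if port in members:
                return name
        return port

    def destinations(self):
        """Every port or trunk appears as a destination; trunk members are listed by trunk name only."""
        members = set().union(*self.trunks.values())
        return (self.ports - members) | set(self.trunks)

    def add_filter(self, source, drop):
        """Configure a filter on a source port or trunk; destinations not listed keep the default 'forward'."""
        unknown = set(drop) - self.destinations()
        if unknown:
            raise ValueError(f"not a valid destination on this switch: {sorted(unknown)}")
        self.filters[source] = set(drop)

    def action(self, src_port, dst_port):
        """Decide 'forward' or 'drop' for traffic entering src_port and bound for dst_port."""
        src, dst = self.entity(src_port), self.entity(dst_port)
        # If src_port joined a trunk after being filtered, its own entry stays in self.filters
        # but is never consulted here (filtering suspended); only a filter on the trunk applies.
        return "drop" if dst in self.filters.get(src, set()) else "forward"
```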
When you create a source port filter, all ports or port trunks on the switch appear as destinations on the list for that filter. The switch automatically forwards traffic to the ports and/or trunks you do not specifically configure to drop traffic. (Destination ports that comprise a trunk are listed collectively by the trunk name—such as Trk1—instead of by individual port name.) For example, if you want to prevent server "A" from receiving traffic sent by workstation "X", but do not want to prevent any other servers or end nodes