Policies and Filters
IP sub-net and IPX network VLANs are similar, except that for these VLAN types the device examines the IP sub-net
or IPX network address.
• If the IP sub-net or IPX network address matches the address of the IP sub-net VLAN or IPX network VLAN,
the device forwards the packet.
• If the sub-net or network address does not match the VLAN, the device drops the packet.
See “Configuring VLANs” on page 16-1 for VLAN configuration rules and examples.
Actions
A device forwards a packet if its Layer 3 protocol information matches the protocol VLAN’s protocol type, IP sub-net,
or IPX network; otherwise, the policy drops the packet.
Scope
The forwarding policy of a port-based VLAN applies only to that VLAN.
Syntax
Use the following CLI commands or Web management interface panels to configure VLAN policies.
Table C.5: VLAN Policies
Scope: VLAN type
CLI syntax:
    HP9300(config)# vlan <vlan-id> by port
    HP9300(config-vlan-1)# [untagged] ethernet <portnum> [to | ethernet <portnum>]
Web management links: Configure->VLAN->Port
NOTE: The untagged command applies only if you are removing 802.1q tagging from the ports in the VLAN.
802.1q tagging allows a port to be a member of multiple port-based VLANs. Ports in a port-based VLAN are
tagged by default. The default tag is 8100 and is a global parameter.
IP Access Policies
IP access policies are rules that determine whether the device forwards or drops IP packets. You create an IP
access policy by defining an IP filter, then applying it to an interface. The filter consists of source and destination
IP information and the action to take when a packet matches the values in the filter. You can configure an IP filter
to permit (forward) or deny (drop) the packet.
You also can configure Layer 4 information in an IP filter. If you configure Layer 4 information, you are configuring
a Layer 4 policy. See “TCP/UDP Access Policies” on page C-9.
You can apply an IP filter to inbound or outbound packets. When you apply the filter to an interface, you specify
whether the filter applies to inbound packets or outbound packets. Thus, you can use the same filter on multiple
interfaces and specify the filter direction independently on each interface.
Figure D.1 shows an example of an inbound IP access policy group applied to port 1 on slot 1 of an HP 9308M
routing switch. In this example, packets enter the port from left to right. The first three packets have entered the
port and have been permitted or denied. The two packets on the left have not yet entered the port. When they do,
they will be permitted. Since the last policy in the group is a “permit any” policy, all packets that do not match
another policy are permitted. The “permit any” policy changes the default action to permit.
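The evaluation described above, modelled in Python as an added example (not code from this guide or from the device). It assumes filters in a group are checked in order with the first match deciding, and that a packet matching no filter is dropped, as the text implies for a group without a final “permit any”; the addresses and the 1/1 and 1/2 port labels are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class IPFilter:
    """Source/destination match plus the action taken on a match."""
    action: str                          # "permit" (forward) or "deny" (drop)
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

def evaluate(group, src_ip, dst_ip):
    """Assumed first-match evaluation; a packet matching nothing is dropped."""
    for flt in group:
        if flt.matches(src_ip, dst_ip):
            return flt.action
    return "deny"

def default_is_permit(group):
    """Audit check: a trailing 'permit any' turns the default into permit."""
    return bool(group) and group[-1] == IPFilter("permit")

# Constructed filters (documentation address ranges).
deny_host = IPFilter("deny", src=ipaddress.ip_network("192.0.2.10/32"))
deny_to_net = IPFilter("deny", dst=ipaddress.ip_network("198.51.100.0/24"))
permit_any = IPFilter("permit")

# The same filter is reused on two interfaces, with the direction chosen
# independently on each. Keys are (port, direction); labels are constructed.
bindings = {
    ("1/1", "in"): [deny_host, deny_to_net, permit_any],
    ("1/2", "out"): [deny_host],
}

def decide(port, direction, src_ip, dst_ip):
    return evaluate(bindings[(port, direction)], src_ip, dst_ip)

if __name__ == "__main__":
    for key, group in bindings.items():
        print(key, "default permit" if default_is_permit(group) else "default deny")
    print(decide("1/1", "in", "192.0.2.10", "203.0.113.5"))   # denied source host
    print(decide("1/1", "in", "203.0.113.7", "203.0.113.5"))  # falls to permit any
    print(decide("1/2", "out", "203.0.113.7", "203.0.113.5")) # no match, dropped
```

Running `default_is_permit` over every applied group is a quick way to list the interfaces where unmatched traffic is forwarded rather than dropped.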
C - 7