Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.1E
Configuring Layer 3 Protocol Filtering on Supervisor Engine 1

Configuring Layer 3 Protocol Filtering on Supervisor Engine 1



Note: Layer 3 protocol filtering is supported with Supervisor Engine 1. Layer 3 protocol filtering is not supported with Supervisor Engine 2.


This chapter describes how to configure Layer 3 protocol filtering on Layer 2 LAN ports on the Catalyst 6500 series switches.


Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6500 Series Switch Cisco IOS Command Reference publication.


This chapter consists of these sections:

Understanding How Layer 3 Protocol Filtering Works

Configuring Layer 3 Protocol Filtering

Understanding How Layer 3 Protocol Filtering Works

Layer 3 protocol filtering prevents specific Layer 3 protocol packets from being received or transmitted on a Layer 2 LAN port, which reduces the broadcast domain of specific protocols in a VLAN. For example, you can configure a Layer 2 LAN port in a VLAN to allow IP packets only, while another Layer 2 LAN port in the same VLAN allows both IP and Internetwork Packet Exchange (IPX) packets.

Layer 2 LAN trunk ports do not support protocol filtering. You can configure Layer 3 protocol filtering on a trunk, but the configuration is ignored while the port is a trunk.

Protocol filtering cannot be configured on Layer 3 interfaces—only nontrunk Layer 2 LAN ports support Layer 3 protocol filtering.

Layer 3 protocol filtering does not support the features available with standard and extended Cisco IOS ACLs.

Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by Layer 3 protocol filtering. Layer 2 LAN ports that have port security enabled are members of all protocol groups.

You can configure a Layer 2 LAN port with any one of these modes for each protocol group: on, off, or auto. If the configuration is set to on, the port allows all traffic for that protocol. If the configuration is set to off, the port does not allow any traffic for that protocol.

If the configuration is set to auto, the Layer 2 LAN port initially does not allow any flood traffic to be transmitted from the port. After a packet is received on that port, the port will transmit traffic for that protocol group. Once in this state, the port reverts to not allowing flood traffic to be transmitted if no packets for that protocol have been received for 60 minutes. Layer 2 LAN ports are also removed from the protocol group when the supervisor engine detects that the link is down on the port.

If a host that supports both IP and IPX is connected to a Layer 2 LAN port configured as auto for IPX, but the host is transmitting only IP traffic, the port to which the host is connected will not transmit any flooded IPX traffic. However, if the host sends an IPX packet, the supervisor engine software detects the protocol traffic and the port begins transmitting flooded IPX traffic. If the host stops sending IPX traffic for more than 60 minutes, the port stops transmitting flooded IPX traffic.

By default, Layer 2 LAN ports are configured to on for all protocol groups. Typically, you should only configure a Layer 2 LAN port to auto for IP if an end station is directly connected to the port.

Protocol filters are configured according to groups of protocols, not specific protocols. There are four groups of protocols defined:

IP

IPX

AppleTalk, DECnet, and Banyan VINES ("group")

Packets not belonging to any of these protocols ("other")
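The membership rules described in this section (on, off, and auto modes, the 60-minute aging, link-down removal, and port security) can be modeled as a small decision function. This is an added example, not Cisco code: the `Port` class and its method names are hypothetical, time is counted in minutes, and port security is assumed to override the configured mode.

```python
from dataclasses import dataclass, field

GROUPS = ("ip", "ipx", "group", "other")
AGING_MINUTES = 60  # auto-mode membership ages out after 60 minutes of silence


@dataclass
class Port:
    """Hypothetical model of one nontrunk Layer 2 LAN port."""
    # Default configuration: every protocol group is set to on.
    modes: dict = field(default_factory=lambda: {g: "on" for g in GROUPS})
    port_security: bool = False
    link_up: bool = True
    last_seen: dict = field(default_factory=dict)  # group -> minute of last rx

    def receive(self, group, now):
        """Record a packet of this protocol group arriving from the host."""
        if self.link_up:
            self.last_seen[group] = now

    def link_down(self):
        """Link loss removes the port from every learned protocol group."""
        self.link_up = False
        self.last_seen.clear()

    def floods(self, group, now):
        """Return True if flooded traffic of `group` is sent out this port."""
        if not self.link_up:
            return False
        if self.port_security:  # member of all groups (assumed to override mode)
            return True
        mode = self.modes[group]
        if mode != "auto":
            return mode == "on"
        seen = self.last_seen.get(group)
        return seen is not None and now - seen <= AGING_MINUTES


def dual_stack_host_scenario():
    """The IP/IPX host case from the text: IPX is auto, host speaks IP first."""
    port = Port()
    port.modes["ipx"] = "auto"
    port.receive("ip", now=0)
    before = port.floods("ipx", now=1)    # no IPX packet seen yet
    port.receive("ipx", now=10)
    learned = port.floods("ipx", now=11)  # host sent IPX, port joins the group
    aged = port.floods("ipx", now=71)     # 61 minutes of IPX silence
    return [before, learned, aged]
```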

Configuring Layer 3 Protocol Filtering

These sections describe how to configure Layer 3 protocol filtering on Ethernet-type VLANs and on any type of Layer 2 LAN port:

Enabling Layer 3 Protocol Filtering

Configuring Layer 3 Protocol Filtering on a Layer 2 LAN Interface

Verifying Layer 3 Protocol Filtering Configuration


Note: With Release 12.1(11b)E and later, when you are in configuration mode you can enter EXEC mode-level commands by entering the do keyword before the EXEC mode-level command.


Enabling Layer 3 Protocol Filtering

To enable Layer 3 protocol filtering globally, perform this task:

Command: Router(config)# protocol-filter
Purpose: Enables Layer 3 protocol filtering globally.

Command: Router(config)# no protocol-filter
Purpose: Disables Layer 3 protocol filtering globally.


This example shows how to enable Layer 3 protocol filtering globally:

Router# configure terminal
Router(config)# protocol-filtering 

Configuring Layer 3 Protocol Filtering on a Layer 2 LAN Interface

To configure Layer 3 protocol filtering on a Layer 2 LAN port, perform this task:

Step 1
Command: Router(config)# interface {{type slot/port} | {port-channel number}}
Purpose: Selects the interface to configure.

Step 2
Command: Router(config-if)# switchport protocol {appletalk | ip | ipx | group} {on | off | auto}
Purpose: Configures Layer 3 protocol filtering on the LAN port.

Command: Router(config-if)# no switchport protocol {appletalk | ip | ipx | group}
Purpose: Clears Layer 3 protocol filtering configuration on the LAN port.

type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

This example shows how to configure the protocol membership of Fast Ethernet port 5/8 to allow IPX packets only, and verify the configuration:

Router(config)# interface fastethernet 5/8
Router(config-if)# switchport protocol appletalk off
Router(config-if)# switchport protocol ip off
Router(config-if)# switchport protocol ipx on

Verifying Layer 3 Protocol Filtering Configuration

To verify Layer 3 protocol filtering configuration, perform this task:

Command: Router# show protocol-filtering interface {{type slot/port} | {port-channel number}}
Purpose: Verifies the interface filtering configuration.

type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet


This example shows how to verify the Layer 3 protocol filtering configuration of Fast Ethernet port 5/8:

Router# show protocol-filtering interface fastethernet 5/8
Interface       IP Mode         IPX Mode        Group Mode      Other Mode
--------------------------------------------------------------------------
Fa5/8           OFF             ON              OFF             OFF
Router# 

Note: The show protocol-filtering command shows only ports that have at least one protocol set to the nondefault configuration.
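Because ports at the default configuration do not appear in the output, an audit of captured show output has to treat a missing port as having every protocol group set to on. The following added example (not part of the Cisco guide) parses saved output and reports which access ports still admit protocol groups outside an allowed set. The multi-row sample is constructed from the Fa5/8 layout above, the AUTO rendering is an assumption, and the function names are hypothetical.

```python
import re

GROUPS = ("ip", "ipx", "group", "other")
MODE = r"(ON|OFF|AUTO)"  # AUTO spelling in the output is an assumption
ROW = re.compile(rf"^(\S+)\s+{MODE}\s+{MODE}\s+{MODE}\s+{MODE}$")

# Constructed sample; column layout follows the Fa5/8 example in this chapter.
SAMPLE = """\
Interface       IP Mode         IPX Mode        Group Mode      Other Mode
--------------------------------------------------------------------------
Fa5/8           OFF             ON              OFF             OFF
Fa5/9           ON              OFF             OFF             OFF
Fa5/10          AUTO            OFF             OFF             ON
"""


def parse_show(text):
    """Map interface name -> {group: mode} for every data row."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, rule, and prompt lines do not match and are skipped
            modes = (value.lower() for value in m.groups()[1:])
            ports[m.group(1)] = dict(zip(GROUPS, modes))
    return ports


def audit(text, access_ports, allowed=("ip",)):
    """Return {port: [groups outside `allowed` whose mode is not off]}.

    Ports missing from the output have every group at the default (on),
    because the show command lists only ports with a nondefault setting.
    """
    shown = parse_show(text)
    findings = {}
    for port in access_ports:
        modes = shown.get(port, {g: "on" for g in GROUPS})
        exposed = [g for g in GROUPS if g not in allowed and modes[g] != "off"]
        if exposed:
            findings[port] = exposed
    return findings
```

Pass `audit` the full list of access ports from the switch inventory; a port such as Fa5/11 that is absent from the output is reported with all non-allowed groups.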