Configuring Token Ring Filters
This chapter describes how to configure Token Ring filters on the Catalyst 5000 series switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference for your switch.
This chapter consists of these sections:
• Understanding How Token Ring Filters Work
• Configuring Token Ring Filters
Understanding How Token Ring Filters Work
Catalyst 5000 series Token Ring modules provide filtering capabilities to reduce broadcast traffic, block protocols, and provide basic security.
You can filter frames based on the following:
• MAC address (source address or destination address): Defines a filter that explicitly allows data from the select group of users (based on MAC address) to be sent to that port using MAC filters.
• Protocol (destination service access point [DSAP]/Subnetwork Access Protocol [SNAP]): Creates a filter that blocks all data to a port except data that is explicitly allowed.
You can configure MAC address filters for input ports only, and configure DSAP/SNAP filters for both input and output ports. You can configure up to 16 MAC address or DSAP/SNAP filters for each port on the Token Ring modules.
To filter data based on the MAC address, you must specify an address and indicate whether you want to block or allow frames that contain the address as a source or destination address. To filter data based on a protocol, specify either a DSAP or SNAP, and specify whether to permit or deny frames with that protocol.
Configuring Token Ring Filters
These sections describe how to configure Token Ring filters:
• Adding a MAC Address Filter
• Adding a Protocol Filter
• Clearing Filters
Adding a MAC Address Filter
When configuring a MAC address filter, you can enter the MAC address in canonical or noncanonical form. Frames that contain the MAC address as a source or destination address are dropped or passed, depending on whether you specify that the filter permits or denies the frames.
Note: You can define up to 16 MAC address filters per port to be filtered at the port of entry into the Token Ring modules. MAC addresses can be unicast, multicast (group), or broadcast.
To add a filter based on MAC addresses, perform this task in privileged mode:
Task | Command
Step 1 Add a filter based on the MAC addresses. | set port filter mod_num/port_num mac_addr {permit | deny}
Step 2 Verify the MAC filter configuration. | show port filter [mod_num[/port_num]] [canonical]
 | show port filter mac_addr [canonical]
This example shows how to set up a port filter and verify the configuration:
Console> (enable) set port filter 3/2 00:40:0b:01:bc:65 permit
Port 3/2 filter Mac Address 00:40:0b:01:bc:65 set to permit.
Console> (enable) show port filter 3/2
----- ----------------- ------
3/2 00:00:00:00:00:00 deny
----- ----------------- ------
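Because a filter entered in the wrong bit order will not match the intended station, it helps to check both forms of each address before applying a filter plan. The following Python sketch is an added example, not Cisco code: it assumes canonical form is the Ethernet (LSB-first) bit order and noncanonical form is the Token Ring (MSB-first) order, so the two differ by reversing the bits within each octet, and it enforces the 16-filter per-port limit stated above. The function names are hypothetical, and which form the switch assumes for a given notation is not stated in this chapter, so check the Command Reference.

```python
# Added example (not Cisco code): pre-check a MAC filter plan for one port.
MAX_FILTERS_PER_PORT = 16  # per-port limit stated in this chapter


def parse_mac(text):
    """Parse 'xx:xx:xx:xx:xx:xx' into 6 bytes; raise ValueError otherwise."""
    parts = text.strip().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 6-octet MAC address: {text!r}")
    return bytes.fromhex("".join(parts))


def swap_bit_order(mac):
    """Canonical <-> noncanonical: reverse the bits inside each octet."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in mac)


def fmt(mac):
    return ":".join(f"{b:02x}" for b in mac)


def address_kind(mac, canonical):
    """Classify by the group bit: 0x01 of octet 0 if canonical, else 0x80."""
    if mac == b"\xff" * 6:
        return "broadcast"
    group_bit = 0x01 if canonical else 0x80
    return "multicast" if mac[0] & group_bit else "unicast"


def plan_mac_filters(port, entries, canonical=True):
    """entries: list of (mac_text, 'permit'|'deny'); returns one row each."""
    if len(entries) > MAX_FILTERS_PER_PORT:
        raise ValueError(f"{len(entries)} filters exceed the per-port limit")
    rows = []
    for mac_text, action in entries:
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {action!r}")
        mac = parse_mac(mac_text)  # the address is emitted exactly as entered
        rows.append({
            "command": f"set port filter {port} {fmt(mac)} {action}",
            "other_form": fmt(swap_bit_order(mac)),
            "kind": address_kind(mac, canonical),
        })
    return rows


if __name__ == "__main__":
    # Constructed plan; the address is the one used in the example above.
    for row in plan_mac_filters("3/2", [("00:40:0b:01:bc:65", "permit")]):
        print(row)
```

The `other_form` value is the same address in the opposite bit order, for comparison with `show port filter` output displayed with and without the `canonical` keyword.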
Adding a Protocol Filter
Note: You can define up to 16 protocol filters (8 SAP and 8 DSAP classes) per port to be filtered at the port of entry into the Token Ring modules.
To add a filter based on protocol, perform this task in privileged mode:
Task | Command
Step 1 Add a filter based on protocols. | set port filter mod_num/port_num protocol_type {permit | deny}
Step 2 Verify the protocol filter configuration. | show port filter [mod_num[/port_num]] [canonical]
This example shows how to configure a protocol filter on a port and verify the configuration:
Console> (enable) set port filter 3/2 ip permit
Port 3/2 filter Protocol ip set to permit.
Console> (enable) show port filter 3/2
----- ----------------- ------
3/2 00:00:00:00:00:00 deny
----- ----------------- ------
Clearing Filters
To clear a MAC address filter, protocol filter, or all configured filters, perform this task in privileged mode:
Task | Command
Clear a MAC address filter, protocol filter, or all configured filters. | clear port filter [mod_num/port_num] [mac_addr | protocol_type | all]
This example shows how to clear all filters on a port:
Console> (enable) clear port filter all
All filter MAC addresses and Protocols cleared