Configuring Layer 3 Protocol Filtering

This chapter describes how to configure Layer 3 protocol filtering on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces on the Catalyst 6000 family switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet, and Gigabit Ethernet switch interfaces on switching modules and fixed-configuration switches, as well as to supervisor engine Gigabit Ethernet uplink interfaces.


Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family IOS Command Reference publication.

This chapter consists of these sections:

Understanding How Layer 3 Protocol Filtering Works
Configuring Layer 3 Protocol Filtering

Understanding How Layer 3 Protocol Filtering Works

Layer 3 protocol filtering prevents certain packets for specific Layer 3 protocols from being received and transmitted on a switching interface. This filtering is configured individually on each interface and provides control over traffic patterns within a VLAN. For example, you can configure an interface in a VLAN to allow IP packets only, while another interface in the same VLAN allows both IP and Internetwork Packet Exchange (IPX) packets.

Trunking interfaces do not perform any protocol filtering at all. Although the interface configuration keeps its protocol filtering configuration, that configuration is simply ignored until the interface becomes an access interface again.

Layer 3 protocol filtering is supported on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, but only while these interfaces are in access mode---trunking interfaces do not support protocol filtering. Although protocol filtering is a packet classification mechanism, it differs from access control lists (ACLs): packets classified by standard and extended IOS ACLs can be subject to features such as access control (security), encryption, policy-based routing, and so on, whereas protocol filtering is used only to reduce the broadcast domain of specific protocols in a VLAN. Protocol filtering cannot be configured on routed interfaces---only switched interfaces allow protocol filtering to be configured.

Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by Layer 3 protocol filtering. Interfaces that have interface security enabled are members of all protocol groups.

You can configure an interface with any one of these modes for each protocol group: on, off, or auto. If the configuration is set to on, the interface allows all traffic for that protocol. If the configuration is set to off, the interface does not allow any traffic for that protocol.

If the configuration is set to auto, the interface initially does not transmit any flood traffic for that protocol group. Once a packet for that protocol group is received on the interface, the interface begins transmitting flood traffic for that group. Once in this state, the interface reverts to not transmitting flood traffic if no packets for that protocol group have been received for 60 minutes. Interfaces are also removed from the protocol group when the supervisor engine detects that the link is down on the interface.

If a host that supports both IP and IPX is connected to a switchport configured as auto for IPX, but the host is transmitting only IP traffic, the interface to which the host is connected will not transmit any flooded IPX traffic. However, if the host sends an IPX packet, the supervisor engine software detects the protocol traffic and the interface begins transmitting flooded IPX traffic. If the host stops sending IPX traffic for more than 60 minutes, the interface stops transmitting flooded IPX traffic.

By default, interfaces are configured to on for all protocol groups. Typically, you should only configure an interface to auto for IP if an end station is directly connected to the interface.
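The on/off/auto rules above are easiest to reason about as a small state machine per interface and protocol group. The following Python is an added example (not Cisco code) that models those rules as the text states them: the default of on for every group, the auto mode that transmits flood traffic only after a packet of that group has been received and stops again after 60 minutes of silence or on link down, the exemption of trunking interfaces, and the rule that an interface with interface security enabled belongs to every group. The group names and the `Interface` class are assumptions made for the example; the 60-minute timer comes from the text.

```python
"""Model of per-interface, per-protocol-group flood membership (added example, not Cisco code)."""
from dataclasses import dataclass, field

AUTO_TIMEOUT_SECONDS = 60 * 60          # 60-minute inactivity timer, from the text
GROUPS = ("ip", "ipx", "group", "other")  # column names used by show protocol-filtering


@dataclass
class Interface:
    name: str
    modes: dict = field(default_factory=lambda: dict.fromkeys(GROUPS, "on"))  # default: on
    last_seen: dict = field(default_factory=dict)   # group -> time of last received packet
    link_up: bool = True
    trunk: bool = False            # trunking interfaces ignore protocol filtering
    port_security: bool = False    # interface security => member of all groups

    def set_mode(self, group: str, mode: str) -> None:
        """Equivalent of 'switchport protocol <group> {on|off|auto}'."""
        if group not in GROUPS or mode not in ("on", "off", "auto"):
            raise ValueError(f"unknown group/mode: {group}/{mode}")
        self.modes[group] = mode

    def receive(self, group: str, now: float) -> None:
        """A packet of this protocol group arrived on the interface at time 'now'."""
        if self.link_up:
            self.last_seen[group] = now

    def set_link(self, up: bool) -> None:
        """Link down removes the interface from every auto group; it must see traffic again."""
        self.link_up = up
        if not up:
            self.last_seen.clear()

    def transmits_flood(self, group: str, now: float) -> bool:
        """Does the interface currently transmit flooded traffic of this group?"""
        if self.trunk or self.port_security:
            return True
        mode = self.modes[group]
        if mode == "on":
            return True
        if mode == "off":
            return False
        # auto: flood only within the inactivity window after a received packet
        seen = self.last_seen.get(group)
        return seen is not None and (now - seen) <= AUTO_TIMEOUT_SECONDS


def ipx_scenario() -> tuple:
    """The dual-stack host scenario from the text: IPX set to auto, host sends IP only,
    then one IPX packet, then goes quiet for more than 60 minutes."""
    fa = Interface("Fa5/8")
    fa.set_mode("ipx", "auto")
    fa.receive("ip", 0)                    # IP traffic does not enable IPX flooding
    before = fa.transmits_flood("ipx", 10)
    fa.receive("ipx", 20)                  # first IPX packet seen
    during = fa.transmits_flood("ipx", 30)
    after = fa.transmits_flood("ipx", 20 + AUTO_TIMEOUT_SECONDS + 1)
    return before, during, after           # expected (False, True, False)


if __name__ == "__main__":
    print(ipx_scenario())
```

The model deliberately keeps the per-group timer on the receiving side only; the text says nothing about transmitted packets refreshing membership, so the example does not assume it.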

Protocol filters are configured according to groups of protocols, not specific protocols. There are four groups of protocols defined:

Configuring Layer 3 Protocol Filtering

These sections describe how to configure Layer 3 protocol filtering on Ethernet-type VLANs and on any type of Ethernet interface:

Configuring Layer 3 Protocol Filtering
Disabling Layer 3 Protocol Filtering

Configuring Layer 3 Protocol Filtering

To configure Layer 3 protocol filtering on Ethernet interfaces, perform this task:

Step 1  Router(config)# protocol-filtering
        Enable Layer 3 protocol filtering on the switch.

Step 2  Router(config-if)# switchport protocol {appletalk | ip | ipx | group} {on | off | auto}
        In interface configuration mode, set the protocol membership of the desired interfaces.

Step 3  Router# show protocol-filtering [{interface interface-num} | {begin | exclude | include}]
        In privileged EXEC mode, verify the interface filtering configuration.

This example shows how to enable Layer 3 protocol filtering, set the protocol membership of Fast Ethernet interface 5/8 to allow IPX packets only, and verify the configuration:

Router(config)# protocol-filtering
Router(config)# interface fastethernet 5/8
Router(config-if)# switchport protocol appletalk off
Router(config-if)# switchport protocol ip off
Router(config-if)# switchport protocol ipx on
Router(config-if)# end
*Oct 25 13:32:26: %SYS-5-CONFIG_I: Configured from console by console
Router# show protocol-filtering interface fas 5/8
Interface       IP Mode         IPX Mode        Group Mode      Other Mode
--------------------------------------------------------------------------
Fa5/8           OFF             ON              OFF             OFF
Router#

Note The show protocol-filtering command shows only interfaces that have at least one protocol set to the nondefault configuration.
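Because show protocol-filtering lists only interfaces with at least one nondefault setting, an audit of the switch must treat every unlisted interface as on for all groups. The following Python is an added example (not Cisco code) that parses the table layout shown above and compares it with an intended per-interface policy; the sample output embedded in it is constructed to match that layout, and the `audit` function and policy format are assumptions made for the example.

```python
"""Audit 'show protocol-filtering' output against an intended policy (added example, not Cisco code)."""

# Constructed sample output, laid out like the table on this page.
SAMPLE_OUTPUT = """\
Router# show protocol-filtering
Interface       IP Mode         IPX Mode        Group Mode      Other Mode
--------------------------------------------------------------------------
Fa5/8           OFF             ON              OFF             OFF
Fa5/9           ON              AUTO            OFF             OFF
Router#
"""

DISABLED_OUTPUT = "Router# show protocol-filtering\nProtocol filtering is disabled\nRouter#\n"

COLUMNS = ("ip", "ipx", "group", "other")
VALID_MODES = ("ON", "OFF", "AUTO")
DEFAULT_MODES = dict.fromkeys(COLUMNS, "ON")   # interfaces default to on for all groups


def parse_show_protocol_filtering(text: str):
    """Return {interface: {group: mode}} for listed interfaces, or None if
    the switch reports that protocol filtering is disabled."""
    table = {}
    for line in text.splitlines():
        if line.startswith("Protocol filtering is disabled"):
            return None
        parts = line.split()
        # A data row is: <interface> <IP> <IPX> <Group> <Other>; skip header, rule and prompts.
        if len(parts) != 5 or not all(m in VALID_MODES for m in parts[1:]):
            continue
        table[parts[0]] = dict(zip(COLUMNS, parts[1:]))
    return table


def audit(text: str, policy: dict) -> list:
    """policy maps interface -> {group: expected mode}.  Interfaces absent from the
    show output are at the default (all ON), as the note on this page states."""
    table = parse_show_protocol_filtering(text)
    if table is None:
        return ["protocol filtering is disabled on the switch"]
    findings = []
    for iface, expected in policy.items():
        actual = table.get(iface, DEFAULT_MODES)
        for group, want in expected.items():
            got = actual[group]
            if got != want.upper():
                findings.append(f"{iface}: {group} mode is {got}, policy expects {want.upper()}")
    return findings


# Intended state for three access ports (constructed): Fa5/10 is not in the
# sample output, so it is still at the default of ON for every group.
POLICY = {
    "Fa5/8": {"ip": "off", "ipx": "on"},
    "Fa5/9": {"ipx": "off"},
    "Fa5/10": {"ip": "on", "ipx": "off"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, POLICY):
        print(finding)
```

The parser keys on the row shape rather than column offsets, so a wider interface name does not break it; rows that do not carry four valid modes are ignored rather than guessed at.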

Disabling Layer 3 Protocol Filtering

To disable Layer 3 protocol filtering, perform this task:

Router(config)# no protocol-filtering
        Disable Layer 3 protocol filtering on the switch.

This example shows how to disable Layer 3 protocol filtering on the switch and verify the configuration:

Router(config)# no protocol-filtering
Router(config)# exit
*Oct 25 13:33:38: %SYS-5-CONFIG_I: Configured from console by console
Router# show protocol-filtering
Protocol filtering is disabled
Router#

Posted: Mon Jan 3 14:16:19 PST 2000
Copyright © 1989-1999 Cisco Systems Inc.