Riverstone Networks WICT1-12 User Manual

Riverstone Networks RS Switch Router User Guide   Release 8.0   25-7
Security Configuration
Layer-2 Security Filters  
Static entry filters
These filters allow or force traffic to go to a set of destination ports based on a frame's 
source MAC address, destination MAC address, or both source and destination MAC 
addresses in flow bridging mode. Static entries are always configured and applied at 
the input port.
Secure port filters
A secure filter shuts down access to the RS based on MAC addresses. All packets 
received by a port are dropped. When combined with static entries, however, these 
filters can be used to drop all received traffic but allow some frames to go through.
25.2.1 Configuring Layer-2 Address Filters
If you want to control access to a source or destination on a per-MAC address basis, you can configure an address filter. 
Address filters are always configured and applied to the input port. You can set address filters on the following:
• A source MAC address, which filters out any frame coming from a specific source MAC address
• A destination MAC address, which filters out any frame destined to a specific destination MAC address
• A flow, which filters out any frame coming from a specific source MAC address that is also destined to a specific destination MAC address
To configure Layer-2 address filters, enter the following commands in Configure mode:

Configure a source MAC based address filter.
    filters add address-filter name <name> source-mac <MACaddr>|any source-mac-mask <mask>|any vlan <VLAN-num>|any in-port-list <port-list>

Configure a destination MAC based address filter.
    filters add address-filter name <name> dest-mac <MACaddr>|any dest-mac-mask <mask> vlan <VLAN-num>|any in-port-list <port-list>

Configure a Layer-2 flow address filter.
    filters add address-filter name <name> source-mac <MACaddr>|any source-mac-mask <mask> dest-mac <MACaddr>|any dest-mac-mask <mask> vlan <VLAN-num>|any in-port-list <port-list>

25.2.2 Configuring Layer-2 Port-to-Address Lock Filters
Port address lock filters allow you to bind or “lock” specific source MAC addresses to a port or set of ports. Once a port is locked, only the specified source MAC address is allowed to connect to the locked port and the specified source MAC address is not allowed to connect to any other ports.
To configure Layer-2 port address lock filters, enter the following commands in Configure mode:

Configure a port address lock filter.
    filters add port-address-lock name <name> source-mac <MACaddr> vlan <VLAN-num> in-port-list <port-list>
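
The drop decisions described in sections 25.2.1 and 25.2.2 can be modeled in a few lines of Python. This is an added illustration, not code from the Riverstone guide or the RS software. Assumptions: mask bits that are set are the bits compared, a port address lock applies only within its VLAN, and the port names and MAC values in any usage are constructed.

```python
# Added illustration: a model of the filter semantics described above,
# not Riverstone code. MACs are 48-bit ints; port names are constructed.
from dataclasses import dataclass
from typing import Optional

FULL = 0xFFFFFFFFFFFF

@dataclass(frozen=True)
class Frame:
    src: int
    dst: int
    vlan: int
    in_port: str

@dataclass(frozen=True)
class AddressFilter:                 # models: filters add address-filter
    in_ports: frozenset
    src: Optional[int] = None        # None models the keyword "any"
    dst: Optional[int] = None
    vlan: Optional[int] = None
    src_mask: int = FULL             # assumption: only set mask bits are compared
    dst_mask: int = FULL

    def drops(self, f: Frame) -> bool:
        if f.in_port not in self.in_ports:
            return False             # filters are applied at the input port only
        if self.vlan is not None and f.vlan != self.vlan:
            return False
        src_hit = self.src is None or ((f.src ^ self.src) & self.src_mask) == 0
        dst_hit = self.dst is None or ((f.dst ^ self.dst) & self.dst_mask) == 0
        return src_hit and dst_hit   # src and dst both set = flow filter

@dataclass(frozen=True)
class PortAddressLock:               # models: filters add port-address-lock
    src: int
    vlan: int
    in_ports: frozenset

def lock_drops(f: Frame, locks) -> bool:
    same_vlan = [l for l in locks if l.vlan == f.vlan]  # assumption: lock is per VLAN
    macs_on_port = {l.src for l in same_vlan if f.in_port in l.in_ports}
    ports_for_mac = {p for l in same_vlan if l.src == f.src for p in l.in_ports}
    if macs_on_port and f.src not in macs_on_port:
        return True                  # locked port, source MAC not bound to it
    return bool(ports_for_mac) and f.in_port not in ports_for_mac  # bound MAC on another port

def forwards(f: Frame, filters=(), locks=()) -> bool:
    """True when no address filter and no port address lock drops the frame."""
    return not (any(a.drops(f) for a in filters) or lock_drops(f, locks))
```

A frame whose source MAC is bound to one port but arrives on another is dropped by `lock_drops`, which is the case worth alerting on when auditing for moved or spoofed stations.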