Overview - HP ProCurve 2810 Series Access Security Manual


Traffic/Security Filters

Overview


General Operation. You can enhance in-band security and improve control over access to network resources by configuring static per-port filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving between an inbound (source) port or trunk and any outbound (destination) ports and trunks (if any) on the switch. Source-port filters have no effect on traffic being routed across VLANs.

The switch manages a port trunk as a single source or destination for source-port filtering. If you configure a port for filtering before adding it to a port trunk, the port retains the filter configuration, but suspends the filtering action while a member of the trunk. If you want a trunk to perform filtering, first configure the trunk, then configure the trunk for filtering. Refer to "Configuring a Filter on a Port Trunk" on page 10-5.

When you create a source port filter, all ports or port trunks on the switch appear as destinations on the list for that filter. The switch automatically forwards traffic to the ports and/or trunks you do not specifically configure to drop traffic. (Destination ports that comprise a trunk are listed collectively by the trunk name, such as Trk1, instead of by individual port name.) For example, if you want to prevent server "A" from receiving traffic sent by workstation "X", but do not want to prevent any other servers or end nodes from receiving traffic from workstation "X", you would configure a filter to drop traffic from port 5 to port 7. The resulting filter would drop traffic from port 5 to port 7, but would forward all other traffic from any source port to any destination port (refer to figures 10-1 and 10-2).

Figure 10-1. Example of a Filter Blocking Traffic only from Port 5 to Server "A" (diagram labels: Workstation "X", Port 5, Port 7, Port 8, Port 9, Server "A", Server "B", Server "C")
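
The forwarding rules described above can be modelled in a few lines to check an intended filter plan before it is configured, including the case where a port-level filter is silently suspended by trunk membership. This is an added example, not code from the manual or from HP; the class and method names and the trunk scenario (ports 8 and 9 placed in Trk1) are assumptions made for illustration.

```python
# Added model of the static source-port filter rules described above.
# Class and method names are hypothetical; this is not ProCurve software.

class SourcePortFilterModel:
    def __init__(self):
        self.trunk_of = {}   # port -> trunk name, e.g. "9" -> "Trk1"
        self.drops = {}      # filter source (port or trunk) -> dropped destinations

    def add_to_trunk(self, port, trunk):
        # A filter already on the port stays in self.drops but is no longer consulted.
        self.trunk_of[port] = trunk

    def set_filter(self, source, drop):
        # Destinations not listed in `drop` keep the default action: forward.
        self.drops[source] = set(drop)

    def _endpoint(self, port):
        # The switch treats a trunk as a single source or destination.
        return self.trunk_of.get(port, port)

    def decide(self, in_port, out_port, routed=False):
        if routed:
            # Source-port filters have no effect on traffic routed across VLANs.
            return "forward"
        src = self._endpoint(in_port)
        dst = self._endpoint(out_port)
        return "drop" if dst in self.drops.get(src, set()) else "forward"

    def suspended_filters(self):
        # Port-level filters retained but inactive because the port joined a trunk.
        return sorted(p for p in self.drops if p in self.trunk_of)


def build_example():
    # Constructed scenario: the manual's port 5 -> port 7 filter, plus a trunk case.
    sw = SourcePortFilterModel()
    sw.set_filter("5", drop={"7"})   # workstation "X" must not reach server "A"
    sw.set_filter("8", drop={"7"})   # configured on port 8 before trunking...
    sw.add_to_trunk("8", "Trk1")     # ...so it is suspended once 8 joins Trk1
    sw.add_to_trunk("9", "Trk1")
    return sw


if __name__ == "__main__":
    sw = build_example()
    print(sw.decide("5", "7"), sw.decide("5", "8"), sw.decide("8", "7"))
    print("suspended:", sw.suspended_filters())
```

A non-empty `suspended_filters()` result marks filters that exist in the configuration but are not being enforced, which is the condition the manual's trunk guidance is meant to avoid.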
