25 May 2011

Protocol Filtering

■ Protocol filtering can be configured on Catalyst 4500 and 6500
series switches.

■ Protocol filtering does not require any special feature cards on the
switch to operate.

■ Protocol filtering enables you to configure a port to filter or block flood
traffic (broadcasts, multicasts, and unknown unicasts) on a per-protocol basis.

■ Protocol filtering is supported only on Layer 2 access ports and
cannot be configured on trunk links or Layer 3 ports.

■ Protocol filtering supports blocking of IP, IPX, AppleTalk, VINES,
and DECnet traffic. No other protocols are affected by protocol
filtering.

■ Administrative protocols such as Spanning Tree Protocol (STP),
Cisco Discovery Protocol (CDP), and VLAN Trunking Protocol
(VTP) are not blocked by protocol filtering.

Configuration

Protocol filtering prevents a port from forwarding flood traffic of a
given protocol that the switch received on other ports in the same
VLAN. This is useful for containing traffic from clients within one
VLAN that run different and "chatty" protocols. To configure
protocol filtering, use the following steps.

1. Enable protocol filtering for the switch:
(global) protocol-filter

Protocol filtering is disabled by default. For the ports to control
the traffic, you must first enable protocol filtering for the switch.
After enabling the process, you can set up the ports to react to
a given protocol.

2. Enable protocol filtering on an access port:
(interface) switchport protocol {ip | ipx | group} {on | off | auto}

For each port on which you want to control traffic, specify the
protocol and how its traffic is to be handled. The first keyword
selects the protocol: ip (IP), ipx (IPX), or group (AppleTalk, DECnet,
and Banyan VINES). The second keyword selects the handling. on means
the port receives traffic for the protocol and forwards flood traffic
for it. off means the port can neither receive nor flood traffic for
that protocol. auto means the port does not flood traffic for the
protocol until it first receives a packet of that protocol on the port.

Verification

To verify the configuration of protocol filtering, use the following
commands:
(privileged) show protocol-filtering
OR
(privileged) show protocol-filtering interface {type slot/port}

These show commands display the configuration for the specified
ports. In IOS, the command show protocol-filtering without any
port designations will show only ports that have at least one protocol
that is in the nondefault mode.

Feature Example

This example shows the configuration for protocol filtering. It first
enables protocol filtering. It then configures Fast Ethernet ports 5/1
through 5/6 to pass IP traffic unfiltered while blocking the other
filtered protocols. Ports 5/7 and 5/8 are configured to allow only
IPX traffic. Ports 5/9 and 5/10 forward IP and IPX flood traffic only
after an IP or IPX client is detected on the port, and leave all other
traffic to be forwarded:

Switch(config)# protocol-filter
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport protocol ip on
Switch(config-if)# switchport protocol ipx off
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/2
Switch(config-if)# switchport protocol ip on
Switch(config-if)# switchport protocol ipx off
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/3
Switch(config-if)# switchport protocol ip on
Switch(config-if)# switchport protocol ipx off
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/4
Switch(config-if)# switchport protocol ip on
Switch(config-if)# switchport protocol ipx off
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/5
Switch(config-if)# switchport protocol ip on
Switch(config-if)# switchport protocol ipx off
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/6
Switch(config-if)# switchport protocol ip on
Switch(config-if)# switchport protocol ipx off
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/7
Switch(config-if)# switchport protocol ip off
Switch(config-if)# switchport protocol ipx on
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/8
Switch(config-if)# switchport protocol ip off
Switch(config-if)# switchport protocol ipx on
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/9
Switch(config-if)# switchport protocol ip auto
Switch(config-if)# switchport protocol ipx auto
Switch(config-if)# switchport protocol group off
Switch(config-if)# interface fastethernet 5/10
Switch(config-if)# switchport protocol ip auto
Switch(config-if)# switchport protocol ipx auto
Switch(config-if)# switchport protocol group off
Switch(config-if)# end
Switch# copy running-config startup-config
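The following added example (not part of the original post, and not Cisco code) models the on/off/auto semantics from step 2 and the verification behaviour described above: it parses the kind of configuration shown in the feature example, lists the ports that show protocol-filtering without a port argument would report, and simulates whether a flood frame of a given protocol leaves a port. The sample configuration is constructed from two ports of the example; the assumption that on is the per-protocol default is labelled in the code, since the page does not state it.

```python
from collections import defaultdict
# Constructed sample: two ports taken from the feature example on this page.
SAMPLE_CONFIG = """\
protocol-filter
interface fastethernet 5/1
 switchport protocol ip on
 switchport protocol ipx off
 switchport protocol group off
interface fastethernet 5/9
 switchport protocol ip auto
 switchport protocol ipx auto
 switchport protocol group off
"""
# Protocols that protocol filtering covers, mapped to the keyword controlling them.
COVERED = {"ip": "ip", "ipx": "ipx", "appletalk": "group", "decnet": "group", "vines": "group"}
DEFAULT_MODE = "on"  # assumption: the page does not state the per-protocol default

def parse_protocol_filter(config):
    """Return (filter_enabled, {interface: {ip/ipx/group: mode}}) from config text."""
    enabled, ports, cur = False, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if words == ["protocol-filter"]:
            enabled = True
        elif words[:1] == ["interface"]:
            cur = " ".join(words[1:])
            ports[cur] = {k: DEFAULT_MODE for k in ("ip", "ipx", "group")}
        elif words[:2] == ["switchport", "protocol"] and cur and len(words) == 4:
            ports[cur][words[2]] = words[3]
    return enabled, ports

def nondefault_ports(ports):
    """Ports that 'show protocol-filtering' (no port given) lists: any mode != default."""
    return sorted(i for i, m in ports.items() if any(v != DEFAULT_MODE for v in m.values()))

class FloodSimulator:
    """Decides whether flood traffic of a protocol leaves a port, honouring on/off/auto."""
    def __init__(self, enabled, ports):
        self.enabled, self.ports = enabled, ports
        self.seen = defaultdict(set)  # port -> protocol keywords already received on it
    def receive(self, port, proto):
        """A client on 'port' sent a frame of 'proto'; 'auto' ports remember it."""
        key = COVERED.get(proto)
        if key and self.ports.get(port, {}).get(key, DEFAULT_MODE) != "off":
            self.seen[port].add(key)
    def floods(self, port, proto):
        """True if a flood frame of 'proto' arriving from another port is sent out 'port'."""
        key = COVERED.get(proto)
        if not self.enabled or key is None:  # filtering disabled, or STP/CDP/VTP etc.
            return True
        mode = self.ports.get(port, {}).get(key, DEFAULT_MODE)
        return mode == "on" or (mode == "auto" and key in self.seen[port])
```

Running the simulator over a real running-config (with the default mode corrected for your platform) gives a quick audit of which protocols each access port can still receive flood traffic for.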

biOos

2 comments:

rolfis said...

This feature would be exactly what I'm looking for to apply to printer ports - unfortunately I couldn't find any Catalyst in our network that supports it or even knows the commands.
Found a configuration guide for c6500 12.1E which says it was introduced with 12.0(7)XE (...) but I don't have the impression that it's still supported.

MBORILE said...

rolfis, protocol filtering can be configured on Catalyst 4500 and 6500
series switches only.