Use this wizard to filter:
Filtering can be based on network addresses, TCP/UDP applications, or (for Catalyst 3550 switches) both. The wizard lets you choose whether to drop or forward packets that meet the filtering criteria.
To use the wizard, you must know how the network is designed and how interfaces are used on the filtering device -- that is, which interfaces are for inbound traffic and which are for outbound traffic.
From the Host Name list, select a device on which you want to filter packets.
The maximum of four user-defined masks has already been defined on the device. No masks are available for configuring security. Refer to the Resource Monitor window for more details.
The maximum of four user-defined masks has already been defined on the device. You might still be able to configure security if the selections you make in the next steps reuse the existing masks. Refer to the Resource Monitor window for more details.
From the Available Interfaces list, select one or more interfaces on which you want to filter inbound packets. Then click Add. The interfaces that you select will move to the Selected Interfaces list.
If you do not want to filter inbound packets on an interface in the Selected Interfaces list, select it and click Remove.
From the Available Interfaces list, select one or more routed ports or SVIs on which you want to filter outbound packets. Then click Add. Your selections will move to the Selected Interfaces list.
If you do not want to filter outbound packets on a routed port or SVI in the Selected Interfaces list, select it and click Remove.
From the Available VLANs list, select one or more VLANs on which you want to filter packets. Then click Add. The VLANs that you selected will move to the Selected VLANs list.
Note: For each selected VLAN, the wizard will create a VLAN map and apply it to the VLAN.
If you do not want to filter packets on a VLAN in the Selected VLANs list, select it and click Remove.
Select permit all or deny all from the Default Action list. Selecting permit all means that all packets will be forwarded except those that match your filters (to be created in later steps). Selecting deny all means that no packets will be forwarded except those that match your filters.
Your filters will be compared to data in the packet header. Specify whether you want them to be compared to IP addresses, application ports, or both. If they will be compared to IP addresses, check the Network box. If application ports, check the Applications box. If both, check both boxes.
Your filters will be compared to data in the packet header. Specify whether you want them to be compared to IP addresses or application ports. If they will be compared to IP addresses, select Network. If application ports, select Applications.
Each row in this table is a filter that is compared to IP addresses. If the device you selected is a Catalyst 3550 switch, each filter can be compared to destination addresses as well as to source addresses.
To add a filter to the table, click Create. To remove a filter, select it and click Delete.
In the Source Address field, enter the source IP address that you want to use with a subnet mask.
From the Source Subnet Mask list, select a subnet mask to be used with the source IP address. If the device you selected is a Catalyst 2950 switch, the source subnet mask you select for your first filter must be used in subsequent filters.
Your mask selection is converted to binary, as is the source IP address. The two binary strings are compared bit by bit, and a set of IP addresses is generated. Wherever a 0 occurs in the mask, the generated IP addresses retain the bit that sits in the same position in the source IP address. Wherever a 1 occurs in the mask, the bit in that position is irrelevant; the generated IP addresses can contain either a 1 or a 0 there. If the source IP address field of the packet header contains one of the generated IP addresses, the source part of the filter has a match, but the packet is forwarded or dropped only if the entire filter matches the packet header.
The choice any in the Source Subnet Mask list is equivalent to a string of binary 1s. It matches any source IP address in the packet header. The choice host is equivalent to a string of binary 0s. It matches only the IP address you enter in the Source Address field.
In the Destination Address field, enter the destination IP address that you want to use with a subnet mask.
From the Destination Subnet Mask list, select a subnet mask to be used with the destination IP address. If the device you selected is a Catalyst 2950 switch, the destination subnet mask you select for your first filter must be used in subsequent filters.
Your mask selection is converted to binary, as is the destination IP address. The two binary strings are compared bit by bit, and a set of IP addresses is generated. Wherever a 0 occurs in the mask, the generated IP addresses retain the bit that sits in the same position in the destination IP address. Wherever a 1 occurs in the mask, the bit in that position is irrelevant; the generated IP addresses can contain either a 1 or a 0 there. If the destination IP address field of the packet header contains one of the generated IP addresses, the destination part of the filter has a match, but the packet is forwarded or dropped only if the entire filter matches the packet header.
The choice any in the Destination Subnet Mask list is equivalent to a string of binary 1s. It matches any destination IP address in the packet header. The choice host is equivalent to a string of binary 0s. It matches only the IP address you enter in the Destination Address field.
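The mask semantics described for the source and destination steps above (0 = the bit must match, 1 = the bit is irrelevant, any = all 1s, host = all 0s) are those of a wildcard mask, so a mask such as 0.0.0.255 matches a whole block of addresses even though the list is labelled Subnet Mask. The following added example, which is not part of this help text or of the wizard's own code, models that comparison in Python: it generates the address set for a filter/mask pair, evaluates a filter table against a packet under the permit all and deny all default actions, and implements the Catalyst 2950 check that later filters reuse the mask of the first one. The Filter and Packet types, the function names, and the sample packets are constructed for illustration; the assumption that an application's TCP/UDP port is compared with the packet's destination port is also the example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALL_ONES = 0xFFFFFFFF  # 32-bit IPv4 address width


def addr_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mask_to_int(mask: str) -> int:
    # "any" is equivalent to a string of binary 1s (every bit irrelevant);
    # "host" is equivalent to a string of binary 0s (every bit must match).
    if mask == "any":
        return ALL_ONES
    if mask == "host":
        return 0
    return addr_to_int(mask)


def address_matches(filter_addr: str, mask: str, packet_addr: str) -> bool:
    """Bits opposite a 0 in the mask must equal the filter address; bits opposite a 1 are ignored."""
    care = ALL_ONES & ~mask_to_int(mask)
    return (addr_to_int(filter_addr) & care) == (addr_to_int(packet_addr) & care)


def generated_addresses(filter_addr: str, mask: str, max_wildcard_bits: int = 8) -> List[str]:
    """Enumerate the set of addresses a filter/mask pair matches (refused for very wide masks)."""
    m = mask_to_int(mask)
    if bin(m).count("1") > max_wildcard_bits:
        raise ValueError("mask has too many wildcard bits to enumerate")
    base = addr_to_int(filter_addr) & ALL_ONES & ~m
    result, sub = [], m
    while True:  # walk every sub-pattern of the wildcard bits
        result.append(str(ipaddress.IPv4Address(base | sub)))
        if sub == 0:
            break
        sub = (sub - 1) & m
    return sorted(result, key=addr_to_int)


@dataclass
class Packet:  # constructed model of the header fields the wizard compares
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0


@dataclass
class Filter:  # one row of the wizard's filter table (hypothetical type)
    src_addr: str
    src_mask: str
    dst_addr: Optional[str] = None  # destination matching is only available on a Catalyst 3550
    dst_mask: Optional[str] = None
    apps: Set[Tuple[str, int]] = field(default_factory=set)  # (protocol, port) pairs

    def matches(self, pkt: Packet) -> bool:
        if not address_matches(self.src_addr, self.src_mask, pkt.src):
            return False
        if self.dst_addr is not None and not address_matches(self.dst_addr, self.dst_mask, pkt.dst):
            return False
        if self.apps and (pkt.proto, pkt.dst_port) not in self.apps:
            return False
        return True  # every part of the filter matched the header


def decide(filters: List[Filter], default_action: str, pkt: Packet) -> str:
    """permit all forwards everything except matching packets; deny all drops everything except matches."""
    matched = any(f.matches(pkt) for f in filters)
    if default_action == "permit all":
        return "drop" if matched else "forward"
    if default_action == "deny all":
        return "forward" if matched else "drop"
    raise ValueError(f"unknown default action: {default_action}")


def check_catalyst_2950_masks(filters: List[Filter]) -> List[str]:
    """On a Catalyst 2950 the mask chosen for the first filter must be used by all later filters."""
    problems = []
    for i, f in enumerate(filters[1:], start=2):
        if f.src_mask != filters[0].src_mask:
            problems.append(f"filter {i}: source mask {f.src_mask} differs from {filters[0].src_mask}")
    return problems


def define_application(protocol: str, name: str, port: int) -> Tuple[str, int]:
    """Mirror the Add New step: protocol is tcp or udp, port is 1..65535 inclusive."""
    if protocol not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    if not 1 <= port <= 65535:
        raise ValueError("port must be between 1 and 65535, inclusive")
    return (protocol, port)


if __name__ == "__main__":
    telnet = define_application("tcp", "telnet", 23)
    rules = [Filter("10.1.1.0", "0.0.0.255", apps={telnet})]
    print(generated_addresses("10.1.1.4", "0.0.0.3"))
    print(decide(rules, "permit all", Packet("10.1.1.7", "192.0.2.10", "tcp", 23)))
```

Running the block prints the four addresses generated by 10.1.1.4 with mask 0.0.0.3 and shows that, under permit all, a Telnet packet from the 10.1.1.0 block is dropped while everything else is forwarded; switching the default action to deny all inverts both outcomes.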
From the Available Applications list, select the applications that you want the filter to drop or forward. Then click Add. The applications that you selected will move to the Selected Applications list.
If you do not want to filter an application in the Selected Applications list, select it and click Remove.
To define a new entry in the Available Applications list, click Add New.
This window lets you select the TCP or UDP applications that you want the filter to forward or drop. Select tcp to see a list of available TCP applications; select udp to see a list of available UDP applications.
From the Available Applications list, select the TCP or UDP applications to be forwarded or dropped. Then click Add. The applications that you selected will move to the Selected Applications list.
If you do not want to filter an application in the Selected Applications list, select it and click Remove.
To define a new entry in the Available Applications list, click Add New.
From the Protocol list, select the protocol -- either tcp or udp -- for the application that you are defining.
In the Application Name field, enter the name of the application.
In the TCP/UDP Port field, enter a port number between 1 and 65535, inclusive.
When you click Next, you return to the preceding step and see the application that you defined in the Selected Applications list.
Note: The new application will not appear as an available or selected application if you use the wizard again.