Using named source-port filters

A company wants to manage traffic to the Internet and to its accounting server on a 26-port switch. Their network is pictured in Figure 110, Network configuration for named source-port filters. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet. Switch port 7 connects to the accounting server. Two accounting workstations are connected to switch ports 10 and 11.

Figure 110: Network configuration for named source-port filters


A named source-port filter may be defined and configured in two separate steps, but this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step. Note that a source-port filter acts only on the port a frame arrives on and the ports it may be forwarded to; names such as web-only describe the intent of the filter, not any matching on protocol or content.

Figure 111: Applying example named source-port filters

Once the named source-port filters have been defined and configured we now apply them to the switch ports.

Figure 112: Source port filters applied to switch ports

The show filter command shows what ports have filters applied.

Figure 113: Example of the show filter command

Using the IDX value reported by the show filter command, we can display how traffic arriving on a specific port is filtered. The two outputs below show a non-accounting switch port and an accounting switch port.

Figure 114: Showing traffic filtered on specific ports

The same command, using IDX 26, shows how traffic from the Internet is handled.

Figure 115: Source port filtering with internet traffic

As the company grows, more resources are required in accounting. Two additional accounting workstations are added and attached to ports 12 and 13, and a second server is added and attached to port 8.

Figure 116: Expanded network configuration for named source-port filters

The following revisions to the named source-port filter definitions maintain the desired traffic management: the accounting filter now forwards to ports 8, 12 and 13, and the no-incoming-web filter now drops traffic from the Internet to them. The result is visible in the Action column of the show command.

Figure 117: Network traffic management with source port filters
switch(config)# filter source-port named-filter accounting forward 8,12,13
switch(config)# filter source-port named-filter no-incoming-web drop 8,12,13
switch(config)# show filter source-port

 Traffic/Security Filters

 Filter Name        | Port List         | Action
 ------------------ + ----------------- + ----------------
 web-only           | 2-6,8-9,12-26     | drop 2-26
 accounting         | 7,10-11           | drop 1-6,9,14-26
 no-incoming-web    | 1                 | drop 7-8,10-13

We next apply the updated named source-port filters to the appropriate switch ports. A port can have only one source-port filter (named or not named), so before applying the accounting filter to ports 8, 12 and 13 we first remove the source-port filter currently on those ports.

Figure 118: No filter source-port
switch(config)# no filter source-port 8,12,13
switch(config)# filter source-port 8,12,13 named-filter accounting

The named source-port filters now manage traffic on the switch ports as shown below, using the show filter source-port command.

Figure 119: Named source-port filters managing traffic
switch(config)# show filter source-port

 Traffic/Security Filters

 Filter Name        | Port List         | Action
 ------------------ + ----------------- + ----------------
 web-only           | 2-6,9,14-26       | drop 2-26
 accounting         | 7-8,10-13         | drop 1-6,9,14-26
 no-incoming-web    | 1                 | drop 7-8,10-13
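Before pushing a filter change like the one above, it helps to derive the per-port reachability the show filter source-port table implies and compare it with the previous state. The following is an added example, not code from the switch manual: it parses copies of the two tables on this page (constructed inline), enforces the one-source-port-filter-per-port rule from the text, and reports which ports gained or lost egress ports as a result of moving ports 8, 12 and 13 to the accounting filter. The 26-port count and the assumption that the Action column only ever shows a drop list are taken from this page's output.

```python
"""Reachability model for `show filter source-port` output.

Added example (not from the switch manual): parses the table the page shows,
enforces the one-source-port-filter-per-port rule, and derives each port's
egress set so a change can be reviewed before it is applied to the switch.
"""
import re

PORT_COUNT = 26  # assumption: the 26-port switch in the page's example

# Constructed copies of the two `show filter source-port` tables on this page:
# the revised filter definitions before re-applying them to ports 8, 12, 13,
# and the final state after `filter source-port 8,12,13 named-filter accounting`.
BEFORE = """\
 Filter Name        | Port List         | Action
 ------------------ + ----------------- + ----------------
 web-only           | 2-6,8-9,12-26     | drop 2-26
 accounting         | 7,10-11           | drop 1-6,9,14-26
 no-incoming-web    | 1                 | drop 7-8,10-13
"""
AFTER = """\
 Filter Name        | Port List         | Action
 ------------------ + ----------------- + ----------------
 web-only           | 2-6,9,14-26       | drop 2-26
 accounting         | 7-8,10-13         | drop 1-6,9,14-26
 no-incoming-web    | 1                 | drop 7-8,10-13
"""

# A data row: name | port list | drop <port list>. The page's output only ever
# shows a drop list in the Action column, so that is all this parser accepts.
ROW = re.compile(r"^\s*(\S+)\s*\|\s*([\d,\-\s]+)\|\s*drop\s+([\d,\-]+)\s*$")


def expand_ports(spec):
    """'2-6,9,14-26' -> {2, 3, 4, 5, 6, 9, 14, ..., 26}."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= PORT_COUNT:
            raise ValueError(f"port range out of bounds: {part}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_show_filter(text):
    """Return {filter_name: (ingress_ports, dropped_egress_ports)}.

    Raises ValueError if a port appears under two filters: the switch allows
    only one source-port filter (named or unnamed) per port, so such a table
    is a transcription error or a stale view, not a valid configuration.
    """
    filters, owner = {}, {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, separator, blank
            continue
        name, port_list, drop_list = m.groups()
        ingress = expand_ports(port_list)
        for p in ingress:
            if p in owner:
                raise ValueError(f"port {p} listed under both {owner[p]} and {name}")
            owner[p] = name
        filters[name] = (ingress, expand_ports(drop_list))
    return filters


def egress_ports(filters):
    """Per ingress port, the ports a frame arriving there may be forwarded to.

    Source-port filters are port-based only: 'web-only' knows nothing about
    HTTP, it simply leaves port 1 as the only permitted egress. Ports with no
    filter can reach every other port.
    """
    every = set(range(1, PORT_COUNT + 1))
    egress = {p: every - {p} for p in every}
    for ingress, dropped in filters.values():
        for p in ingress:
            egress[p] = every - dropped - {p}
    return egress


def egress_diff(before_text, after_text):
    """{port: (newly_reachable, no_longer_reachable)} for ports whose egress changed."""
    before = egress_ports(parse_show_filter(before_text))
    after = egress_ports(parse_show_filter(after_text))
    return {p: (after[p] - before[p], before[p] - after[p])
            for p in before if after[p] != before[p]}


if __name__ == "__main__":
    for port, (gained, lost) in sorted(egress_diff(BEFORE, AFTER).items()):
        print(f"port {port}: +{sorted(gained)} -{sorted(lost)}")
```

Running the script shows that only ports 8, 12 and 13 change: each loses its path to port 1 (the Internet) and gains the accounting ports, while the Internet port, the other accounting ports and the web-only ports keep exactly the egress sets they had before. Feeding the parser a table in which a port appears under two filters raises an error instead of silently modelling an impossible configuration.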