Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify.
-
For inbound traffic matching the filter type, determine the filter action you want for each outbound (destination) port on the switch (forward or drop). The default action for a new filter is to forward traffic of the specified type to all outbound ports.
-
Use
show filterto check the filter listing to verify that you have configured correct action for the desired outbound ports.
Syntax:
Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The
noform of the command deletes the source-port filter for <port-number> and returns the destination ports for that filter to the Forward action. (Default: Forward on all ports.)
NOTE: If multiple VLANs are configured, the source-port and the destination port(s) must be in the same VLAN unless routing is enabled. Similarly, if a VLAN containing both the source and destination is multinetted, the source and destination ports and/or trunks must be in the same subnet unless routing is enabled.
![[NOTE: ]](images/note.gif)
Syntax:
Configures the filter to drop traffic for the ports and/or trunks in the designated
<. Can be followed bydestination-port-list>forward<if you have other destination ports set todestination-port-list>dropthat you want to change toforward. If no drop or forward action is specified, the switch automatically creates a filter with aforwardaction from the designated source port (or trunk) to all destination ports (or trunks) on the switch.
Syntax:
Configures the filter to forward traffic for the ports and/ or trunks in the designated
<. Becausedestination-port-list>forwardis the default state for destinations in a filter, this command is useful when destinations in an existing filter are configured fordropand you want to change them toforward. Can be followed bydrop<if you have other destination ports set todestination-port-list>forwardthat you want to change todrop. If no drop or forward action is specified, the switch automatically creates a filter with a forward action from the designated source port (or trunk) to all destination ports (or trunks) on the switch.
Example:
For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15. To create this filter you would execute this command:
Later, suppose you wanted to shift the destination port range for this filter up by two ports; that is, to have the filter drop all traffic received on port 5 with a destination of any port in the range of port 12 to port 17. (The Trk1 destination is already configured in the filter and can remain as-is.)With one command you can restore forwarding to ports 10 and 11 while adding ports 16 and 17 to the "drop" list:
This operation uses the same command as is used for configuring a filter on an individual port. However, the configuration process requires two steps:
For example, to create a filter on port trunk 1 to drop traffic received inbound for trunk 2 and ports 10-15:
Note that if you first configure a filter on a port and then later add the port to a trunk, the port remains configured for filtering but the filtering action will be suspended while the port is a member of the trunk. That is, the trunk does not adopt filtering from the port configuration. You must still explicitly configure the filter on the port trunk. If you use the show filter < command for a filter created before the related source port was added to a trunk, the port number appears between asterisks ( * ), indicating that the filter action has been suspended for that filter. For example, if you create a filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following:index>
The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port or trunk. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter. For example, suppose you configure a filter to drop traffic received on port 8 and destined for ports 1 and 2. The resulting filter is shown on the left in Assigning additional destination ports to an existing filter. Later, you update the filter to drop traffic received on port 8 and destined for ports 3 through 5. Since only one filter exists for a given source port, the filter on traffic from port 8 appears as shown on the right in Assigning additional destination ports to an existing filter:
Assigning additional destination ports to an existing filter
HP Switch(config)# show filter 1 HP Switch(config)# show filter 1 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 8 Source Port : 8 Dest Port Type | Action Dest Port Type | Action --------- --------- + ------- --------- --------- + ------- 1 100/1000T | Drop 1 100/1000T | Drop 2 100/1000T | Drop 2 100/1000T | Drop 3 100/1000T | Forward 3 100/1000T | Drop 4 100/1000T | Forward 4 100/1000T | Drop 5 100/1000T | Forward 5 100/1000T | Drop 6 100/1000T | Forward 6 100/1000T | Forward 7 100/1000T | Forward 7 100/1000T | Forward
Syntax:
Example:
Suppose you wanted to configure the filters in Filter example on a switch. (For more on source-port filters, see Configuring a source-port traffic filter.
Filter example
| Filter type | Filter value | Action | Destination ports |
|---|---|---|---|
| source-port | Inbound ports: 1, 2[a] | Drop | 1-4 |
| multicast | 010000-123456 | Drop | 5-8, 9-12 |
| multicast | 010000-224466 | Drop | 13-15 |
| protocol | Appletalk | Drop | 16-19, 1 |
| protocol | ARP | Drop | 22, 23-24 |
|
[a] *Because the switch allows one inbound port in a source-port filter, the requirement to filter ports 1 and 2 means you will configure two separate source-port filters. |
|||
The following commands configure the filters listed above:
Configuring various traffic/security filters
HP Switch(config)# filter source-port 1 drop e 1-4 HP Switch(config)# filter source-port 2 drop 1-4 HP Switch(config)# filter multicast 010000-123456 drop e 5-8,9-12 HP Switch(config)# filter multicast 010000-224466 drop e 13-15 HP Switch(config)# filter protocol appletalk drop e 16-19,1 HP Switch(config)# filter protocol arp drop e 22,23-24
The switch automatically assigns each new filter to the lowest-available index (IDX) number. The index numbers are included in the show filter command described in the next section and are used with the show filter < command to display detailed information about a specific filter.index>
If there are no filters currently configured, and you create three filters in succession, they will have index numbers 1-3. However, if you then delete the filter using index number “2” and then configure two new filters, the first new filter will receive the index number “2” and the second new filter will receive the index number "4". This is because the index number “2” was made vacant by the earlier deletion, and was therefore the lowest index number available for the next new filter.
This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters.
Syntax:
Lists the filters configured in the switch, with corresponding filter index (IDX) numbers. IDX: An automatically assigned index number used to identify the filter for a detailed information listing. A filter retains its assigned IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. This can result in a newer filter having a lower IDX number than an older filter if a previous filter deletion created a gap in the filter listing.
Filter Type
Indicates the type of filter assigned to the IDX number (source-port, multicast, or protocol).
Value
Indicates the port number or port-trunk name of the source port or trunk assigned to the filter.
[index]Lists the filter type and other data for the filter corresponding to the index number in the show filter output. Also lists, for each outbound destination port in the switch, the port number, port type, and filter action (forward or drop). The switch assigns the lowest available index number to a new filter. If you delete a filter, the index number for that filter becomes available for the next filter you create.
Example:
To display the filters created in Configuring various traffic/security filters and then list the details of the multicast filter for multicast address 010000-224466:
