1.1.8 Notes on using filters

<Structure of this section>

(1) Filters on frames with VLAN Tag

You cannot filter frames with three or more VLAN tags by using an Ethernet type for a MAC condition, an IPv4 condition, or an IPv6 condition specified as a flow detection condition.

Either of the following conditions must be satisfied to filter the frames with two VLAN tags on the receiving side by an Ethernet type for a MAC condition, an IPv4 condition, or an IPv6 condition as a flow detection condition:

The VLAN tunneling functionality is not active on the Switch.
The VLAN tunneling functionality is active on the Switch but frames were received by a trunk port.

(2) Filters for IPv4 fragment packets

If you filter by using a TCP/UDP header or ICMP header specified as a flow detection condition for a fragmented IPv4 packet, the second and subsequent fragments cannot be detected because the TCP/UDP header and ICMP header are not in those packets. To filter frames that include fragmented packets, specify the MAC header or IP header in the flow detection conditions.

(3) Filtering IPv6 Packets with Extension Headers

You cannot filter IPv6 packets that have an IPv6 extension header by using a TCP/UDP header or ICMP header as a flow detection condition. To filter packets that have an extension header, specify the MAC header or IPv6 header in the flow detection conditions.

(4) Understanding IPv4 Protocol-Discovery

The protocol name ah or the protocol number 51 cannot be detected as a filter condition.

(5) Operation when a filter entry is applied

When filter entries are applied to the interfaces on the Switch^#, packets may be detected by other filter entries including an implicit discard entry until the specified filter entries are applied. In this case, statistics for the filter entries including the implicit discard entry that detected the packets are collected.

#

When an access list containing one or more entries is applied to the interface by using the access group command
When an access list is applied by using the access group command to add an entry
When a filter entry is applied when the switch is started, the copy operation command is executed, or the restart vlan operation command is executed

(6) Behavior when changing filter entries

If a filter entry applied to an interface is changed on the Switch, detectable frames cannot be detected until the change has been applied. Consequently, such frames are detected as if they matched another filter entry or the implicit discard entry.

(7) Simultaneous operation with other functions

(a) Statistics for frames discarded under certain conditions

Frames are discarded when one of the conditions listed below is satisfied. However, if a frame matches a filter entry specified for the receiving-side interface, statistics for that filter entry are collected.

Frames are received from the VLAN port whose data transfer status is Blocking (data transfer stopped).
Frames are received from a port specified by the inter-port relay blocking functionality.
Frames without a VLAN tag are received when the native LAN is not set as the VLAN that uses a trunk port for sending and receiving frames.
Received frames that have a VLAN tag are not set for a VLAN that uses a trunk port for sending and receiving frames.
Frames with a VLAN Tag are received at access, protocol or MAC ports.
Frames are discarded by the MAC address learning functionality.
Frames are discarded by the Layer 2 relay blocking functionality.
Frames are discarded by the Layer 2 authentication functionality.
When a frame is discarded due to an invalid Layer 2 protocol
Frames are discarded by IGMP snooping or MLD snooping.
Frames are discarded by DHCP snooping.
Fames are discarded by QoS control.
Frames are discarded by storm control.
Packets are discarded by IP layer or IPv6 layer forwarding.

(b) Storm detection when using a filter

When discarding by filter detection and by storm detection occur at the same time, more frames may be discarded, including frames that would originally be forwarded.