12.1.4 Terminal filter
(1) Overview
A terminal filter monitors the IPv4 packets that pass through the Switch and limits access from untrusted terminals.
The following figure provides an overview of how a terminal filter works.
You can set a terminal filter for each port by using the ip verify source configuration command.
To use the terminal filter, you must first set the receive-side flow detection mode to a mode that supports the terminal filter (custom with layer3-dhcp-1, layer3-suppress-dhcp-1, or dhcp-filter).
(2) Inspecting IPv4 Packets
If the switch receives an IPv4 packet on an untrusted port, the switch checks whether the source of the packet is in the binding database. If the packet comes from an unregistered terminal, the switch discards the IPv4 packet.
The following table describes the items checked by a terminal filter.
Filtering to be performed | Receiving interface: Port | Receiving interface: VLAN ID | Ethernet header: Source MAC address | IP header: Source IP address |
---|---|---|---|---|
Check source MAC addresses only | OK | OK | OK | - |
Check source IP addresses only | OK | OK | - | OK |
Check source MAC addresses and source IP addresses | OK | OK | OK | OK |

(Legend) OK: Inspection object; -: Not inspected
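
The inspection rules in the table above, modelled as an added Python example (it is not code from the Switch or its documentation). The `permits` function, the in-memory binding list, the port names and the addresses are constructed for illustration; the example shows which fields each filtering mode leaves uninspected, which matters when choosing a mode for a port.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    MAC_ONLY = "mac"          # check source MAC addresses only
    IP_ONLY = "ip"            # check source IP addresses only
    MAC_AND_IP = "mac+ip"     # check source MAC and source IP addresses


@dataclass(frozen=True)
class Binding:                # one binding database entry (hypothetical layout)
    port: str
    vlan: int
    mac: str
    ip: str


@dataclass(frozen=True)
class Packet:                 # the header fields the terminal filter looks at
    port: str
    vlan: int
    src_mac: str
    src_ip: str


def permits(bindings, mode, pkt, trusted_ports=frozenset()):
    """Return True if the packet is forwarded, False if it is discarded."""
    if pkt.port in trusted_ports:
        return True           # only packets on untrusted ports are inspected
    for b in bindings:
        if (b.port, b.vlan) != (pkt.port, pkt.vlan):  # inspected in every mode
            continue
        mac_ok = mode is Mode.IP_ONLY or b.mac.lower() == pkt.src_mac.lower()
        ip_ok = mode is Mode.MAC_ONLY or b.ip == pkt.src_ip
        if mac_ok and ip_ok:
            return True
    return False              # unregistered terminal: discard


# Constructed sample data (documentation address ranges, made-up port names).
BINDINGS = [Binding("0/1", 10, "00:00:5e:00:53:01", "192.0.2.10")]
GENUINE = Packet("0/1", 10, "00:00:5e:00:53:01", "192.0.2.10")
FORGED_IP = Packet("0/1", 10, "00:00:5e:00:53:01", "192.0.2.99")
FORGED_MAC = Packet("0/1", 10, "00:00:5e:00:53:02", "192.0.2.10")
MOVED_PORT = Packet("0/2", 10, "00:00:5e:00:53:01", "192.0.2.10")

if __name__ == "__main__":
    for pkt in (GENUINE, FORGED_IP, FORGED_MAC, MOVED_PORT):
        print(pkt, {m.value: permits(BINDINGS, m, pkt) for m in Mode})
```

Only the mode that checks both source MAC addresses and source IP addresses discards all three non-matching sample packets; each single-field mode forwards a packet whose uninspected field differs from the binding.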