Use this wizard to filter:

For Catalyst 2950 switches, filtering can be based on IP addresses or on TCP/UDP applications. For Catalyst 3550 switches, filtering can be based on IP addresses or MAC addresses, as well as on TCP/UDP applications. The wizard lets you choose whether to drop or forward packets that meet the filtering criteria.

To use the wizard, you must know how the network is designed and how interfaces are used on the filtering device, that is, which interfaces carry inbound traffic and which carry outbound traffic.

From the Host Name list, select a device on which you want to filter packets.

From the Available Interfaces list, select one or more interfaces on which you want to filter inbound packets. For Catalyst 3550 switches, the list can contain switch ports, routed ports, and SVIs if no interface is being used for filtering. You can select either switch ports, which are Layer 2 interfaces, or routed ports and SVIs, which are Layer 3 interfaces. You cannot select both Layer 2 and Layer 3 interfaces.

If an ACL is attached to a switch port, only switch ports appear in the list. If an ACL is attached to a routed port or a VLAN map is attached to a VLAN, only routed ports and SVIs appear in the list.

Notes:

When you click Add, your selections move to the Selected Interfaces list.

If you do not want to filter inbound packets on an interface in the Selected Interfaces list, select it and click Remove.

From the Available Interfaces list, select one or more routed ports or SVIs on which you want to filter outbound packets.

Notes:

When you click Add, your selections move to the Selected Interfaces list.

If you do not want to filter outbound packets on a routed port or SVI in the Selected Interfaces list, select it and click Remove.

From the Available VLANs list, select one or more VLANs on which you want to filter packets. Then click Add. The VLANs that you selected will move to the Selected VLANs list.

Note: For each selected VLAN, the wizard will create a VLAN map and apply it to the VLAN.

If you do not want to filter packets on a VLAN in the Selected VLANs list, select it and click Remove.

If you leave both boxes checked, the wizard prompts you to create filters for IP packets and non-IP packets (that is, MAC packets). Uncheck one of the boxes if you want to filter one kind of packet but not the other.

Select permit all IP packets or deny all IP packets from the Default Action list. Selecting permit all IP packets means that all IP packets will be forwarded except those that match your filters (to be created in later steps). Selecting deny all IP packets means that only the IP packets that match your filters will be forwarded.

Your filters will be compared to data in the packet header. Specify whether you want them to be compared to IP addresses, application ports, or both. If they will be compared to IP addresses, check the Network box. If application ports, check the Applications box. If both, check both.

Your filters will be compared to data in the packet header. Specify whether you want them to be compared to IP addresses or application ports. If they will be compared to IP addresses, select Network. If application ports, select Applications.

Each row in this table is a filter that is compared to IP addresses. If the device you selected is a Catalyst 3550 switch, each filter can be compared to destination addresses as well as to source addresses.

To add a filter to the table, click Create. To remove a filter, select it and click Delete.

In the Source Address field, enter the source IP address that you want to use with a subnet mask.

From the Source Subnet Mask list, select a subnet mask to be used with the source IP address. If the device you selected is a Catalyst 2950 switch, the source subnet mask you select for your first filter must be used in subsequent filters.

The mask is applied as a wildcard mask, bit by bit, which is what the 0 and 1 rules below describe. Both the mask and the source IP address you entered are read as 32-bit binary strings. Wherever a 0 occurs in the mask, the corresponding bit of the source address in the packet header must equal the bit in the source IP address you entered. Wherever a 1 occurs in the mask, that bit position is ignored; the packet's source address may contain either a 1 or a 0 there. If every 0-bit position agrees, the source part of the filter has a match, but the packet is forwarded or dropped only if the entire filter matches the packet header.

The choice any in the Source Subnet Mask list is equivalent to a string of binary 1's. It matches any source IP address in the packet header. The choice host is equivalent to a string of binary 0's. It matches only the IP address you enter in the Source Address field.

In the Destination Address field, enter the destination IP address that you want to use with a subnet mask.

From the Destination Subnet Mask list, select a subnet mask to be used with the destination IP address. If the device you selected is a Catalyst 2950 switch, the destination subnet mask you select for your first filter must be used in subsequent filters.

The mask is applied as a wildcard mask, bit by bit, exactly as for the source address. Both the mask and the destination IP address you entered are read as 32-bit binary strings. Wherever a 0 occurs in the mask, the corresponding bit of the destination address in the packet header must equal the bit in the destination IP address you entered. Wherever a 1 occurs in the mask, that bit position is ignored; the packet's destination address may contain either a 1 or a 0 there. If every 0-bit position agrees, the destination part of the filter has a match, but the packet is forwarded or dropped only if the entire filter matches the packet header.

The choice any in the Destination Subnet Mask list is equivalent to a string of binary 1's. It matches any destination IP address in the packet header. The choice host is equivalent to a string of binary 0's. It matches only the IP address you enter in the Destination Address field.

From the Available Applications list, select the applications that you want the filter to drop or forward. Then click Add. The applications that you selected will move to the Selected Applications list.

If you do not want to filter an application in the Selected Applications list, select it and click Remove.

To define a new entry in the Available Applications list, click Add New.

This window lets you select the TCP or UDP applications that you want the filter to forward or drop. Select tcp to see a list of available TCP applications; select udp to see a list of available UDP applications.

From the Available Applications list, select the TCP or UDP applications to be forwarded or dropped. Then click Add. The applications that you selected will move to the Selected Applications list.

If you do not want to filter an application in the Selected Applications list, select it and click Remove.

To define a new entry in the Available Applications list, click Add New.

From the Protocol list, select the protocol, either tcp or udp, for the application that you are defining.

In the Application Name field, enter the name of the application.

In the TCP/UDP Port field, enter a port number between 1 and 65535, inclusive.

When you click Next, you return to the preceding step and see the application that you defined in the Selected Applications list.

Note: The new application will not appear as an available or selected application if you use the wizard again.

Select permit all non-IP packets or deny all non-IP packets from the Default Action list. Selecting permit all non-IP packets means that all non-IP packets will be forwarded except those that match your filters (to be created in later steps). Selecting deny all non-IP packets means that only the non-IP packets that match your filters will be forwarded.

Each row in this table is a filter that is compared to MAC addresses.

To add a filter to the table, click Create. To remove a filter, select it and click Delete.

In the Source MAC Address field, enter the source MAC address that you want to use with a source mask.

From the Source Mask list, select a mask to be used with the source MAC address. The choice any is equivalent to a string of binary 1's. It matches any source MAC address. The choice host is equivalent to a string of binary 0's. It matches only the MAC address that you specify as the source. The choice 0000.00ff.ffff ignores the low 24 bits and so matches all devices that have the same vendor code (the OUI, the first three bytes of your source MAC address).

In the Destination MAC Address field, enter the destination MAC address that you want to use with a destination mask.

From the Destination Mask list, select a mask to be used with the destination MAC address. The choice any is equivalent to a string of binary 1's. It matches any destination MAC address. The choice host is equivalent to a string of binary 0's. It matches only the MAC address that you specify as the destination. The choice 0000.00ff.ffff ignores the low 24 bits and so matches all devices that have the same vendor code (the OUI, the first three bytes of your destination MAC address).
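The following is an added example, not part of this help topic or of the switch software, that evaluates IP filters (source, destination and application, as described in the Network and Applications steps) and MAC filters (as described in the two mask steps just above) against constructed packets, using the 0-must-match, 1-is-ignored mask rule and the permit-all/deny-all Default Action rule from the earlier steps. The filter and packet layouts, the function names, and the sample addresses are illustrative assumptions; the logic is what the help text describes.

```python
"""Added example: evaluate the wizard's IP and MAC filters offline.

Mask semantics follow the help text: a 0 bit in the mask means the packet's
bit must equal the filter's bit, a 1 bit is ignored (a wildcard mask, the
inverse of a conventional subnet mask). Names and packet dicts are assumptions
made for this example, not the switch's own data structures.
"""
from dataclasses import dataclass
import ipaddress

IP_NAMED = {"any": 0xFFFFFFFF, "host": 0}          # any = all 1s, host = all 0s
MAC_NAMED = {"any": 0xFFFFFFFFFFFF, "host": 0}


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (000c.2912.3456), colon- or dash-separated MACs."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def ip_wildcard(mask: str) -> int:
    return IP_NAMED[mask] if mask in IP_NAMED else ip_to_int(mask)


def mac_wildcard(mask: str) -> int:
    return MAC_NAMED[mask] if mask in MAC_NAMED else mac_to_int(mask)


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """True when value and pattern agree in every bit where the wildcard is 0."""
    return ((value ^ pattern) & ~wildcard) == 0


@dataclass(frozen=True)
class IpFilter:
    src: str = "0.0.0.0"
    src_mask: str = "any"
    dst: str = "0.0.0.0"
    dst_mask: str = "any"
    apps: frozenset = frozenset()   # {(proto, port)}; empty means any application


@dataclass(frozen=True)
class MacFilter:
    src: str = "0000.0000.0000"
    src_mask: str = "any"
    dst: str = "0000.0000.0000"
    dst_mask: str = "any"


def ip_filter_matches(f: IpFilter, pkt: dict) -> bool:
    """Every part of the filter (source, destination, application) must match."""
    if not wildcard_match(ip_to_int(pkt["src"]), ip_to_int(f.src), ip_wildcard(f.src_mask)):
        return False
    if not wildcard_match(ip_to_int(pkt["dst"]), ip_to_int(f.dst), ip_wildcard(f.dst_mask)):
        return False
    return not f.apps or (pkt.get("proto"), pkt.get("dport")) in f.apps


def mac_filter_matches(f: MacFilter, pkt: dict) -> bool:
    return (wildcard_match(mac_to_int(pkt["src"]), mac_to_int(f.src), mac_wildcard(f.src_mask))
            and wildcard_match(mac_to_int(pkt["dst"]), mac_to_int(f.dst), mac_wildcard(f.dst_mask)))


def decide(default_action: str, filters, matches, pkt: dict) -> str:
    """Default Action rule: "permit" forwards all except packets matching a filter;
    "deny" forwards only packets matching a filter."""
    hit = any(matches(f, pkt) for f in filters)
    if default_action == "permit":
        return "drop" if hit else "forward"
    if default_action == "deny":
        return "forward" if hit else "drop"
    raise ValueError(f"unknown default action: {default_action}")


# Constructed sample filters (assumed values, not from any real device).
IP_FILTERS = [
    IpFilter(src="10.1.0.0", src_mask="0.0.255.255",     # any host in 10.1.0.0/16
             dst="192.0.2.10", dst_mask="host",
             apps=frozenset({("tcp", 23)})),            # telnet only
]
MAC_FILTERS = [
    MacFilter(src="000c.2900.0000", src_mask="0000.00ff.ffff"),  # whole vendor code 00:0c:29
]


def example_decisions() -> dict:
    """Run constructed packets through both filter tables under both default actions."""
    telnet = {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}
    ssh = dict(telnet, dport=22)
    other_net = dict(telnet, src="10.2.2.3")
    same_oui = {"src": "000c.2912.3456", "dst": "ffff.ffff.ffff"}
    other_oui = {"src": "0050.5612.3456", "dst": "ffff.ffff.ffff"}
    return {
        "telnet_permit_default": decide("permit", IP_FILTERS, ip_filter_matches, telnet),
        "ssh_permit_default": decide("permit", IP_FILTERS, ip_filter_matches, ssh),
        "other_net_permit_default": decide("permit", IP_FILTERS, ip_filter_matches, other_net),
        "telnet_deny_default": decide("deny", IP_FILTERS, ip_filter_matches, telnet),
        "same_oui_deny_default": decide("deny", MAC_FILTERS, mac_filter_matches, same_oui),
        "other_oui_deny_default": decide("deny", MAC_FILTERS, mac_filter_matches, other_oui),
    }


if __name__ == "__main__":
    for name, verdict in example_decisions().items():
        print(f"{name:26s} -> {verdict}")
```

The point worth checking before trusting a filter is the direction of the default action: with permit all selected, the filter rows are the packets that get dropped, and with deny all selected they are the only packets that get through, so the same row has opposite effect depending on that one list.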

The maximum of four user-defined masks has already been defined on the device. There are no masks available for configuring security. See the help topic for the Resource Monitor window for more information.

The maximum of four user-defined masks has already been defined on the device. You might still be able to configure security if the selections you make in the next steps use only the existing masks. See the help topic for the Resource Monitor window for more information.