Filtering Protocols and Ports

You can filter (block) specified protocols and ports from leaving the AP and SM and entering the network. This protects the network from both intended and inadvertent packet loading or probing by network users. By keeping the specified protocols or ports off the network, this feature also provides a level of protection to users from each other.

Protocol and port filtering is set per AP/SM. Except for filtering of SNMP ports, filtering occurs as packets leave the AP/SM. If SM is configured to filter SNMP, then SNMP packets are blocked from entering the SM and, thereby, from interacting with the SNMP portion of the protocol stack on the SM.

Port Filtering with NAT Enabled
Where NAT is enabled on the SM, you can filter only the three user-defined ports. The following are examples for situations where you can configure port filtering where NAT is enabled:
• To block a subscriber from using FTP, you can filter Ports 20 and 21 (the FTP ports) for both the TCP and UDP protocols.
• To block a subscriber from access to SNMP, you can filter Ports 161 and 162 (the SNMP ports) for both the TCP and UDP protocols.
In only the SNMP case, filtering occurs before the packet interacts with the protocol stack.

Protocol and Port Filtering with NAT Disabled
Where NAT is disabled on the SM, you can filter both protocols and the three user-defined ports. Using the check boxes on the interface, you can either:
• Allow all protocols except those that you wish to block.
• Block all protocols except those that you wish to allow.
You can allow or block any of the following protocols:
• PPPoE (Point to Point Protocol over Ethernet)
• Any or all of the following IPv4 (Internet Protocol version 4) protocols:
o SMB (Network Neighborhood)
o Up to 3 user-defined ports
o All other IPv4 traffic (see Figure 29)
o Uplink Broadcast
o ARP (Address Resolution Protocol)
o All others (see Figure 29)

The following are example situations in which you can configure protocol filtering where NAT is disabled:
• If you block a subscriber from only PPPoE and SNMP, then the subscriber retains access to all other protocols and all ports.
• If you block PPPoE, IPv4, and Uplink Broadcast, and you also check the All others selection, then only Address Resolution Protocol is not filtered.
The ports filtered as a result of protocol selections in the Protocol Filtering tab of the SM are listed in Table 58.

Table 58.jpg

1 Like