8600 src/dst acl?

[ltollefs]

Hello all,

I'm new to Nortel equipment and I find myself having to create a Vlan ACL, for a Nortel 8600 with a 8630GBR installed, that filters on both src and dst IPs, similar to a Cisco extended access list. Is this possible? The documentation suggests not, as does working with the cli. Any tips would be much appreciated!

Thanks.

 

[andy88]

You can define an ACL for ingress port/vlan egress port/vlan

Check out the following doc

http://support.nortel.com/go/main.jsp?cscat=DOCDETAIL&id=436165&poid=9015

 

[ltollefs]

Thanks for responding Andy88,

Yes, that is the document I've been using, and yes I know I can configure vlan/port filters for both ingress and egress traffic, but what I don't know is, can I create a single ACE that will filter based on both source and destination IPs as I can with a Cisco extended access list? What I'm trying to achieve is a filter that will allow only specific hosts situated on disparate networks to reach specific hosts on a vlan, but allow all other traffic to reach all other hosts on said vlan. With Cisco style ACLs, this is a cake walk, and perhaps it is with Nortel ACLs, but I don't quite get it.

 

[andy88]

I see what you are trying to do, unfortunatly i cannot see a way to do it.

 

[HungryHouse]

have you tried doing this with a standard IP Filter? These came out well before ACLs and I believe should accomplish what you're looking to do. You can no longer use JDM to config this but you can still us command line:
config ip traffic-filter

Happy trails. -HH

 

[ltollefs]

Andy88 and HungryHouse,

Thanks for the replies. It would seem Cisco style src/dst acl's are not possible here; a noteable lack of functionaliity if you ask me. HungryHouse, the old style filters are not supported on R Modules, but thanks for the suggestion.

 

[andy88]

I think i might have found the solution. Within the predefined ACT's there is the followin;

4092 IP Sa & Da ACT Filters on the IP attributes: srcIp, dstIp.

This looks to be what you need

 

[ltollefs]

Andy88,

Tried that, but the options available during the config of the ACL is either src-ip or dst-ip, not both.

Thanks for the help.

 

[nerd4nortel]

I was just noticing this post. Perhaps I am not understanding the issue in it's entirety, but it seems to me that this functionality certainly exists in the 8600 with R modules. If configuring via DM, you must make sure that your ACT contains both srcIp and dstIp. The pre-configured ACT #4092 has both of these fields. Create the ACL and then the ACE's. I would recommend an ACL with a default action of Allow. Then create a number of ACE's that specifically allow the hosts you want to be able to reach each other, with the option selected to "stop on match." Finally, create ACE's to deny the specific IP subnets that you wish to dis-allow (make sure they are entered in the order specified, it is an ordered list.)

For CLI syntax, here is an example. For this example

VLAN 300 is for subnet 10.1.30.0/24
VLAN 301 is for subnet 10.1.31.0/24

I wish to allow host 10.1.30.100 to communicate to hosts 10.1.31.100-10.1.31.110

I wish to block all other traffic between 10.1.30.x and 10.1.31.x

filter acl 1 create inVlan act 4092
filter acl 1 vlan add 300-301
filter acl 1 ace 1 action permit stop-on-match true
filter acl 1 ace 1 ip src-ip eq 10.1.30.100
filter acl 1 ace 1 ip dst-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 1 enable
filter acl 1 ace 2 action permit stop-on-match true
filter acl 1 ace 2 ip src-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 2 ip dst-ip eq 10.1.30.100
filter acl 1 ace 2 enable
filter acl 1 ace 3 action deny stop-on-match true
filter acl 1 ace 3 ip src-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 3 ip dst-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 3 enable
filter acl 1 ace 4 action deny stop-on-match true
filter acl 1 ace 4 ip src-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 4 ip dst-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 4 enable

Best regards,
Steve
Nortel

 

[ltollefs]

Steve,

Thank you for the response. I guess when coming from a Cisco background I didn't expect the solution to be as involed as it is. With Cisco ACLs the equivalent is 4 lines of configuration, 2 for the ACLs and 2 to assign the ACLs to the interfaces.

Lyle.