
Accelar (Passport) switch IP Filter?

dflanagan (MIS, US), Oct 5, 2001
Does anyone have a handle on this IP filtering option of the Accelar (Passport) 1200 switch? I need to separate 2 logical IP networks that run on the same physical network.
172.20.188.0 (255.255.252.0)
192.0.150.0 (255.255.255.0)

The problem is, I have a router that they BOTH need to access on the 172.20.188.0 network....

I do not want any of the machines on the 192.0.15.0 network to see ANY addresses on the 172.20.188.0 network EXCEPT the router (172.20.188.1).

I thought that I may be able to use the IP filtering on a port level, telling the switch to drop all traffic from 172.20.188.0 except for 172.20.188.1. IS THIS POSSIBLE?

If so, can you explain?

Thanks!
 
Wow, you started 21 threads and never found a post useful, I am feeling challenged!


is the best Nortel-supplied tutorial that I found. (In the fine print, Global filters have NEVER worked, ignore them.)

All filters are applied as the packet enters the switch, and the switch applies specific masks before it applies less specific masks.

One way to interpret your request is that one port has all of the 172.20.188.0 network behind it and all we wish to pass is one address, 172.20.188.1. We can do so by putting a source filter on THAT port which accepts a source of 172.20.188.1 mask 255.255.255.255 but has a default action of drop. Then any packet not from the router is dropped. (Note: technically you can still send to the other network, they just can't reply.)

If the port to 172.20.188.0 also has some 192.0.15.0 addresses on it, it gets trickier, as you need a filter for 172.20.188.1 mask 255.255.255.255, but now the default is forward. This just lets .1 by, and an IP filter for 172.20.188.0 mask 255.255.255.0 to drop, with a default to forward, wipes out the rest of the network. Packets not for 172.20.188.0 fail both filters and are forwarded (again, technically you can still send, but they can't reply).

One could attempt to apply a destination filter pair to every other port of the 192.0.15.0 net to block in both directions, but as there are no successful one-way conversations, a one-way block should be enough.


Now let's assume only one port has 192.0.15.0 traffic and you wish them to only find 172.20.188.1, but not the rest of the switch.

You can put a destination filter on the port with a default of drop and a destination of 172.20.188.1 mask 255.255.255.255 (again, the 172.20.188.0 can still send to 192.0.15.0, but they can't reply).

If none of my interpretations are correct, try to explain in detail which ports are 172.20.188.0, which are 192.0.15.0 and if any are both.

Any help? I confess that while I use IP filters, I only have one subnet that I provide for a subcontractor, that I allow internet access but not local access to the other 32 subnets, but I use this concept. My main use of IP filters is to raise the priority of the VoIP traffic, where both the action and the default are Forward.

I tried to remain child-like, all I achieved was childish.
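The three filter layouts described in the reply above, worked through in a small Python model added here (it is not code from the thread or from Nortel): it applies the rule the reply states, most specific mask first and the port default when nothing matches, to a few constructed packets. The filter semantics are the reply's; the `IpFilter`/`PortPolicy` classes, the `evaluate` function and the sample host addresses are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IpFilter:
    kind: str                       # "src" or "dst": which address the filter checks
    network: ipaddress.IPv4Network  # address plus mask, e.g. 172.20.188.1/255.255.255.255
    action: str                     # "forward" or "drop"

@dataclass(frozen=True)
class PortPolicy:
    default: str                    # action taken when no filter matches
    filters: tuple                  # IpFilter entries applied as packets enter the port

def net(addr_mask: str) -> ipaddress.IPv4Network:
    # Accept the "address mask" spelling used in the thread
    return ipaddress.ip_network(addr_mask.replace(" ", "/"), strict=False)

def evaluate(policy: PortPolicy, src: str, dst: str) -> str:
    """Action for one packet entering a port: every matching filter is
    considered, the most specific mask wins, else the port default applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [f for f in policy.filters
               if (s if f.kind == "src" else d) in f.network]
    if not matches:
        return policy.default
    return max(matches, key=lambda f: f.network.prefixlen).action

# Case 1: only 172.20.188.0 hosts behind the port; let just the router's packets in.
ROUTER_ONLY = PortPolicy("drop", (
    IpFilter("src", net("172.20.188.1 255.255.255.255"), "forward"),))

# Case 2: mixed port; pass the router, drop the rest of 172.20.188.0, forward anything else.
MIXED_PORT = PortPolicy("forward", (
    IpFilter("src", net("172.20.188.1 255.255.255.255"), "forward"),
    IpFilter("src", net("172.20.188.0 255.255.255.0"), "drop"),))

# Case 3: the 192.0.15.0 port may only send to the router.
ONLY_TO_ROUTER = PortPolicy("drop", (
    IpFilter("dst", net("172.20.188.1 255.255.255.255"), "forward"),))

if __name__ == "__main__":
    samples = [  # constructed packets: (label, policy, source, destination)
        ("case1 router", ROUTER_ONLY, "172.20.188.1", "192.0.15.20"),
        ("case1 other", ROUTER_ONLY, "172.20.188.77", "192.0.15.20"),
        ("case2 router", MIXED_PORT, "172.20.188.1", "192.0.15.20"),
        ("case2 other", MIXED_PORT, "172.20.188.77", "192.0.15.20"),
        ("case3 to rtr", ONLY_TO_ROUTER, "192.0.15.5", "172.20.188.1"),
        ("case3 other", ONLY_TO_ROUTER, "192.0.15.5", "172.20.188.77"),
    ]
    for name, pol, src, dst in samples:
        print(f"{name}: {evaluate(pol, src, dst)}")
```

In case 2 both filters match a packet from the router, and the /32 entry wins because it is the more specific mask, which is exactly why the reply can use a forward default there.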
 
Hey!
Thanks A LOT!! I am not sure WHY you think I do not find the posts useful... I ALWAYS do! Is there something that I have not posted somewhere saying that they are?

Anyway, the info you gave me was great, I am however having a problem:

I cannot seem to get my port to have a default action of DROP. I assign it this action, then check the info on it and it says the default action is in fact drop, but then when I assign a filter to it, the default action is automatically switched to forward....

I have this network (192.168.150.0/24; I know it's different than before...) which will be only behind port 3/15 on the switch... This network needs to access the WAN via IP address 172.20.188.1 (next router). I need to PREVENT anyone on the 172.20.188.0/22 network from seeing the 192.168.150.0/24 network, and I thought the best way to do that would be to create a destination filter for the 3/15 port which has the address of the network on the other side of the WAN that it needs to access. Then I would tell the port to DROP all other traffic by default... I was assuming that if my DESTINATION was within the scope of the filter, then it would pass the traffic even if it has to go to 172.20.188.1 to get there, since the routing table will tell it that. Is this right??

I REALLY APPRECIATE ALL OF YOUR HELP!!! lol!

Dave
 
You have the option to mark useful posts in the lower left corner; you never have.

I tried to remain child-like, all I achieved was childish.
 
Ahh... never actually took notice of that... thanks! And I gave you a good post click.
 
I have looked at my Accelars; I cannot find where I ever used drop as a default action. Trying it out it refuses to accept it and changes it back.

"Default action of drop is functional in ARU3 The action of not supported in ARU2." in the PDF I referenced you to, sigh.

Your Accelar must be a similar age to mine: -A is ARU2, -B is ARU3.

I tried to remain child-like, all I achieved was childish.
 
Yes, mine is OLD too! lol. Anyway, I have what may turn out to be an easier solution. Is there a way to just separate these networks logically? I tried to assign another IP address to my default VLAN, but it said that "multinetting" is not supported... My plan was to have it respond to this second IP address, then apply filters across all ports in the switch:

one dropping traffic from 192.168.151.0 to 172.20.188.0

one dropping traffic from 172.20.188.0 to 192.168.151.0 (in case there was something I was not thinking of)

I assume traffic with a destination IP of a network across the WAN would be forwarded via 172.20.188.1 (WAN router), since the actual DESTINATION address is not 172.20.188.1 but only uses this address to get to the destination.

Anyway, so I can separate them logically instead of physically. I am just not real experienced with this technique... Can I do this with filters? OR, is there a better way??

Thanks again for all your help!!

Dave
 