
Filters in Passport 8600 2

Status
Not open for further replies.

jacobauskas

Technical User
Mar 11, 2002
28
BR
Friends,

I need to implement filters in the Passport 8600.
Does anybody have documentation on the subject?

Thanks a lot


Jacobauskas
 
Hello jacobauskas, there is not much in the way of documentation that we could find, just a matter of trial & error. One thing that is important, though, is that filters DO NOT work on early firmware versions; you will need ver 3.2.2.
The early versions do not allow a default action of DROP, which may make life easier.

mucka
 
For the Accelar 1200 there was a fair amount of 'technical' literature in presales directories that was not in the technical documentation in support. Now that they don't sell the 1200 it is hard to obtain.


is the similar document for the 8600

I tried to remain child-like, all I achieved was childish.
 
By the way, Global filters NEVER worked on the 1200; destination filters and source filters did. I was able to enforce 802.1p QOS across 6 1200s by looking for packets headed for or coming from my PBX subnets and raising their priority. (Each 1200 had to rediscover the priority; I never could figure out how to route packets with 802.1p information intact.)

I tried to remain child-like, all I achieved was childish.
 
Dear Jaco,
Regarding filters on the 8600, u need version 3.2.2.
Following is the way to configure the filters by CLI.

1) Create filters; go for source or destination.
While creating, be clear about which protocol u want and what to do with it.

2) Then create a filter list for the filter created.

3) Add ports to that filter set.

And then implement it.

Nortel doesn't have any good docs for users. But if u can wait, I have one very good template which I will upload for you tomorrow.

Best of luck
 
Friends,

I have version 3.2.1 of the Passport 8600.
Does anybody already have the Passport 8600 with version 3.2.2, and did you test filters and obtain satisfactory results?
How do I get version 3.2.2? Is that the latest version?
I got a version 3.2.2 in the past, but when I did the upgrade it gave a problem when I unzipped the image.
What is the size of the files of that version?

Thank you very much,
Jacobauskas


 
Dear Jaco,
I have applied filters on pp8600 with version 3.2 and it worked.

about the way to configure i have told u above.

Nortel or u r vendor can get u a new version of the image.

Hitender
Try & Try Till U succeed and update others on u r achievements
 
Hitender



Could you send examples of the filters configured in your Passport?
If possible I would like the configuration of:
filters
global sets
filtered ports

Is there some sequence that we should follow in the global sets?
Because depending on the order in which I create the filters and the order in which I associate them in the global sets, it stops working.

Thanks
 
Hi Jaco,
Pls go through the following steps.


Just go through the following example.

V1 - default VLAN
V2 - 192.168.134.x/24
V3 - 192.168.136.x/24
V4 - 192.168.138.x/24

Apply filters so that V2 and V3 are not able to talk to each other.

Step 1

config ip traffic-filter create destination dst-ip 192.168.134.x/24 src-ip 192.168.136.x/24 id 20 (any id)

config ip traffic-filter filter 20 action mode drop

config ip traffic-filter filter 20 name "nortel" (any name)

Step 2

Creating filter sets

ip traffic-filter set 200 create name "anyname"

ip traffic-filter set 200 add-filter 20

Step 3

Apply filters to port

ethernet port no. ip traffic-filter create

ethernet port no. ip traffic-filter add set 200

save config




Hitender
Try & Try Till U succeed and update others on u r achievements
 
Hitender,


I tested that configuration; however, sometimes it works and sometimes it doesn't.
I believe that the default action of the port is FORWARD.
Imagine that I have a server on port 1/44 (ip 10.3.16.55) and I need to allow it to answer only the following machine:
192.168.0.25


Step 1 - global filters
Configuring the following GLOBAL filters:

Id    origin            destination       mode
1     192.168.0.5/32    10.3.16.55/32     forward
2     10.3.16.55/32     192.168.0.5/32    forward
300   0.0.0.0           0.0.0.0           drop

Step 2 - global sets

id - 1
name - trial
filteridlist - 1,2,300


Step 3 - filtered ports

ports 1/44
filterset - trial
set enable
default action - forward

That configuration doesn't work.
After tests, it only works if I use the ids 1,2,3 (in sequence).
Do you know anything about this?
Thank you very much!

Jacobauskas
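
A consistency check over the filter table in the post above, added here as an example and not part of the thread. It compares the table as posted with the intent stated in the text (only 192.168.0.25 may reach 10.3.16.55); reading the maskless `0.0.0.0` as `0.0.0.0/0` is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Filter table as posted in the thread: (id, origin, destination, mode).
# "0.0.0.0" without a mask is read as 0.0.0.0/0 (assumption).
FILTERS = [
    (1, "192.168.0.5/32", "10.3.16.55/32", "forward"),
    (2, "10.3.16.55/32", "192.168.0.5/32", "forward"),
    (300, "0.0.0.0/0", "0.0.0.0/0", "drop"),
]

# Intent stated in the post's text: only this peer may reach the server.
SERVER = "10.3.16.55"
ALLOWED_PEER = "192.168.0.25"


def matching_filters(filters, src, dst):
    """Return (id, mode) of every filter whose origin and destination cover the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for fid, f_src, f_dst, mode in filters:
        if s in ipaddress.ip_network(f_src) and d in ipaddress.ip_network(f_dst):
            hits.append((fid, mode))
    return hits


def audit(filters, server, peer):
    """Check both directions of the intended flow against the table.

    A direction counts as covered only if some forward filter matches it.
    This does not depend on evaluation order: a flow matched by drop
    filters alone is dropped whichever order the switch uses.
    """
    findings = []
    for src, dst in ((peer, server), (server, peer)):
        hits = matching_filters(filters, src, dst)
        if not any(mode == "forward" for _, mode in hits):
            findings.append(f"{src} -> {dst}: no forward filter matches, hits={hits}")
    return findings


if __name__ == "__main__":
    for line in audit(FILTERS, SERVER, ALLOWED_PEER):
        print("MISMATCH", line)
```

With the values as posted, both directions of the 192.168.0.25 flow match only filter 300; the thread does not say whether the `.5` in the table is a typo in the post or in the configuration.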
 
Jaco,

Pls let me know whether the VLANs u have created are subnet based or port based.

Hitender
Best Of luck
Try & Try Till U succeed and update others on u r achievements
 
Hitender,


The machine 10.3.16.55 is in Vlan6 - 10.3.16.0/24
The machine 192.168.0.25 is in Vlan3 - 192.168.0.0/24
VLAN by port.
The server on port 1/44 has the IP 10.3.16.55, and the only machine that can access it is 192.168.0.25.
However, as described above, depending on the order of the ids the filter doesn't work.

Could you simulate this filter in your Passport?
Creating it with non-sequential ids (1,2,300) or (20,30,40)?
Your release is 3.2.2, correct?

Thanks

Jacobauskas
 
Jaco,
If the machines with these IPs are static, then why don't u implement MAC address security?
Although u r configuration seems to be OK.

Hitender
Best Of luck
Try & Try Till U succeed and update others on u r achievements

hit_singh@rediffmail.com
 
Hitender,

The IPs of the machines are static.
What happens if you configure the same filter above in your Passport?
Do you use filters out of sequence (1,2,3,4,5)? Could you try a non-sequential set (1,2,300)?
Tell me please, how do I implement security by MAC?


Thanks
 
Jaco,
Most probably when u create a filter set globally u have to assign a filter id more than 300. Just go through the manual.
I can't implement this thing because we are a vendor and I can't implement on a customer site.

Hitender
Best Of luck
Try & Try Till U succeed and update others on u r achievements

hit_singh@rediffmail.com
 
Hitender,

The problem also happens in these orders:
1,2,6
1,2,100
1,2,4
1,2,8

It needs to be 1,2,3. Out of this order I have a problem.
 
Jaco,

Pls go through the manual and look whether u can assign a global filter id less than 300.

Hitender
Best Of luck
Try & Try Till U succeed and update others on u r achievements

hit_singh@rediffmail.com
 
Hello All,

Just went through all the messages related to filters on the 8600. I am new to the 8600 and its filters.
I have got the basic idea of how to go about it, i.e. creating filters, adding them to filter sets and then applying the set to the particular interface. But there are some things which need clarification here:
1) Do these filters work the same way as Cisco ACLs do? I mean, what order do they follow? If a match is found, are the rest of the filters traversed?

2) For example, I have two VLANs - VLAN1 (192.168.121.0) and VLAN2 (192.168.126.0). I need to give FTP access to server1 (192.168.121.8) from user1 (192.168.126.32).

Now should I go for a src-based filter or a dst-based filter, or try a port value greater than filter?

Regards,

Faisal Naik
 
Hi everybody,

I've read all the parts of this thread, because I also have filtering problems with a Passport 8006.
I use the 3.5 release with version 5.7 of D-Manager. I am trying to filter the traffic on a Gigabit Ethernet switching module; I want to forward just one IP destination address with TCP port 80 and to drop all the other addresses (for filtering web access).
I want to use global filters.

So I followed all the steps in Device Manager, which are:

1) On the edit/Chassis menu, verify that 'VlanByScrMacEnable' is false and 'GlobalFilterEnable' is true.

2) Insert a Global filter with an IP address 192.168.2.2 mask 255.255.255.255, 'tcp' protocol, DstPort '80', DstOption 'equal', Mode 'forward'.

3) Create a Global list in the 'Global Sets' tab, and add/insert the filter.

4) Apply the list in the 'Filtered Ports' tab, with the 4/2 port and a drop default action. /.../

But when I enable this filter, all the traffic is dropped!

I work in a test environment, with a Passport 8006, a Gigabit module with 2 Gigabit Interface Converters and 2 BayStack 470 switches. I've created 2 VLANs (the 2nd with the 4/2 port) and I emulate a web server with the web interface configuration menu of one of the switches. I've tried many different simulations, like putting a drop filter and a forward default action, but the traffic is just forwarded and the drop filter for the IP address is not working. I also tried to do the same thing with the CLI in text mode, but nothing better!

Does anyone have an idea about my problem, and where I forgot to do something? ... I know, this is a long post, and maybe bad English, but please excuse me, I'm a French guy!

Jp.Teillet
 
Hey people,

Could you check if the Passport is blocking the ARP request packets?
Run the commands arp -d / arp -a on the workstation and check this.
I saw a document about this and it spoke of creating an ARP VLAN, but when I went to create it by console my Passport booted, and I never tried again.


Thanks


Jacobauskas
 