Nortel IP Filters

Status
Not open for further replies.

rennemings

IS-IT--Management
Jun 26, 2012
1
TT
thread902-1424348

I use this reference to create an access list and I can't get communication to stop between my selected VLANs. Do I need the advanced licence on my 8600 to allow the access list to work?


filter acl 1 create inVlan act 4092
filter acl 1 vlan add 300-301
filter acl 1 ace 1 action permit stop-on-match true
filter acl 1 ace 1 ip src-ip eq 10.1.30.100
filter acl 1 ace 1 ip dst-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 1 enable
filter acl 1 ace 2 action permit stop-on-match true
filter acl 1 ace 2 ip src-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 2 ip dst-ip eq 10.1.30.100
filter acl 1 ace 2 enable
filter acl 1 ace 3 action deny stop-on-match true
filter acl 1 ace 3 ip src-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 3 ip dst-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 3 enable
filter acl 1 ace 4 action deny stop-on-match true
filter acl 1 ace 4 ip src-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 4 ip dst-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 4 enable

Best regards,
Steve
Nortel
 
Hi,

No, there's no need for an advanced licence in order to perform traffic filtering.
I usually prefer to use the ip traffic-filter feature for this purpose.

ip traffic-filter create global src-ip 10.1.30.0/255.255.255.0 dst-ip 10.1.31.0/255.255.255.0 id 255
ip traffic-filter 255 action mode drop

ip traffic-filter create global src-ip 10.1.31.0/255.255.255.0 dst-ip 10.1.30.0/255.255.255.0 id 256
ip traffic-filter 256 action mode drop

ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.100/255.255.255.255 id 100
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.101/255.255.255.255 id 101
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.102/255.255.255.255 id 102
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.103/255.255.255.255 id 103
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.104/255.255.255.255 id 104
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.105/255.255.255.255 id 105
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.106/255.255.255.255 id 106
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.107/255.255.255.255 id 107
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.108/255.255.255.255 id 108
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.109/255.255.255.255 id 109
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.110/255.255.255.255 id 110

ip traffic-filter create global src-ip 10.1.31.100/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 200
ip traffic-filter create global src-ip 10.1.31.101/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 201
ip traffic-filter create global src-ip 10.1.31.102/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 202
ip traffic-filter create global src-ip 10.1.31.103/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 203
ip traffic-filter create global src-ip 10.1.31.104/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 204
ip traffic-filter create global src-ip 10.1.31.105/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 205
ip traffic-filter create global src-ip 10.1.31.106/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 206
ip traffic-filter create global src-ip 10.1.31.107/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 207
ip traffic-filter create global src-ip 10.1.31.108/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 208
ip traffic-filter create global src-ip 10.1.31.109/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 209
ip traffic-filter create global src-ip 10.1.31.110/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 210

ip traffic-filter global-set 100 create name "My Filter"
ip traffic-filter global-set 100 add-filter 100
ip traffic-filter global-set 100 add-filter 101
ip traffic-filter global-set 100 add-filter 102
ip traffic-filter global-set 100 add-filter 103
ip traffic-filter global-set 100 add-filter 104
ip traffic-filter global-set 100 add-filter 105
ip traffic-filter global-set 100 add-filter 106
ip traffic-filter global-set 100 add-filter 107
ip traffic-filter global-set 100 add-filter 108
ip traffic-filter global-set 100 add-filter 109
ip traffic-filter global-set 100 add-filter 110
ip traffic-filter global-set 100 add-filter 200
ip traffic-filter global-set 100 add-filter 201
ip traffic-filter global-set 100 add-filter 202
ip traffic-filter global-set 100 add-filter 203
ip traffic-filter global-set 100 add-filter 204
ip traffic-filter global-set 100 add-filter 205
ip traffic-filter global-set 100 add-filter 206
ip traffic-filter global-set 100 add-filter 207
ip traffic-filter global-set 100 add-filter 208
ip traffic-filter global-set 100 add-filter 209
ip traffic-filter global-set 100 add-filter 210
ip traffic-filter global-set 100 add-filter 255
ip traffic-filter global-set 100 add-filter 256

Then apply it to the ports you need:

ethernet 1/1 ip traffic-filter create
ethernet 1/1 ip traffic-filter add set 100
ethernet 1/1 ip traffic-filter default-action forward

etc.

This becomes heavy as you have to write a filter for each source/destination address, unless you can use a full subnet (here addresses 10.1.31.100 -> 10.1.31.110 can't be declared as a subnet).
Anyway it works fine.


If you use ACE/ACL, I think you have to first create an ACT, then your ACL containing ACEs, then apply the ACT.
I haven't used this kind of configuration yet; you can find more about it in the Nortel/Avaya document called NN46205-507 (Nortel Ethernet Routing Switch 8600 : Configuration — QoS and IP Filtering for R and RS Modules).


Cheers,

y/
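
The reply above notes that 10.1.31.100 -> 10.1.31.110 cannot be declared as one subnet, so it writes one filter per host. As an added example (not part of the original post), this Python script splits that range into the fewest aligned blocks and emits filter lines in the same syntax. It assumes the switch accepts masks other than 255.255.255.0 and 255.255.255.255 in src-ip/dst-ip, which the thread does not confirm.

```python
import ipaddress


def range_to_blocks(first, last):
    """Collapse an inclusive IPv4 range into the fewest aligned CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def fmt(net):
    """Render a network as address/dotted-mask, the form used in the thread."""
    return f"{net.network_address}/{net.netmask}"


def covered_hosts(blocks):
    """Every address matched by the blocks, to confirm nothing extra is permitted."""
    return sorted(addr for block in blocks for addr in block)


def build_filters(host, first, last, fwd_id=100, rev_id=200):
    """Emit 'ip traffic-filter create global' lines for host <-> range.

    Filter ids follow the thread's numbering (100.. one way, 200.. the other).
    Mask support beyond /24 and /32 is an assumption about the switch.
    """
    host_net = ipaddress.IPv4Network(f"{host}/32")
    blocks = range_to_blocks(first, last)
    # Refuse to emit anything if summarisation would widen the permitted range.
    want = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    got = covered_hosts(blocks)
    if (got[0], got[-1]) != want or len(got) != int(want[1]) - int(want[0]) + 1:
        raise ValueError("summarised blocks do not match the requested range")
    lines = []
    for offset, block in enumerate(blocks):
        lines.append("ip traffic-filter create global "
                     f"src-ip {fmt(host_net)} dst-ip {fmt(block)} id {fwd_id + offset}")
    for offset, block in enumerate(blocks):
        lines.append("ip traffic-filter create global "
                     f"src-ip {fmt(block)} dst-ip {fmt(host_net)} id {rev_id + offset}")
    return lines


if __name__ == "__main__":
    # Addresses taken from the thread: one host in VLAN 300, eleven in VLAN 301.
    for line in build_filters("10.1.30.100", "10.1.31.100", "10.1.31.110"):
        print(line)
```

For the thread's addresses this yields four blocks per direction (two /30, one /31, one /32) instead of eleven host filters, with exactly the same set of permitted addresses.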
 