Alcatel-Lucent. Configuring Packet (IP) Filters | Networking in a Service Provider way
http://noshut.ru/2015/06/alcatel-lucent-configuring-packet-ip-filters/ (saved 12/26/2015, printed 7/25/2019)

Alcatel-Lucent. Configuring Packet (IP) Filters

Packet filters (or, in Cisco terminology, Access Control Lists, aka ACLs) are one of the most used tools in a network engineer's tool set. Blocking telnet/ssh access, restricting specific traffic flows, implementing policy-based routing or NAT: all of these tasks use IP filter capabilities.
In this example I'll show you how to configure a basic SSH-blocking IP filter on Alcatel-Lucent Service Routing OS running TiMOS-B-12.0.R8 both/i386 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent.

According to the topology provided, we will block SSH access to R1's system IP. This particular task could be done in various ways, but we will configure an IP filter on R2 (applied to R2's interface to_R4 in the incoming direction).

And the rule we will configure on R2 will be as follows:

If R2 receives a packet with TCP destination port equal to 22 on interface to_R4, it must drop it.

Let's begin with testing SSH access before any configuration is made:
A:R4# ssh 1.1.1.1
The authenticity of host '1.1.1.1 (1.1.1.1)' can't be established.
RSA key fingerprint is 9c:97:50:00:b0:f7:45:6f:9e:14:9a:06:11:ba:c6:e8.
Are you sure you want to continue connecting (yes/no)? yes
[email protected]'s password:
TiMOS-B-12.0.R8 both/i386 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent.
All rights reserved. All use subject to applicable license agreements.
Built on Fri Jan 9 09:55:30 PST 2015 by builder in /rel12.0/b1/R8/panos/main

This simulation software is the property of Alcatel. It may not
be sold, leased, loaned or licensed to any non-Alcatel entity.
A:R1# logout
Connection to 1.1.1.1 closed.

Working, as expected. Good. Now let's block SSH access via IP filter configuration on R2:

## Creating ip-filter
*A:R2# configure filter ip-filter 100 create
## Adding description (optional)
*A:R2>config>filter>ip-filter$ description "block ssh to 1.1.1.1/32"
## Adding name to this filter (optional)
*A:R2>config>filter>ip-filter$ filter-name block_ssh_to_R1
## Creating filter entry
*A:R2>config>filter>ip-filter$ entry 10 create
## Specifying match statement for TCP packets, since SSH uses TCP
*A:R2>config>filter>ip-filter>entry$ match protocol tcp
## In match context specifying SSH port number
*A:R2>config>filter>ip-filter>entry>match$ dst-port eq 22
## Optionally adding another match rule: destination IP of R1
*A:R2>config>filter>ip-filter>entry>match$ dst-ip 1.1.1.1/32
## Leaving "match" context and adding DROP action to this filter's entry
*A:R2>config>filter>ip-filter>entry>match$ back
*A:R2>config>filter>ip-filter>entry$ action drop
## Moving one step back to the filter's context and adding default action FORWARD, since the implicit default action is drop
*A:R2>config>filter>ip-filter>entry$ back
*A:R2>config>filter>ip-filter$ default-action forward
## Let's see the whole filter config at once
*A:R2# configure filter ip-filter 100
*A:R2>config>filter>ip-filter# info
----------------------------------------------
            filter-name "block_ssh_to_R1"
            default-action forward
            description "block ssh to 1.1.1.1/32"
            entry 10 create
                match protocol tcp
                    dst-ip 1.1.1.1/32
                    dst-port eq 22
                exit
                action drop
            exit
----------------------------------------------

We created a simple IP filter, but it was not applied to any interface. Let's do this:
*A:R2# configure router interface toR4
*A:R2>config>router>if# ingress filter ip
  "block_ssh_to_R1"  100          ## you can refer to ip filter by its name or id
*A:R2>config>router>if# ingress filter ip block_ssh_to_R1
## make sure that ip filter applied correctly
*A:R2>config>router>if# info
----------------------------------------------
            address 10.2.4.2/24
            port 1/1/3
            ingress
                filter ip 100
            exit
            no shutdown
----------------------------------------------

Done, the filter has been applied to the appropriate interface and should now be fully working. Now retry to make an SSH connection from R4 once again:

A:R4# ssh 1.1.1.1
Connect to address 1.1.1.1 failed          ## Our filter is working as expected

You use the command show filter to see the details of the newly created filter along with the number of packets matched:

*A:R2# show filter ip 100
===============================================================================
IP Filter
===============================================================================
Filter Id    : 100                       Applied        : Yes
Scope        : Template                  Def. Action    : Forward
Radius Ins Pt: n/a
CrCtl. Ins Pt: n/a
RadSh. Ins Pt: n/a
Entries      : 1
Description  : block ssh to 1.1.1.1/32
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 10
Description  : (Not Specified)
Log Id       : n/a
Src. IP      : 0.0.0.0/0
Src. Port    : n/a
Dest. IP     : 1.1.1.1/32
Dest. Port   : eq 22
Protocol     : 6                         Dscp           : Undefined
ICMP Type    : Undefined                 ICMP Code      : Undefined
Fragment     : Off                       Src Route Opt  : Off
Sampling     : Off                       Int. Sampling  : On
IP-Option    : 0/0                       Multiple Option: Off
TCP-syn      : Off                       TCP-ack        : Off
Option-pres  : Off
Match action : Drop
Ing. Matches : 2 pkts (156 bytes)        ## See matched SSH packets
Egr. Matches : 0 pkts
===============================================================================

MATCH-LIST AND PORT LIST

In the example above we used one IP address and one port to create our filter, but what if we need to match on a whole range of IP addresses and ports? You need to use match-list and port-list in this case:
*A:R1>config>filter# info
----------------------------------------------
        match-list
            ip-prefix-list "3_routes" create
                prefix 10.10.10.10/32
                prefix 20.20.20.20/32
                prefix 30.30.30.30/32
            exit
            port-list "allowed_ports" create
                port 22
                port 80
            exit
        exit
        ip-filter 10 create
            default-action forward
            entry 10 create
                match protocol tcp
                    dst-port port-list "allowed_ports"
                    src-ip ip-prefix-list "3_routes"
                exit
                action drop
            exit
        exit
----------------------------------------------
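The post shows the filters only as CLI configuration. The following is an added example of my own (not code from the post, from noshut.ru or from Alcatel-Lucent) that models how such a filter evaluates packets: entries are checked in ascending entry-id order, every criterion set in an entry must match, the first matching entry's action is taken, and default-action applies when nothing matches. It encodes both ip-filter 100 from the first part of the post and the match-list/port-list based ip-filter 10 above, and keeps a per-entry hit counter in the spirit of the "Ing. Matches" line of show filter. The Packet, Entry and IpFilter names and the sample packets are my own constructs, and the assumption that an unset default-action means drop reflects SR OS behaviour as I understand it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    """Constructed packet header; only the fields the filters look at."""
    src_ip: str
    dst_ip: str
    protocol: str                     # "tcp", "udp", "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _in_any(addr: str, prefixes) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in prefixes)


@dataclass
class Entry:
    """One `entry N create` block. Every criterion that is set must match (AND);
    an unset criterion matches anything (shown as 0.0.0.0/0 or n/a in show filter)."""
    entry_id: int
    action: str                                         # "drop" or "forward"
    protocol: Optional[str] = None
    src_prefixes: list = field(default_factory=list)    # src-ip / ip-prefix-list
    dst_prefixes: list = field(default_factory=list)    # dst-ip / ip-prefix-list
    src_ports: set = field(default_factory=set)         # src-port eq N / port-list
    dst_ports: set = field(default_factory=set)         # dst-port eq N / port-list

    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.src_prefixes and not _in_any(p.src_ip, self.src_prefixes):
            return False
        if self.dst_prefixes and not _in_any(p.dst_ip, self.dst_prefixes):
            return False
        if self.src_ports and p.src_port not in self.src_ports:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        return True


@dataclass
class IpFilter:
    """An `ip-filter N`: ordered entries plus a default action.
    Entries are evaluated in ascending entry-id order and the first match wins.
    Assumption: an unset default-action is drop, which is why the post sets
    `default-action forward` explicitly."""
    filter_id: int
    default_action: str = "drop"
    entries: list = field(default_factory=list)
    hits: dict = field(default_factory=dict)   # entry_id -> matched packets

    def apply(self, p: Packet) -> str:
        for e in sorted(self.entries, key=lambda en: en.entry_id):
            if e.matches(p):
                self.hits[e.entry_id] = self.hits.get(e.entry_id, 0) + 1
                return e.action
        return self.default_action


def filter_100() -> IpFilter:
    """ip-filter 100 from the post: drop TCP to 1.1.1.1/32 port 22, forward the rest."""
    return IpFilter(100, "forward", [
        Entry(10, "drop", protocol="tcp", dst_prefixes=["1.1.1.1/32"], dst_ports={22}),
    ])


def filter_10() -> IpFilter:
    """ip-filter 10 from the post: match-list / port-list version."""
    allowed_ports = {22, 80}                                              # port-list "allowed_ports"
    three_routes = ["10.10.10.10/32", "20.20.20.20/32", "30.30.30.30/32"]  # ip-prefix-list "3_routes"
    return IpFilter(10, "forward", [
        Entry(10, "drop", protocol="tcp", src_prefixes=three_routes, dst_ports=allowed_ports),
    ])


def evaluate(flt: IpFilter, packets) -> list:
    """Return the action taken for each packet, in order."""
    return [flt.apply(p) for p in packets]


if __name__ == "__main__":
    f = filter_100()
    ssh_from_r4 = Packet("10.2.4.4", "1.1.1.1", "tcp", 50000, 22)   # constructed sample
    print(evaluate(f, [ssh_from_r4, ssh_from_r4]), f.hits)          # ['drop', 'drop'] {10: 2}
    print(f.apply(Packet("10.2.4.4", "1.1.1.1", "tcp", 50001, 23)))  # forward: not port 22
```

Note that on R2 the filter is bound to the ingress of one interface only, so this model is checked against packets entering through that interface; SSH reaching R1 by any other path is not evaluated by it, which is exactly why the post says the task could be solved in several ways.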
And that's all for this quick IP filter tutorial. You can always ask questions via the comments form and explore new filter capabilities by hitting =)

noshut exit all
About the author: Roman Dodin, Network engineer at Alcatel-Lucent. You can reach me at LinkedIn: https://www.linkedin.com/in/rdodin