Nokia (Alcatel-Lucent). Configuring Packet (IP) Filters

Packet filters (or, in Cisco terminology, Access Control Lists, aka ACLs) are one of the most used tools in a network engineer’s tool set. Blocking telnet/ssh access, restricting specific traffic flows, implementing policy-based routing or NATing – all of these tasks rely on IP filter capabilities.

In this example I’ll show you how to configure a basic SSH-blocking IP filter on Alcatel-Lucent Service Routing OS running TiMOS-B-12.0.R8 both/i386 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent.

According to the topology provided, we will block SSH access to R1’s system IP. This particular task could be done in various ways, but we will configure an IP filter on R2 (applied to R2’s interface to_R4 in the incoming direction).

 

And the rule we will configure on R2 will be as follows:

  • If R2 receives a packet with TCP destination port equal to 22 on interface to_R4, it must drop it.

Let’s begin by testing SSH access before any configuration is made:

Working, as expected. Good. Now let’s block SSH access via IP filter configuration on R2:

We created a simple IP filter, but it has not been applied to any interface yet. Let’s do this:

Done, the filter has been applied to the appropriate interface and should now be fully working. Now retry the SSH connection on R4 once again:

Use the show filter command to see the details of the newly created filter along with the number of packets matched:

Match-list and Port list

In the example above we used one IP address and one port to create our filter, but what if we need to match on a whole range of IP addresses and ports? You need to use match-list and port-list in this case:
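A possible classic SR OS CLI configuration for the prefix-list and port-list case, including the ingress binding on to_R4 described earlier; this is an added example, not the author's original listing. The filter ID, the list names and the 192.0.2.x addresses are constructed placeholders, and the syntax should be checked against the running release.

```text
# Added example. Filter ID 100, list names and addresses are constructed.
configure filter
    match-list
        # Destinations to protect (placeholder documentation addresses)
        ip-prefix-list "protected-hosts" create
            prefix 192.0.2.1/32
            prefix 192.0.2.16/28
        exit
        # SSH (22) and telnet (23) as one contiguous range
        port-list "mgmt-ports" create
            port range 22 23
        exit
    exit
    ip-filter 100 create
        # An ip-filter drops by default. Without this line every packet
        # that matches no entry is discarded, not only SSH and telnet.
        default-action forward
        entry 10 create
            match protocol tcp
                dst-ip ip-prefix-list "protected-hosts"
                dst-port port-list "mgmt-ports"
            exit
            action drop
        exit
    exit
exit all

# Bind the filter to R2's interface towards R4, incoming direction
configure router interface "to_R4" ingress filter ip 100

# Check per-entry match counters after a connection attempt from R4
show filter ip 100
```

Matching on the destination prefix list keeps the drop scoped to the protected addresses; an entry that matches only on the destination port also blocks SSH to every other destination reached through to_R4.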

And that’s all for this quick IP filter tutorial. You can always ask questions via the comments form and explore new filter capabilities by hitting Tab =)


Roman Dodin

Network engineer at Nokia