
12/26/2015

Alcatel-Lucent. Configuring Packet (IP) Filters | Networking in a Service Provider way

Alcatel-Lucent. Configuring Packet (IP) Filters

Packet filters (or, in Cisco terminology, Access Control Lists, aka ACLs) are one of the most used tools in a network engineer's tool set. Blocking telnet/ssh access, restricting specific traffic flows, implementing policy-based routing or NATing: all of these tasks use IP filter capabilities.

In this example I'll show you how to configure a basic SSH-blocking IP filter on Alcatel-Lucent Service Routing OS running TiMOS-B-12.0.R8 both/i386 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent.

According to the topology provided, we will block SSH access to R1's system IP. This particular task could be done in various ways, but we will configure an IP filter on R2 (applied to R2's interface to_R4 in the incoming direction).

And the rule we will configure on R2 will be as follows:

If R2 receives a packet with TCP destination port equal to 22 on interface to_R4, it must drop it.

Let's begin with testing ssh access before any configuration is made:


A:R4# ssh 1.1.1.1
The authenticity of host '1.1.1.1 (1.1.1.1)' can't be established.
RSA key fingerprint is 9c:97:50:00:b0:f7:45:6f:9e:14:9a:06:11:ba:c6:e8.
Are you sure you want to continue connecting (yes/no)? yes

http://noshut.ru/2015/06/alcatel-lucent-configuring-packet-ip-filters/

TiMOS-B-12.0.R8 both/i386 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent.
All rights reserved. All use subject to applicable license agreements.
Built on Fri Jan 9 09:55:30 PST 2015 by builder in /rel12.0/b1/R8/panos/main

admin@1.1.1.1's password:

This simulation software is the property of Alcatel. It may not
be sold, leased, loaned or licensed to any non-Alcatel entity.
A:R1# logout
Connection to 1.1.1.1 closed.

Working, as expected. Good. Now let's block SSH access via IP filter configuration on R2:


## Creating ip-filter
*A:R2# configure filter ip-filter 100 create

## Adding description (optional)
*A:R2>config>filter>ip-filter$ description "block ssh to 1.1.1.1/32"

## Adding name to this filter (optional)
*A:R2>config>filter>ip-filter$ filter-name "block_ssh_to_R1"

## Creating filter entry
*A:R2>config>filter>ip-filter$ entry 10 create

## Specifying match statement for TCP packets, since SSH uses TCP
*A:R2>config>filter>ip-filter>entry$ match protocol "tcp"

## In match context specifying SSH port number
*A:R2>config>filter>ip-filter>entry>match$ dst-port eq 22

## optionally adding another match rule - Destination IP for R1
*A:R2>config>filter>ip-filter>entry>match$ dst-ip 1.1.1.1/32

## Leaving "match" context and adding DROP action to this filter's entry
*A:R2>config>filter>ip-filter>entry>match$ back
*A:R2>config>filter>ip-filter>entry$ action drop

## Moving one step back to filter's context and adding default action FORWARD, since implicitly it is DROP
*A:R2>config>filter>ip-filter>entry$ back
*A:R2>config>filter>ip-filter$ default-action forward

## Let's see the whole filter config at once
*A:R2# configure filter ip-filter 100
*A:R2>config>filter>ip-filter# info
----------------------------------------------
            filter-name "block_ssh_to_R1"
            default-action forward
            description "block ssh to 1.1.1.1/32"
            entry 10 create
                match protocol tcp
                    dst-ip 1.1.1.1/32
                    dst-port eq 22
                exit
                action drop
            exit
----------------------------------------------

We created a simple IP filter, but it is not yet applied to any interface. Let's do this:


*A:R2# configure router interface "toR4"
*A:R2>config>router>if# ingress filter ip
  "block_ssh_to_R1"     100          ## you can refer to ip filter by its name or id
*A:R2>config>router>if# ingress filter ip "block_ssh_to_R1"

## make sure that ip filter applied correctly
*A:R2>config>router>if# info
----------------------------------------------
            address 10.2.4.2/24
            port 1/1/3
            ingress
                filter ip 100
            exit
            no shutdown
----------------------------------------------

Done, the filter has been applied to the appropriate interface and should now be fully working. Now retry the ssh connection from R4 once again:

A:R4# ssh 1.1.1.1
Connect to address 1.1.1.1 failed        ## Our filter is working as expected

You can use the show filter command to see the details of the newly created filter along with the number of packets matched:

*A:R2# show filter ip 100

===============================================================================
IP Filter
===============================================================================
Filter Id    : 100                          Applied        : Yes
Scope        : Template                     Def. Action    : Forward
Radius Ins Pt: n/a
CrCtl. Ins Pt: n/a
RadSh. Ins Pt: n/a
Entries      : 1
Description  : block ssh to 1.1.1.1/32
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry        : 10
Description  : (Not Specified)
Log Id       : n/a
Src. IP      : 0.0.0.0/0
Src. Port    : n/a
Dest. IP     : 1.1.1.1/32
Dest. Port   : eq 22
Protocol     : 6                            Dscp           : Undefined
ICMP Type    : Undefined                    ICMP Code      : Undefined
Fragment     : Off                          Src Route Opt  : Off
Sampling     : Off                          Int. Sampling  : On
IP-Option    : 0/0                          Multiple Option: Off
TCP-syn      : Off                          TCP-ack        : Off
Option-pres  : Off
Match action : Drop
Ing. Matches : 2 pkts (156 bytes)           ## See matched SSH packets
Egr. Matches : 0 pkts

===============================================================================

MATCH-LIST AND PORT-LIST

In the example above we used one IP address and one port to create our filter, but what if we need to match on a whole range of IP addresses and ports? You need to use a match-list and a port-list in this case:


*A:R1>config>filter# info
----------------------------------------------
        match-list
            ip-prefix-list "3_routes" create
                prefix 10.10.10.10/32
                prefix 20.20.20.20/32
                prefix 30.30.30.30/32
            exit
            port-list "allowed_ports" create
                port 22
                port 80
            exit
        exit
        ip-filter 10 create
            default-action forward
            entry 10 create
                match protocol tcp
                    dst-port port-list "allowed_ports"
                    src-ip ip-prefix-list "3_routes"
                exit
                action drop
            exit
        exit
----------------------------------------------
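To make the evaluation order and the implicit default-action concrete, here is an added Python model (not the post's or SR OS's code) that parses the two info outputs above, re-typed as constructed input, and runs sample packets through them; it covers only the criteria used on this page (protocol, src-ip/dst-ip, dst-port with eq, ip-prefix-list and port-list), and the packet format {src, dst, proto, dport} is an assumption of the example.

```python
import ipaddress
# Added example (not the post's code): a model of SR OS ip-filter evaluation fed the two "info" outputs above.
FILTER_100 = """default-action forward
entry 10 create
    match protocol tcp
        dst-ip 1.1.1.1/32
        dst-port eq 22
    exit
    action drop
exit"""
FILTER_10 = """default-action forward
entry 10 create
    match protocol tcp
        dst-port port-list "allowed_ports"
        src-ip ip-prefix-list "3_routes"
    exit
    action drop
exit"""
MATCH_LISTS = {"ip-prefix-list": {"3_routes": ["10.10.10.10/32", "20.20.20.20/32", "30.30.30.30/32"]},
               "port-list": {"allowed_ports": [22, 80]}}   # constructed from the match-list config above
def parse_ip_filter(text, lists=MATCH_LISTS):
    """Parse ip-filter 'info' output into (default_action, entries); default is drop unless configured."""
    default, entries, cur = "drop", [], None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "default-action":
            default = tok[1]
        elif tok[0] == "entry":
            entries.append(cur := {"id": int(tok[1])})
        elif tok[0] == "match":                   # "match" or "match protocol tcp"
            cur["protocol"] = tok[2] if len(tok) > 2 else None
        elif tok[0] in ("src-ip", "dst-ip"):      # literal prefix or ip-prefix-list "name"
            cur[tok[0]] = lists["ip-prefix-list"][tok[2].strip('"')] if tok[1] == "ip-prefix-list" else [tok[1]]
        elif tok[0] in ("src-port", "dst-port"):  # "eq N" or port-list "name"
            cur[tok[0]] = lists["port-list"][tok[2].strip('"')] if tok[1] == "port-list" else [int(tok[2])]
        elif tok[0] == "action":
            cur["action"] = tok[1]
    return default, sorted(entries, key=lambda e: e["id"])   # lowest entry id is checked first

def matches(e, pkt):   # every criterion configured in entry e must hold for pkt
    inside = lambda a, ps: any(ipaddress.ip_address(a) in ipaddress.ip_network(p) for p in ps)
    return ((not e.get("protocol") or e["protocol"] == pkt["proto"])
            and ("src-ip" not in e or inside(pkt["src"], e["src-ip"]))
            and ("dst-ip" not in e or inside(pkt["dst"], e["dst-ip"]))
            and ("dst-port" not in e or pkt["dport"] in e["dst-port"]))

def evaluate(filter_text, pkt, lists=MATCH_LISTS):
    """(action, entry id) for pkt = {src, dst, proto, dport}: first match wins, else default-action."""
    default, entries = parse_ip_filter(filter_text, lists)
    hit = next((e for e in entries if matches(e, pkt)), None)
    return (hit["action"], hit["id"]) if hit else (default, None)
```

Removing the default-action line from FILTER_100 before calling evaluate shows why the post sets it explicitly: every non-SSH packet then comes back as drop.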


And that's all for this quick IP filter tutorial. You can always ask questions via the comments form and explore new filter capabilities by hitting Tab =)
noshut# exit all

About the author: Roman Dodin, Network engineer at Alcatel-Lucent.
