Nortel IP Filters


(OP)
thread902-1424348: 8600 src/dst acl?

I use this reference to create an access list and I can't get communication to stop between my selected VLANs. Do I need the advanced licence on my 8600 to allow the access list to work?


filter acl 1 create inVlan act 4092
filter acl 1 vlan add 300-301
filter acl 1 ace 1 action permit stop-on-match true
filter acl 1 ace 1 ip src-ip eq 10.1.30.100
filter acl 1 ace 1 ip dst-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 1 enable
filter acl 1 ace 2 action permit stop-on-match true
filter acl 1 ace 2 ip src-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 2 ip dst-ip eq 10.1.30.100
filter acl 1 ace 2 enable
filter acl 1 ace 3 action deny stop-on-match true
filter acl 1 ace 3 ip src-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 3 ip dst-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 3 enable
filter acl 1 ace 4 action deny stop-on-match true
filter acl 1 ace 4 ip src-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 4 ip dst-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 4 enable

Best regards,
Steve
Nortel

RE: Nortel IP Filters

Hi,

No, there's no need for an advanced licence in order to perform traffic filtering.
I usually prefer to use the ip traffic-filter feature for this purpose.

ip traffic-filter create global src-ip 10.1.30.0/255.255.255.0 dst-ip 10.1.31.0/255.255.255.0 id 255
ip traffic-filter 255 action mode drop

ip traffic-filter create global src-ip 10.1.31.0/255.255.255.0 dst-ip 10.1.30.0/255.255.255.0 id 256
ip traffic-filter 256 action mode drop

ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.100/255.255.255.255 id 100
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.101/255.255.255.255 id 101
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.102/255.255.255.255 id 102
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.103/255.255.255.255 id 103
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.104/255.255.255.255 id 104
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.105/255.255.255.255 id 105
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.106/255.255.255.255 id 106
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.107/255.255.255.255 id 107
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.108/255.255.255.255 id 108
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.109/255.255.255.255 id 109
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.110/255.255.255.255 id 110

ip traffic-filter create global src-ip 10.1.31.100/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 200
ip traffic-filter create global src-ip 10.1.31.101/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 201
ip traffic-filter create global src-ip 10.1.31.102/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 202
ip traffic-filter create global src-ip 10.1.31.103/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 203
ip traffic-filter create global src-ip 10.1.31.104/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 204
ip traffic-filter create global src-ip 10.1.31.105/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 205
ip traffic-filter create global src-ip 10.1.31.106/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 206
ip traffic-filter create global src-ip 10.1.31.107/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 207
ip traffic-filter create global src-ip 10.1.31.108/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 208
ip traffic-filter create global src-ip 10.1.31.109/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 209
ip traffic-filter create global src-ip 10.1.31.110/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 210

ip traffic-filter global-set 100 create name "My Filter"
ip traffic-filter global-set 100 add-filter 100
ip traffic-filter global-set 100 add-filter 101
ip traffic-filter global-set 100 add-filter 102
ip traffic-filter global-set 100 add-filter 103
ip traffic-filter global-set 100 add-filter 104
ip traffic-filter global-set 100 add-filter 105
ip traffic-filter global-set 100 add-filter 106
ip traffic-filter global-set 100 add-filter 107
ip traffic-filter global-set 100 add-filter 108
ip traffic-filter global-set 100 add-filter 109
ip traffic-filter global-set 100 add-filter 110
ip traffic-filter global-set 100 add-filter 200
ip traffic-filter global-set 100 add-filter 201
ip traffic-filter global-set 100 add-filter 202
ip traffic-filter global-set 100 add-filter 203
ip traffic-filter global-set 100 add-filter 204
ip traffic-filter global-set 100 add-filter 205
ip traffic-filter global-set 100 add-filter 206
ip traffic-filter global-set 100 add-filter 207
ip traffic-filter global-set 100 add-filter 208
ip traffic-filter global-set 100 add-filter 209
ip traffic-filter global-set 100 add-filter 210
ip traffic-filter global-set 100 add-filter 255
ip traffic-filter global-set 100 add-filter 256

Then apply it to the ports you need:

ethernet 1/1 ip traffic-filter create
ethernet 1/1 ip traffic-filter add set 100
ethernet 1/1 ip traffic-filter default-action forward

etc.

This becomes heavy as you have to write a filter for each source/destination address, unless you can use a full subnet (here addresses 10.1.31.100 -> 10.1.31.110 can't be declared as a subnet).
Anyway it works fine.


If you use ACE/ACL, I think you have to first create an ACT, then your ACL containing ACEs, then apply the ACT.
I haven't used this kind of configuration yet; you can find more about it in the Nortel/Avaya document called NN46205-507 (Nortel Ethernet Routing Switch 8600 : Configuration — QoS and IP Filtering for R and RS Modules).


Cheers,

y/
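
Added example, not part of the original posts: the range 10.1.31.100-10.1.31.110 is not a single subnet, but it splits into a few mask-aligned blocks, which cuts the per-host filter list while permitting exactly the same addresses. The function names are hypothetical, and it is an assumption that ip traffic-filter accepts masks such as 255.255.255.252 (the thread only shows 255.255.255.0 and 255.255.255.255); check this on your software release.

```python
import ipaddress


def range_to_filters(fixed_host, first, last, start_id, set_id):
    """Build filter commands for fixed_host <-> [first, last] in both directions.

    Returns (blocks, commands). Command syntax is copied from the reply above;
    mask-aligned blocks other than /24 and /32 are an assumption.
    """
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    host_spec = f"{ipaddress.IPv4Address(fixed_host)}/255.255.255.255"
    commands, next_id = [], start_id
    for block in blocks:
        spec = f"{block.network_address}/{block.netmask}"
        for src, dst in ((host_spec, spec), (spec, host_spec)):
            commands.append(
                f"ip traffic-filter create global src-ip {src} "
                f"dst-ip {dst} id {next_id}")
            commands.append(
                f"ip traffic-filter global-set {set_id} add-filter {next_id}")
            next_id += 1
    return blocks, commands


def covers_exactly(blocks, first, last):
    """True only if the blocks permit every address in the range and no others.

    This is the check that matters: a summarised permit must never be wider
    than the range it replaces.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    covered = sorted(int(a) for b in blocks for a in b)
    return covered == list(range(lo, hi + 1))


if __name__ == "__main__":
    # Addresses taken from the thread.
    blocks, commands = range_to_filters(
        "10.1.30.100", "10.1.31.100", "10.1.31.110", start_id=100, set_id=100)
    assert covers_exactly(blocks, "10.1.31.100", "10.1.31.110")
    print("\n".join(commands))
```

For the thread's range this yields four blocks and eight permit filters instead of twenty-two; the two subnet-wide drop filters (255 and 256) are still needed as in the reply.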
