rennemings (IS/IT--Management)
26 Jun 12 17:43
thread902-1424348: 8600 src/dst acl?

I use this reference to create an access list and I can't get communication to stop between my selected VLANs. Do I need the advanced licence on my 8600 to allow the access list to work?


filter acl 1 create inVlan act 4092
filter acl 1 vlan add 300-301
filter acl 1 ace 1 action permit stop-on-match true
filter acl 1 ace 1 ip src-ip eq 10.1.30.100
filter acl 1 ace 1 ip dst-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 1 enable
filter acl 1 ace 2 action permit stop-on-match true
filter acl 1 ace 2 ip src-ip eq 10.1.31.100-10.1.31.110
filter acl 1 ace 2 ip dst-ip eq 10.1.30.100
filter acl 1 ace 2 enable
filter acl 1 ace 3 action deny stop-on-match true
filter acl 1 ace 3 ip src-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 3 ip dst-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 3 enable
filter acl 1 ace 4 action deny stop-on-match true
filter acl 1 ace 4 ip src-ip eq 10.1.31.0-10.1.31.255
filter acl 1 ace 4 ip dst-ip eq 10.1.30.0-10.1.30.255
filter acl 1 ace 4 enable

Best regards,
Steve
Nortel
Yaoul (TechnicalUser)
26 Jul 12 10:51
Hi,

No, there's no need for an advanced licence in order to perform traffic filtering.
I usually prefer to use the ip traffic-filter feature for this purpose.

ip traffic-filter create global src-ip 10.1.30.0/255.255.255.0 dst-ip 10.1.31.0/255.255.255.0 id 255
ip traffic-filter 255 action mode drop

ip traffic-filter create global src-ip 10.1.31.0/255.255.255.0 dst-ip 10.1.30.0/255.255.255.0 id 256
ip traffic-filter 256 action mode drop

ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.100/255.255.255.255 id 100
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.101/255.255.255.255 id 101
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.102/255.255.255.255 id 102
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.103/255.255.255.255 id 103
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.104/255.255.255.255 id 104
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.105/255.255.255.255 id 105
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.106/255.255.255.255 id 106
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.107/255.255.255.255 id 107
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.108/255.255.255.255 id 108
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.109/255.255.255.255 id 109
ip traffic-filter create global src-ip 10.1.30.100/255.255.255.255 dst-ip 10.1.31.110/255.255.255.255 id 110

ip traffic-filter create global src-ip 10.1.31.100/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 200
ip traffic-filter create global src-ip 10.1.31.101/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 201
ip traffic-filter create global src-ip 10.1.31.102/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 202
ip traffic-filter create global src-ip 10.1.31.103/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 203
ip traffic-filter create global src-ip 10.1.31.104/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 204
ip traffic-filter create global src-ip 10.1.31.105/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 205
ip traffic-filter create global src-ip 10.1.31.106/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 206
ip traffic-filter create global src-ip 10.1.31.107/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 207
ip traffic-filter create global src-ip 10.1.31.108/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 208
ip traffic-filter create global src-ip 10.1.31.109/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 209
ip traffic-filter create global src-ip 10.1.31.110/255.255.255.255 dst-ip 10.1.30.100/255.255.255.255 id 210

ip traffic-filter global-set 100 create name "My Filter"
ip traffic-filter global-set 100 add-filter 100
ip traffic-filter global-set 100 add-filter 101
ip traffic-filter global-set 100 add-filter 102
ip traffic-filter global-set 100 add-filter 103
ip traffic-filter global-set 100 add-filter 104
ip traffic-filter global-set 100 add-filter 105
ip traffic-filter global-set 100 add-filter 106
ip traffic-filter global-set 100 add-filter 107
ip traffic-filter global-set 100 add-filter 108
ip traffic-filter global-set 100 add-filter 109
ip traffic-filter global-set 100 add-filter 110
ip traffic-filter global-set 100 add-filter 200
ip traffic-filter global-set 100 add-filter 201
ip traffic-filter global-set 100 add-filter 202
ip traffic-filter global-set 100 add-filter 203
ip traffic-filter global-set 100 add-filter 204
ip traffic-filter global-set 100 add-filter 205
ip traffic-filter global-set 100 add-filter 206
ip traffic-filter global-set 100 add-filter 207
ip traffic-filter global-set 100 add-filter 208
ip traffic-filter global-set 100 add-filter 209
ip traffic-filter global-set 100 add-filter 210
ip traffic-filter global-set 100 add-filter 255
ip traffic-filter global-set 100 add-filter 256

Then apply it to the ports you need:

ethernet 1/1 ip traffic-filter create
ethernet 1/1 ip traffic-filter add set 100
ethernet 1/1 ip traffic-filter default-action forward

etc.

This becomes heavy as you have to write a filter for each source/destination address, unless you can use a full subnet (here addresses 10.1.31.100 -> 10.1.31.110 can't be declared as a subnet).
Anyway it works fine.


If you use ACE/ACL, I think you have to first create an ACT, then your ACL containing ACEs, then apply ACT.
I haven't used this kind of configuration yet; you can find more about it in the Nortel/Avaya document called NN46205-507 (Nortel Ethernet Routing Switch 8600 : Configuration — QoS and IP Filtering for R and RS Modules).


Cheers,

y/
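
Added example (not part of either post, and not Nortel/Avaya code): the range 10.1.31.100 to 10.1.31.110 is not one subnet, but it splits into four aligned blocks, so the 22 per-host filters above could shrink to 8 without matching any extra host. It assumes the switch accepts any contiguous mask in the address/mask form the post uses (the post only shows /24 and /32 masks); the function names and the filter ids 100+ and 200+ are constructed for illustration.

```python
import ipaddress

def cover_range(first, last):
    """Fewest subnets that cover first..last exactly, with no extra hosts."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def covered_hosts(nets):
    """Every address the subnets match, so over-matching can be checked."""
    return [str(addr) for net in nets for addr in net]

def filter_lines(host, nets, fwd_id=100, rev_id=200):
    """Render both directions in the 'ip traffic-filter create global' form
    from the post. Masks other than /24 and /32 are an assumption here."""
    single = f"{host}/255.255.255.255"
    blocks = [f"{n.network_address}/{n.netmask}" for n in nets]
    lines = []
    # host -> range
    for i, block in enumerate(blocks):
        lines.append("ip traffic-filter create global "
                     f"src-ip {single} dst-ip {block} id {fwd_id + i}")
    # range -> host
    for i, block in enumerate(blocks):
        lines.append("ip traffic-filter create global "
                     f"src-ip {block} dst-ip {single} id {rev_id + i}")
    return lines

if __name__ == "__main__":
    nets = cover_range("10.1.31.100", "10.1.31.110")
    # Confirm the cover is exact before generating any filter lines.
    expected = [f"10.1.31.{i}" for i in range(100, 111)]
    assert covered_hosts(nets) == expected, "cover matches extra hosts"
    for line in filter_lines("10.1.30.100", nets):
        print(line)
```
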
