Accelar(passport) switch IP Filter?


(OP)
Does anyone have a handle on this IP filtering option of the Accelar(Passport)1200 switch?  I need to separate 2 logical ip networks that run on the same physical network.
172.20.188.0 (255.255.252.0)  
192.0.150.0 (255.255.255.0)

The problem is, I have a router that they BOTH need to access on the 172.20.188.0 network....

I do not want any of the machines on the 192.0.15.0 network to see ANY addresses on the 172.20.188.0 network EXCEPT the router (172.20.188.1).

I thought that I may be able to use the IP filtering on a port level, telling the switch to drop all traffic from 172.20.188.0 except for 172.20.188.1.   IS THIS POSSIBLE?

If so, can you explain?

Thanks!

RE: Accelar(passport) switch IP Filter?

Wow, you started 21 threads and never found a post useful, I am feeling challenged!

http://www.nortelnetworks.com/solutions/lan/collateral/ppaipfwp.pdf

is the best Nortel supplied tutorial that I found. (in the fine print, Global filters have NEVER worked, ignore them)

All filters are applied as the packet enters the switch, and the switch applies specific masks before it applies less specific masks.

One way to interpret your request is that one port has all the 172.20.188.0 network behind it and all we wish to pass is one address, 172.20.188.1. We can do so by putting a source filter on THAT port which accepts a source of 172.20.188.1 mask 255.255.255.255 but has a default action of drop. Then any packet not from the router is dropped. (Note: technically you can still send to the other network, they just can't reply.)

If the port to 172.20.188.0 also has some 192.0.15.0 addresses on it, it gets trickier, as you need a filter for 172.20.188.1 mask 255.255.255.255, but now the default is forward. This just lets .1 by, and an IP filter for 172.20.188.0 mask 255.255.255.0 to drop with a default to forward; this wipes out the rest of the network. Packets not for 172.20.188.0 fail both filters and are forwarded. (Again, technically you can still send, but they can't reply.)

One could attempt to apply a destination filter pair to every other port of the 192.0.15.0 net to block in both directions, but as there are no successful one-way conversations, a one-way block should be enough.


Now let's assume only one port has 192.0.15.0 traffic and you wish them to only find 172.20.188.1, but not the rest of the switch.

You can put a destination filter on the port with a default of drop and a destination of 172.20.188.1 mask 255.255.255.255. (Again, the 172.20.188.0 can still send to 192.0.15.0, but they can't reply.)

If none of my interpretations are correct, try to explain in detail which ports are 172.20.188.0, which are 192.0.15.0 and if any are both.

Any help?  I confess that while I use IP filters, I only have one subnet that I provide for a subcontractor, that I allow internet access but not local access to the other 32 subnets, but I use this concept.  My main use of IP filters is to raise the priority of the VoIP traffic, where both the action and the default are Forward.

I tried to remain child-like, all I achieved was childish.
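
Added example (not part of the reply above and not Nortel's implementation): a small Python model of the matching rule that reply describes, where the most specific mask is tried first and the port's default action applies when nothing matches. It also runs the reply's filter pair against the 255.255.252.0 mask given in the original question, which leaves the 172.20.189.0 to 172.20.191.0 blocks forwarded unless the drop filter's mask is widened; the class, function names and host addresses are constructed for illustration.

```python
import ipaddress

FORWARD, DROP = "forward", "drop"


class PortSourceFilters:
    """Toy model of source filters on one ingress port (not switch code)."""

    def __init__(self, default_action):
        self.default_action = default_action
        self.filters = []  # (network, action), most specific mask first

    def add(self, address, mask, action):
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        self.filters.append((net, action))
        self.filters.sort(key=lambda f: f[0].prefixlen, reverse=True)

    def decide(self, src_ip):
        src = ipaddress.ip_address(src_ip)
        for net, action in self.filters:
            if src in net:
                return action
        return self.default_action  # no filter matched


def filter_pair(drop_mask):
    """Second case in the reply: pass .1, drop the rest, default forward."""
    port = PortSourceFilters(default_action=FORWARD)
    port.add("172.20.188.1", "255.255.255.255", FORWARD)
    port.add("172.20.188.0", drop_mask, DROP)
    return port


def leaking_blocks(port, network="172.20.188.0/255.255.252.0"):
    """List /24 blocks of the OP's network whose sample host (.10) is forwarded."""
    blocks = ipaddress.ip_network(network).subnets(new_prefix=24)
    return [str(b) for b in blocks if port.decide(b.network_address + 10) == FORWARD]


if __name__ == "__main__":
    as_posted = filter_pair("255.255.255.0")
    for src in ("172.20.188.1", "172.20.188.77", "192.0.15.20"):  # constructed hosts
        print(src, as_posted.decide(src))
    print("as posted:", leaking_blocks(as_posted))
    print("mask 255.255.252.0:", leaking_blocks(filter_pair("255.255.252.0")))
```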

RE: Accelar(passport) switch IP Filter?

(OP)
Hey!
Thanks A LOT!!  I am not sure WHY you think I do not find the posts useful... I ALWAYS do!  Is there something that I have not posted somewhere saying that they are?

Anyway, the info you gave me was great, I am however having a problem:

I cannot seem to get my port to have a default action of DROP.  I assign it this action, then check the info on it and it says the default-action is in fact drop, but then when I assign a filter to it, the default action is automatically switched to forward....

I have this network (192.168.150.0/24 - I know it's different than before..) which will be only behind port 3/15 on the switch... this network needs to access the WAN via IP address 172.20.188.1 (next router).  I need to PREVENT anyone on the 172.20.188.0/22 network from seeing the 192.168.150.0/24 network, and I thought the best way to do that would be to create a destination filter for the 3/15 port which has the address of the network on the other side of the WAN that it needs to access.  Then I would tell the port to DROP all other traffic by default... I was assuming that if my DESTINATION was within the scope of the filter, then it would pass the traffic even if it has to go to 172.20.188.1 to get there, since the routing table will tell it that.  Is this right??

I REALLY APPRECIATE ALL OF YOUR HELP!!!  lol!

Dave

RE: Accelar(passport) switch IP Filter?

You have the option to mark useful posts in the lower left corner; you never have.

I tried to remain child-like, all I achieved was childish.

RE: Accelar(passport) switch IP Filter?

(OP)
Ahh... never actually took notice of that... thanks!  And I gave you a good post click.

RE: Accelar(passport) switch IP Filter?

I have looked at my Accelars; I cannot find where I ever used drop as a default action. Trying it out it refuses to accept it and changes it back.  

"Default action of drop is functional in ARU3 The action of not supported in ARU2." in the PDF I referenced you to, sigh.

Your accelar must be a similar age to mine, -A is ARU2  -B is ARU3

I tried to remain child-like, all I achieved was childish.

RE: Accelar(passport) switch IP Filter?

(OP)
Yes, mine is OLD too!  lol  Anyway, I have what may turn out to be an easier solution.  Is there a way to just separate these networks logically?  I tried to assign another IP address to my default VLAN, but it said that "multinetting" is not supported... my plan was to have it respond to this second IP address, then apply filters across all ports in the switch:

one dropping traffic from 192.168.151.0 to 172.20.188.0

one dropping traffic from 172.20.188.0 to 192.168.151.0 (in case there was something I was not thinking of)

I assume traffic with a destination ip of a network across the WAN would be forwarded via 172.20.188.1 (Wan router) since the actual DESTINATION address is not 172.20.188.1 but only uses this address to get to the destination.

Anyway, so I can separate them logically instead of physically.  I am just not real experienced with this technique...  Can I do this with filters?  OR, is there a better way??

Thanks again for all your help!!

Dave
