[alcatel-nsp] ACL/Rule Set

Garcia Del Rio, Diego (Diego) diego.garcia_del_rio at alcatel-lucent.com
Fri Apr 26 14:44:43 EDT 2013

Keep in mind that Management access filters apply to both out-of-band AND in-band connections, and also include any control-plane protocols. So you'll need to open things like OSPF, BGP, etc.

If I'm not mistaken, there is a "source port" on the match parameters, so you can have a couple of entries matching src-port "cpm" (this means the OOB port on the CPM) and then a drop-all on anything else on the CPM port. Then do matches (or an allow all) on the in-band traffic. For in-band traffic we recommend you use the cpm-filters which are based on hardware.

Please be careful when doing these kinds of changes so as not to log yourself out of the box.

In particular, you might want to use a cron-job to "disable" the MAF and CPM filters every 10 minutes in case you lock yourself out. Even if you have OOB serial connectivity, if you're using RADIUS or other login authentication methods with no fallback, you might not even be able to log in to the box itself if you break things badly enough.

Best Regards

755 Ravendale Drive
Mountain View CA 94043
Mobile: +1 (415) 439-9420
OnNet: 2852-2726
diego at nuagenetworks.net | diego.garcia_del_rio at alcatel-lucent.com

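The layout Diego describes above, written out as an added example for the thread (this is not configuration posted by anyone in the thread or shipped by Alcatel-Lucent): MAF entries keyed on src-port "cpm" for the OOB port, a drop-all for anything else arriving on that port, and a hardware cpm-filter for in-band traffic that explicitly opens the control-plane protocols. The cpm-filter in the snippet quoted further down governs in-band traffic, which is consistent with the OOB Telnet session there continuing to work; only the MAF sees the OOB port. Keyword spellings, entry numbers and the 192.0.2.0/24 NOC prefix are assumptions to be checked against the security guide for the SR OS release in use; Diego's cron failsafe is not shown.

```sros
# Added example, not from the thread. Assumed: 192.0.2.0/24 is the NOC
# management prefix; keywords follow classic SR OS CLI and must be verified
# against the release's documentation.
configure
    system
        security
            # MAF: the only filter that sees traffic arriving on the OOB CPM port.
            # Entries are evaluated in ascending order; the first match wins.
            management-access-filter
                ip-filter
                    default-action permit
                    entry 10 create
                        description "OOB: SSH from the NOC prefix only"
                        src-port cpm
                        src-ip 192.0.2.0/24
                        protocol tcp
                        dst-port 22 65535
                        action permit
                    exit
                    entry 20 create
                        description "OOB: drop everything else on the CPM port"
                        src-port cpm
                        action deny
                    exit
                    # No entry matches in-band traffic, so it falls through to
                    # default-action permit here and is filtered by the
                    # hardware cpm-filter below instead.
                    no shutdown
                exit
            exit
            # cpm-filter: hardware filter for in-band traffic destined to the CPM.
            # With default-action drop, every control-plane protocol in use
            # (OSPF, BGP, and anything else such as LDP, NTP or SNMP) needs an
            # explicit accept entry; the list below is illustrative only.
            cpm-filter
                ip-filter
                    default-action drop
                    entry 10 create
                        action accept
                        description "OSPF adjacencies"
                        match protocol ospf-igp
                        exit
                    exit
                    entry 20 create
                        action accept
                        description "BGP sessions the peer initiated"
                        match protocol tcp
                            dst-port 179 65535
                        exit
                    exit
                    entry 21 create
                        action accept
                        description "BGP sessions this router initiated"
                        match protocol tcp
                            src-port 179 65535
                        exit
                    exit
                    entry 30 create
                        action accept
                        description "In-band SSH from the NOC prefix"
                        match protocol tcp
                            src-ip 192.0.2.0/24
                            dst-port 22 65535
                        exit
                    exit
                    # Telnet (tcp/23) has no accept entry, so it is dropped by
                    # default-action; no explicit drop entry is needed.
                    no shutdown
                exit
            exit
        exit
    exit
exit
```

Entry order matters in both filters: the OOB permit (entry 10) must sit below the OOB deny (entry 20) numerically, and the in-band SSH accept must exist before the cpm-filter default-action drop takes effect. A sensible sequence is to add the permit/accept entries first, confirm a fresh SSH session from the NOC prefix still succeeds over both OOB and in-band, and only then add the OOB deny entry and the default-action drop.
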
From: alcatel-nsp [mailto:alcatel-nsp-bounces at puck.nether.net] On Behalf Of Coulter, John (John)
Sent: Friday, 26 April 2013 6:03 AM
To: Amit Dhamija; alcatel-nsp at puck.nether.net
Subject: Re: [alcatel-nsp] ACL/Rule Set


To filter traffic on the mgmt port you use management access filter under:

configure system security management-access-filter


From: alcatel-nsp [mailto:alcatel-nsp-bounces at puck.nether.net] On Behalf Of Amit Dhamija
Sent: Friday, April 26, 2013 7:43 AM
To: alcatel-nsp at puck.nether.net
Subject: Re: [alcatel-nsp] ACL/Rule Set


I managed to get the config. I am facing one issue while applying the filters under CPM to restrict SSH/Telnet access: I am able to do it for the system and interface addresses. I am using out-of-band management; if I want to restrict the same, how do I do it?

In the below statement I am dropping all TCP port 23, but out-of-band management is still working.

                    entry 20 create
                        action drop
                        description "Telnet-Access"
                        match protocol tcp
                            dst-port 23 65535
                    entry 21 create
                        action drop
                        description "Untrusted Telnet access"
                        match protocol tcp
                            dst-port 23 65535


On Fri, Apr 26, 2013 at 1:24 PM, Amit Dhamija <amiitdhamija at gmail.com> wrote:

Could you please help me with the config for how to apply ACLs or rule sets for protocols such as SNMP, NTP, Telnet server, etc. in ALU.

Also, if I want to apply an ACL on an interface/MDA port, what is the configuration for that?

