Management Access Filter commands

management-access-filter

Syntax

[no] management-access-filter

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure management access filters and reset match criteria.

Management access filters control all management traffic in and out of the node. They can be used to restrict management of the router by other nodes to specific source subnetworks or to designated ingress ports.

Management filters, as opposed to other traffic filters, are enforced by system software.

The no form of this command removes management access filters from the configuration.

ip-filter

Syntax

[no] ip-filter

Context

config>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure management access IP filter parameters.

ipv6-filter

Syntax

[no] ipv6-filter

Context

config>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T

Description

Commands in this context configure management access IPv6 filter parameters.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

default-action

Syntax

default-action {permit | deny | deny-host-unreachable}

Context

config>system>security>mgmt-access-filter>ip-filter

config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.

This command enables the default action for management access in the absence of a specific management access filter match.

The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

Parameters

permit

Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted.

deny

Specifies that packets not matching the selection criteria are denied and that an ICMP host unreachable message is not issued.

deny-host-unreachable

Specifies that packets not matching the selection criteria are denied and a host unreachable message is issued.

entry

Syntax

[no] entry entry-id

Context

config>system>security>mgmt-access-filter>ip-filter

config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.

This command creates or edits a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7210 SAS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the specified entry from the management access filter.

Parameters

entry-id

Specifies an entry ID that uniquely identifies a set of match criteria and the corresponding action. Nokia recommends that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Values

1 to 9999

action

Syntax

action {permit | deny | deny-host-unreachable}

no action

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command enables the context associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

If the packet does not meet any of the match criteria, the configured default action is applied.

Parameters

permit

Specifies that packets matching the configured criteria are permitted.

deny

Specifies that packets matching the configured selection criteria are denied and that an ICMP host unreachable message is issued.

deny-host-unreachable

Specifies that packets matching the configured selection criteria are denied and that a host unreachable message is not issued.

dst-port

Syntax

[no] dst-port port [mask]

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command configures a source TCP or UDP port number or port range for a management access filter match criterion.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the source port match criterion.

Parameters

port

Specifies the source TCP or UDP port number as the match criterion.

Values

1 to 65535 (decimal)

mask

Specifies a range of source port numbers as the match criterion.

This 16-bit mask can be configured using the formats in the following table.

Table: Mask formats

Format style   Format syntax        Example
Decimal        DDDDD                63488
Hexadecimal    0xHHHH               0xF800
Binary         0bBBBBBBBBBBBBBBBB   0b1111100000000000

To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.

Default

65535 (exact match)

Values

1 to 65535 (decimal)
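The following added example (not Nokia code) models the filter semantics described above for entry, action, default-action and the dst-port mask: entries are evaluated in ascending entry-id order, the first complete matching entry decides, entries without an action are inactive, and default-action covers anything unmatched. The policy, packets and field names (src, protocol, dport) are constructed for illustration; the 1024 0xFC00 range mask is the one quoted on this page.

```python
import ipaddress

# Constructed model of management access filter evaluation (illustration only).
# An entry is a dict of optional match criteria plus an "action"; absent
# criteria match everything, as the entry command description states.

def port_matches(pkt_port, port, mask=0xFFFF):
    """dst-port port [mask]: only the bits set in the 16-bit mask must be equal.
    The default mask 0xFFFF (65535) is an exact match."""
    return (pkt_port & mask) == (port & mask)

def entry_matches(entry, pkt):
    if "src-ip" in entry:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(entry["src-ip"]):
            return False
    if "protocol" in entry and pkt["protocol"] != entry["protocol"]:
        return False
    if "dst-port" in entry:
        port, mask = entry["dst-port"]
        if not port_matches(pkt["dport"], port, mask):
            return False
    return True

def evaluate(entries, default_action, pkt):
    """Return (action, entry_id) from the first active entry that matches,
    or (default_action, None) when no entry matches."""
    for entry_id in sorted(entries):          # lowest entry-id is tried first
        entry = entries[entry_id]
        if "action" not in entry:             # no action keyword: incomplete, ignored
            continue
        if entry_matches(entry, pkt):
            return entry["action"], entry_id  # exit on first match
    return default_action, None

# Constructed policy with staggered entry ids (room to insert later).
POLICY = {
    10: {"src-ip": "10.1.0.0/16", "protocol": 6, "dst-port": (22, 0xFFFF), "action": "permit"},
    20: {"src-ip": "10.1.0.0/16", "protocol": 17, "dst-port": (1024, 0xFC00), "action": "permit"},
    30: {"src-ip": "10.1.0.0/16", "action": "deny"},
    40: {"protocol": 6, "dst-port": (22, 0xFFFF)},   # inactive: no action configured
}
DEFAULT_ACTION = "deny-host-unreachable"

if __name__ == "__main__":
    for pkt in ({"src": "10.1.2.3", "protocol": 6, "dport": 22},
                {"src": "10.1.2.3", "protocol": 17, "dport": 2047},
                {"src": "10.1.2.3", "protocol": 17, "dport": 2048},
                {"src": "192.0.2.1", "protocol": 6, "dport": 22}):
        print(pkt, "->", evaluate(POLICY, DEFAULT_ACTION, pkt))
```

Entry 20 shows why the mask matters: 1024 0xFC00 admits destination ports 1024 through 2047 only, and port 2048 falls through to the catch-all deny in entry 30.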

fragment

Syntax

[no] fragment {true | false}

Context

config>system>security>mgmt-access-filter>ip-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.

An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the Layer 4 information.

The no form of this command removes the match criterion.

Default

no fragment

Parameters

true

Specifies to match on all fragmented IP packets. A match occurs for all packets that have either the MF (more fragments) bit set or the Fragment Offset field of the IP header set to a non-zero value.

false

Specifies to match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and the Fragment Offset field also set to zero.

l4-src-port

Syntax

[no] l4-src-port port [mask]

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command configures a source TCP or UDP port number for an IP filter match criterion. An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the source port match criterion.

Default

no l4-src-port

Parameters

port

Specifies the source port number to be used as the match criterion, expressed as a decimal integer.

Values

1 to 65535

mask

Specifies the mask in dotted decimal notation.

Values

1 to 65535, in decimal, hexadecimal, or binary

flow-label

Syntax

flow-label value

no flow-label

Context

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T

Description

This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service.

Parameters

value

Specifies the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows. For more information, see RFC 3595, Textual Conventions for IPv6 Flow Label.

Values

0 to 1048575

log

Syntax

[no] log

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command enables match logging. When enabled, matches on this entry cause the Security event mafEntryMatch to be raised.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

Default

no log

next-header

Syntax

next-header next-header

no next-header

Context

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T

Description

This command specifies the next header to match. The protocol type, such as TCP, UDP, OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).

Parameters

next-header

Specifies the IPv6 next header type (the IPv6 equivalent of the IP protocol field) to be used in the match criteria for this MAF entry.

Values

next-header: 0 to 255, protocol numbers accepted in DHB

keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

protocol

Syntax

[no] protocol protocol-id

Context

config>system>security>mgmt-access-filter>ip-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures an IP protocol type to be used as a management access filter match criterion.

The protocol type, such as TCP, UDP, OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).

The no form of this command removes the protocol from the match criteria.

Parameters

protocol-id

Specifies the protocol number for the match criterion.

Values

1 to 255 (decimal)

router

Syntax

router {router-instance}

no router

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command configures a router name or service ID to be used as a management access filter match criterion.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the router name or service ID from the match criteria.

Default

router Base

Parameters

router-instance

Specifies the router name.

Values

Base, management

renum

Syntax

renum old-entry-number new-entry-number

Context

config>system>security>mgmt-access-filter>ip-filter

config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command renumbers existing management access filter entries to resequence filter entries.

The system exits on the first match found and executes the actions in accordance with the accompanying action command. For this reason, some entries may need to be renumbered so that they are ordered from most to least explicit.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

Parameters

old-entry-number

Specifies the entry number of the existing entry.

Values

1 to 9999

new-entry-number

Specifies the new entry number that will replace the old entry number.

Values

1 to 9999

src-port

Syntax

src-port {port-id | lag lag-id}

no src-port

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command restricts ingress management traffic to either the CPM Ethernet port or any other logical port (LAG or port) on the device.

When the source interface is configured, only management traffic arriving on those ports satisfies the match criteria.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of the command reverts to the default value.

Parameters

port-id

Specifies the port ID in the following format: slot[/mda]/port.

src-ip

Syntax

[no] src-ip {ip-prefix/prefix-length | ip-prefix netmask}

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command configures a source IP address range to be used as a management access filter match criterion.

To match on the source IP address, specify the address and the associated mask (for example, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of the command removes the source IP address match criterion.

Parameters

ip-prefix/prefix-length

Specifies the IP prefix used for IP match criteria in dotted decimal notation. Can be an IPv4 or IPv6 prefix.

ipv4-prefix — a.b.c.d

ipv4-prefix-length — 0 to 32

ipv6-prefix — x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0..FFFF]H

d: [0..255]D

ipv6-prefix-length — 0 to 128 (7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C)

0 to 64 (7210 SAS-Dxp)

netmask

Specifies the subnet mask in dotted decimal notation.

Values

a.b.c.d (network bits all 1 and host bits all 0)