[no] management-access-filter
config>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context configure management access filters and reset match criteria.
Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router to nodes within specific networks or subnetworks, or to management traffic arriving through designated ports.
Unlike other traffic filters, management access filters are enforced by system software.
The no form of this command removes management access filters from the configuration.
[no] ip-filter
config>system>security>mgmt-access-filter
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context configure management access IP filter parameters.
[no] ipv6-filter
config>system>security>mgmt-access-filter
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context configure management access IPv6 filter parameters.
default-action {permit | deny | deny-host-unreachable}
config>system>security>mgmt-access-filter>ip-filter
config>system>security>mgmt-access-filter>ipv6-filter
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the default action for management access packets that do not match any management access filter entry.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
permit
Specifies that packets not matching the configured selection criteria in any of the filter entries will be permitted.
deny
Specifies that packets not matching the selection criteria will be denied and that no ICMP host unreachable message will be issued.
deny-host-unreachable
Specifies that packets not matching the selection criteria will be denied and that an ICMP host unreachable message will be issued.
[no] entry entry-id
config>system>security>mgmt-access-filter>ip-filter
config>system>security>mgmt-access-filter>ipv6-filter
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7210 SAS OS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry need not have any match criteria defined (in which case, everything matches), but it must have at least the action keyword defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
The no form of this command removes the specified entry from the management access filter.
An entry ID uniquely identifies a match criteria and the corresponding action. Nokia recommends that entries be numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.
action {permit | deny | deny-host-unreachable}
no action
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the action associated with the management access filter entry's match criteria.
The action keyword is required. If no action is defined, the entry is incomplete and ignored. If multiple action statements are configured, the last one overwrites the previously configured actions.
If the packet does not meet any of the match criteria the configured default action is applied.
permit
Specifies that packets matching the configured criteria will be permitted.
deny
Specifies that packets matching the configured selection criteria will be denied and that no ICMP host unreachable message will be issued.
deny-host-unreachable
Specifies that packets matching the configured selection criteria will be denied and that an ICMP host unreachable message will be issued.
[no] dst-port port [mask]
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a destination TCP or UDP port number or port range for a management access filter match criterion.
The no form of this command removes the destination port match criterion.
port
Specifies the destination TCP or UDP port number as the match criterion.
mask
Specifies the mask used to match a range of destination port numbers.
This 16-bit mask can be configured using the formats listed in the following table.
Format style | Format syntax | Example
---|---|---
Decimal | DDDDD | 63488
Hexadecimal | 0xHHHH | 0xF800
Binary | 0bBBBBBBBBBBBBBBBB | 0b1111100000000000
To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
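The value-and-mask matching described above, as an added example that is not part of the Nokia documentation: a small Python model of how a 16-bit mask selects ports for dst-port (and l4-src-port), which checks the page's own 1024 0xFC00 example and shows how to derive the value/mask pairs for a range that is not a single aligned power-of-two block. The function names and the 1024..3000 sample range are this example's own assumptions, not commands or values from the page.

```python
# Added example (not from the Nokia documentation): how a port value plus a
# 16-bit mask selects ports, and how to derive the value/mask pair(s) that
# match an arbitrary contiguous port range.

PORT_BITS = 0xFFFF  # ports and masks are 16 bits wide


def port_matches(port: int, value: int, mask: int) -> bool:
    """A packet port matches 'value mask' when it agrees with value in every
    bit position where mask has a 1; bit positions where mask is 0 are
    wildcards."""
    return (port & mask) == (value & mask)


def matched_ports(value: int, mask: int) -> set[int]:
    """Every port selected by the pair (brute force over the 16-bit space)."""
    return {p for p in range(PORT_BITS + 1) if port_matches(p, value, mask)}


def mask_selects_range(mask: int) -> bool:
    """True when the mask's 1-bits are contiguous from the top (e.g. 0xFC00),
    the only shape that selects a single contiguous port range. A mask such
    as 0x03FF selects ports scattered across the whole space instead."""
    return (mask | (mask - 1)) & PORT_BITS == PORT_BITS


def range_to_entries(lo: int, hi: int) -> list[tuple[int, int]]:
    """Minimal list of (value, mask) pairs that together match exactly lo..hi;
    each pair is one filter entry. An aligned power-of-two range needs one
    pair: 1024..2047 -> [(1024, 0xFC00)], the page's own example."""
    if not 0 <= lo <= hi <= PORT_BITS:
        raise ValueError("need 0 <= lo <= hi <= 65535")
    entries = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at lo and does not pass hi.
        while size * 2 <= hi - lo + 1 and lo % (size * 2) == 0:
            size *= 2
        entries.append((lo, PORT_BITS & ~(size - 1)))
        lo += size
    return entries


def describe(value: int, mask: int) -> str:
    """Human-readable summary of what a value/mask pair selects."""
    ports = sorted(matched_ports(value, mask))
    shape = "range" if mask_selects_range(mask) else "scattered set"
    return (f"{value} 0x{mask:04X}: {len(ports)} ports ({shape}), "
            f"{ports[0]}..{ports[-1]}")


if __name__ == "__main__":
    print(describe(1024, 0xFC00))  # the page's example: 1024 ports, 1024..2047
    print(describe(1024, 0x03FF))  # a common mistake: 64 scattered ports
    for value, mask in range_to_entries(1024, 3000):
        print(f"dst-port {value} 0x{mask:04X}")
```

The trap shown by the second describe() call is the one a reviewer of a filter should look for: a mask written as the "low bits" of the range (0x03FF) does not bound the range at all; it selects every port whose low ten bits are zero, including port 0. Only a mask whose 1-bits run contiguously from the top yields a single range, which is what the page's table formats are meant to express.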
[no] fragment {true | false}
config>system>security>mgmt-access-filter>ip-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.
An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the Layer 4 information.
The no form of this command removes the match criterion.
no fragment
true
Specifies to match on all fragmented IP packets. A match occurs for all packets that have either the MF (more fragments) bit set or the Fragment Offset field of the IP header set to a non-zero value.
false
Specifies to match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and the Fragment Offset field also set to zero.
[no] l4-src-port port [mask]
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a source TCP or UDP port number for a management access filter match criterion.
An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the Layer 4 information.
The no form of this command removes the source port match criterion.
no l4-src-port
port
Specifies the source port number to be used as the match criterion, expressed as a decimal integer.
mask
Specifies the 16-bit mask used to match a range of source port numbers.
flow-label value
no flow-label
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service.
value
Specifies the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows, in accordance with RFC 3595, Textual Conventions for IPv6 Flow Label.
[no] log
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command enables match logging. When enabled, matches on this entry will cause the security event mafEntryMatch to be raised.
no log
next-header next-header
no next-header
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies the next header to match. The protocol type, such as TCP, UDP, or OSPF, is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), and UDP(17).
next-header
Specifies the next header type to be used as the match criterion for this management access filter (MAF) entry. For IPv6 this is the Next Header field; the corresponding IPv4 criterion is the Protocol field, configured with the protocol command.
[no] protocol protocol-id
config>system>security>mgmt-access-filter>ip-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures an IP protocol type to be used as a management access filter match criterion.
The protocol type, such as TCP, UDP, and OSPF, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).
The no form of this command removes the protocol from the match criteria.
protocol-id
Specifies the protocol number for the match criterion.
router {router-instance}
no router
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a router name or service ID to be used as a management access filter match criterion.
The no form of this command removes the router name or service ID from the match criteria.
base
Specifies the router name.
renum old-entry-number new-entry-number
config>system>security>mgmt-access-filter>ip-filter
config>system>security>mgmt-access-filter>ipv6-filter
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command renumbers existing management access filter entries to re-sequence filter entries.
Because the system exits on the first match found and executes that entry's action, entries may need to be renumbered so that they are ordered from most to least explicit.
old-entry-number
Specifies the entry number of the existing entry.
new-entry-number
Specifies the new entry number that will replace the old entry number.
src-port {port-id | lag lag-id}
no src-port
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command restricts ingress management traffic to either the CPM Ethernet port or any other logical port (LAG or port) on the device.
When the source interface is configured, only management traffic arriving on that port satisfies the match criterion.
The no form of this command reverts to the default value.
any interface
port-id
Specifies the port ID in the format slot[/mda]/port.
[no] src-ip {ip-prefix/prefix-length | ip-prefix netmask}
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a source IP address range to be used as a management access filter match criterion.
To match on the source IP address, specify the address and the associated mask (that is, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.
The no form of this command removes the source IP address match criterion.
ip-prefix
Specifies the IP prefix used for the match criterion. It can be an IPv4 prefix in dotted-decimal notation or an IPv6 prefix.
netmask
Specifies the subnet mask in dotted-decimal notation.