Configuring IPv4 or IPv6 CPM (CSM) Filters

CPM filters control all traffic going into the CSM, including all routing protocols. They apply to packets from all network and access ports, but not to packets from a management Ethernet port. CPM packet filtering is performed by network processor hardware using no resources on the main CPUs.

Use the following CLI commands to configure an IPv4 CPM filter.

CLI Syntax:
config>system>security
cpm-filter
    default-action {accept | drop}
    ip-filter
        entry entry-id [create]
            action {accept | drop}
            description description-string
            log log-id 
            match [protocol protocol-id]
                dscp dscp-name
                dst-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
                dst-port [tcp/udp port-number] [mask]
                fragment {true | false}
                icmp-code icmp-code
                icmp-type icmp-type
                ip-option ip-option-value [ip-option-mask]
                multiple-option {true | false}
                option-present {true | false}
                src-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
                src-port src-port-number [mask]
                tcp-ack {true | false}
                tcp-syn {true | false}
            renum old-entry-id new-entry-id

Use the following CLI commands to configure an IPv6 CPM filter.

CLI Syntax:
config>system>security
cpm-filter
    default-action {accept | drop}
    ipv6-filter
        entry entry-id [create]
            action {accept | drop}
            description description-string
            log log-id 
            match [next-header next-header]
                dscp dscp-name
                dst-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
                dst-port [tcp/udp port-number] [mask]
                icmp-code icmp-code
                icmp-type icmp-type
                src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
                src-port src-port-number [mask]
                tcp-ack {true | false}
                tcp-syn {true | false}
            renum old-entry-id new-entry-id

The following displays an IPv4 CPM filter configuration example:

A:ALU-49>config>sys>sec>cpm>ip-filter# info
----------------------------------------------
                    entry 10 create
                        action drop
                        description "CPM-Filter 10.4.101.2 #101"
                        log 101
                    exit
                    entry 20 create
                        no action
                        description "CPM-Filter 10.4.101.2 #201"
                        log 101
                    exit
                    no shutdown
----------------------------------------------
A:ALU-49>config>sys>sec>cpm>ip-filter#
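
The following is an added example, not part of the original page or the vendor's tooling: a small Python check that parses info output in the format shown above and lists entries that have no explicit action or no match criteria, so a reviewer can confirm each one is intentional. The function names are hypothetical, and the parser assumes that a match block, when present, is closed by its own exit line.

```python
import re

# "info" output copied from the example on this page.
SAMPLE_INFO = """\
----------------------------------------------
                    entry 10 create
                        action drop
                        description "CPM-Filter 10.4.101.2 #101"
                        log 101
                    exit
                    entry 20 create
                        no action
                        description "CPM-Filter 10.4.101.2 #201"
                        log 101
                    exit
                    no shutdown
----------------------------------------------
"""

def parse_entries(info_text):
    """Map entry-id -> {'action', 'log', 'match'} from cpm-filter info output."""
    entries, current, depth = {}, None, 0
    for raw in info_text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or separator rule
        m = re.match(r"entry (\d+)( create)?$", line)
        if m and current is None:
            current = entries[int(m.group(1))] = {"action": None, "log": None, "match": False}
            depth = 1
        elif current is None:
            continue                      # e.g. "no shutdown" outside any entry
        elif line == "exit":
            depth -= 1
            if depth == 0:
                current = None
        elif line.startswith("match"):    # assumption: match block ends with its own "exit"
            current["match"] = True
            depth += 1
        elif depth == 1 and line.split()[0] in ("action", "log"):
            current[line.split()[0]] = line.split()[1]
    return entries

def audit(entries):
    """List (entry-id, finding) pairs for entries a reviewer should look at."""
    findings = []
    for eid, e in sorted(entries.items()):
        if e["action"] is None:
            findings.append((eid, "no explicit action"))
        if not e["match"]:
            findings.append((eid, "no match criteria"))
    return findings

if __name__ == "__main__":
    for eid, finding in audit(parse_entries(SAMPLE_INFO)):
        print(f"entry {eid}: {finding}")
```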