Creating and implementing management access filters is optional. Management access filters control all traffic going in to the CSM, including all routing protocols, and they apply to packets arriving on all ports. They can be used to restrict management of the 7705 SAR router to nodes inside specific (sub)networks, or to traffic arriving through designated ports. By default, no management access filter exists; the filter and its entries must be explicitly created on each router.
In addition to traffic arriving on network ports, management access filters apply to the management Ethernet port, which supports both IPv4 and IPv6 filters.
The 7705 SAR evaluates entries in ascending entry-id order, exits the filter at the first matching entry and executes that entry's action. Entries must therefore be sequenced from most to least specific: a broad entry placed before a narrower one matches first and the narrower entry is never reached.
An entry need not have any match criteria defined (in which case it matches every packet), but it must have at least the action keyword to be considered complete. Entries without the action keyword are considered incomplete and are rendered inactive; they are skipped during evaluation.
Use the following CLI commands to configure an IPv4 management access filter.
config>system
    security
        management-access-filter
            ip-filter
                default-action {permit | deny | deny-host-unreachable}
                entry entry-id
                    action {permit | deny | deny-host-unreachable}
                    description description-string
                    dst-port port [mask]
                    log
                    protocol protocol-id
                    router router-instance
                    src-ip {ip-prefix[/mask][netmask] | ip-prefix-list ip-prefix-list-name}
                    src-port {port-id | cpm}
                renum old-entry-number new-entry-number
                no shutdown
Use the following CLI commands to configure an IPv6 management access filter.
config>system
    security
        management-access-filter
            ipv6-filter
                default-action {permit | deny | deny-host-unreachable}
                entry entry-id
                    action {permit | deny | deny-host-unreachable}
                    description description-string
                    dst-port port [mask]
                    flow-label value
                    log
                    next-header next-header
                    router router-instance
                    src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
                    src-port {port-id | cpm}
                renum old-entry-number new-entry-number
                no shutdown
The following example displays an IPv4 management access filter configuration. Only packets matching entry 1 or entry 2 (sourced from 10.10.10.104 or 10.10.10.1) are accepted; every other packet falls through to the default action and is denied.
config>system>security# management-access-filter
config>system>security>mgmt-access-filter# ip-filter default-action deny
config>system>security>mgmt-access-filter# ip-filter entry 1
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.104/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit
config>system>security>mgmt-access-filter# ip-filter entry 2
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.1/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit
The following output displays the resulting management access filter configuration.
ALU-1>config>system>security# info
----------------------------------------------
        management-access-filter
            ip-filter
                default-action deny
                entry 1
                    action permit
                    src-ip 10.10.10.104/32
                exit
                entry 2
                    action permit
                    src-ip 10.10.10.1/32
                exit
            exit
----------------------------------------------
ALU-1>config>system>security#
If configuring management access filters over a remote session such as Telnet (any management session whose packets traverse the filter), ensure that traffic from the host IP address is permitted before setting the default action to deny; otherwise, the first packet after the change is denied and the session is dropped. To do this, leave the default action at permit, configure an entry with the src-ip address of the host as a permitted match criterion, and only then set the default action to deny. Alternatively, use a direct console connection to the node for configuration; a console session does not pass through the filter, so in this case the order of filter configuration does not matter.
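As an added illustration (this is not the 7705 SAR's own code, and it is a deliberately partial model that ignores src-port, router instance and logging), the following Python script models the first-match semantics described earlier on this page and the session-lockout pitfall described in the paragraph above: entries are evaluated in ascending entry-id order, the first active match decides, entries without an action are skipped, a broad entry placed ahead of a narrower one shadows it, and the verdict for the administrator's own Telnet packets is recorded after each configuration step in both the safe and the unsafe order. The class names, the `shadowed_entries` check and all addresses are constructed for the example.

```python
"""Constructed model of first-match management access filter evaluation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    """One filter entry. action=None models an entry that lacks the action
    keyword and is therefore incomplete and inactive. Absent criteria match
    anything. src-port, router and log are not modelled (assumption)."""
    entry_id: int
    action: Optional[str] = None      # "permit", "deny" or "deny-host-unreachable"
    src_ip: Optional[str] = None      # prefix such as "10.10.10.0/24"
    protocol: Optional[int] = None    # IP protocol number, e.g. 6 for TCP
    dst_port: Optional[int] = None    # destination port

    def is_active(self) -> bool:
        return self.action is not None

    def matches(self, pkt: dict) -> bool:
        if self.src_ip is not None:
            net = ipaddress.ip_network(self.src_ip, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True

    def covers(self, other: "Entry") -> bool:
        """True if every packet matching `other` also matches self, so self
        placed at a lower entry-id would shadow `other` completely."""
        if self.src_ip is not None:
            if other.src_ip is None:
                return False
            mine = ipaddress.ip_network(self.src_ip, strict=False)
            theirs = ipaddress.ip_network(other.src_ip, strict=False)
            if mine.version != theirs.version or not theirs.subnet_of(mine):
                return False
        if self.protocol is not None and other.protocol != self.protocol:
            return False
        if self.dst_port is not None and other.dst_port != self.dst_port:
            return False
        return True


@dataclass
class ManagementAccessFilter:
    default_action: str = "permit"
    entries: dict = field(default_factory=dict)

    def entry(self, entry_id: int, **criteria) -> None:
        self.entries[entry_id] = Entry(entry_id, **criteria)

    def evaluate(self, pkt: dict):
        """First match wins: walk active entries in ascending entry-id order
        and return (action, entry_id); fall through to (default_action, None)."""
        for entry_id in sorted(self.entries):
            e = self.entries[entry_id]
            if e.is_active() and e.matches(pkt):
                return e.action, entry_id
        return self.default_action, None

    def shadowed_entries(self):
        """(shadowed_id, shadowing_id) pairs: entries that can never be reached
        because an earlier active entry already matches everything they match."""
        active = [self.entries[i] for i in sorted(self.entries)
                  if self.entries[i].is_active()]
        result = []
        for pos, later in enumerate(active):
            for earlier in active[:pos]:
                if earlier.covers(later):
                    result.append((later.entry_id, earlier.entry_id))
                    break
        return result


def page_example() -> ManagementAccessFilter:
    """The IPv4 filter shown on the page: default deny, two permitted hosts,
    plus an entry with no action keyword to show that it is ignored."""
    f = ManagementAccessFilter(default_action="deny")
    f.entry(1, action="permit", src_ip="10.10.10.104/32")
    f.entry(2, action="permit", src_ip="10.10.10.1/32")
    f.entry(3, src_ip="192.0.2.0/24")   # incomplete: no action, so inactive
    return f


def misordered_example() -> ManagementAccessFilter:
    """Broad permit placed before a narrower deny: the deny is shadowed."""
    f = ManagementAccessFilter(default_action="deny")
    f.entry(10, action="permit", src_ip="10.10.10.0/24")
    f.entry(20, action="deny", src_ip="10.10.10.50/32")
    return f


def lockdown_verdicts(admin_src: str, safe: bool) -> list:
    """Verdict for the administrator's own Telnet packets after each step.
    safe=True follows the order in the text (permit the host, then set default
    deny); safe=False sets default deny first. admin_src is a constructed address."""
    pkt = {"src": admin_src, "protocol": 6, "dst_port": 23}
    f = ManagementAccessFilter(default_action="permit")
    host_prefix = str(ipaddress.ip_network(admin_src))   # host /32 or /128
    steps = ([("entry", host_prefix), ("default", "deny")] if safe
             else [("default", "deny"), ("entry", host_prefix)])
    verdicts = []
    for kind, value in steps:
        if kind == "entry":
            f.entry(1, action="permit", src_ip=value)
        else:
            f.default_action = value
        verdicts.append(f.evaluate(pkt)[0])
    return verdicts


if __name__ == "__main__":
    f = page_example()
    for src in ("10.10.10.104", "10.10.10.1", "192.0.2.7"):
        print(src, "->", f.evaluate({"src": src}))
    print("shadowed:", misordered_example().shadowed_entries())
    print("safe order:", lockdown_verdicts("10.10.10.104", safe=True))
    print("unsafe order:", lockdown_verdicts("10.10.10.104", safe=False))
```

In the unsafe order the first verdict is deny: that is the point at which a real Telnet session would be dropped, before the permitting entry can be typed. `shadowed_entries` is the check to run on a candidate entry list before committing it, since a shadowed deny is a silent hole in the intended policy.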