[no] management-access-filter
config>system>security
This command enables the context to edit management access filters and to reset match criteria.
Management access filters control all traffic in and out of the CSM. They can be used to restrict management of the 7705 SAR by other nodes outside either specific (sub)networks or through designated ports.
Management filters, as opposed to other traffic filters, are enforced by system software.
The no form of the command removes management access filters from the configuration.
Default: n/a
ip-filter
config>system>security>management-access-filter
This command enables the context to configure IP filter commands.
ipv6-filter
config>system>security>management-access-filter
This command enables the context to configure IPv6 filter commands.
default-action {permit | deny | deny-host-unreachable}
config>system>security>management-access-filter>ip-filter
config>system>security>management-access-filter>ipv6-filter
This command creates the default action for management access in the absence of a specific management access filter match.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
Default: n/a
permit — specifies that packets not matching the configured selection criteria in any of the filter entries will be permitted
deny — specifies that packets not matching the selection criteria will be denied
deny-host-unreachable — specifies that packets not matching the selection criteria will be denied and a host unreachable message will be issued
[no] entry
config>system>security>management-access-filter>ip-filter
config>system>security>management-access-filter>ipv6-filter
This command is used to create or edit a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7705 SAR exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
The no form of the command removes the specified entry from the management access filter.
Default: n/a
entry-id — an entry ID that uniquely identifies match criteria and the corresponding action. It is recommended that entries be numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.
action {permit | deny | deny-host-unreachable}
no action
config>system>security>management-access-filter>ip-filter>entry
config>system>security>management-access-filter>ipv6-filter>entry
This command creates the action associated with the management access filter match criteria entry.
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
If the packet does not meet any of the match criteria, the configured default action is applied.
Default: n/a
permit — specifies that packets matching the configured criteria will be permitted
deny — specifies that packets matching the configured criteria will be denied
deny-host-unreachable — specifies that packets matching the configured criteria will be denied and a host unreachable message will be issued
dst-port port [mask]
no dst-port
config>system>security>management-access-filter>ip-filter>entry
config>system>security>management-access-filter>ipv6-filter>entry
This command configures a destination TCP or UDP port number or port range for a management access filter match criterion.
The no form of the command removes the destination port match criterion.
Default: n/a
port — the destination TCP or UDP port number used as the match criterion
mask — the mask used to specify a range of destination port numbers as the match criterion
This 16-bit mask can be configured using the formats in Table: 16-bit Mask Formats.
Format Style | Format Syntax | Example
---|---|---
Decimal | DDDDD | 63488
Hexadecimal | 0xHHHH | 0xF800
Binary | 0bBBBBBBBBBBBBBBBB | 0b1111100000000000
For example, to select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
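The value/mask port matching and the first-match, most-to-least-explicit entry ordering described above, as an added Python example that is not part of the 7705 SAR documentation. It assumes the bitwise semantics implied by the 1024 0xFC00 example (a port matches when the bits selected by the mask equal the configured port's bits); the filter entries and packets are constructed sample data.

```python
import ipaddress

def parse_mask16(text):
    """Parse a 16-bit port mask given in any of the three table formats:
    decimal (DDDDD), hexadecimal (0xHHHH) or binary (0bBBBB...)."""
    value = int(text, 0)          # base 0 honours the 0x / 0b prefixes
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"not a 16-bit mask: {text}")
    return value

def port_matches(packet_port, port, mask=0xFFFF):
    """dst-port port [mask]: match when the bits selected by the mask agree."""
    return (packet_port & mask) == (port & mask)

def port_range(port, mask):
    """Lowest and highest port covered by a value/mask pair (to check an entry)."""
    low = port & mask
    return low, low | (~mask & 0xFFFF)

def evaluate(entries, default_action, packet):
    """First-match evaluation in entry-id order; entries without an action are
    incomplete and skipped; no match falls through to the default-action."""
    for entry_id in sorted(entries):
        entry = entries[entry_id]
        if "action" not in entry:
            continue
        if "src-ip" in entry and ipaddress.ip_address(packet["src-ip"]) \
                not in ipaddress.ip_network(entry["src-ip"]):
            continue
        if "protocol" in entry and packet["protocol"] != entry["protocol"]:
            continue
        if "dst-port" in entry and not port_matches(packet["dst-port"], *entry["dst-port"]):
            continue
        return entry["action"], entry_id
    return default_action, None

# Constructed sample filter: most explicit entry first, as the reference requires.
ENTRIES = {
    10: {"src-ip": "10.1.0.0/16", "protocol": 6, "dst-port": (22, 0xFFFF), "action": "permit"},
    20: {"src-ip": "10.1.0.0/16", "dst-port": (1024, parse_mask16("0xFC00")), "action": "deny"},
    30: {"protocol": 6},                                   # no action: incomplete, inactive
}
DEFAULT_ACTION = "deny-host-unreachable"

if __name__ == "__main__":
    print(port_range(1024, 0xFC00))                         # (1024, 2047)
    for pkt in ({"src-ip": "10.1.2.3", "protocol": 6, "dst-port": 22},
                {"src-ip": "10.1.2.3", "protocol": 6, "dst-port": 1500},
                {"src-ip": "192.0.2.5", "protocol": 6, "dst-port": 22}):
        print(pkt, "->", evaluate(ENTRIES, DEFAULT_ACTION, pkt))
```

Swapping the numbers of entries 10 and 20 shows why ordering matters: the broader deny range would then shadow the more explicit permit for port 22.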
flow-label value
no flow-label
config>system>security>management-access-filter>ipv6-filter>entry
This command configures flow label match conditions for a management access filter match criterion. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default QoS or real-time service.
This command applies to IPv6 filters only.
value — the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows (see RFC 3595, Textual Conventions for IPv6 Flow Label)
[no] log
config>system>security>management-access-filter>ip-filter>entry
config>system>security>management-access-filter>ipv6-filter>entry
This command enables match logging.
The no form of this command disables match logging.
Default: no log
[no] next-header next-header
config>system>security>management-access-filter>ipv6-filter>entry
This command specifies the next header to match as a management access filter match criterion.
This command applies to IPv6 filters only.
next-header — protocol-number or protocol-name
protocol-number — the IPv6 next header to match, expressed as a protocol number in decimal, hexadecimal, or binary. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
protocol-name — the IPv6 next header to match, expressed as a protocol name. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
[no] protocol protocol-id
config>system>security>management-access-filter>ip-filter>entry
This command configures an IP protocol type to be used as a management access filter match criterion.
The protocol type is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).
This command applies to IPv4 filters only.
The no form of the command removes the protocol from the match criteria.
Default: n/a
protocol-id — protocol-number or protocol-name
protocol-number — the protocol number for the match criterion, expressed in decimal, hexadecimal, or binary. See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
protocol-name — the protocol name for the match criterion. See Table: IP Protocol IDs and Descriptions for the protocol IDs and descriptions for the IP protocols.
router router-instance
router service-name service-name
no router
config>system>security>management-access-filter>ip-filter>entry
config>system>security>management-access-filter>ipv6-filter>entry
This command configures a router name or service ID to be used as a management access filter match criterion.
The no form of the command removes the router name or service ID from the match criteria.
router-instance — specifies one of the following parameters for the router instance:
router-name — specifies a router name up to 32 characters to be used in the match criteria
service-id — specifies an existing service ID to be used in the match criteria
service-name — specifies the service name of an existing service
src-ip {ip-prefix/mask | ip-prefix netmask | ip-prefix-list ip-prefix-list-name}
no src-ip
config>system>security>management-access-filter>ip-filter>entry
This command specifies a source IPv4 address range or specifies an IPv4 prefix list configured under the match-list command to be used as a match criterion for a management access filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.
To match on the source IP address, specify the address and the associated mask (for example, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.
The no form of the command removes the source IPv4 address or IPv4 prefix list match criterion.
Default: n/a
ip-prefix — the IP prefix for the IP match criterion in dotted-decimal notation
mask — the subnet mask length expressed as a decimal integer
netmask — the subnet mask in dotted-decimal notation
ip-prefix-list-name — the name of the IP prefix list configured with the match-list command
src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
no src-ip
config>system>security>management-access-filter>ipv6-filter>entry
This command configures a source IPv6 address range or specifies an IPv6 prefix list configured under the match-list command to be used as a match criterion for a management access filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.
To match on the source IP address, specify the address and prefix length; for example, 11::12/128.
The no form of the command removes the source IP address or IPv6 prefix list match criterion.
Default: n/a
ipv6-address/prefix-length — the IPv6 address on the interface
ipv6-prefix-list-name — the name of the IPv6 prefix list configured with the match-list command
src-port {port-id | cpm | lag lag-id}
no src-port
config>system>security>management-access-filter>ip-filter>entry
config>system>security>management-access-filter>ipv6-filter>entry
This command restricts ingress management traffic to either the CSM Ethernet port or any other logical port (port or channel) on the device.
When the source interface is configured, only management traffic arriving on those ports satisfies the match criteria.
The no form of the command reverts to the default value.
Default: any interface
port-id — the port ID
cpm — specifies that ingress management traffic is restricted to the CSM Ethernet port
lag-id — the LAG ID
renum old-entry-number new-entry-number
config>system>security>management-access-filter>ip-filter
config>system>security>management-access-filter>ipv6-filter
This command renumbers existing management access filter entries to resequence filter entries.
The 7705 SAR exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be renumbered from most to least explicit.
old-entry-number — the entry number of the existing entry
new-entry-number — the new entry number that will replace the old entry number