Configuring IP CPM filters

Nokia recommends using a strict CPM filter policy allowing traffic from trusted IP subnets for protocols and ports actively used in the router and to explicitly drop other traffic.

The configuration below is an example that follows the recommendations for SSH and BGP:

A:Dut-A>config>sys>security>cpm-filter# info
----------------------------------------------
              default-action drop
              ip-filter
                  entry 100 create
                      action accept
                      description "SSH: server terminated TCP sessions from trusted 
subnets"
                      match protocol tcp
                          dst-port 22 65535
                          src-ip ip-prefix-list "trusted-mgmt-subnet"
                      exit
                  exit
                  entry 200 create
                      action accept
                      description "BGP: server terminated TCP Sessions"
                      match protocol tcp
                          dst-port 179 65535
                          src-ip ip-prefix-list "trusted-bgp-subnet"
                      exit
                  exit
                  entry 300 create
                      action accept
                      description "BGP: client responses for initiated TCP sessions"
                      match protocol tcp
                          src-ip ip-prefix-list "trusted-bgp-subnet"
                          src-port 179 65535
                      exit
                  exit
                  entry 6000 create
                      action drop
                      description "Drop all other UDP"
                      log 102
                      match protocol udp
                      exit
                  exit
                  entry 6010 create
                      action drop
                      description "drop all other TCP"
                      log 103
                      match protocol tcp
                      exit
                  exit
                  no shutdown
              exit
----------------------------------------------