Nokia IP Filter Configuration Example 2


Almost every engineer has noticed that they can reach some subnets and devices but not others. One way to achieve this is with IP Filters. With IP Filters, specific subnets can be restricted from some services and allowed for others.

In this IP Filter Configuration Example, we will build a more complex configuration: we will restrict one user group from a specific device while allowing another user group. In this example, the engineer group is blocked from reaching the Firewall but can still access the File Server in the same network. The security team is allowed to access the Firewall.


SR1# configure filter
SR1>config>filter# ip-filter 20 create
SR1>config>filter>ip-filter# description AllowServers
# Packets that match no entry are dropped
SR1>config>filter>ip-filter# default-action drop
SR1>config>filter>ip-filter# entry 1 create
SR1>config>filter>ip-filter>entry# match src-ip 10.10.10.0/24
SR1>config>filter>ip-filter>entry# action forward
SR1>config>filter>ip-filter>entry# exit
SR1>config>filter>ip-filter# entry 2 create
SR1>config>filter>ip-filter>entry# match src-ip 20.20.20.0/24
SR1>config>filter>ip-filter>entry# action forward
SR1>config>filter>ip-filter>entry# exit

We will apply this IP Filter to the inbound interface, in the ingress direction.

SR1# configure router
SR1>config>router# interface "toSwitch1"
SR1>config>router>if# ingress
SR1>config>router>if>ingress# filter ip 20

First, we have allowed both the engineers and the security team to access the router by creating an inbound IP filter. Now, let's create an outbound filter that allows the security team to access the Firewall and the FileServer. It will also include an entry for the engineers' FileServer access.

SR1# configure filter
SR1>config>filter# ip-filter 30 create
SR1>config>filter>ip-filter# description FileServerAccess
# Packets that match no entry are dropped
SR1>config>filter>ip-filter# default-action drop
SR1>config>filter>ip-filter# entry 1 create
SR1>config>filter>ip-filter>entry# match src-ip 20.20.20.0/24
SR1>config>filter>ip-filter>entry# action forward
SR1>config>filter>ip-filter>entry# exit
# The second entry needs its own entry ID; reusing 1 would modify the entry above
SR1>config>filter>ip-filter# entry 2 create
SR1>config>filter>ip-filter>entry# match src-ip 10.10.10.0/24
# /32 matches only the FileServer host; a /24 mask would also cover the Firewall
SR1>config>filter>ip-filter>entry# match dst-ip 192.168.1.200/32
SR1>config>filter>ip-filter>entry# action forward
SR1>config>filter>ip-filter>entry# exit

After creating the IP Filter, we will apply it to the interface in the egress direction. Any attempt at restricted access will be blocked at this point.

SR1# configure router
SR1>config>router# interface "toSwitch2"
SR1>config>router>if# egress
SR1>config>router>if>egress# filter ip 30

In this example, we denied access to the Firewall for everyone except the Security Team, while the Engineers can still access the FileServer in the same network as the Firewall.
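
The egress policy above can be checked offline before it is committed. The following Python model is an added example, not Nokia code and not part of the original lesson: it evaluates filter 30 in entry-ID order with a default drop and compares a /32 host match with a /24 match on the FileServer address. The Firewall address 192.168.1.1, the sample host addresses, and the mapping of 20.20.20.0/24 to the security team and 10.10.10.0/24 to the engineers (inferred from the entries) are assumptions.

```python
# Added example: offline model of filter 30 (first matching entry wins).
from ipaddress import ip_address, ip_network

FILE_SERVER = "192.168.1.200"  # from the page
FIREWALL = "192.168.1.1"       # assumed address, not given on the page


def build_filter_30(file_server_prefix):
    """Filter 30 as (entry id, src net, dst net or None, action) tuples."""
    return {
        "default": "drop",
        "entries": [
            (1, ip_network("20.20.20.0/24"), None, "forward"),
            (2, ip_network("10.10.10.0/24"),
             ip_network(file_server_prefix, strict=False), "forward"),
        ],
    }


def evaluate(flt, src, dst):
    """Return (action, entry id); entry id is None when the default applies."""
    src, dst = ip_address(src), ip_address(dst)
    for entry_id, src_net, dst_net, action in sorted(
            flt["entries"], key=lambda e: e[0]):
        if src not in src_net:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        return action, entry_id
    return flt["default"], None


def access_matrix(flt):
    """Action for each flow the lesson cares about (constructed sample hosts)."""
    flows = {
        "security->firewall": ("20.20.20.5", FIREWALL),
        "security->fileserver": ("20.20.20.5", FILE_SERVER),
        "engineer->fileserver": ("10.10.10.5", FILE_SERVER),
        "engineer->firewall": ("10.10.10.5", FIREWALL),
    }
    return {name: evaluate(flt, s, d)[0] for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for prefix in ("192.168.1.200/32", "192.168.1.200/24"):
        print(prefix, access_matrix(build_filter_30(prefix)))
```

With the /32 match only the engineer-to-Firewall flow is dropped; with the /24 match the same flow is forwarded, because the prefix covers the whole 192.168.1.0/24 subnet.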
