Filtering settings using destination IP addresses (direct specification / range specification / address group)
| Operation Confirmed Version |
|---|
| Brocade 5600vRouter Version 4.2R1S1 |
Flow of the packet filtering settings
Setting for rejecting communications destined for a specific destination IP address
Presumed case for sample setting
To reject communications forwarded to destination IP address “192.168.2.13”
To apply the filter to traffic input to interface “dp0s6”
To accept all communications forwarded to destination IP addresses other than “192.168.2.13”
Setting flow in a presumed case
Command to be entered with CLI
set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address '192.168.2.13'
Note
To apply the same policy in the output direction instead, attach the rule set to the dp0s6 interface as “out test_rule” (that is, `firewall out 'test_rule'` in place of `firewall in 'test_rule'`).
interfaces {
    dataplane dp0s4 {
        address 192.168.1.50/24
    }
    dataplane dp0s5 {
        address 192.168.2.50/24
    }
    dataplane dp0s6 {
        address 192.168.3.5/24
        firewall {
            in test_rule
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action accept
            rule 10 {
                action drop
                destination {
                    address 192.168.2.13
                }
            }
        }
    }
}
Operation check result
#192.168.2.12 -> OK
test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=63 time=2.84 ms
64 bytes from 192.168.2.12: icmp_seq=2 ttl=63 time=1.72 ms
64 bytes from 192.168.2.12: icmp_seq=3 ttl=63 time=1.32 ms
64 bytes from 192.168.2.12: icmp_seq=4 ttl=63 time=1.62 ms
^C
--- 192.168.2.12 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.320/1.878/2.844/0.579 ms
#192.168.2.13 -> NG
test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6040ms
Setting for accepting only communications destined for a specific destination IP address
Presumed case for sample setting
To accept and forward only communications forwarded to destination IP address “192.168.2.13”
To apply the filter to traffic input to interface “dp0s6”
To reject (drop) all communications forwarded to destination IP addresses other than “192.168.2.13”
Setting flow in a presumed case
Command to be entered with CLI
set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.13'
Note
To apply the same policy in the output direction instead, attach the rule set to the dp0s6 interface as “out test_rule” (that is, `firewall out 'test_rule'` in place of `firewall in 'test_rule'`).
interfaces {
    dataplane dp0s4 {
        address 192.168.1.50/24
    }
    dataplane dp0s5 {
        address 192.168.2.50/24
    }
    dataplane dp0s6 {
        address 192.168.3.5/24
        firewall {
            in test_rule
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action drop
            rule 10 {
                action accept
                destination {
                    address 192.168.2.13
                }
            }
        }
    }
}
Operation check result
#192.168.2.12 -> NG
test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms
#192.168.2.13 -> OK
test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
64 bytes from 192.168.2.13: icmp_seq=1 ttl=63 time=4.63 ms
64 bytes from 192.168.2.13: icmp_seq=2 ttl=63 time=2.73 ms
64 bytes from 192.168.2.13: icmp_seq=3 ttl=63 time=2.63 ms
64 bytes from 192.168.2.13: icmp_seq=4 ttl=63 time=3.58 ms
^C
--- 192.168.2.13 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 2.638/3.399/4.638/0.806 ms
Setting for rejecting communications destined for a specific destination IP address range (range specification)
Presumed case for sample setting
To reject communications forwarded to destination IP address range “192.168.2.12/30”
To apply the filter to traffic input to interface “dp0s6”
To forward all communications forwarded to destination IP addresses other than “192.168.2.4/30”
Note
The hosts in the range “192.168.2.12/30” are the following four IP addresses: “192.168.2.12”, “192.168.2.13”, “192.168.2.14”, and “192.168.2.15”.
Setting flow in a presumed case
Command to be entered with CLI
set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address '192.168.2.12/30'
Note
To apply the same policy in the output direction instead, attach the rule set to the dp0s6 interface as “out test_rule” (that is, `firewall out 'test_rule'` in place of `firewall in 'test_rule'`).
interfaces {
    dataplane dp0s4 {
        address 192.168.1.50/24
    }
    dataplane dp0s5 {
        address 192.168.2.50/24
    }
    dataplane dp0s6 {
        address 192.168.3.5/24
        firewall {
            in test_rule
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action accept
            rule 10 {
                action drop
                destination {
                    address 192.168.2.12/30
                }
            }
        }
    }
}
Operation check result
#192.168.2.6 -> OK
test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=3.35 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=1.72 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.24 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.22 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.43 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.19 ms
^C
--- 192.168.2.6 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 1.193/1.695/3.352/0.762 ms
#192.168.2.12 -> NG
test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6046ms
#192.168.2.13 -> NG
test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5040ms
Setting for accepting only communications destined for a specific destination IP address range (range specification)
Presumed case for sample setting
To accept and forward only communications forwarded to destination IP address range “192.168.2.4/30”
To apply the filter to traffic input to interface “dp0s6”
To reject all communications forwarded to destination IP addresses other than “192.168.2.4/30”
Note
The hosts in the range “192.168.2.4/30” are the following four IP addresses: “192.168.2.4”, “192.168.2.5”, “192.168.2.6”, and “192.168.2.7”.
Setting flow in a presumed case
Command to be entered with CLI
set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.4/30'
Note
To apply the same policy in the output direction instead, attach the rule set to the dp0s6 interface as “out test_rule” (that is, `firewall out 'test_rule'` in place of `firewall in 'test_rule'`).
interfaces {
    dataplane dp0s4 {
        address 192.168.1.50/24
    }
    dataplane dp0s5 {
        address 192.168.2.50/24
    }
    dataplane dp0s6 {
        address 192.168.3.5/24
        firewall {
            in test_rule
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action drop
            rule 10 {
                action accept
                destination {
                    address 192.168.2.4/30
                }
            }
        }
    }
}
Operation check result
#192.168.2.6 -> OK
test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=3.33 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=1.65 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.77 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.66 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.66 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.88 ms
64 bytes from 192.168.2.6: icmp_seq=7 ttl=63 time=2.07 ms
^C
--- 192.168.2.6 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6010ms
rtt min/avg/max/mdev = 1.655/2.008/3.339/0.564 ms
#192.168.2.12 -> NG
test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6047ms
#192.168.2.13 -> NG
test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8064ms
Setting for rejecting communications destined for the addresses in an address group (address group)
Note
An address group is a list in which multiple IP addresses are registered; a policy can then be applied to the whole list at once by referring to the group name.
Presumed case for sample setting
To reject communications forwarded to destination IP addresses “192.168.2.12” and “192.168.2.13”
To register the addresses above as an address group
To apply the filter to traffic input to interface “dp0s5”
To forward all communications forwarded to destination IP addresses other than those registered in the address group
Setting flow in a presumed case
Command to be entered with CLI
set interfaces dataplane dp0s6 firewall in 'test_rule'
set resources group address-group g1 address 192.168.2.12
set resources group address-group g1 address 192.168.2.13
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address 'g1'
Note
To apply the same policy in the output direction instead, attach the rule set to the dp0s6 interface as “out test_rule” (that is, `firewall out 'test_rule'` in place of `firewall in 'test_rule'`).
interfaces {
    dataplane dp0s4 {
        address 192.168.1.50/24
    }
    dataplane dp0s5 {
        address 192.168.2.50/24
    }
    dataplane dp0s6 {
        address 192.168.3.5/24
        firewall {
            in test_rule
        }
    }
}
resources {
    group {
        address-group g1 {
            address 192.168.2.12
            address 192.168.2.13
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action accept
            rule 10 {
                action drop
                destination {
                    address g1
                }
            }
        }
    }
}
Operation check result
#192.168.2.6 -> OK
test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=3.20 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=1.42 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.43 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.18 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.26 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.31 ms
^C
--- 192.168.2.6 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 1.186/1.638/3.204/0.706 ms
#192.168.2.12 -> NG
test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms
#192.168.2.13 -> NG
test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
Setting for accepting only communications destined for the addresses in an address group (address group)
Note
An address group is a list in which multiple IP addresses are registered; a policy can then be applied to the whole list at once by referring to the group name.
Presumed case for sample setting
To accept and forward only communications forwarded to destination IP addresses “192.168.2.6” and “192.168.2.12”
To register the addresses above as an address group
To apply the filter to traffic input to interface “dp0s6”
To reject all communications forwarded to destination IP addresses other than those registered in the address group
Setting flow in a presumed case
Command to be entered with CLI
set interfaces dataplane dp0s6 firewall in 'test_rule'
set resources group address-group g1 address 192.168.2.6
set resources group address-group g1 address 192.168.2.12
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address 'g1'
Note
To apply the same policy in the output direction instead, attach the rule set to the dp0s6 interface as “out test_rule” (that is, `firewall out 'test_rule'` in place of `firewall in 'test_rule'`).
interfaces {
    dataplane dp0s4 {
        address 192.168.1.50/24
    }
    dataplane dp0s5 {
        address 192.168.2.50/24
    }
    dataplane dp0s6 {
        address 192.168.3.5/24
        firewall {
            in test_rule
        }
    }
}
resources {
    group {
        address-group g1 {
            address 192.168.2.6
            address 192.168.2.12
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action drop
            rule 10 {
                action accept
                destination {
                    address g1
                }
            }
        }
    }
}
Operation check result
#192.168.2.6 -> OK
test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=15.8 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=2.21 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.79 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.52 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.45 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.88 ms
64 bytes from 192.168.2.6: icmp_seq=7 ttl=63 time=1.32 ms
^C
--- 192.168.2.6 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 1.327/3.726/15.885/4.971 ms
#192.168.2.12 -> OK
test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=63 time=2.95 ms
64 bytes from 192.168.2.12: icmp_seq=2 ttl=63 time=1.77 ms
64 bytes from 192.168.2.12: icmp_seq=3 ttl=63 time=1.77 ms
64 bytes from 192.168.2.12: icmp_seq=4 ttl=63 time=1.76 ms
64 bytes from 192.168.2.12: icmp_seq=5 ttl=63 time=1.91 ms
64 bytes from 192.168.2.12: icmp_seq=6 ttl=63 time=1.62 ms
^C
--- 192.168.2.12 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 1.621/1.965/2.950/0.452 ms
#192.168.2.13 -> NG
test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms