2024-08-04

IP table filtering is a mechanism that allows the user to apply actions to a specific control packet flow identified by a certain flow key.

This mechanism is used in order to protect switch control traffic against attacks. For example, it could allow traffic coming from a specific trusted management subnet only, block the SNMP UDP port from receiving traffic, and force ping rate to be lower than a specific threshold.

Each IP table rule is defined by key, priority, and action:

Key—the key is a combination of the physical port, layer 3 parameters (e.g. SIP, DIP, SPORT, DPORT, etc.), and other fields. Each part of the key can be set to a specific value or masked.

Priority—each rule in the IP table is assigned a priority, and the rule with the highest priority whose key matches the packet executes the action.

Action—the action describes the behavior of packets which match the key. The action type may be drop, accept, rate limit, etc.

An IP table rule is bound to an IP interface, which can be a management out-of-band interface, a VLAN interface, or a router port interface. Once bound, all traffic received (ingress rule) or transmitted (egress rule) in that direction is checked against all bound rules.

Once a match is found, the rule's action is executed. If no match is found, the default policy of the chain applies.

Note: IP table rules have lower priority than the ACL mechanism.

Note: In the rare case that IP filter is used while the input policy is "drop" (i.e., ip filter chain input policy drop) and an NTP server or a clustered application is used, the following rule must be added to allow src-ip 127.0.0.1 (a requirement for any clustered application and for NTP): ip filter chain input rule append tail target accept dup-delete source-addr 127.0.0.1 /32

Prerequisite for IPv6:

gateway (config) # ipv6 enable

To configure IPv4 table filtering:

1. Select the policy that applies to the input/output chain (default is “accept”).

   gateway (config) # ip filter chain input policy drop
   gateway (config) # ip filter chain output policy accept

2. Append filtering rules to the list or set a specific rule number, select a target, and (optionally) any additional filter conditions. For example:

   gateway (config) # ip filter chain input rule append tail target rate-limit 2 protocol udp
   gateway (config) # ip filter chain input rule set 2 target drop protocol icmp in-intf mgmt1
   gateway (config) # ip filter chain output rule append tail target drop protocol icmp

3. Enable IP table filtering.

   gateway (config) # ip filter enable

4. Verify the IP table filtering configuration.

   gateway (config) # show ip filter configured
   Packet filtering for IPv4: enabled
   IPv4 configuration:
   Chain 'input' Policy 'accept' :
     Rule 1 : Target       : rate-limit 2 pps
              Protocol     : udp
              Source       : all
              Destination  : all
              Interface    : all
              State        : any
              Other Filter : -
     Rule 2 : Target       : drop
              Protocol     : icmp
              Source       : all
              Destination  : all
              Interface    : mgmt1 (ingress)
              State        : any
              Other Filter : -
   Chain 'output' Policy 'accept' :
     Rule 1 : Target       : drop
              Protocol     : icmp
              Source       : all
              Destination  : all
              Interface    : all
              State        : any
              Other Filter : -

To modify IP table filtering configuration:

gateway (config) # ip filter chain input rule modify 3 target reject-with icmp6-adm-prohibited source-addr 10::0/126

To delete an existing IP table filtering rule:

gateway (config) # no ip filter chain input rule 2

To delete all existing IP table filtering rules:

gateway (config) # no ip filter chain output rule all

To insert an IP table filtering rule in a chain:

gateway (config) # ip filter chain input rule 2 set target drop protocol tcp dest-port 22 in-intf mgmt1

Using a rate-limit target allows you to create a rule that limits the rate of certain traffic types. The limit is specified in packets per second (pps) and can be anywhere between 1 and 1000 pps. When enabled, the system takes the user-specified rate and converts it into units of 1/10000 of a second. Therefore, any value greater than 100 can show a slight difference when the rule is displayed using the show command.

Rate limits can be set using the parameter "rate-limit-above" in order to drop packets whenever traffic is above the set limit. For example: ip filter chain input rule append tail target drop rate-limit-above 1/second source-addr 1.1.1.1 /32.

Another option is to use the parameter "rate-limit". This should be followed by a rule that drops additional packets of the same “type”. Alternatively, this can be achieved implicitly by setting the chain policy to “drop” so that packets not processed by a matching rule are dropped. Otherwise, no effect of the rule is observed, as the remaining traffic is simply accepted.
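The following is an added example, not code from the page or from the switch software: a small model of how an input chain built from the procedure above evaluates packets. It assumes rules are checked in order, that a rate-limit rule matches (and accepts) only while its per-second budget lasts so excess packets fall through to later rules and the chain policy, and that the packet fields are limited to protocol, ingress interface and destination port; it shows why a rate-limit rule has no visible effect when the policy is "accept" and nothing drops the overflow.

```python
# Added example (constructed model, not the switch implementation).
ANY = None  # wildcard: the field is masked out of the key


class Chain:
    def __init__(self, policy="accept"):
        self.policy = policy   # applied when no rule matches
        self.rules = []        # evaluated in list order (rule 1 first)
        self.budget = {}       # remaining packets for each rate-limit rule

    def append(self, target, protocol=ANY, in_intf=ANY, dest_port=ANY, rate=0):
        self.rules.append({"target": target, "protocol": protocol,
                           "in_intf": in_intf, "dest_port": dest_port})
        if target == "rate-limit":
            self.budget[len(self.rules) - 1] = rate

    def _key_matches(self, rule, pkt):
        for field in ("protocol", "in_intf", "dest_port"):
            if rule[field] is not ANY and rule[field] != pkt.get(field):
                return False
        return True

    def verdict(self, pkt):
        for idx, rule in enumerate(self.rules):
            if not self._key_matches(rule, pkt):
                continue
            if rule["target"] == "rate-limit":
                if self.budget[idx] > 0:   # within the per-second budget
                    self.budget[idx] -= 1
                    return "accept"
                continue                   # over budget: not a match, fall through
            return rule["target"]          # drop / accept / reject-with ...
        return self.policy


def demo(policy):
    """Input chain from the procedure above: udp rate-limit 2, icmp drop on mgmt1."""
    chain = Chain(policy=policy)
    chain.append("rate-limit", protocol="udp", rate=2)
    chain.append("drop", protocol="icmp", in_intf="mgmt1")
    udp = {"protocol": "udp", "in_intf": "mgmt0"}      # constructed packets
    return ([chain.verdict(udp) for _ in range(3)],     # three udp packets in one second
            chain.verdict({"protocol": "icmp", "in_intf": "mgmt1"}),
            chain.verdict({"protocol": "icmp", "in_intf": "eth1/1"}))
```

With policy "drop" the third UDP packet is dropped; with policy "accept" all three are accepted and the rate-limit rule changes nothing.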

Note: Rate-limit is implemented with an average rate and a burst limit. Rate values are specified in pps and take a range of 1-1000 pps. For rate values in the range 1-100, the burst value is set equal to the rate value. For rate values in the range 101-1000, the burst limit is set to 100.
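An added example (not from the page or the switch software) that models the rate conversion and burst behaviour described above. It assumes the pps value is converted to an interval rounded to a whole number of 1/10000-second units, that the show command displays that interval converted back to pps, and that the limiter behaves as a token bucket refilled once per interval with capacity equal to the burst limit.

```python
# Added example (constructed model of the page's description, not switch code).
TICKS_PER_SECOND = 10000   # rate is stored in units of 1/10000 s


def interval_ticks(pps):
    """Ticks between two tokens; rounding to whole ticks is an assumption."""
    if not 1 <= pps <= 1000:
        raise ValueError("rate-limit must be 1-1000 pps")
    return max(1, round(TICKS_PER_SECOND / pps))


def displayed_pps(pps):
    """Rate as the show command would display it after the tick conversion."""
    return round(TICKS_PER_SECOND / interval_ticks(pps))


def burst_limit(pps):
    """Burst equals the rate for 1-100 pps and is capped at 100 above that."""
    interval_ticks(pps)        # validates the range
    return pps if pps <= 100 else 100


def rate_limit_verdicts(pps, arrival_ticks):
    """For each packet arrival time (in ticks, non-decreasing) report whether
    the rate-limit rule matches or the packet exceeds the limit and falls
    through to the next rule / chain policy."""
    interval, burst = interval_ticks(pps), burst_limit(pps)
    tokens, last = float(burst), arrival_ticks[0]
    verdicts = []
    for t in arrival_ticks:
        tokens = min(burst, tokens + (t - last) / interval)   # refill
        last = t
        if tokens >= 1:
            tokens -= 1
            verdicts.append("match")       # within rate: target applies
        else:
            verdicts.append("exceeded")    # over rate: rule does not match
    return verdicts


# Constructed arrivals for "rate-limit 2": a burst of three at t=0, then
# one packet 0.5 s later and one 2 s after start.
SAMPLE_ARRIVALS = [0, 0, 0, 5000, 20000]
```

For example, 300 pps is stored as 33 ticks and displays as 303 pps, while 2 pps is stored exactly and displays as 2 pps.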

IP table filtering is enabled and the firewall's default IP filter rules are applied.

To reset/apply the default rules on the system, run the command “ip filter reset-to-default-rules”.

To enable IP filter, run the command “ip filter enable”.

To list the default firewall rules, run the command “show ip filter”.

Note: when a default rule is touched (deleted, moved or modified), all IP filter rules are reflected in “show running-config”. To restore the default rules, run the command “ip filter reset-to-default-rules”.

Restoring the factory default configuration resets the default rules and enables the feature.