Configuring Keychains - Nokia 7302 Basics, Management And Oam Manual

Intelligent services access manager/fttn/fx, fd 100/320gbps nt and fx nt ihub system

Hide thumbs Also See for 7302:

Manual (626 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

page of 222

/ 222
Contents
Table of Contents
Bookmarks

Table of Contents

Security

----------------------------------------------

A:ALA-49>configure>sys>sec>cpm>ipv6-filter#

The following displays an IP/IPV6 CPU filter port and mask calculation example:

TCP port number-2 bytes

UDP port number-2 bytes

This section describes the use of L4 mask and gives some examples on L4 masks.

The way that L4 masks work is similar to IP subnet masks. The L4 mask is a 2-byte

hexadecimal number.

Applying an L4 mask to a UDP/TCP port allows identification of the constant and

variable parts of the port number. The constant bits are represented by the 1s in the

mask, and the variable bits are represented by the 0s. Performing a bitwise logical

AND operation between the port number and the L4 mask results in the first port

number of the range.

For example, if the port is 2000 and the mask is 65532, 2000 = 0000011111010000

and FFFC = 1111111111111100. The result after an AND operation is

0000011111010000, and the last two bits can be stripped off, resulting in a range of

00000111 11010011. So, 2000 - 2003 will be the range allowed with port number

2000 and mask 65532.

As noticed, the match on the above range causes variation of only the last 2 bits in

the entire number. The first bits always stay the same. If your range is continuous

(that is.without "holes" in it), and this is exactly the case - such a range must be

aligned so that the start has (N) least significant 0s and the end has (N) least

significant 1s.

The size of the range (R) must be of the form 2^N (to guarantee trailing 0s). In this

example, 2003 - 2000 + 1 = 4[*] which is 2^2.

4.2.1.3

The following shows a keychain configuration.

A:ALA-1>configure>system>security# info

----------------------------------------------

...

entry 10 create

action drop

description "CPU-Filter 2001::1/64 #101"

exit

entry 20 create

no action

description "CPU-Filter 2010::1/64 #201"

exit

no shutdown