Configuring ip filtering – Brocade Mobility 7131 Access Point Product Reference Guide (Supporting software release 4.4.0.0 and later) User Manual
53-1002517-01
Configuring IP Filtering
Use the access point’s IP filtering functionality to determine which IP packets are processed
normally by the access point and which are discarded. If discarded, a packet is deleted and ignored
(as if never received). The allow/deny mechanism used by IP filtering makes it similar to an access
control list (ACL).
IP filtering supports the creation of up to 20 filter rules enforced at layer 3. Once defined (using the access point’s SNMP, GUI or CLI), filtering rules can be enforced on the access point’s LAN1 or LAN2 interfaces and within any of the 16 access point WLANs. A default action is also available that denies traffic when the filter rules fail to match it. Lastly, imported and exported configurations retain their defined IP filtering configurations.
IP filtering is a network layer facility. The IP filtering mechanism does not know anything about the
application using the network connections, only the connections themselves. For example, you can
deny user access to an internal network on the default telnet port, but if you rely on IP filtering
alone, you cannot stop people from using the telnet program with a port you allow to pass through
your firewall.
There are a couple of important rules a packet adheres to when it is compared with the filter policy list:
• Packets are always filtered in sequential order (filtering always begins with the first filter policy displayed in the IP Filtering screen, then the second, third, and so on). The IP Filtering screen is invoked for LANs within the LAN1 or LAN2 screen and for WLANs within the New WLAN or Edit WLAN screen. It’s from this screen that allow or deny designations are set for IP filtering.
• Packets are compared with lines of the filter policy list until a match is made. Once a packet matches a line of the list, it is acted upon, and no further comparisons take place. If an inspected packet is determined not to be an IP packet, it is permitted by the access point to its inbound or outbound destination.
Once you create a filter policy, apply it to an interface in either an incoming or outgoing direction.
• Traffic entering the access point’s LAN1, LAN2 or WLAN (1-16) from a client is classified as Incoming traffic.
• Traffic leaving the access point’s LAN1, LAN2 or WLAN (1-16) en route to a client is classified as Outgoing traffic.
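The following added example (not code from the guide) models the matching rules above in Python: rules are tried top-down, the first match decides, non-IP frames pass unfiltered, and unmatched IP packets fall to the default action; it also flags rules that can never fire because an earlier rule shadows them, and the constructed policy shows why a port-23 deny does not stop telnet on another allowed port. The Rule and Packet field layout is an assumption made for illustration.

```python
# Added example modelling the first-match rule evaluation described above; it is not code
# from the guide, and the Rule/Packet field layout is an assumption made for illustration.
from collections import namedtuple
from ipaddress import ip_address, ip_network

MAX_RULES = 20  # the guide allows up to 20 layer-3 filter rules per policy

# action "allow"/"deny"; proto "tcp"/"udp"/"icmp"/"any"; src/dst in CIDR; dport None = any port
Rule = namedtuple("Rule", "action proto src dst dport", defaults=(None,))
# proto None marks a non-IP frame (e.g. ARP), which carries no IP header to filter on
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None, None, None, 0))

def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt, default="deny"):
    """Top-down walk: the first matching rule decides and later rules are never consulted;
    unmatched IP packets get the default action. Returns (action, index of deciding rule)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"policy exceeds {MAX_RULES} rules")
    if pkt.proto is None:          # not an IP packet: passed through unfiltered
        return "allow", None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return default, None

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already covers every
    packet they would match: the ordering mistake to audit for before applying a policy."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("any", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out

# Constructed WLAN policy: drop telnet to the management subnet, allow the rest of the WLAN.
POLICY = [
    Rule("deny", "tcp", "10.1.0.0/16", "10.0.0.0/24", 23),
    Rule("allow", "any", "10.1.0.0/16", "0.0.0.0/0"),
    Rule("deny", "tcp", "10.1.5.0/24", "10.0.0.0/24", 22),  # never fires: shadowed by the allow
]
```

Running `shadowed(POLICY)` before applying a policy on LAN1, LAN2 or a WLAN catches the third rule, which the first-match walk can never reach.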
For additional examples of how to configure IP Filter policies for both an access point WLAN and
LAN, see IP Filter Configuration - Example on page 5-184.
To filter packets against undesired data traffic:
1. Select Network Configuration -> IP Filtering from the Mobility 7131 Access Point menu tree.