Defining Static Filters
Applying a filter to an interface
MAX 6000/3000 Network Configuration Guide 15-27
Answer As Default parameter is set to Yes, filters applied in the Answer profile are applied to
the authenticated connection.
Examples of applying a data filter to a WAN interface
When you apply a data filter, its forwarding action (forward or drop) affects the actual data
stream by preventing certain packets from reaching the Ethernet from the W AN, or vice vers a.
Data filters do not affect the idle timer, and a data filter applied to a Connection profile does
not affect the answering process. In the following examples, the MAX unit supports the
following Filter profile, IP Spoof:
Following is an example of applying a data filter:
Ethernet
Connections
Connection profile
Session Options...
Data Filter=IP Spoof
Following is a comparable RADIUS profile:
tlynch Password="secret"
Service-Type=Framed-User,
Framed-Protocol=MPP,
Framed-IP-Address=10.10.10.64,
Framed-IP-Netmask=255.255.255.0,
Filter-Id="ip-spoof"
The following RADIUS profile references both local filters:
tlynch Password="secret"
Service-Type=Framed-User,
Framed-Protocol=MPP,
Framed-IP-Address=10.10.10.64,
Framed-IP-Netmask=255.255.255.0,
Filter-Id="ip-spoof",
Filter-Id="web-access"
As is always the case with filters, the order in which they are applied within the user profile is
significant. If the MAX unit supports multiple Filter profiles with similar names, it attempts to
match the first Filter profile to the characters specified in the user profile.
Following is an example of defining an antispoofing filter within the users RADIUS profile:
tlynch Password="secret"
Service-Type=Framed-User,
Framed-Protocol=MPP,
Framed-IP-Address=10.10.10.64,
Framed-IP-Netmask=255.255.255.0,
Ascend-Data Filter="ip in drop srcip 10.100.50.128/26"
Ascend-Data Filter="ip in drop srcip 127.0.0.0/8"
Ascend-Data Filter="ip in forward"
Ascend-Data Filter="ip out forward srcip 10.100.50.128/26"