net packet-filter-trusted
net packet-filter-trusted(1) BIG-IP TMSH Manual net packet-filter-trusted(1)
NAME
packet-filter-trusted - Modifies or displays trusted allow lists for
packet filters.
MODULE
net
SYNTAX
Configure the packet-filter-trusted component within the net module
using the syntax in the following sections.
MODIFY
modify packet-filter-trusted
options:
description [string]
ip-addresses none
ip-addresses
[add | delete | replace-all-with] {
[ip address ... ]
}
mac-addresses none
mac-addresses
[ add | delete | replace-all-with] ] {
[MAC address ...]
}
vlans none
vlans
[add | delete | replace-all-with] ] {
[vlan name ... ]
}
edit packet-filter-trusted
DISPLAY
list packet-filter-trusted
show running-config packet-filter-trusted
options:
all-properties
non-default-properties
one-line
DESCRIPTION
Use the packet-filter-trusted component to create a layer of security
for the traffic management system using trusted allow lists.
Trusted allow lists are lists of IP addresses, MAC addresses, and VLANs
that are exempt from packet filter rules.
Important: By default, packet filtering is disabled. You must enable
packet filtering using the Configuration utility. For more information,
see the TMOS(r) Management Guide for BIG-IP(r) Systems.
EXAMPLE
Creates a trusted allow list that allows anything listed to bypass the
packet filter.
In the following example, you have an administrative laptop that you
want to have unrestricted access to the traffic management system. This
is a laptop, and therefore it might have a different IP address from
time to time. One way to solve the problem is to add a trusted MAC
address. This trusted allow list example shows the laptop MAC address
as 00:02:3F:3E:2F:FE. Now the laptop can access the traffic management
system regardless of what address it boots with or to which VLAN it is
connected, as long as it is on the same physical segment as the traffic
management system.
Also in this example, the traffic management system is configured for
basic firewalling of the private/internal network. This example shows a
way to filter incoming traffic and allow outgoing traffic to be
unrestricted. To do this, you add trusted VLANs that represent all
traffic that originated on the internal network. Another way to do this
is to use trusted IP addresses instead, for example, 192.168.26.0/24.
modify packet-filter-trusted {
vlans add { internal1 internal2 }
mac-addresses add { 00:02:3F:3E:2F:FE }
}
OPTIONS
description
User defined description.
ip-addresses
Specifies a list of source IP addresses. Any traffic matching a
source IP address in the list is automatically allowed. This
simplifies configuration of the packet filter to allow trusted
internal traffic to be passed from VLAN to VLAN without a filter
rule, including out to the Internet. Processing of traffic by this
option occurs before rule list evaluation, making it impossible to
override this option and mask out (block) certain types of traffic
with a packet filter rule. This option is empty by default.
mac-addresses
Specifies a list of MAC addresses. The system allows any traffic
matching a MAC address in the source address list. This simplifies
configuration of the packet filter to allow trusted internal
traffic to be passed from VLAN to VLAN without a filter rule,
including out to the Internet. Processing of traffic by this
option occurs before rule list evaluation, making it impossible to
override this option and mask out (block) certain types of traffic
with a packet filter rule. This option is empty by default.
vlans
Specifies a list of ingress VLANs. Any traffic received on a VLAN
that is on the ingress VLAN list is automatically allowed. This
simplifies configuration of the packet filter to allow trusted
internal traffic to be passed from VLAN to VLAN without a filter
rule, including out to the Internet. Processing of traffic by this
option occurs before rule list evaluation, making it impossible to
override this option and mask out (block) certain types of traffic
with a packet filter rule. This option is empty by default.
SEE ALSO
edit, list, ltm virtual, modify, net packet-filter, net vlan, net vlan-
group, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013, 2016. All
rights reserved.
BIG-IP 2016-03-14 net packet-filter-trusted(1)