net packet-filter-trusted
net packet-filter-trusted(1) BIG-IP TMSH Manual net packet-filter-trusted(1)
NAME
packet-filter-trusted - Modifies or displays trusted allow lists for packet filters.
MODULE
net
SYNTAX
Configure the packet-filter-trusted component within the net module using the syntax in the following
sections.
MODIFY
modify packet-filter-trusted
options:
description [string]
ip-addresses none
ip-addresses
[add | delete | replace-all-with] {
[ip address ... ]
}
mac-addresses none
mac-addresses
[add | delete | replace-all-with] {
[MAC address ...]
}
vlans none
vlans
[add | delete | replace-all-with] {
[vlan name ... ]
}
edit packet-filter-trusted
DISPLAY
list packet-filter-trusted
show running-config packet-filter-trusted
options:
all-properties
non-default-properties
one-line
DESCRIPTION
Use the packet-filter-trusted component to create a layer of security for the traffic management system using
trusted allow lists.
Trusted allow lists are lists of IP addresses, MAC addresses, and VLANs that are exempt from packet filter
rules.
Important: By default, packet filtering is disabled. You must enable packet filtering using the Configuration
utility. For more information, see the TMOS(r) Management Guide for BIG-IP(r) Systems.
EXAMPLE
Creates a trusted allow list that allows anything listed to bypass the packet filter.
In the following example, you have an administrative laptop that you want to have unrestricted access to the
traffic management system. Because it is a laptop, its IP address may change from time to time, so a trusted IP
address would not be reliable. One way to solve the problem is to add a trusted MAC address. This trusted allow
list example shows the laptop MAC address as 00:02:3F:3E:2F:FE. Now the laptop can access the traffic management
system regardless of what IP address it boots with or to which VLAN it is connected, as long as it is on the same
physical segment as the traffic management system.
Also in this example, the traffic management system is configured for basic firewalling of the
private/internal network. This example shows a way to filter incoming traffic and allow outgoing traffic to be
unrestricted. To do this, you add trusted VLANs that represent all traffic that originated on the internal
network. Another way to do this is to use trusted IP addresses instead, for example, 192.168.26.0/24.
modify packet-filter-trusted {
vlans add { internal1 internal2 }
mac-addresses add { 00:02:3F:3E:2F:FE }
}
OPTIONS
description
User-defined description.
ip-addresses
Specifies a list of source IP addresses. Any traffic whose source IP address matches an entry in the list is
automatically allowed. This simplifies configuration of the packet filter by allowing trusted internal
traffic to pass from VLAN to VLAN, including out to the Internet, without a filter rule. Traffic is checked
against this list before the rule list is evaluated, so a packet filter rule cannot override this option to
mask out (block) certain types of traffic from a trusted address. This option is empty by default.
mac-addresses
Specifies a list of source MAC addresses. The system allows any traffic whose source MAC address matches an
entry in the list. This simplifies configuration of the packet filter by allowing trusted internal traffic to
pass from VLAN to VLAN, including out to the Internet, without a filter rule. Traffic is checked against this
list before the rule list is evaluated, so a packet filter rule cannot override this option to mask out (block)
certain types of traffic from a trusted address. This option is empty by default.
vlans
Specifies a list of ingress VLANs. Any traffic received on a VLAN in the list is automatically allowed. This
simplifies configuration of the packet filter by allowing trusted internal traffic to pass from VLAN to VLAN,
including out to the Internet, without a filter rule. Traffic is checked against this list before the rule
list is evaluated, so a packet filter rule cannot override this option to mask out (block) certain types of
traffic received on a trusted VLAN. This option is empty by default.
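The precedence described under OPTIONS (trusted lists are checked before any rule, so no rule can block a trusted source), applied to the EXAMPLE configuration above, as an added model in Python that is not part of tmsh or this manual. It assumes an accept default for unhandled packets; the rule named block-ssh, the packet fields, and the audit threshold are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_ip: str
    src_mac: str
    ingress_vlan: str
    dst_port: int

@dataclass
class TrustedLists:
    ip_addresses: list = field(default_factory=list)   # host or CIDR strings
    mac_addresses: list = field(default_factory=list)
    vlans: list = field(default_factory=list)

def trusted_match(trusted, pkt):
    """Return the trusted list that exempts pkt from rule evaluation, else None."""
    src = ipaddress.ip_address(pkt.src_ip)
    if any(src in ipaddress.ip_network(n, strict=False) for n in trusted.ip_addresses):
        return "ip-addresses"
    if pkt.src_mac.lower() in {m.lower() for m in trusted.mac_addresses}:
        return "mac-addresses"
    if pkt.ingress_vlan in trusted.vlans:
        return "vlans"
    return None

def evaluate(trusted, rules, pkt, default_action="accept"):
    """rules: ordered (name, predicate, action). Trusted lists run first and a
    later rule cannot override them; default_action models the filter's
    unhandled-packet action (assumed to be accept here)."""
    hit = trusted_match(trusted, pkt)
    if hit:
        return "accept", f"trusted {hit}"
    for name, pred, action in rules:
        if pred(pkt):
            return action, f"rule {name}"
    return default_action, "unhandled"

def overly_broad(trusted, max_hosts=256):
    """Audit helper: trusted IP entries wider than a /24 bypass every rule (constructed threshold)."""
    return [n for n in trusted.ip_addresses
            if ipaddress.ip_network(n, strict=False).num_addresses > max_hosts]

# Constructed configuration mirroring the man page EXAMPLE plus its 192.168.26.0/24 variant.
TRUSTED = TrustedLists(ip_addresses=["192.168.26.0/24"],
                       mac_addresses=["00:02:3F:3E:2F:FE"],
                       vlans=["internal1", "internal2"])
RULES = [("block-ssh", lambda p: p.dst_port == 22, "discard")]

if __name__ == "__main__":
    laptop = Packet("10.9.8.7", "00:02:3f:3e:2f:fe", "external", 22)
    stranger = Packet("10.9.8.8", "00:aa:bb:cc:dd:ee", "external", 22)
    print(evaluate(TRUSTED, RULES, laptop))    # ('accept', 'trusted mac-addresses')
    print(evaluate(TRUSTED, RULES, stranger))  # ('discard', 'rule block-ssh')
```

Run the audit helper against the output of `list net packet-filter-trusted` before adding a broad network, since an entry such as 0.0.0.0/0 would silently exempt all traffic from every rule.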
SEE ALSO
edit, list, ltm virtual, modify, net packet-filter, net vlan, net vlan-group, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013, 2016. All rights reserved.
BIG-IP 2016-03-14 net packet-filter-trusted(1)