Configuring Filters

PNNI software allows the configuration of call filters. These filters are similar to access lists (ACLs) in Cisco IOS Software both in functionality and provisioning sequence.

Configurable filters include address filters to reject or allow (deny or permit) specific calling or called parties in the setup message, or a combination of calling and called parties. Calling parties, called parties, or combinations can be rejected or allowed based on a beginning or ending set of digits in each field.

Each address filter can contain multiple entries sorted by an index, so a single address filter can contain numerous rules permitting or denying complete and partial addresses.

Finally, these filters are applied to pnports in either the ingress or egress direction.

You can configure an example of address filtering. In this example, you allow SVCs to be set up from one CPE but not from the other.

You start by creating the address filter in the MGX-8850, called Filter_test (see Example 10-76). The default absent action is permit. In this filter, you deny the Cisco 7507 AESA as a calling AESA in a setup message.

Example 10-76. Creating a Filter in a PNNI Node

 m8850-7a.7.PXM.a > addfltset Filter_test m8850-7a.7.PXM.a > cnffltset Filter_test -address   47.000000000000010001008600.00000c750701.01 -length 160 -list calling   -accessMode deny m8850-7a.7.PXM.a > dspfltset -name Filter_test FilterName: Filter_test Index: 1 Address: 4700000000000001000100860000000c75070101 AddrLen: 160 bits AddrPlan: Nsap AccessMode: Deny AddrList: Calling Party List --------------------------------------- m8850-7a.7.PXM.a > 

For partial address matches, you can use the parameter -address. The parameter address can be followed by these:

• Digits before three periods An address beginning with those digits (such as -address 470091...)

• Digits after three periods An address ending with those digits (such as -address ...75070101).

You now apply the filter to pnport 2:1.1:1 connected to the Cisco 7505 router in the outbound direction, as shown in Example 10-77.

Example 10-77. Applying the Access Filter to a PnPort

 m8850-7a.7.PXM.a > cnfpnportacc 2:1.1:1 -out Filter_test m8850-7a.7.PXM.a > 

You try to set up a connection from the Cisco 7507. That setup message has the Cisco 7507 AESA as the calling party and is rejected in the MGX-8850 at port 2:1.1:1. See Example 10-78.

Example 10-78. Verifying the Deny Filter Functionality

 C7507-1a#ping 172.18.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.18.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) C7507-1a# 

This behavior is shown in Figure 10-17.

An ATM signaling debug in the Cisco 7507 router shows how the call is not completed. Note that the calling party address corresponds to the Cisco 7507 AESA router connected to the BPX-SES PNNI node. See Example 10-79.

Example 10-79. ATM Signaling Debug Showing the Call Released

 17:43:13: ATMSIG(ATM6/0 0,0 - 0022/00): (vcnum:0) API - alloc_connection_id 16 17:43:13: ATMSIG: Called Party Addr:   47.000000000000010002008850.00000C750501.01 17:43:13: ATMSIG: Calling Party Addr:   47.000000000000010001008600.00000C750701.01 17:43:13: ATMSIG(ATM6/0 0,0 - 0022/00): (vcnum:29) Null(U0) -> Call Initiated(U1) 17:43:13: ATMSIG(ATM6/0 0,0 - 0022/00): (vcnum:29) Input event: Rcvd Call   Proceeding in Call Initiated(U1) 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29) Connection Identifier IE:   associated sig = 88   vpi = 0   vci = 56 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29) Call Initiated(U1)   -> Outgoing Call Proceeding(U3) 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29) Input event: Rcvd Release in    Outgoing Call Proceeding(U3) 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29)cause = temporary failure,    location = Private Network 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29) Outgoing Call Proceeding(U3)   -> Release Indication(U12) ATMAPI: (c<-s): RELEASEv2 ci: 0x16, cause: 0x29 17:43:13: ATMAPI: (c->s): RELEASE_COMPv2 ci: 0x16 cause: 0x29 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29) building cause code - cause =   (0x1B)destination out of order, IE_cause = (0x1B)destination out of   order, location = User 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29) Output Release Complete msg,   Release Indication(U12) state 17:43:13: ATMSIG(ATM6/0 0,56 - 0022/00): (vcnum:29) Release Indication(U12) ->   Dead 

However, if the call is initiated from the Cisco 7505 router, it is successful. In this case, the calling party address matches the Cisco 7505 AESA connected to the MGX-8850 PNNI node. See Example 10-80.

Example 10-80. Initiating the Call from the 7505 Router

 ATMSIG_API: Called Party Addr:   47.000000000000010001008600.00000C750701.01 ATMSIG_API: Calling Party Addr:   47.000000000000010002008850.00000C750501.01 ATMSIG_API:(ATM0/0 0,0 - 0004/00): (vcnum:9) Null(U0) -> Call Initiated(U1) ATMSIG_API:(ATM0/0 0,0 - 0004/00): (vcnum:9) Input event : Rcvd Call Proceeding   in Call Initiated(U1) ATMSIG_API:(ATM0/0 0,54 - 0004/00): (vcnum:9) Connection Identifier IE:   associated sig = 88   vpi = 0   vci = 54 ATMSIG_API:(ATM0/0 0,54 - 0004/00): (vcnum:9) Call Initiated(U1) -> Outgoing Call   Proceeding(U3) ATMSIG_API:(ATM0/0 0,54 - 0004/00): (vcnum:9) Input event : Rcvd Connect in   Outgoing Call Proceeding(U3) 12:46:31: ProcessBLLI: IE length = 1. ATMSIG_API:(ATM0/0 0,54 - 0004/00): (vcnum:9) Connection Identifier IE: associated   sig = 88   vpi = 0   vci = 54 ATMSIG_API:(ATM0/0 0,54 - 0004/00): (vcnum:9) Input event : Req Connect Ack in   Outgoing Call Proceeding(U3) ATMSIG_API:(ATM0/0 0,54 - 0004/00): (vcnum:9) Output Connect Ack msg, Outgoing   Call Proceeding(U3) state ATMSIG_API:(ATM0/0 0,54 - 0004/00): (vcnum:9) Outgoing Call Proceeding(U3) ->   Active(U10) 12:46:31: ATMAPI: (c<-s): CONNECTv2 ci: 0x4 ei: 0xFFFFFFFF 

You delete the filter assignment to port 1:1.2:2, and you are back to normal. See Example 10-81.

Example 10-81. Deleting a PnPort Access Filter

 m8850-7a.7.PXM.a > delpnportacc 2:1.1:1 out m8850-7a.7.PXM.a >