Lucent Technologies 6000 User Manual

MAX 6000/3000 Network Configuration Guide

 15-27

Answer As Default parameter is set to Yes, filters applied in the Answer profile are applied to 
the authenticated connection.

When you apply a data filter, its forwarding action (forward or drop) affects the actual data 
stream by preventing certain packets from reaching the Ethernet from the WAN, or vice versa. 
Data filters do not affect the idle timer, and a data filter applied to a Connection profile does 
not affect the answering process. In the following examples, the MAX unit supports the 
following Filter profile, IP Spoof:

Following is an example of applying a data filter:

Ethernet

Connections

Session Options...

Data Filter=IP Spoof

Following is a comparable RADIUS profile:

tlynch Password="secret"

    Service-Type=Framed-User, 

    Framed-Protocol=MPP,

    Framed-IP-Address=10.10.10.64,

    Framed-IP-Netmask=255.255.255.0,

    Filter-Id="ip-spoof"

The following RADIUS profile references both local filters:

tlynch Password="secret"

    Service-Type=Framed-User, 

    Framed-Protocol=MPP,

    Framed-IP-Address=10.10.10.64,

    Framed-IP-Netmask=255.255.255.0,

    Filter-Id="ip-spoof",

    Filter-Id="web-access"

As is always the case with filters, the order in which they are applied within the user profile is 
significant. If the MAX unit supports multiple Filter profiles with similar names, it attempts to 
match the first Filter profile to the characters specified in the user profile. 

Following is an example of defining an antispoofing filter within the user’s RADIUS profile:

tlynch Password="secret"

    Service-Type=Framed-User, 

    Framed-Protocol=MPP,

    Framed-IP-Address=10.10.10.64,

    Framed-IP-Netmask=255.255.255.0,

    Ascend-Data Filter="ip in drop srcip 10.100.50.128/26"

    Ascend-Data Filter="ip in drop srcip 127.0.0.0/8"

    Ascend-Data Filter="ip in forward"

    Ascend-Data Filter="ip out forward srcip 10.100.50.128/26"