Creating Policy Rules For Acls - Alcatel OmniSwitch 6800 Series Network Configuration Manual

Configuring ACLs

Creating Policy Rules for ACLs

A policy rule is made up of a condition and an action. For example, to create a policy rule for filtering IP addresses, which is a Layer 3 ACL, use the policy rule command with the condition and action keywords. The precedence keyword is optional. By default rules have a precedence of 0. See "Rule Precedence" on page 22-5 for more information about precedence.

-> policy condition c3 source ip 10.10.4.8
-> policy action a1 accept
-> policy rule rule7 precedence 65535 condition c3 action a1

In this example, any traffic matching condition c3 will match rule7; rule7 is configured with the highest precedence value. If any other rules are configured for traffic with a source address of 10.10.4.8, rule7 will take precedence over the other rules only if one of the following is true:

• A conflict exists with another rule and rule7 has a higher precedence.
• A conflict exists with another rule that has the same precedence value, but rule7 was created first.

If there are no conflicts between rule7 and other rules, then all rules are applied to the flow. (For more information about precedence, see "Rule Precedence" on page 22-5.) The action configured for the rule, a1, allows traffic from 10.10.4.8, so the flow will be accepted on the switch.

The rule will not be used to classify traffic or enforce the policy until the qos apply command is entered. For information about applying policy parameters, see "Applying the Configuration" on page 21-46 in Chapter 21, "Configuring QoS."

Layer 2 ACLs

Layer 2 filtering filters traffic at the MAC layer. Layer 2 filtering may be done for both bridged and routed packets. As MAC addresses are learned on the switch, QoS classifies the traffic based on:

• MAC address or MAC group
• Source VLAN
• Physical slot/port or port group

The switch classifies the MAC address as both source and destination.

The following policy condition keywords are used for Layer 2 ACLs:

Layer 2 ACL Condition Keywords
source mac              destination mac
source mac group        destination mac group
source vlan             destination port
source port             destination port group
source port group       ethertype

A group and an individual item cannot be specified in the same condition. For example, a source MAC address and a source MAC group cannot be specified in the same condition.

Note that combining Layer 2 and Layer 3 conditions in the same policy is supported. Refer to "Condition Combinations" on page 21-6 and "Action Combinations" on page 21-7 in Chapter 21, "Configuring QoS."

OmniSwitch 6800 Series Network Configuration Guide    November 2004    page 22-10
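As an added example (not code from the Alcatel guide), the following Python model reproduces the precedence and conflict behaviour described above, together with the group-versus-individual condition check; it assumes that a "conflict" means two rules matching the same flow with different actions, and that a flow is a dict of classification fields.

```python
# Added example: a model of the rule precedence and condition rules described
# above. Not Alcatel code. Assumption: a "conflict" is two rules that match
# the same flow but carry different actions; a flow is a dict of fields.
from dataclasses import dataclass


@dataclass
class Condition:
    name: str
    terms: dict  # keyword -> value, e.g. {"source ip": "10.10.4.8"}

    def invalid_pairs(self):
        """A group and its individual item (e.g. 'source mac' and
        'source mac group') may not appear in one condition."""
        return [(k[:-len(" group")], k) for k in sorted(self.terms)
                if k.endswith(" group") and k[:-len(" group")] in self.terms]

    def matches(self, flow):
        return all(flow.get(k) == v for k, v in self.terms.items())


@dataclass
class Rule:
    name: str
    condition: Condition
    action: str          # "accept" or "drop"
    precedence: int = 0  # switch default when the keyword is omitted
    created: int = 0     # creation order; lower means created earlier


def applied_rules(rules, flow):
    """Names of the rules that act on `flow`: higher precedence wins a
    conflict, ties go to the rule created first, and rules that do not
    conflict with an already-chosen rule are all applied."""
    matching = [r for r in rules if r.condition.matches(flow)]
    matching.sort(key=lambda r: (-r.precedence, r.created))
    winners = []
    for r in matching:
        if not any(w.action != r.action for w in winners):
            winners.append(r)
    return [r.name for r in winners]


# Constructed sample: the manual's rule7 beside a lower-precedence drop rule.
c3 = Condition("c3", {"source ip": "10.10.4.8"})
rule7 = Rule("rule7", c3, "accept", precedence=65535, created=2)
rule8 = Rule("rule8", Condition("c4", {"source ip": "10.10.4.8"}), "drop", created=1)
FLOW = {"source ip": "10.10.4.8"}

if __name__ == "__main__":
    print(applied_rules([rule8, rule7], FLOW))  # ['rule7']
```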
