Configuring ACLs
Layer 2 ACL Example
In this example, the default bridged disposition is accept (the default). Since the default is accept, the qos
default bridged disposition command would only need to be entered if the disposition had previously
been set to deny. The command is shown here for completeness.
-> qos default bridged disposition accept
-> policy condition Address1 source mac 080020:112233 source vlan 5
-> policy action BlockTraffic disposition deny
-> policy rule FilterA condition Address1 action BlockTraffic
In this scenario, traffic with a source MAC address of 08:00:20:11:22:33 coming in on VLAN 5 would
match condition Address1, which is a condition for a policy rule called FilterA. FilterA is then applied to
the flow. Since FilterA has an action (BlockTraffic) that is set to deny traffic, the flow would be denied
on the switch.
Note that although this example contains only Layer 2 conditions, it is possible to combine Layer 2 and
Layer 3 conditions in the same policy.
Layer 3 ACLs
The QoS software in the switch filters routed and bridged traffic at Layer 3.
For Layer 3 filtering, the QoS software in the switch classifies traffic based on:
Source IP address or source network group
•
Destination IP address or destination network group
•
IP protocol
•
Source TCP/UDP port
•
Destination TCP/UDP port or service or service group
•
Destination slot/port or destination port group
•
The following policy condition keywords are used for Layer 3 ACLs:
Layer 3/4 ACL Condition Keywords
source ip
source network group
destination ip
destination network group
source ip port
destination ip port
service
service group
ip protocol
destination port
destination port group
icmptype
icmpcode
Note that combining Layer 2 and Layer 3 conditions in the same policy is supported. Refer to
Combinations" on page 21-6
OmniSwitch 6800 Series Network Configuration Guide
and
"Action Combinations" on page 21-7
November 2004
Configuring ACLs
"Condition
in
Chapter 21, "Configuring QoS."
page 22-11