How Precedence Is Determined; Rule Precedence; Interaction With Other Features; Valid Combinations - Alcatel-Lucent OmniSwitch 6850-48 Network Configuration Manual

ACL Overview

Rule Precedence

The switch attempts to classify flows coming into the switch according to policy precedence. Only the rule
with the highest precedence will be applied to the flow. This is true even if the flow matches more than
one rule.

How Precedence is Determined

When there is a conflict between rules, precedence is determined using one of the following methods:
•
Precedence value—Each policy has a precedence value. The value may be user-configured through
the policy rule command in the range from 0 (lowest) to 65535 (highest). (The range 30000 to 65535 is
typically reserved for PolicyView.) By default, a policy rule has a precedence of 0.
•
Configured rule order—If a flow matches more than one rule and both rules have the same prece-
dence value, the rule that was configured first in the list will take precedence.

Interaction With Other Features

•
Routing Protocols—Layer 3 filtering is compatible with routing protocols on the switch, including
RIP and OSPF. If VRRP is also running, all VRRP routers on the LAN must be configured with the
same filtering rules; otherwise, the security of the network will be compromised. For more information
about VRRP, see
•
Bridging—Layer 2 and Layer 3 ACLs are supported for bridged and routed traffic. For information
about classifying Layer 3 information in bridged frames, see
on page 40-22 in

Valid Combinations

There are limitations to the types of conditions that may be combined in a single rule. A brief overview of
these limitations is listed here:
•
The 802.1p and source VLAN conditions are the only Layer 2 conditions allowed in combination with
Layer 4 conditions.
•
Source and destination parameters can be combined in Layer 2, Layer 3, and Layer 4 conditions.
•
In a given rule, ToS or DSCP may be specified for a condition with priority specified for the action.
•
The Layer 1 destination port condition only applies to bridged traffic, not routed traffic. This restric-
tion does not apply to the OmniSwitch 6800.
•
The IP multicast condition works in combination with Layer 1, Layer 2, and Layer 3 destination condi-
tions only if these conditions specify the device that sends the IGMP report packet.
•
IPv6 conditions are not supported on the OmniSwitch 6800. For more information about IPv6 policies,
see "IPv6 ACLs" on page
•
Individual items and their corresponding groups cannot be combined in the same condition. For exam-
ple, a source IP address cannot be included in a condition with a source IP network group.
•
Layer 2 and Layer 3 rules are always effected on bridged and routed traffic. As a result, combining
source or destination TCP/UDP port and IP protocol in a condition is allowed.
page 41-6
Chapter 32, "Configuring VRRP."
Chapter 40, "Configuring QoS."
41-13.
OmniSwitch AOS Release 6 Network Configuration Guide
"Classifying Bridged Traffic as Layer 3"
Configuring ACLs
September 2009