Creating Policy Rules for ACLs; Layer 2 ACLs - Alcatel-Lucent OmniSwitch 6850-48 Network Configuration Manual

Software release 6

Configuring ACLs

Creating Policy Rules for ACLs

A policy rule is made up of a condition and an action. For example, to create a policy rule for filtering IP
addresses, which is a Layer 3 ACL, use the policy rule command with the condition and action
keywords. The precedence keyword is optional. By default, rules have a precedence of 0. See
"Rule Precedence" on page 41-6 for more information about precedence.
-> policy condition c3 source ip 10.10.4.8
-> policy action a1 accept
-> policy rule rule7 precedence 65535 condition c3 action a1
In this example, any traffic matching condition c3 will match rule7; rule7 is configured with the highest
precedence value. If any other rules are configured for traffic with a source address of 10.10.4.8, rule7
will take precedence over the other rules only if one of the following is true:
A conflict exists with another rule and rule7 has a higher precedence.
A conflict exists with another rule that has the same precedence value, but rule7 was created first.
The action configured for the rule, a1, allows traffic from 10.10.4.8, so the flow will be accepted on the
switch.
The rule will not be used to classify traffic or enforce the policy until the qos apply command is entered.
For information about applying policy parameters, see "Applying the Configuration" on page 40-54 in
Chapter 40, "Configuring QoS."
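The selection behavior described above can be modeled offline. The following is an added example, not code from the Alcatel-Lucent guide: it parses a constructed CLI session, keeps only what was entered before the last qos apply, and picks the winning rule by precedence and then creation order. It assumes exact source IP matching (no masks); rule2 and rule8 are hypothetical rules added for illustration.

```python
import re

COND = re.compile(r"policy condition (\S+) source ip (\S+)")
RULE = re.compile(r"policy rule (\S+)(?: precedence (\d+))? condition (\S+) action (\S+)")

# Constructed session. rule7, c3 and a1 come from the text; rule2 and rule8
# are hypothetical extra rules on the same condition.
SAMPLE = """\
-> policy condition c3 source ip 10.10.4.8
-> policy action a1 accept
-> policy rule rule2 condition c3 action a1
-> qos apply
-> policy rule rule7 precedence 65535 condition c3 action a1
-> policy rule rule8 precedence 65535 condition c3 action a1
"""

def applied_state(session):
    """Return (conditions, rules) as of the last 'qos apply' in the session."""
    conds, rules = {}, []      # typed so far, not necessarily applied
    applied = ({}, [])
    for order, line in enumerate(session.splitlines()):
        line = line.strip()
        if line.startswith("-> "):
            line = line[3:]
        if m := COND.fullmatch(line):
            conds[m[1]] = m[2]
        elif m := RULE.fullmatch(line):
            rules.append({"name": m[1], "prec": int(m[2] or 0),
                          "cond": m[3], "order": order})
        elif line == "qos apply":
            applied = (dict(conds), list(rules))
    return applied

def winning_rule(session, src_ip):
    """Name of the applied rule that classifies traffic from src_ip, or None."""
    conds, rules = applied_state(session)
    # Assumption: a condition matches only on an exact source IP string.
    hits = [r for r in rules if conds.get(r["cond"]) == src_ip]
    # Higher precedence wins; on equal precedence the rule created first wins.
    hits.sort(key=lambda r: (-r["prec"], r["order"]))
    return hits[0]["name"] if hits else None

if __name__ == "__main__":
    # rule7 and rule8 were typed after the last qos apply, so they are not in force.
    print(winning_rule(SAMPLE, "10.10.4.8"))
    # After a second qos apply they take effect and are ranked with rule2.
    print(winning_rule(SAMPLE + "-> qos apply\n", "10.10.4.8"))
```

Running a saved configuration through a model like this before entering qos apply shows which rule will actually classify a given source address, which helps catch a high-precedence accept rule that silently overrides an intended filter.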

Layer 2 ACLs

Layer 2 filtering filters traffic at the MAC layer. Layer 2 filtering may be done for both bridged and routed
packets. As MAC addresses are learned on the switch, QoS classifies the traffic based on:
MAC address or MAC group
Source VLAN
Physical slot/port or port group
The switch classifies the MAC address as both source and destination.
The following policy condition keywords are used for Layer 2 ACLs:
Layer 2 ACL Condition Keywords
source mac
source mac group
source vlan
source port
source port group
ethertype
802.1p
destination mac
destination mac group
destination port
destination port group
A group and an individual item cannot be specified in the same condition. For example, a source MAC
address and a source MAC group cannot be specified in the same condition.
Note that combining Layer 2 and Layer 3 conditions in the same policy is supported. Refer to
"Condition Combinations" on page 40-6 and "Action Combinations" on page 40-8 in
Chapter 40, "Configuring QoS."

OmniSwitch AOS Release 6 Network Configuration Guide, September 2009, page 41-11
