Using Acl Security Features - Alcatel-Lucent OmniSwitch AOS Release 7 Manual

Network configuration guide

For multicast filtering, the switch classifies traffic based on the multicast IP address or multicast network
group and any destination parameters. Note that the destination parameters are used for the client from
which the switch receives the IGMP request.
The multicast ip or multicast network group keyword is required in the condition configured for a
multicast ACL.
The following keywords can be used in the condition to indicate the client parameters:
Multicast ACL Keywords
destination ip
destination vlan
destination port
destination port group
destination mac
destination mac group
If a destination group is specified, the corresponding single value keyword cannot be combined in the same condition. For example, if a destination port is specified, a destination port group cannot be specified in the same condition.
To filter multicast clients, specify the multicast IP address, which is the address of the multicast group or
stream, and specify the client IP address, VLAN, MAC address, or slot/port. For example:
-> qos default multicast disposition deny
-> policy condition Mclient1 multicast ip 224.0.1.2 destination vlan 5
-> policy action ok disposition accept
-> policy rule Mrule condition Mclient1 action ok
In this example, any traffic coming in on VLAN 5 requesting membership to the 224.0.1.2 multicast group
is allowed to pass through.

Using ACL Security Features

The following additional ACL features are available for improving network security and preventing malicious activity on the network:
UserPorts—A port group that identifies its members as user ports to prevent source address spoofing of IP and ARP traffic (per RFC 2267). When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP address that does not match the IP subnet for the port. It is also possible to configure a UserPorts profile to specify other types of traffic to monitor on user ports. See "Configuring a UserPorts Group" on page 21-64.
ICMP drop rules—Allows condition combinations in policies that prevent user pings, thus reducing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode. See "Configuring ICMP Drop Rules" on page 21-64.
TCP connection rules—Allows the determination of an established TCP connection by examining TCP flags found in the TCP header of the packet. Two condition parameters are available for defining a TCP connection ACL: established and tcpflags. See "Configuring TCP Connection Rules" on page 21-65.
Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP, and Local Proxy ARP are not discarded.
OmniSwitch AOS Release 7 Network Configuration Guide    March 2011    page 21-63
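The following Python model is added here to illustrate the semantics this page describes; it is not code from the OmniSwitch or from the guide. It evaluates IGMP requests against the multicast ACL example above (default deny, Mclient1 condition, accept action), enforces the rule that a destination group keyword cannot be combined with its single-value keyword, and applies the UserPorts source-subnet check. The dict-based condition representation and the function and class names are assumptions made for the example.

```python
import ipaddress

# Client parameters the page lists for multicast ACL conditions; each group
# keyword excludes its single-value counterpart in the same condition.
GROUP_OF = {"destination port group": "destination port",
            "destination mac group": "destination mac"}


def validate_condition(cond):
    """Return an error string if the condition breaks a rule from the page,
    else None. cond maps keyword -> value (assumed representation)."""
    if "multicast ip" not in cond and "multicast network group" not in cond:
        return "multicast ip or multicast network group keyword is required"
    for group_kw, single_kw in GROUP_OF.items():
        if group_kw in cond and single_kw in cond:
            return f"{group_kw} cannot be combined with {single_kw}"
    return None


class MulticastPolicy:
    """Models 'qos default multicast disposition' plus the policy rules."""

    def __init__(self, default_disposition="deny"):
        self.default = default_disposition
        self.rules = []  # list of (condition, disposition)

    def add_rule(self, cond, disposition):
        err = validate_condition(cond)
        if err:
            raise ValueError(err)
        self.rules.append((cond, disposition))

    def igmp_request(self, group, client):
        """Disposition for an IGMP membership request for `group` from a
        client described by destination vlan/ip/port/mac keywords."""
        for cond, disposition in self.rules:
            if cond.get("multicast ip") != group:
                continue
            params = {k: v for k, v in cond.items() if k != "multicast ip"}
            if all(client.get(k) == v for k, v in params.items()):
                return disposition
        return self.default  # no rule matched: default disposition applies


def user_port_accepts(port_subnet, packet_src_ip):
    """UserPorts anti-spoofing check: a packet is dropped when its source IP
    does not fall inside the IP subnet configured for the user port."""
    return ipaddress.ip_address(packet_src_ip) in ipaddress.ip_network(port_subnet)
```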
