Layer 3 Acl: Example 1; Layer 3 Acl: Example 2; Ipv6 Acls - Alcatel-Lucent OmniSwitch 6800 Series Network Configuration Manual

Configuring ACLs

Layer 3 ACL: Example 1

In this example, the default routed disposition is accept (the default). Since the default is accept, the qos
default routed disposition command would only need to be entered if the disposition had previously been
set to deny. The command is shown here for completeness.
-> qos default routed disposition accept
-> policy condition addr2 source ip 192.68.82.0 source ip port 23 ip protocol 6
-> policy action Block disposition deny
-> policy rule FilterL31 condition addr2 action Block
Traffic with a source IP address of 192.68.82.0, a source IP port of 23, using protocol 6, will match
condition addr2, which is part of FilterL31. The action for the filter (Block) is set to deny traffic. The flow
will be dropped on the switch.
Note that although this example contains only Layer 3 conditions, it is possible to combine Layer 2 and
Layer 3 conditions in the same policy.

Layer 3 ACL: Example 2

This example uses condition groups to combine multiple IP addresses in a single condition. The default
disposition is set to deny.
-> qos default routed disposition deny
-> policy network group GroupA 192.60.22.1 192.60.22.2 192.60.22.0
-> policy condition cond7 destination network group GroupA
-> policy action Ok disposition accept
-> policy rule FilterL32 condition cond7 action Ok
In this example, a network group, GroupA, is configured with three IP addresses. Condition cond7
includes GroupA as a destination group. Flows coming into the switch destined for any of the specified IP
addresses in the group will match rule FilterL32. FilterL32 is configured with an action (Ok) to allow the
traffic on the switch.
Note that although this example contains only Layer 3 conditions, it is possible to combine Layer 2 and
Layer 3 conditions in the same policy.
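
Both examples above can be checked offline. The following is an added Python example (not from the manual and not Alcatel-Lucent code) that parses the commands shown and reports which rule, or the default routed disposition, decides a flow. The flow dictionaries, exact-host address matching and entry-order rule evaluation are assumptions; this page does not describe masks or rule precedence.

```python
# Added example, not vendor code. Assumes exact-host matching, rules tried in entry order.
KEYWORDS = [("source", "ip", "port"), ("destination", "network", "group"),
            ("source", "ip"), ("ip", "protocol")]  # longest keyword first
EXAMPLE_1 = """
-> qos default routed disposition accept
-> policy condition addr2 source ip 192.68.82.0 source ip port 23 ip protocol 6
-> policy action Block disposition deny
-> policy rule FilterL31 condition addr2 action Block
"""
EXAMPLE_2 = """
-> qos default routed disposition deny
-> policy network group GroupA 192.60.22.1 192.60.22.2 192.60.22.0
-> policy condition cond7 destination network group GroupA
-> policy action Ok disposition accept
-> policy rule FilterL32 condition cond7 action Ok
"""

def parse_condition(tokens):
    # Split "keyword value keyword value ..." into a dict, e.g. {"source ip port": "23"}.
    cond, i = {}, 0
    while i < len(tokens):
        kw = next((k for k in KEYWORDS if tuple(tokens[i:i + len(k)]) == k), None)
        if kw is None:
            raise ValueError(f"unsupported condition keyword: {tokens[i:]}")
        cond[" ".join(kw)] = tokens[i + len(kw)]
        i += len(kw) + 1
    return cond

def parse_config(text):
    cfg = {"default": "accept", "groups": {}, "conds": {}, "actions": {}, "rules": []}
    for t in (ln.replace("->", "", 1).split() for ln in text.strip().splitlines()):
        if t[:4] == ["qos", "default", "routed", "disposition"]:
            cfg["default"] = t[4]
        elif t[:3] == ["policy", "network", "group"]:
            cfg["groups"][t[3]] = set(t[4:])
        elif t[:2] == ["policy", "condition"]:
            cfg["conds"][t[2]] = parse_condition(t[3:])
        elif t[:2] == ["policy", "action"]:
            cfg["actions"][t[2]] = t[t.index("disposition") + 1]
        elif t[:2] == ["policy", "rule"]:
            cfg["rules"].append((t[2], t[t.index("condition") + 1], t[t.index("action") + 1]))
    return cfg

def evaluate(cfg, flow):
    # flow is a constructed dict keyed by condition keyword, plus "destination ip".
    for rule, cond_name, action in cfg["rules"]:
        if all(flow.get("destination ip") in cfg["groups"][v]
               if k == "destination network group" else flow.get(k) == v
               for k, v in cfg["conds"][cond_name].items()):
            return cfg["actions"][action], rule
    return cfg["default"], None  # no rule matched: default disposition decides
```

With the deny default of Example 2, any destination outside GroupA falls through to the default and is dropped, which is the behaviour to confirm before changing the default disposition on a live switch.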

IPv6 ACLs

An ACL is considered an IPv6 ACL if the ipv6 keyword and/or any of the following specific policy
condition keywords are used in the ACL to classify/filter IPv6 traffic:
IPv6 ACL Keywords
source ipv6
destination ipv6
source tcp port
destination port
source udp port
destination udp port
ipv6
nh (next header)
flow-label
Note that IPv6 ACLs take effect only on IPv6 traffic. All other ACLs/policies with IP conditions that do
not use the IPv6 keyword take effect only on IPv4 traffic. For example:
-> policy condition c1 tos 7
OmniSwitch 6800/6850/9000 Network Configuration Guide
March 2008


This manual is also suitable for:

OmniSwitch 6850 series, OmniSwitch 9000 series
