OmniSwitch os6900 Network Configuration Manual page 689

Configuring QoS
In this scenario, traffic from the firewall is sent back to the switch to be re-routed. But because the traffic
re-enters the switch through a port that is not in the Slot01 port group, the traffic does not match the
Redirect_All policy and is routed normally through the switch.
-> policy condition Traffic3 source ip 10.3.0.0 mask 255.255.0.0 source port group Slot01
-> policy action Firewall permanent gateway ip 173.5.1.254
-> policy rule Redirect_All condition Traffic3 action Firewall
Make sure to enter the qos apply command to activate the policy rule on the switch. Otherwise the rule is
saved as part of the pending configuration, but is not active.
Non-Contiguous Masks
Non-contiguous masks expand the accepted inputs for the Access Control List (ACL) netmask to facilitate
load distribution through Policy Based Routing (PBR). The feature allows masks consisting of any
combination of zeros (0) and ones (1). Previously, only traditional netmasks were supported, and only
up to eight zero bits could be sparsely distributed in the mask. Traditional netmasks begin with
ones followed by a contiguous sequence of zeros (for example, 255.255.255.0). The non-contiguous mask
feature supports IPv4 and IPv6 address masks in policy condition statements that contain any sequence of
zeros and ones.
The following example illustrates how ACLs can be used to select a subset of the source IP address to be
matched and then routed to various gateway-IP addresses using conditions, actions, and rules. The
next-hop gateway-IP address should be on a subnet to which the router has a directly connected interface.
Non-contiguous mask examples
A network administrator wishes to distribute IPv4 traffic from the 12.0.0.0 network to a group of servers.
In this example there are eight servers that can perform the requested service and the traffic can be
distributed depending on the source IP address. These servers reside at addresses 10.0.0.1, 10.0.0.2,
10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, 10.0.0.7 and 10.0.0.8.
The policy condition commands define a condition that will match one of eight large sets of source IPv4
addresses. The zeros in the mask define "don't care" bits, for which any value matches. The ones in the
mask define the "care" bits, which must match the corresponding bits of the address given in the source IP
portion of the command. The first condition command matches the source IP address set described as follows:
12.any.any.0
12.any.any.8
12.any.any.16
12.any.any.(0+(n*8))
The policy action commands direct the set of source addresses to a specific IP address. The policy rule
commands combine the condition and action to form the specific behavior.
-> policy condition c1 source ip 12.0.0.0 mask 255.0.0.7
-> policy action a1 permanent gateway-ip 10.0.0.1
-> policy rule r1 condition c1 action a1
! route 1,9,17,33,(1+(n*8))
-> policy condition c2 source ip 12.0.0.1 mask 255.0.0.7
-> policy action a2 permanent gateway-ip 10.0.0.2
-> policy rule r2 condition c2 action a2
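The care-bit matching described above can be checked offline before the rules are applied. The following Python sketch is an added example, not part of the OmniSwitch guide: it builds the eight condition/action/rule sets and confirms that every source address in 12.0.0.0 matches exactly one rule, so rule precedence never decides the gateway. Rules r3 through r8 are extrapolated from the c1/c2 pattern shown here (an assumption), and the function names are hypothetical.

```python
import ipaddress

def matches(addr, value, mask):
    """Care-bit match: only bits set to 1 in the mask are compared."""
    a, v, m = (int(ipaddress.IPv4Address(x)) for x in (addr, value, mask))
    return (a & m) == (v & m)

def build_rules(mask="255.0.0.7", first_gw="10.0.0.1", count=8):
    """Return (rule, source_ip, mask, gateway) tuples following the c1/c2 pattern.
    Entries beyond r2 are extrapolated from that pattern (assumption)."""
    base = ipaddress.IPv4Address("12.0.0.0")
    gw0 = ipaddress.IPv4Address(first_gw)
    return [(f"r{i + 1}", str(base + i), mask, str(gw0 + i)) for i in range(count)]

def select_gateway(addr, rules):
    """Return the gateway of every rule whose condition matches addr."""
    return [gw for _, value, mask, gw in rules if matches(addr, value, mask)]

def to_cli(rules):
    """Render the rules in the command form used on this page."""
    lines = []
    for name, value, mask, gw in rules:
        n = name[1:]
        lines += [f"-> policy condition c{n} source ip {value} mask {mask}",
                  f"-> policy action a{n} permanent gateway-ip {gw}",
                  f"-> policy rule r{n} condition c{n} action a{n}"]
    return lines

RULES = build_rules()

if __name__ == "__main__":
    print("\n".join(to_cli(RULES)))
    # Constructed sample sources, including one outside the 12.0.0.0 network.
    for src in ["12.0.0.0", "12.200.7.8", "12.1.2.9", "12.255.255.255", "13.0.0.1"]:
        print(src, "->", select_gateway(src, RULES) or "no policy match")
```

With mask 255.0.0.7 the second and third octets and the upper five bits of the last octet are ignored, so the low three bits of the last octet alone select one of the eight gateways.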
OmniSwitch AOS Release 7 Network Configuration Guide
June 2013
Policy Applications
page 25-81
