Configuring a UserPorts Group; Configuring UserPort Traffic Types and Port Behavior; Configuring ICMP Drop Rules - Alcatel-Lucent OmniSwitch AOS Release 7 Manual

Network Configuration Guide

ARP ACLs—It is also possible to create an ACL that examines the source IP address in the header of
ARP packets. This is done by specifying the ARP ethertype (0x0806) and source IP address.

Configuring a UserPorts Group

To prevent IP address spoofing and/or other types of traffic on specific ports, create a port group called
UserPorts and add the ports to that group. For example, the following policy port group command adds
ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:
-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1
-> qos apply
Note that the UserPorts group applies to both bridged and routed traffic, and it is not necessary to include
the UserPorts group in a condition and/or rule for the group to take effect. Once ports are designated as
members of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port.

Configuring UserPort Traffic Types and Port Behavior

In addition to spoofed traffic, it is also possible to configure QoS to look for BPDU, RIP, OSPF, BGP,
VRRP, and/or DHCP server packets on user ports. When the specified type of traffic is encountered, the
user port can either filter the traffic or administratively shut down to block all traffic.
By default spoofed traffic is filtered on user ports. To specify additional types of traffic to look for on
these ports and select how the port deals with such traffic, use the qos user-port command to configure a
UserPorts profile. For example, the following command specifies that user ports must filter spoofed and
BPDU packets:
-> qos user-port filter spoof bpdu
To specify multiple types of traffic on the same command line, enter each type separated by a space. For
example:
-> qos user-port filter ospf bgp rip
Note that a slot and port is not required with the qos user-port command, because the command
applies to all ports that are members of the UserPorts group.
The following qos user-port command example uses the shutdown option to administratively disable the
user port if the specified type of traffic is received on that port:
-> qos user-port shutdown bpdu
Note that an SNMP trap is sent whenever a user port shutdown occurs. To enable a port disabled by a user
port shutdown operation, use the interfaces command to administratively enable the port or disconnect
and reconnect the port cable. Because the shutdown option takes the port out of service until an
administrator re-enables it, reserve it for traffic that should never appear on a user port; the filter option
drops the offending packets while leaving the port up.
To disable the filter or shutdown function, use the no form of the qos user-port command. For example,
the following command disables the filtering operation for all user ports:
-> qos no user-port filter
Note that any changes to the UserPorts profile (e.g., adding or removing a traffic type) do not take effect
until the qos apply command is performed.
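As an added example (not from the OmniSwitch guide), the following Python script audits a QoS configuration for the two pieces described in the UserPorts group and UserPort traffic type sections above: that every access port is a member of the UserPorts group, and that the UserPorts profile assigns a filter or shutdown action to each traffic type you require, with profile changes not yet followed by qos apply flagged as not in effect. It assumes the configuration text echoes the CLI syntax shown in this section (a saved snapshot or a pasted session, with or without the "-> " prompt), that repeated policy port group and qos user-port commands add to the existing group and profile rather than replacing them, and that the traffic type keywords are the ones the guide lists. The sample configuration is constructed.

```python
"""Audit an OmniSwitch AOS UserPorts configuration (added example, not from the guide).

Assumptions: the input echoes the CLI syntax this section shows (optionally with
the "-> " prompt), repeated commands add to the group/profile rather than
replacing it, and only changes followed by "qos apply" are in effect.
"""
import re

# Traffic types the qos user-port command accepts, per the guide.
TRAFFIC_TYPES = {"spoof", "bpdu", "rip", "ospf", "bgp", "vrrp", "dhcp-server"}

# Port tokens look like slot/port or slot/first-last (e.g. 3/1, 1/1-24).
PORT_TOKEN = re.compile(r"(\d+)/(\d+)(?:-(\d+))?")


def expand_ports(tokens):
    """Expand port tokens into a set of (slot, port) tuples; reject malformed ones."""
    ports = set()
    for tok in tokens:
        m = PORT_TOKEN.fullmatch(tok)
        if not m:
            raise ValueError(f"bad port token {tok!r}")
        slot, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending range {tok!r}")
        ports.update((slot, p) for p in range(first, last + 1))
    return ports


def fmt_port(port):
    # Render (slot, port) back in slot/port notation for reports.
    return f"{port[0]}/{port[1]}"


def parse_config(text):
    """Walk the commands in order; return (state in effect, pending-changes flag).

    spoof starts in the filter set because the guide says spoofed traffic is
    filtered on user ports by default; "qos no user-port filter" clears it.
    """
    state = {"userports": set(), "filter": {"spoof"}, "shutdown": set(), "unknown": set()}
    effective = {k: set(v) for k, v in state.items()}
    pending = False
    for raw in text.splitlines():
        words = re.sub(r"^\s*->\s*", "", raw).split()
        if words[:4] == ["policy", "port", "group", "UserPorts"]:
            state["userports"] |= expand_ports(words[4:])
            pending = True
        elif words[:2] == ["qos", "user-port"] and len(words) > 3 and words[2] in ("filter", "shutdown"):
            types = set(words[3:])
            state["unknown"] |= types - TRAFFIC_TYPES
            state[words[2]] |= types & TRAFFIC_TYPES
            pending = True
        elif words[:3] == ["qos", "no", "user-port"] and words[3:] in (["filter"], ["shutdown"]):
            state[words[3]] = set()
            pending = True
        elif words == ["qos", "apply"]:
            # Only what has been applied is in effect on the switch.
            effective = {k: set(v) for k, v in state.items()}
            pending = False
    return effective, pending


def audit(text, access_ports, required=frozenset(TRAFFIC_TYPES)):
    """Return a list of findings; an empty list means the configuration passes."""
    effective, pending = parse_config(text)
    findings = []
    missing = sorted(access_ports - effective["userports"])
    if missing:
        findings.append("access ports not in UserPorts: " + " ".join(map(fmt_port, missing)))
    uncovered = sorted(required - (effective["filter"] | effective["shutdown"]))
    if uncovered:
        findings.append("traffic types with no filter/shutdown action: " + ", ".join(uncovered))
    if effective["unknown"]:
        findings.append("unrecognised traffic types: " + ", ".join(sorted(effective["unknown"])))
    if pending:
        findings.append("UserPorts changes after the last 'qos apply' are not in effect")
    return findings


# Constructed sample: 3/2 is an access port that was never added, vrrp has no
# action, and the dhcp-server filter was typed after the last qos apply.
SAMPLE_CONFIG = """\
-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1
-> qos user-port filter spoof bpdu
-> qos user-port shutdown ospf bgp rip
-> qos apply
-> qos user-port filter dhcp-server
"""
ACCESS_PORTS = expand_ports(["1/1-24", "2/1-24", "3/1-2", "4/1"])

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ACCESS_PORTS) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the missing port, the two uncovered traffic types and the unapplied change; appending the corrective lines (add 3/2 to the group, filter vrrp, qos apply) clears all three findings. The required set is a parameter because not every site wants every type acted on; pass a smaller set rather than silencing findings.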

Configuring ICMP Drop Rules

Combining a Layer 2 condition for source VLAN with a Layer 3 condition for IP protocol is supported. In
addition, two new condition parameters are available to provide more granular filtering of ICMP packets:
OmniSwitch AOS Release 7 Network Configuration Guide, March 2011, page 21-64
