Using Acl Security Features; Configuring A Userports Group - Alcatel OmniSwitch 6600 Family Network Configuration Manual

Configuring ACLs

Using ACL Security Features

The following additional ACL features are available for improving network security and preventing malicious activity on the network:

UserPorts—A port group that identifies its members as user ports to prevent spoofed IP traffic. When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP network address that does not match the IP subnet for the port. See "Configuring a UserPorts Group" on page 25-17.

DisablePorts—An action that will disable switch ports when they receive spoofed IP traffic. See "Configuring a DisablePorts ACL" on page 25-18.

DropServices—A service group that improves the performance of ACLs that are intended to deny packets destined for specific TCP/UDP ports. Using the DropServices group for this function minimizes processing overhead, which otherwise could lead to a DoS condition for other applications trying to use the switch. See "Configuring a DropServices Group ACL" on page 25-19.

ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reducing DoS exposure from pings. See "Configuring ICMP Drop Rules" on page 25-21.

BPDUShutdownPorts—A port group that identifies its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. See "Configuring a BPDUShutdownPorts Group" on page 25-21.

Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP, and Local Proxy ARP are not discarded.

Configuring a UserPorts Group

To prevent IP address spoofing, add ports to a port group called UserPorts. For example, the following policy port group command adds ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:

-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1
-> qos apply

Note that the UserPorts group only applies to routed traffic and it is not necessary to include the UserPorts group in a condition and/or rule for the group to take effect. Once ports are designated as members of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port. In addition, the UserPorts group must be specified using the exact capitalization shown here and in the above example.
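The following Python model, added here as an illustration and not code from the OmniSwitch or its guide, expands the port list syntax used in the command above and applies the UserPorts rule to constructed sample traffic: a routed packet on a member port is dropped when its source IP lies outside the port's subnet, while bridged traffic and non-member ports pass untouched. The port-to-subnet mapping, port identifiers and packets are all assumptions made up for the example.

```python
import ipaddress

def expand_port_group(spec):
    """Expand an OmniSwitch-style port list such as '1/1-24 2/1-24 3/1 4/1'
    into a set of individual 'slot/port' identifiers."""
    ports = set()
    for token in spec.split():
        slot, port_range = token.split("/")
        lo, _, hi = port_range.partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            ports.add(f"{slot}/{port}")
    return ports

def userports_filter(userports, port_subnets, packets):
    """Model the UserPorts rule: a routed packet received on a member port is
    dropped when its source IP is outside the subnet configured on that port.
    Non-member ports and bridged (non-routed) traffic are never checked.
    Assumption: port_subnets maps each member port to its IP subnet; a member
    port with no entry is left unchecked here (hypothetical simplification)."""
    forwarded, dropped = [], []
    for pkt in packets:
        subnet = port_subnets.get(pkt["port"])
        src = ipaddress.ip_address(pkt["src"])
        is_spoofed = (pkt["port"] in userports and pkt["routed"]
                      and subnet is not None and src not in subnet)
        (dropped if is_spoofed else forwarded).append(pkt)
    return forwarded, dropped

# Constructed configuration and traffic (not from the manual).
USERPORTS = expand_port_group("1/1-24 2/1-24 3/1 4/1")
PORT_SUBNETS = {
    "1/1": ipaddress.ip_network("10.1.1.0/24"),
    "3/1": ipaddress.ip_network("10.3.0.0/16"),
    "5/1": ipaddress.ip_network("10.5.5.0/24"),  # uplink, not a UserPort
}
SAMPLE_PACKETS = [
    {"port": "1/1", "src": "10.1.1.25", "routed": True},    # legitimate host
    {"port": "1/1", "src": "192.0.2.9", "routed": True},    # spoofed source
    {"port": "1/1", "src": "192.0.2.9", "routed": False},   # bridged: not checked
    {"port": "3/1", "src": "10.3.200.7", "routed": True},   # inside the /16
    {"port": "5/1", "src": "203.0.113.4", "routed": True},  # non-member port
]

def run_example():
    """Return (forwarded, dropped) lists for the constructed sample traffic."""
    return userports_filter(USERPORTS, PORT_SUBNETS, SAMPLE_PACKETS)

if __name__ == "__main__":
    fwd, drp = run_example()
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
```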
OmniSwitch 6600 Family Network Configuration Guide, April 2006, page 25-17
