Rule Precedence; Example: Rule Type; Example: Rule Order - Alcatel OmniSwitch 6624 Network Configuration Manual


Configuring ACLs

Rule Precedence

The switch attempts to classify flows coming into the switch according to precedence. For Layer 2 flows,
the rule with the highest precedence will be applied to the flow. For Layer 3 flows, all rules that match the
flow will be applied unless the rules are in conflict; if rules are in conflict, the rule with the higher
precedence will be used. (This functionality is different from the OmniSwitch 7700/7800/8800, which will
always apply the rule with the highest precedence.)
Precedence is determined by the following:
The type of QoS rule (Layer 2 source, Layer 2 destination, or Layer 3)—When a flow comes into the switch, the Layer 2 source rules are examined first for a match. If no match is found, the Layer 2 destination rules are examined. If no match is found, the Layer 3 rules are examined.
Precedence value—Each policy has a precedence value. The value may be user-configured through the policy rule command in the range from 0 (lowest) to 65535 (highest). (The range 30000 to 65535 is typically reserved for PolicyView.) By default, a policy rule has a precedence of 0.
Configured rule order—If a flow matches more than one rule in a particular precedence list (for example, the Layer 2 source list), and both rules have the same precedence value, the rule that was configured first in the list will take precedence.
Note. If you configure bridged traffic to be classified as Layer 3 (through the qos classifyl3 bridged
command), Layer 2 ACL rules are effectively disabled for IP traffic.

Example: Rule Type

In the following example, two rules (SourceRule and DestRule) are created to deny Layer 2 traffic with
action a1. Two separate conditions are set up for the source and destination parameters (L2source and
L2dest).
-> policy action a1 disposition deny
-> policy condition L2source source vlan 3
-> policy condition L2dest destination mac 00:20:da:05:f6:23
-> policy rule SourceRule condition L2source action a1
-> policy rule DestRule condition L2dest action a1 precedence 200
In this scenario, if traffic comes into the switch on VLAN 3 and is destined for MAC address
00:20:da:05:f6:23, the flow will match SourceRule, despite the higher precedence setting configured for
DestRule. (SourceRule is using the default precedence setting, since it is not specified. The default is
100.) Layer 2 source rules always take precedence.

Example: Rule Order

If a policy is configured with the same precedence value as another policy of the same type with the same
condition, the policy that was created first has the higher precedence. The new policy is considered lower
priority.
In this example, two Layer 2 destination policy rules are created. Both policy rules have the same
precedence value.
-> policy rule r1 precedence 100 condition c1 action a1
-> policy rule r2 precedence 100 condition c1 action a2
When traffic comes into the switch that matches c1, the switch will use rule r1.
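The three precedence steps and both examples above, modeled in Python as an added illustration (not Alcatel code or switch output), with a check for rules that can never be selected. The condition-to-list mapping and the default_precedence parameter are assumptions supplied by the caller; the model covers single-winner selection only, not the Layer 3 case where all non-conflicting rules apply.

```python
import re

LISTS = ["l2_source", "l2_dest", "l3"]  # examination order given in the text
# The policy rule commands from the two examples on this page
RULE_TYPE = """-> policy rule SourceRule condition L2source action a1
-> policy rule DestRule condition L2dest action a1 precedence 200"""
RULE_ORDER = """-> policy rule r1 precedence 100 condition c1 action a1
-> policy rule r2 precedence 100 condition c1 action a2"""

def rank(rule):
    """Sort key: higher precedence value first, then earlier configuration."""
    return (-rule["precedence"], rule["order"])

def parse(config, cond_lists, default_precedence=0):
    """Parse 'policy rule' lines; cond_lists maps condition name -> list (assumption)."""
    rules = []
    for line in config.splitlines():
        m = re.match(r"\s*(?:->\s*)?policy rule (\S+)\s+(.*)", line)
        if not m:
            continue
        words = m.group(2).split()
        kv = dict(zip(words[0::2], words[1::2]))  # keyword/value pairs, any order
        rules.append({"name": m.group(1), "condition": kv["condition"],
                      "action": kv["action"], "list": cond_lists[kv["condition"]],
                      "precedence": int(kv.get("precedence", default_precedence)),
                      "order": len(rules)})
    return rules

def winner(rules, matched_conditions):
    """Rule applied to a flow that satisfies the given set of condition names."""
    for lst in LISTS:
        hits = [r for r in rules
                if r["list"] == lst and r["condition"] in matched_conditions]
        if hits:
            return min(hits, key=rank)
    return None

def shadowed(rules):
    """(rule, outranking rule) pairs where the rule can never be selected."""
    out = []
    for r in rules:
        rivals = [o for o in rules if o is not r and o["list"] == r["list"]
                  and o["condition"] == r["condition"] and rank(o) < rank(r)]
        if rivals:
            out.append((r["name"], min(rivals, key=rank)["name"]))
    return out

if __name__ == "__main__":
    rules = parse(RULE_ORDER, {"c1": "l2_dest"})
    print(winner(rules, {"c1"})["name"], shadowed(rules))
```

Running shadowed() over a configuration before deploying it shows which rules, and therefore which actions, will never take effect because an equal-or-higher-ranked rule with the same condition was configured ahead of them.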
OmniSwitch 6624/6648 Network Configuration Guide
April 2004
ACL Overview
page 22-5
