Configuring ACLs
Layer 3 ACLs
The QoS software in the switch filters routed traffic at Layer 3. For Layer 3 filters, typically IP routing
must be enabled; however, the switch may be configured to filter Layer 3 headers in bridged traffic. Use
the qos classifyl3 bridged command to filter Layer 3 headers for bridged traffic. For more information,
see
"Classifying Bridged Traffic as Layer 3" on page
For Layer 3 filtering, the QoS software in the switch classifies traffic based on:
Source IP address or source network group
•
Destination IP address or destination network group
•
IP protocol
•
Source TCP/UDP port
•
Destination TCP/UDP port or service or service group
•
Destination slot/port or destination port group
•
Destination interface type
•
The following policy condition keywords are used for Layer 3 ACLs:
Layer 3/4 ACL Condition Keywords
source ip
source network group
destination ip
destination network group
source ip port
destination ip port
service
service group
ip protocol
destination port
destination port group
destination interface type
Layer 3 ACL: Example 1
In this example, the default routed disposition is accept (the default). Since the default is accept, the qos
default routed disposition command would only need to be entered if the disposition had previously been
set to deny. The command is shown here for completeness.
-> qos default routed disposition accept
-> policy condition addr2 source ip 192.68.82.0 source ip port 23 ip protocol 6
-> policy action Block disposition deny
-> policy rule FilterL31 condition addr2 action Block
Traffic with a source IP address of 192.68.82.0, a source IP port of 23, using protocol 6, will match condi-
tion addr2, which is part of FilterL31. The action for the filter (Block) is set to deny traffic. The flow will
be dropped on the switch.
page 22-14
21-18.
OmniSwitch 6624/6648 Network Configuration Guide
Configuring ACLs
April 2004