Specifications

Alcatel-Lucent Page 24
OmniSwitch 6850 Series
Access Control Lists (ACLs)
Performance: Wire-speed
ACLs are sometimes referred to as filtering lists.
Access Control Lists are Quality of Service policies used to control whether or not packets are allowed
or denied at the switch or router interface. ACLs are distinguished by the kind of traffic they filter. In
a QoS policy rule, the type of traffic is specified in the policy condition. The policy action determines
whether the traffic is allowed or denied. In general, the types of ACLs include:
• Layer 2 ACLs—for filtering traffic at the MAC layer, usually based on MAC addresses or MAC groups.
Layer 2 filtering may be applied to both bridged and routed packets. As MAC addresses are learned on
the switch, QoS classifies the traffic based on:
• MAC address or MAC group
• Source VLAN
• Physical slot/port or port group
The switch classifies the MAC address as both source and destination.
• Layer 3/4 ACLs—for filtering traffic at the network layer, typically based on IP addresses or IP ports.
The QoS software in the switch filters routed and bridged traffic at Layer 3. For Layer 3/4 filtering,
the QoS software in the switch classifies traffic based on:
• Source IP address or source network group
• Destination IP address or destination network group
• IP protocol
• Source TCP/UDP port
• Destination TCP/UDP port or service or service group
• Destination slot/port or destination port group
• Multicast ACLs—for filtering IGMP traffic.
Multicast filtering may be set up to filter clients requesting group membership via the Internet Group
Management Protocol (IGMP). IGMP is used to track multicast group membership. The IP Multicast
Switching (IPMS) function in the switch optimizes the delivery of IP multicast traffic by sending
packets only to those stations that request it. Potential multicast group members may be filtered out so
that IPMS does not send multicast packets to those stations. Multicast traffic has its own global
disposition. By default, the global disposition is accept. For multicast filtering, the switch classifies
traffic based on the multicast IP address or multicast network group and any destination parameters.
ACL Specifications:
Maximum number of policy rules: 1024
Maximum number of policy rules per Ethernet port: 101
Maximum number of policy rules per 10-Gigabit Ethernet port: 997
Maximum number of policy conditions: 2048
Maximum number of policy actions: 2048
Maximum number of policy services: 256
Maximum number of groups (Network, MAC, service, port): 1024
Maximum number of group entries: 512 per group
The following additional ACL features are available for improving network security and preventing
malicious activity on the network:
• UserPorts—A port group that identifies its members as user ports to prevent spoofed IP traffic.
When a port is configured as a member of this group, packets received on the port are dropped if they
contain a source IP network address that does not match the IP subnet for the port.
• DropServices—A service group that improves the performance of ACLs that are intended to
deny packets destined for specific TCP/UDP ports. Using the DropServices group for this function
minimizes processing overhead, which otherwise could lead to a DoS condition for other applications
trying to use the switch.
• ICMP drop rules—Allows condition combinations in policies that will prevent user pings,
thus reducing DoS exposure from pings. Two condition parameters are also available to provide
more granular filtering of ICMP packets: icmptype and icmpcode.
See “Configuring ICMP Drop Rules” in the Network Configuration Guide.
• BPDUShutdownPorts (Close user ports upon receipt of BPDU)—A port group that identifies
its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports,
the port is administratively disabled. In other words, this allows network administrators to prevent the
connection of devices that support bridging functionality to ports designated as user ports.
See “Configuring a BPDUShutdownPorts Group” in the Network Configuration Guide.
• TCP connection rules—Allows the determination of an established TCP connection by
examining TCP flags found in the TCP header of the packet.
Two condition parameters are available for defining a TCP connection ACL: established and tcpflags.
See “Configuring a BPDUShutdownPorts Group” in the Network Configuration Guide.
• Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing
overhead and exposure to ARP DoS attacks. No configuration is required to use this feature;
it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN,
VRRP, and Local Proxy ARP are not discarded.
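The following Python is an added illustration, not Alcatel-Lucent code, of the policy-rule semantics
described above: Layer 3/4 classification conditions, an ordered list of rules with an accept/deny
disposition, the UserPorts anti-spoofing check, and a TCP connection rule. The reading of established
as "ACK or RST bit set", the first-match rule ordering and every address, port and slot/port value are
assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACK, RST = 0x10, 0x04  # TCP header flag bits

@dataclass
class Packet:                 # constructed packet summary, not a real parser
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: int = 0
    tcp_flags: int = 0
    in_port: str = ""         # ingress slot/port, e.g. "1/3"

def in_net(ip: str, net: Optional[str]) -> bool:  # None means "no constraint"
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

@dataclass
class Condition:              # one policy condition: the classification criteria
    src_net: Optional[str] = None    # source IP / network group entry
    dst_net: Optional[str] = None    # destination IP / network group entry
    proto: Optional[str] = None      # IP protocol
    dports: frozenset = frozenset()  # destination TCP/UDP ports (service group)
    established: bool = False        # assumed meaning: ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if not (in_net(p.src, self.src_net) and in_net(p.dst, self.dst_net)):
            return False
        if (self.proto and p.proto != self.proto) or (self.dports and p.dport not in self.dports):
            return False
        return not self.established or bool(p.tcp_flags & (ACK | RST))

def dispose(p: Packet, rules, user_ports, default="accept") -> str:
    """UserPorts anti-spoof check first, then ordered (Condition, action) rules; first match wins."""
    subnet = user_ports.get(p.in_port)
    if subnet and not in_net(p.src, subnet):
        return "deny"  # source address outside the port's IP subnet: treated as spoofed
    for cond, action in rules:
        if cond.matches(p):
            return action
    return default

# Constructed policy: a DropServices-style deny, then only established TCP replies reach 10.1.0.0/16.
RULES = [
    (Condition(proto="tcp", dports=frozenset({135, 445})), "deny"),
    (Condition(dst_net="10.1.0.0/16", proto="tcp", established=True), "accept"),
    (Condition(dst_net="10.1.0.0/16", proto="tcp"), "deny"),
]
USER_PORTS = {"1/3": "192.168.10.0/24"}  # slot/port 1/3 is a user port on that subnet
```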