User guide
September 2009
Page 24 of 79 OmniSwitch 6400/6850/6855/9000/9000E—Release 6.4.2.R01
UNP then determines what network access resources are available to a group of users, regardless of
source subnet, VLAN or other characteristics.
A UNP is a configurable option of Access Guardian device classification policies and consists of the
following attributes:
• UNP Name. The UNP name is obtained from the RADIUS server and mapped to the same
profile name configured on the switch. The switch profile then identifies three attribute values:
VLAN ID, Host Integrity Check (HIC) status, and a QoS policy list name.
• VLAN ID. All members of the profile group are assigned to the VLAN ID specified by the
profile.
• Host Integrity Check (HIC). Enables or disables device integrity verification for all members
of the profile group.
• QoS Policy List Name. Specifies the name of an existing list of QoS policy rules. The rules
within the list are applied to all members of the profile group to enforce access to network
resources. Only one policy list is allowed per profile, but multiple profiles may use the same
policy list.
A UNP is a configurable option of Access Guardian device classification policies. A policy may also
include 802.1X, MAC, or Captive Portal (Web-based) authentication to provide more granular control
of the profile.
One of the attributes of a User Network Profile (UNP) specifies the name of a list of QoS policy rules.
This list is applied to a user device when the device is assigned to the user profile. Using policy lists
allows the administrator to associate a group of users to a set of QoS policy rules.
A default policy list exists in the switch configuration. Rules are automatically added to this list when
the rule is created. A rule can belong to multiple policy lists. As a result, the rule remains a member
of the default list even when it is subsequently assigned to additional lists. The user does have the
option to exclude the rule from the default list to preserve system resources.
Up to 13 policy lists (including the default list) are supported per switch. Only one policy list per UNP
is allowed, but a policy list can be associated with multiple profiles.
Access Control Lists (ACLs)
Access Control Lists (ACLs) are Quality of Service (QoS) policies used to control whether packets
are allowed or denied at the switch or router interface. ACLs are sometimes referred to as
filtering lists. ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of
traffic is specified in the policy condition. The policy action determines whether the traffic is allowed
or denied.
In general, the types of ACLs include:
• Layer 2 ACLs—for filtering traffic at the MAC layer. Usually uses MAC addresses or MAC
groups for filtering.
• Layer 3/4 ACLs—for filtering traffic at the network layer. Typically uses IP addresses or IP
ports for filtering; note that IPX filtering is not supported.
• Multicast ACLs—for filtering IGMP traffic.
• ICMP drop rules—Allow condition combinations in policies that prevent user pings,
thus reducing DoS exposure from pings. Two condition parameters are also available to
provide more granular filtering of ICMP packets: icmptype and icmpcode.
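Worked configuration, added here as an illustration and not taken from the guide: it builds the chain described in the policy list and ICMP drop rule passages above (condition and action, a rule kept out of the default list, a UNP policy list, and a profile that references it) for a hypothetical guest profile in VLAN 20 that is not allowed to send ICMP echo requests (icmptype 8). Profile, rule and list names and the 10.20.0.0/16 subnet are constructed; the command forms follow the AOS 6.4 CLI as the editor recalls it and are an assumption to be checked against the CLI Reference Guide for this release.

```text
! Condition: ICMP echo requests (type 8) sourced from the constructed guest subnet
policy condition guest-ping source ip 10.20.0.0 mask 255.255.0.0 icmptype 8
! Action: deny matching traffic
policy action drop-it disposition deny
! Rule: excluded from the default list so it is only enforced through the UNP list
policy rule guest-no-ping condition guest-ping action drop-it no default-list
! UNP policy list (one of at most 13 per switch, default list included)
policy list guest-list type unp rules guest-no-ping
! Profile: VLAN 20, HIC disabled, list attached (one list per profile; lists may be shared)
aaa user-network-profile name guest vlan 20 hic disable policy-list-name guest-list
! Commit the pending QoS changes
qos apply
```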