User guide
September 2009
OmniSwitch 6400/6850/6855/9000/9000E------ Release 6.4.2.R01 Page 25 of 79
• TCP connection rules—Allows the determination of an established TCP connection by
examining TCP flags found in the TCP header of the packet. Two condition parameters are
available for defining a TCP connection ACL: established and tcpflags.
• Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing
overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it
is always available and active on the switch. Note that ARPs intended for use by a local
subnet, AVLAN, and VRRP are not discarded.
• UserPorts—A port group that identifies its members as user ports to prevent spoofed IP
traffic. When a port is configured as a member of this group, packets received on the port are
dropped if they contain a source IP network address that does not match the IP subnet for the
port.
• UserPorts Profile—In addition to spoofed traffic, it is also possible to configure a global
UserPorts profile to specify additional types of traffic, such as BPDU, RIP, OSPF, DVMRP,
PIM, IS-IS, DHCP server response packets, DNS and/or BGP, to monitor on user ports. The
UserPorts profile also determines whether user ports will filter the unwanted traffic or will
administratively shutdown when the traffic is received. Note that this profile only applies to
those ports that are designated as members of the UserPorts port group.
• DropServices—A service group that improves the performance of ACLs that are intended to
deny packets destined for specific TCP/UDP ports. This group only applies to ports that are
members of the UserPorts group. Using the DropServices group for this function minimizes
processing overhead, which otherwise could lead to a DoS condition for other applications
trying to use the switch.
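The UserPorts anti-spoofing check and the UserPorts profile described above, modelled as an added Python example (constructed for illustration, not the switch's own code). The port-to-subnet mapping, the profile contents, and the port/protocol numbers used to recognise each traffic type are assumptions.

```python
import ipaddress

# Constructed model of the UserPorts behaviour: anti-spoofing on member ports plus
# a global profile that either filters unwanted control traffic or shuts the port down.

# Assumed mapping of UserPorts member port -> IP subnet configured on that port.
USER_PORTS = {
    "1/1": ipaddress.ip_network("10.10.1.0/24"),
    "1/2": ipaddress.ip_network("10.10.2.0/24"),
}

# Assumed global UserPorts profile: traffic types to watch and the action taken
# when one is received ("filter" drops the packet, "shutdown" disables the port).
PROFILE = {"types": {"bpdu", "dhcp-server", "dns", "bgp"}, "action": "shutdown"}

# Well-known values used here to recognise the profile's traffic types (assumed).
UDP_TYPES = {67: "dhcp-server", 53: "dns", 520: "rip"}   # keyed on UDP source port
TCP_TYPES = {179: "bgp"}                                 # keyed on TCP destination port
IP_PROTO_TYPES = {89: "ospf", 103: "pim"}                # keyed on IP protocol number

def traffic_type(pkt):
    """Return the control-traffic type of a packet, or None for ordinary user traffic."""
    if pkt.get("l2") == "bpdu":
        return "bpdu"
    if pkt.get("proto") == 17:
        return UDP_TYPES.get(pkt.get("sport"))
    if pkt.get("proto") == 6:
        return TCP_TYPES.get(pkt.get("dport"))
    return IP_PROTO_TYPES.get(pkt.get("proto"))

def user_port_verdict(pkt):
    """Decide what a port does with a received packet.
    Returns "forward", "drop" or "shutdown"."""
    subnet = USER_PORTS.get(pkt["port"])
    if subnet is None:            # not a UserPorts member: none of these checks apply
        return "forward"
    kind = traffic_type(pkt)
    if kind in PROFILE["types"]:  # unwanted control traffic named in the profile
        return "drop" if PROFILE["action"] == "filter" else "shutdown"
    # Anti-spoofing: the source IP must belong to the subnet configured on the port.
    if "src" in pkt and ipaddress.ip_address(pkt["src"]) not in subnet:
        return "drop"
    return "forward"

if __name__ == "__main__":
    # Constructed packet: spoofed source address arriving on user port 1/1.
    print(user_port_verdict({"port": "1/1", "src": "192.168.9.9", "proto": 6, "sport": 40000, "dport": 80}))
```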
Access Control Lists (ACLs) for IPv6
IPv6 ACLs are supported on the OmniSwitch. The following QoS policy conditions are
available for configuring ACLs to filter IPv6 traffic:
• source ipv6
• destination ipv6
• ipv6
• nh (next header)
• flow-label
• source tcp port
• destination tcp port
• source udp port
• destination udp port
Note the following when using IPv6 ACLs:
• Trusted/untrusted behavior is the same for IPv6 traffic as it is for IPv4 traffic.
• IPv6 policies do not support the use of network groups, service groups, map groups, or MAC
groups.
• IPv6 multicast policies are not supported.
• Anti-spoofing and other UserPorts profiles/filters do not support IPv6.
• The default (built-in) network group, “Switch”, only applies to IPv4 interfaces. There is no
such group for IPv6 interfaces.
IPv6 ACLs are not supported on A1 NI modules. Use the show ni command to verify the version of the
NI module. Contact your Alcatel-Lucent support representative if you are using A1 boards.