Alcatel-Lucent 6600 Switch User Manual

page 25-10 OmniSwitch 6600 Family Network Configuration Guide April 2006
Creating Condition Groups For ACLs
Condition groups for ACLs are made up of multiple IP addresses, MAC addresses, services, or IP ports to
which you want to apply the same disposition. Instead of creating a separate condition for each policy rule,
create a condition group and associate the group with the condition. This reduces the number of rules you
would have to configure (one for each address, service, or port).
The commands used for creating condition groups include:
policy network group
policy mac group
policy service
policy service group
policy port group
For example:
-> policy network group netgroup2 10.10.5.1 10.10.5.2 10.10.5.3
-> policy condition cond2 source network group netgroup2
This command configures a network group (netgroup2) of three IP addresses. The network group is then
configured as part of a policy condition (cond2). The condition specifies that the addresses in the group
are source addresses. (For all condition groups except service groups, the policy condition specifies
whether the condition group is a source or destination group.)
If a network group was not used, a separate condition would have to be created for each IP address.
Subsequently, a corresponding rule would have to be created for each condition. Using a network group
reduces the number of rules required.
For more details about using groups in policy conditions, see “Using Condition Groups in Policies” on
page 24-34 in Chapter 24, “Configuring QoS.”
Configuring ACLs
This section describes in detail the procedures for configuring ACLs. For more information about how to
configure policies in general, see Chapter 24, “Configuring QoS.” Command syntax is described in detail
in the OmniSwitch CLI Reference Guide.
The basic commands for configuring ACL rules are the same as those for configuring policy rules:
policy condition
policy action
policy rule
Creating Policy Conditions For ACLs
A policy condition for IP filtering may include a particular source IP address, destination IP address,
source IP port, or destination IP port. Or, the condition may simply refer to the network group, MAC
group, port group, or service group. Typically ACLs use group keywords in policy conditions. A single
rule, therefore, filters traffic for multiple addresses or ports.
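To make concrete both the condition-group discussion earlier on this page and the point just above that ACL conditions typically use group keywords, here is the per-address configuration set side by side with its group-based equivalent. This is an added illustration, not text from the guide. It reuses the netgroup2 and cond2 names from the page's own example; the host-address condition form (source ip), the deny action (disposition deny), qos apply and the show commands are assumed from the AOS CLI and are not quoted from this page, so check the exact syntax against the OmniSwitch CLI Reference Guide.

```text
! Added example (not from the guide). Lines beginning with "!" are comments.
! Without a group: one condition and one rule per source address.
-> policy condition c_host1 source ip 10.10.5.1
-> policy condition c_host2 source ip 10.10.5.2
-> policy condition c_host3 source ip 10.10.5.3
-> policy action deny_src disposition deny
-> policy rule r_host1 condition c_host1 action deny_src
-> policy rule r_host2 condition c_host2 action deny_src
-> policy rule r_host3 condition c_host3 action deny_src

! With a network group: the same three addresses, one condition, one rule.
! "source" in the condition marks the group as a source-address group.
-> policy network group netgroup2 10.10.5.1 10.10.5.2 10.10.5.3
-> policy condition cond2 source network group netgroup2
-> policy action deny_src disposition deny
-> policy rule rule2 condition cond2 action deny_src

! Policy changes take effect only after they are applied; then verify.
-> qos apply
-> show policy network group netgroup2
-> show active policy rule
```

Adding a fourth address later means editing netgroup2 once rather than writing a fourth condition and rule. As noted above, a service group is the one kind of group that takes no source or destination keyword in the condition, since the service itself already names the protocol and port pair.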