Alcatel-Lucent 6600 Switch User Manual
Configuring ACLs
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 25-11
For example:
-> policy port group pgroup1 3/1-2 4/3 5/4
-> policy condition c2 source port group pgroup1
In this example, a Layer 2 condition (c2) specifies that traffic matches the ports included in the pgroup1
port group. The condition also specifies that the port group is a source group. Any traffic coming in on
ports 1 or 2 on slot 3, port 3 on slot 4, or port 4 on slot 5 will match condition c2.
For more information about condition groups, see “Creating Condition Groups For ACLs” on page 25-10.
The table at the end of this page lists the keywords for the policy condition command that are typically
used for the different types of ACLs.
Note that the individual address, service, or port cannot be used in conjunction with the same type of
condition group. For example, you cannot specify in the same rule both a source MAC address and a
source MAC group.
Creating Policy Actions For ACLs
A policy action for IP filtering specifies a disposition, that is, whether the flow is accepted or denied on
the switch. To create a policy action, use the policy action command with the disposition keyword to
define whether the flow is accepted (accept) or denied (deny). For example:
-> policy action a1 disposition accept
If you do not specify a disposition for the policy action, the default (accept) is used. An action that is
meant to filter traffic must therefore state disposition deny explicitly.
Creating Policy Rules for ACLs
A policy rule is made up of a condition and an action. For example, to create a policy rule for filtering IP
addresses (a Layer 3 ACL), use the policy rule command with the condition and action keywords. The
precedence keyword is optional. By default, rules have a precedence of 0. See “Rule Precedence” on
page 25-5 for more information about precedence.
-> policy condition c3 source ip 10.10.4.8
-> policy action a1 disposition accept
-> policy rule rule7 precedence 65535 condition c3 action a1
In this example, any traffic matching condition c3 will match rule7; rule7 is configured with the highest
precedence value. If any other Layer 3 rules are configured for traffic with a source address of 10.10.4.8,
Policy condition keywords typically used for each type of ACL:

Layer 2 ACL Condition Keywords    Layer 3/4 ACL Condition Keywords    Multicast ACL Condition Keywords
source mac                        source ip                           multicast ip
source mac group                  source network group                multicast network group
destination mac                   destination ip                      destination ip
destination mac group             destination network group           destination vlan
source vlan                       source ip port                      destination port
destination vlan                  destination ip port                 destination port group
source port                       service                             destination mac
source port group                 service group                       destination mac group
destination port                  ip protocol
destination port group            destination port
source interface type             destination port group
destination interface type        destination interface type
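A complete Layer 3/4 ACL assembled from the commands on this page, as an added example that is not taken from the guide: it denies Telnet (TCP port 23) into a management subnet while leaving other traffic to that subnet accepted, and uses precedence so that the narrower deny rule takes priority over the broader accept rule. The slot-independent subnet 10.10.100.0/24 and the group, condition, action and rule names are constructed for illustration. The policy network group command and the qos apply, show policy rule and show active policy rule commands come from the AOS command set rather than from this page. Lines beginning with ! are annotations, not switch commands.

```text
! Condition group: the management subnet. policy network group is an AOS
! command not shown on this page; the subnet is constructed for illustration.
-> policy network group mgmt_net 10.10.100.0 mask 255.255.255.0

! Layer 3/4 conditions. The narrow one matches TCP (ip protocol 6) to port 23
! in the management subnet; the broad one matches any traffic to that subnet.
-> policy condition c_telnet_to_mgmt destination network group mgmt_net ip protocol 6 destination ip port 23
-> policy condition c_any_to_mgmt destination network group mgmt_net

! Actions. The deny must be stated explicitly: an action created without the
! disposition keyword defaults to accept and would not filter anything.
-> policy action a_deny disposition deny
-> policy action a_permit disposition accept

! Rules. The deny rule gets the higher precedence value so it takes priority
! over the broader accept rule. Both rules would default to precedence 0 if the
! keyword were omitted, so the ordering is stated explicitly.
-> policy rule block_telnet_to_mgmt precedence 200 condition c_telnet_to_mgmt action a_deny
-> policy rule permit_to_mgmt precedence 100 condition c_any_to_mgmt action a_permit

! Activate the policy configuration, then confirm the rules exist and are active.
-> qos apply
-> show policy rule
-> show active policy rule
```

The two show commands are the check worth running after qos apply: a rule that was created but never applied, or an action whose disposition was left at the default accept, is the usual reason an ACL appears in the configuration yet filters nothing.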