Alcatel-Lucent 6600 Switch User Manual


 
Configuring ACLs Using ACL Security Features
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 25-17
Using ACL Security Features
The following additional ACL features are available for improving network security and preventing mali-
cious activity on the network:
UserPorts—A port group that identifies its members as user ports to prevent spoofed IP traffic. When
a port is configured as a member of this group, packets received on the port are dropped if they contain
a source IP network address that does not match the IP subnet for the port. See “Configuring a User-
Ports Group” on page 25-17.
DisablePorts—An action that will disable switch ports when they receive spoofed IP traffic. See
“Configuring a DisablePorts ACL” on page 25-18.
DropServices—A service group that improves the performance of ACLs that are intended to deny
packets destined for specific TCP/UDP ports. Using the DropServices group for this function mini-
mizes processing overhead, which otherwise could lead to a DoS condition for other applications
trying to use the switch. See “Configuring a DropServices Group ACL” on page 25-19.
ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reduc-
ing DoS exposure from pings. See “Configuring ICMP Drop Rules” on page 25-21.
BPDUShutdownPorts—A port group that identifies its members as ports that should not receive
BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. See
“Configuring a BPDUShutdownPorts Group” on page 25-21.
Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing over-
head and exposure to ARP DoS attacks. No configuration is required to use this feature, it is always
available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP,
and Local Proxy ARP are not discarded.
Configuring a UserPorts Group
To prevent IP address spoofing, add ports to a port group called UserPorts. For example, the following
policy port group command adds ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:
-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1
-> qos apply
Note that the UserPorts group only applies to routed traffic and it is not necessary to include the User-
Ports group in a condition and/or rule for the group to take effect. Once ports are designated as members
of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port. In addition, the
UserPorts group must be specified using the exact capitalization shown here and in the above example.