Configuring ACLs Using ACL Security Features
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 25-19
5 Create a rule that denies all source IP addresses received on the port group defined in Step 1 and spec-
ify a precedence for this rule. For example:
-> policy rule noSpoof condition denyip action badDisablePorts precedence 10
6 Create a rule that accepts all packets with source IP addresses defined in Step 3 that are received on the
port group defined in Step 1. This rule should be configured with a higher precedence value than the
previous rule configured in Step 5 so that the desired traffic is accepted. For example:
-> policy rule r1 condition allowip action PASS precedence 100
7 Apply the ACL configuration using the qos apply command.
-> qos apply
The steps above result in an example ACL that disables ports within a specified group of ports that receive
packets containing source IP addresses that do not fall within the 198.18.1.0 subnet. The following shows
what this example ACL looks like in its entirety:
-> policy port group edgePorts 1/1-24 2/1-24
-> policy condition denyip source ip address 0.0.0.0 mask 0.0.0.0 source port
group edgePorts
-> policy condition allowip source ip address 198.18.1.0 mask 255.255.255.0
source port group edgePorts
-> policy action badDisablePorts
-> policy action PASS disposition accept
-> policy rule noSpoof condition denyip action badDisablePorts precedence 10
-> policy rule r1 condition allowip action PASS precedence 100
-> qos apply
Configuring a DropServices Group ACL
To drop packets destined to specific TCP and UDP ports using minimal switch resources, create an ACL
using the DropServices group. This group can be used with two types of conditions: one based on physi-
cal source ports and one based on source VLANs. If a source VLAN condition is used, then packets
received on ports associated with that VLAN are not blocked if they are destined for any of the services in
the DropServices group.
Note that if a source port group condition is used, only a drop action is allowed. If a source VLAN condi-
tion is used, only an accept action is allowed.
Use the following steps to configure a DropServices ACL that includes a condition for source ports and a
condition for an exception VLAN:
1 Create destination port services for the TCP/UDP traffic that you want dropped using the policy
service command. For example, the following commands create port services for TCP ports 135 and 445
and UDP ports 137, 138, and 445:
-> policy service tcp135 destination tcp port 135
-> policy service tcp445 destination tcp port 445
-> policy service udp137 destination udp port 137
-> policy service udp138 destination udp port 138
-> policy service udp445 destination udp port 445