Software Supported
page 16
OmniSwitch 6800/6850/9000—Release 6.1.3.R01
Access Control Lists (ACLs)
Access Control Lists (ACLs) are Quality of Service (QoS) policies used to control whether packets
are allowed or denied at the switch or router interface. ACLs are sometimes referred to as filtering lists.
ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is specified
in the policy condition. The policy action determines whether the traffic is allowed or denied.
In general, the types of ACLs include:
• Layer 2 ACLs—for filtering traffic at the MAC layer. Usually uses MAC addresses or MAC groups for
filtering.
• Layer 3/4 ACLs—for filtering traffic at the network layer. Typically uses IP addresses or IP ports for
filtering; note that IPX filtering is not supported.
• Multicast ACLs—for filtering IGMP traffic.
Access Control Lists (ACLs) for IPv6
The 6.1.3.R01 release provides support for IPv6 ACLs on the OmniSwitch 6850 Series and OmniSwitch
9000 Series. The following QoS policy conditions are now available for configuring ACLs to filter IPv6
traffic:
• source ipv6
• destination ipv6
• ipv6
• nh (next header)
• flow-label
Note the following when using IPv6 ACLs:
• Trusted/untrusted behavior is the same for IPv6 traffic as it is for IPv4 traffic.
• IPv6 policies do not support the use of network groups, service groups, map groups, or MAC groups.
• IPv6 multicast policies are not supported.
• Anti-spoofing and other UserPorts profiles/filters do not support IPv6.
• The default (built-in) network group, “Switch”, only applies to IPv4 interfaces. There is no such group
for IPv6 interfaces.
Note. IPv6 ACLs are not supported on A1 NI modules. Use the show ni command to verify the version of
the NI module. Contact your Alcatel-Lucent support representative if you are using A1 boards.
ACL & Layer 3 Security
The following additional ACL features are available for improving network security and preventing malicious
activity on the network:
• ICMP drop rules—Allow condition combinations in policies that will prevent user pings, thus reducing
DoS exposure from pings. Two condition parameters are also available to provide more granular
filtering of ICMP packets: icmptype and icmpcode.
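The following Python model, added here as an illustration and not taken from the OmniSwitch software or documentation, shows how the policy condition parameters named above (a Layer 2 MAC match, an IPv4 prefix, source ipv6, destination ipv6, ipv6, nh, flow-label, icmptype and icmpcode) combine within one condition and how the first matching rule's disposition decides whether a packet is accepted or dropped. The rule set, the sample packets, and the choice to accept a packet that matches no rule are all constructed assumptions of the model, not switch defaults stated on this page.

```python
"""Model of QoS policy-rule classification: each rule pairs a condition with a
disposition, and the first rule whose condition matches the packet decides.
Added illustration, not OmniSwitch code; all rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Header fields a policy condition can test (constructed sample values)."""
    src_mac: str
    src_ip: Optional[str] = None          # IPv4 or IPv6 literal
    dst_ip: Optional[str] = None
    next_header: Optional[int] = None     # IPv4 protocol number / IPv6 next header
    flow_label: Optional[int] = None      # IPv6 only
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    @property
    def ip_version(self) -> Optional[int]:
        return ipaddress.ip_address(self.src_ip).version if self.src_ip else None


@dataclass
class Condition:
    """Parameters of one policy condition; every parameter that is set must match (AND)."""
    source_mac: Optional[str] = None      # Layer 2 ACL parameter
    source_ip: Optional[str] = None       # IPv4 prefix, e.g. "10.0.0.0/8"
    source_ipv6: Optional[str] = None     # IPv6 prefix, e.g. "2001:db8::/32"
    destination_ipv6: Optional[str] = None
    ipv6: bool = False                    # match any IPv6 packet
    nh: Optional[int] = None              # IPv6 next header value
    flow_label: Optional[int] = None
    icmptype: Optional[int] = None
    icmpcode: Optional[int] = None

    @staticmethod
    def _in_prefix(addr: Optional[str], prefix: Optional[str]) -> bool:
        if prefix is None:
            return True                   # parameter not set: no constraint
        if addr is None:
            return False
        # ipaddress answers False when the address and prefix are of different IP versions
        return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

    def matches(self, p: Packet) -> bool:
        if self.source_mac is not None and self.source_mac.lower() != p.src_mac.lower():
            return False
        if self.ipv6 and p.ip_version != 6:
            return False
        if not self._in_prefix(p.src_ip, self.source_ip):
            return False
        if not self._in_prefix(p.src_ip, self.source_ipv6):
            return False
        if not self._in_prefix(p.dst_ip, self.destination_ipv6):
            return False
        for want, have in ((self.nh, p.next_header), (self.flow_label, p.flow_label),
                           (self.icmptype, p.icmp_type), (self.icmpcode, p.icmp_code)):
            if want is not None and want != have:
                return False
        return True


@dataclass
class Rule:
    name: str
    condition: Condition
    disposition: str                      # "accept" or "deny"


def classify(rules: List[Rule], p: Packet) -> Tuple[Optional[str], str]:
    """Return (matching rule name, disposition); first match wins.
    A packet matching no rule is accepted here (an assumption of this model)."""
    for rule in rules:
        if rule.condition.matches(p):
            return rule.name, rule.disposition
    return None, "accept"


# Constructed rule set covering the ACL kinds described in the text.
RULES = [
    Rule("deny_bad_mac", Condition(source_mac="00:11:22:33:44:55"), "deny"),   # Layer 2 ACL
    Rule("deny_v4_ping", Condition(icmptype=8, icmpcode=0), "deny"),           # ICMP drop rule
    Rule("deny_v6_src", Condition(source_ipv6="2001:db8:bad::/48"), "deny"),   # IPv6 ACL
    Rule("deny_v6_hopbyhop", Condition(ipv6=True, nh=0), "deny"),              # nh 0 = hop-by-hop
    Rule("allow_lan", Condition(source_ip="10.0.0.0/8"), "accept"),            # Layer 3 ACL
]

# Constructed sample packets.
SAMPLES = {
    "v4_ping": Packet("00:aa:bb:cc:dd:01", "10.1.1.1", "10.2.2.2", next_header=1, icmp_type=8, icmp_code=0),
    "v4_tcp": Packet("00:aa:bb:cc:dd:01", "10.1.1.1", "10.2.2.2", next_header=6),
    "bad_mac": Packet("00:11:22:33:44:55", "10.1.1.1", "10.2.2.2", next_header=6),
    "v6_bad_src": Packet("00:aa:bb:cc:dd:02", "2001:db8:bad::7", "2001:db8:1::1", next_header=6),
    "v6_hopbyhop": Packet("00:aa:bb:cc:dd:02", "2001:db8:1::9", "2001:db8:1::1", next_header=0),
    # ICMPv6 echo request is type 128, so a rule written for ICMPv4 type 8 does not catch it
    "v6_ping": Packet("00:aa:bb:cc:dd:02", "2001:db8:1::9", "2001:db8:1::1", next_header=58, icmp_type=128, icmp_code=0),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:12s} -> {classify(RULES, pkt)}")
```

The last sample packet is the check worth keeping in mind when carrying an ICMP drop rule over to IPv6: echo requests use a different type number under ICMPv6, so an icmptype value chosen for IPv4 pings leaves the IPv6 equivalent unfiltered.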