Alcatel-Lucent 6850-48 Network Guide
Configuring ACLs
Using ACL Security Features
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 41-17
The UserPorts group is also used in conjunction with the DropServices group. If a flow received on a port
that is a member of the UserPorts group is destined for a TCP or UDP port (service) specified in the
DropServices group, the flow is dropped. See
that is a member of the UserPorts group is destined for a TCP or UDP port (service) specified in the
DropServices group, the flow is dropped. See
more information.
Configuring UserPort Traffic Types and Port Behavior
In addition to spoofed traffic, it is also possible to configure QoS to look for BPDU, RIP, OSPF, BGP,
VRRP, and/or DHCP server packets on user ports. When the specified type of traffic is encountered, the
user port can either filter the traffic or administratively shutdown to block all traffic.
VRRP, and/or DHCP server packets on user ports. When the specified type of traffic is encountered, the
user port can either filter the traffic or administratively shutdown to block all traffic.
By default spoofed traffic is filtered on user ports. To specify additional types of traffic to look for on
these ports and select how the port will deal with such traffic, use the
these ports and select how the port will deal with such traffic, use the
command to config-
ure a UserPorts profile. For example, the following command specifies that user ports should filter BPDU
packets:
packets:
-> qos user-port filter spoof
To specify multiple types of traffic on the same command line, enter each type separated by a space. For
example:
example:
-> qos user-port filter ospf bgp rip
Note that a slot and port is not required with the qos user-port command. This is because the command
applies to all ports that are members of the UserPorts group.
applies to all ports that are members of the UserPorts group.
The following qos user-port command example uses the shutdown option to administratively disable the
user port if the specified type of traffic is received on that port:
user port if the specified type of traffic is received on that port:
-> qos user-port shutdown bpdu
Note that an SNMP trap is sent whenever a user port shutdown occurs. To enable a port disabled by a user
port shutdown operation, use the
port shutdown operation, use the
disconnect and reconnect the port cable.
To disable the filter or shutdown function, use the no form of the qos user-port command. For example,
the following command disables the filtering operation for all user ports:
the following command disables the filtering operation for all user ports:
-> qos no user-port filter
Note that any changes to the UserPorts profile (e.g., adding or removing a traffic type) are not made until
the
the
command is performed.
Configuring a DropServices Group
To drop packets destined for specific TCP and UDP ports using minimal switch resources, configure a
services group called DropServices with a list of previously defined TCP/UDP services. The DropSer-
vices group is used in conjunction with the UserPorts group. TCP/UDP services that belong to the DropS-
ervices group are only filtered on ports that belong to the UserPorts group.
services group called DropServices with a list of previously defined TCP/UDP services. The DropSer-
vices group is used in conjunction with the UserPorts group. TCP/UDP services that belong to the DropS-
ervices group are only filtered on ports that belong to the UserPorts group.
Note that it is not necessary to include the DropServices group in an ACL for the group to take effect.
DropServices is a reserved group that is active once TCP/UDP services are added to the group and ports
are added to the reserved UserPorts group and the QoS configuration is applied. For example:
DropServices is a reserved group that is active once TCP/UDP services are added to the group and ports
are added to the reserved UserPorts group and the QoS configuration is applied. For example:
1 Create destination port services for the TCP/UDP traffic that you want dropped using the
command, as shown below: