Alcatel-Lucent 6850-48 Network Guide

Configuring ACLs
Using ACL Security Features
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 41-19
Configuring ICMP Drop Rules
Combining a Layer 2 condition for source VLAN with a Layer 3 condition for IP protocol is supported. In 
addition, two new condition parameters are available to provide more granular filtering of ICMP packets: 
icmptype and icmpcode. Use these two conditions together in a policy to block ICMP echo request and 
reply packets without impacting switch performance. 
The following example defines an ACL policy that prevents users on VLAN 10 from pinging by dropping 
ICMP echo request (type 8) packets as they enter the switch from that VLAN:
-> policy condition pingEchoRequest source vlan 10 icmptype 8
-> policy action drop disposition drop 
-> policy rule noping10 condition pingEchoRequest action drop 
-> qos apply
Note that the above policy drops only ICMP echo request packets (type 8) sourced from VLAN 10; echo replies 
(type 0) and all other ICMP traffic are still allowed.
Configuring TCP Connection Rules
Two condition parameters are available for defining a TCP connection ACL policy: established and 
tcpflags. An ACL can be defined using the established parameter to identify packets that belong to an 
established TCP connection and allow forwarding of those packets to continue. When this parameter is 
used, the TCP header is examined to determine whether the ACK or RST flag bit is set. If either bit is set, 
the packet is considered part of an established connection. This is a stateless check of header bits only; 
no connection table is consulted, so a packet whose ACK bit has been deliberately set also matches the 
condition even when no connection exists.
The following is an example ACL policy using the established condition parameter:
policy condition c destination ip 192.168.10.0 mask 255.255.255.0 established
policy condition c1 destination ip 192.168.10.0 mask 255.255.255.0
policy action drop disposition drop
policy action allow
policy rule r condition c action allow
policy rule r1 condition c1 action drop
qos apply
In this example, rule r accepts TCP packets destined for the 192.168.10.0/24 network that carry the ACK or 
RST bit, and rule r1 drops all other IP traffic destined for that network. New TCP connections cannot be 
initiated to the 192.168.10.0 network, because the initial SYN carries neither bit and is dropped, and all 
non-TCP IP traffic to that network is dropped as well. Only the packets of TCP connections initiated from 
the 192.168.10.0 network are allowed in. 
Note that the above example ACL would also prevent active-mode FTP sessions, because the FTP server 
opens the data connection back toward the client and that initial SYN is dropped. See the 
 
command page in the OmniSwitch CLI Reference Guide for more information.
An ACL can also be defined using the tcpflags parameter to examine and qualify specific TCP flags 
individually or in combination with other flags. This parameter can be used to drop packets that carry 
illegal or abnormal flag combinations and so to prevent specific DoS attacks, such as the Christmas tree 
packet.
The following example uses the tcpflags condition parameter to match packets in which the F (fin) and 
S (syn) flag bits are set to one and the A (ack) bit is set to zero:
-> policy condition c1 tcpflags all f s mask f s a
The flags listed after mask are the ones examined; those also listed after all must be one, and the rest 
must be zero. In this example a match must occur on all three flags, or the condition is not satisfied. 
If the optional keyword any is used instead, a match need only occur on any one of the masked flags. For 
example, the following condition is satisfied when either the A (ack) bit or the R (rst) bit equals one:
-> policy condition c1 tcpflags any a r mask a r
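The following Python script is an added illustration and is not Alcatel-Lucent code: it models the match 
behaviour of the condition parameters described in the ICMP, established and tcpflags sections above 
(icmptype/icmpcode, established as "ACK or RST set", and tcpflags all|any ... mask ...) and evaluates the 
page's two example policies against constructed packets. The Packet class, the cond_* and policy_* 
function names, the sample packets and the assumption that traffic matching no rule is accepted are all 
choices made for this example, not switch behaviour documented on this page.

```python
"""Added example (not OmniSwitch code): evaluate the ACL condition parameters
described on this page against constructed packets.  Names, sample packets and
the default-accept assumption are this example's own."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Bits of the TCP flags byte, keyed by the AOS tcpflags letters
# (f=FIN, s=SYN, r=RST, p=PSH, a=ACK, u=URG).
TCP_FLAG_BITS = {"f": 0x01, "s": 0x02, "r": 0x04, "p": 0x08, "a": 0x10, "u": 0x20}
ICMP, TCP, UDP = 1, 6, 17


@dataclass
class Packet:
    """Constructed packet summary holding only the fields the conditions inspect."""
    src_vlan: int
    proto: int
    dst_ip: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    tcp_flags: str = ""        # e.g. "sa" for SYN+ACK


def flag_byte(letters: str) -> int:
    """Translate a string of flag letters into the TCP flags byte value."""
    return sum(TCP_FLAG_BITS[c] for c in letters)


def cond_icmp(pkt: Packet, icmptype: int, icmpcode: Optional[int] = None) -> bool:
    """icmptype / icmpcode condition parameters."""
    if pkt.proto != ICMP or pkt.icmp_type != icmptype:
        return False
    return icmpcode is None or pkt.icmp_code == icmpcode


def cond_established(pkt: Packet) -> bool:
    """'established': true when the ACK or RST bit is set.  This is a stateless
    look at header bits; no connection table is consulted."""
    return pkt.proto == TCP and bool(flag_byte(pkt.tcp_flags) & flag_byte("ar"))


def cond_tcpflags(pkt: Packet, mode: str, set_flags: str, mask_flags: str) -> bool:
    """tcpflags all|any <set_flags> mask <mask_flags>: every flag in mask_flags is
    examined; those also in set_flags must be 1, the others must be 0.  'all'
    requires every examined flag to match, 'any' requires at least one."""
    if pkt.proto != TCP:
        return False
    have, want = flag_byte(pkt.tcp_flags), flag_byte(set_flags)
    checks = [(have & TCP_FLAG_BITS[c]) == (want & TCP_FLAG_BITS[c]) for c in mask_flags]
    return all(checks) if mode == "all" else any(checks)


def cond_dst_net(pkt: Packet, net: str) -> bool:
    """destination ip <net> mask <mask> condition, written in CIDR form here."""
    return ip_address(pkt.dst_ip) in ip_network(net)


def policy_noping10(pkt: Packet) -> str:
    """Rule noping10: drop ICMP echo requests (type 8) sourced from VLAN 10."""
    if pkt.src_vlan == 10 and cond_icmp(pkt, 8):
        return "drop"
    return "accept"   # assumption: traffic matching no rule is accepted


def policy_established(pkt: Packet) -> str:
    """Rule r (accept established TCP to 192.168.10.0/24) then rule r1 (drop
    everything else to that network)."""
    to_net = cond_dst_net(pkt, "192.168.10.0/24")
    if to_net and cond_established(pkt):
        return "accept"
    if to_net:
        return "drop"
    return "accept"   # assumption: traffic matching no rule is accepted


# Constructed sample packets (not captured traffic).
SYN_IN = Packet(20, TCP, "192.168.10.5", tcp_flags="s")      # new inbound connection
SYNACK_IN = Packet(20, TCP, "192.168.10.5", tcp_flags="sa")  # reply to an outbound SYN
ACK_SCAN = Packet(20, TCP, "192.168.10.5", tcp_flags="a")    # crafted bare ACK, no connection
UDP_IN = Packet(20, UDP, "192.168.10.5")
PING = Packet(10, ICMP, "192.168.10.5", icmp_type=8, icmp_code=0)
PONG = Packet(10, ICMP, "192.168.10.5", icmp_type=0, icmp_code=0)
SYN_FIN = Packet(20, TCP, "10.0.0.1", tcp_flags="fs")        # illegal SYN+FIN
XMAS = Packet(20, TCP, "10.0.0.1", tcp_flags="fpu")          # FIN+PSH+URG, no SYN/ACK

if __name__ == "__main__":
    for name, pkt in [("SYN_IN", SYN_IN), ("SYNACK_IN", SYNACK_IN),
                      ("ACK_SCAN", ACK_SCAN), ("UDP_IN", UDP_IN)]:
        print(f"{name:10s} established policy -> {policy_established(pkt)}")
    for name, pkt in [("PING", PING), ("PONG", PONG)]:
        print(f"{name:10s} noping10 policy    -> {policy_noping10(pkt)}")
    print("SYN_FIN matches 'all f s mask f s a':", cond_tcpflags(SYN_FIN, "all", "fs", "fsa"))
    print("ACK_SCAN matches 'any a r mask a r':", cond_tcpflags(ACK_SCAN, "any", "ar", "ar"))
```

The ACK_SCAN case is the one worth noting: because established only tests the ACK and RST bits, a bare ACK 
crafted by a scanner passes rule r even though no connection exists, which is exactly why the page's rule is 
a connection-direction filter rather than stateful tracking.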