Alcatel-Lucent OmniStack 6300 User Guide

♦  1 Ingress IP ACL 
♦  1 Ingress MAC ACL 
♦  1 Egress IP ACL 
♦  1 Egress MAC ACL 
Precedence 
An ACL can have multiple rules to match multiple flows. 
The order in which the rules are interpreted is NOT defined by the order in which you created the rules. 
When a packet could match multiple rules, the switch uses the ACL masks to determine which rule has to be analyzed first. 
The precedence of the rules is based on the order in which you created the ACL masks. 
ACL masks 
Within an ACL, a rule defines which bits are expected to be seen in the packet. 
That does not tell the switch which bits to read inside the packets. 
You need to tell the switch which bits you want to check when analyzing the packets. 
This is the meaning of an ACL mask. 
Then, once the switch knows what to analyze, it uses the ACL rules to compare the bits it has read with the expected values. 
You will have to define 4 ACL masks: 
♦  IP ACL mask in : defines how to analyze incoming packets using IP ACLs 
♦  IP ACL mask out : defines how to analyze outgoing packets using IP ACLs 
♦  MAC ACL mask in : defines how to analyze incoming packets using MAC ACLs 
♦  MAC ACL mask out : defines how to analyze outgoing packets using MAC ACLs 
 
The mask simply defines « the type of the rule ». 
If a rule defines a source ip host 2.0.0.1, the type is « source ip host » and you need to configure a source ip host mask. 
If a second rule defines a second source ip host 2.0.0.2, the type is also « source ip host ». 
There is no need to create a second mask: both rules have the same type, so they both use the same mask. 
 
You need to create a mask for every « type of rule » you created. 
 
The order in which you create the masks defines the order in which the switch analyzes the rules within an ACL.  
 
Example: 
Create an ACL to deny incoming traffic from subnet 2.0.0.0/8 going to host 3.0.0.1 with IP DSCP 56, source TCP port 3000 and destination TCP port 80. 
 
 To create the ACL  
Console(config)# access-list ip extended ACL_IN 
Console(config-ext-acl)# deny tcp 2.0.0.0 255.0.0.0 host 3.0.0.1 dscp 56 source-port 3000 destination-port 80 
Console(config-ext-acl)# exit 
  
 To create the mask (since we want to filter incoming traffic, we need to set an IP mask in) 
Console(config)# access-list ip mask-precedence in 
Console(config-ip-mask-acl)# mask protocol 255.0.0.0 host dscp source-port 65535 destination-port 65535 
Console(config-ip-mask-acl)# exit 
 
      The different options mean: 
♦  protocol: check the protocol field in the L3 header 
♦  255.0.0.0: check only the first byte of the source IP address in the L3 header, since we defined a class A mask in the rule 
♦  host: check the full destination IP address in the L3 header 
♦  dscp: check the IP DSCP field in the L3 header 
♦  source-port 65535: check the 2 bytes of the source port in the L4 header; 65535 means all bits have to be checked 
♦  destination-port 65535: check the 2 bytes of the destination port in the L4 header 
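The following Python model is an added illustration of the mask and precedence behaviour described on this page; it is not OmniStack code and the class and function names (`Mask`, `Rule`, `evaluate`, `page_example`, `precedence_demo`) are made up for the example. It assumes exactly the semantics stated above: a mask selects which bits are read, a rule is compared only on those bits, masks are walked in creation order, and a rule whose « type » has no configured mask is never analyzed (that last point is an assumption of the model). It encodes the ACL_IN entry and its mask-precedence line from the example, then shows with two rules of different type (source host vs. source /8) how the mask creation order alone decides which rule wins.

```python
# Added model of ACL masks and rule precedence (illustration only, not OmniStack code).
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

HOST = "255.255.255.255"   # the CLI keyword "host" means all 32 address bits are checked

def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

@dataclass(frozen=True)
class Packet:
    protocol: int          # IP protocol number, 6 = TCP
    src_ip: str
    dst_ip: str
    dscp: int
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Mask:
    """Which header bits the switch reads; None/False means the field is not inspected."""
    protocol: bool = False
    src_ip: Optional[str] = None     # dotted mask such as "255.0.0.0"
    dst_ip: Optional[str] = None
    dscp: bool = False
    src_port: Optional[int] = None   # 16-bit mask, 65535 = check every bit
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    """One ACL entry; the address mask typed in the CLI ("2.0.0.0 255.0.0.0") is kept with it."""
    action: str
    protocol: Optional[int] = None
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None
    dscp: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def mask_type(self) -> Mask:
        """The 'type of the rule': the mask that must exist for the rule to be analyzed."""
        return Mask(protocol=self.protocol is not None,
                    src_ip=self.src_mask if self.src_ip is not None else None,
                    dst_ip=self.dst_mask if self.dst_ip is not None else None,
                    dscp=self.dscp is not None,
                    src_port=65535 if self.src_port is not None else None,
                    dst_port=65535 if self.dst_port is not None else None)

def _masked_eq(value: int, expected: int, mask: Optional[int]) -> bool:
    """True when the bits selected by the mask agree, or when the field is not inspected."""
    return mask is None or (value & mask) == (expected & mask)

def rule_matches(rule: Rule, pkt: Packet, mask: Mask) -> bool:
    """Compare only the bits the mask selects against the rule's expected values."""
    if mask.protocol and pkt.protocol != rule.protocol:
        return False
    if mask.dscp and pkt.dscp != rule.dscp:
        return False
    ip_mask = lambda m: None if m is None else ip_int(m)
    return (_masked_eq(ip_int(pkt.src_ip), ip_int(rule.src_ip or "0.0.0.0"), ip_mask(mask.src_ip))
            and _masked_eq(ip_int(pkt.dst_ip), ip_int(rule.dst_ip or "0.0.0.0"), ip_mask(mask.dst_ip))
            and _masked_eq(pkt.src_port, rule.src_port or 0, mask.src_port)
            and _masked_eq(pkt.dst_port, rule.dst_port or 0, mask.dst_port))

def evaluate(rules: List[Rule], masks: List[Mask], pkt: Packet) -> Optional[str]:
    """Walk the masks in creation order and, for each, the rules of that type in creation
    order; return the action of the first match, or None if nothing matched.
    Assumption of this model: a rule whose type has no configured mask is never analyzed."""
    for mask in masks:
        for rule in rules:
            if rule.mask_type() == mask and rule_matches(rule, pkt, mask):
                return rule.action
    return None

# The page's ACL_IN entry and its "mask-precedence in" line, as data.
ACL_IN = [Rule("deny", protocol=6, src_ip="2.0.0.0", src_mask="255.0.0.0",
               dst_ip="3.0.0.1", dst_mask=HOST, dscp=56, src_port=3000, dst_port=80)]
MASKS_IN = [Mask(protocol=True, src_ip="255.0.0.0", dst_ip=HOST,
                 dscp=True, src_port=65535, dst_port=65535)]

def page_example(src_ip: str = "2.10.20.30", dst_port: int = 80) -> Optional[str]:
    """Constructed TCP packet towards 3.0.0.1 with DSCP 56 from source port 3000."""
    pkt = Packet(protocol=6, src_ip=src_ip, dst_ip="3.0.0.1", dscp=56, src_port=3000, dst_port=dst_port)
    return evaluate(ACL_IN, MASKS_IN, pkt)

# Precedence: two rules of different type; only the mask creation order decides which wins.
HOST_PERMIT = Rule("permit", src_ip="2.0.0.1", src_mask=HOST)
NET_DENY = Rule("deny", src_ip="2.0.0.0", src_mask="255.0.0.0")
HOST_MASK, NET_MASK = Mask(src_ip=HOST), Mask(src_ip="255.0.0.0")

def precedence_demo(mask_order: List[Mask]) -> Optional[str]:
    """Constructed packet from 2.0.0.1; matches both rules, so the mask order decides."""
    pkt = Packet(protocol=6, src_ip="2.0.0.1", dst_ip="9.9.9.9", dscp=0, src_port=1234, dst_port=443)
    return evaluate([HOST_PERMIT, NET_DENY], mask_order, pkt)
```

`page_example()` returns "deny" for a packet from 2.10.20.30 to 3.0.0.1 on port 80, and `None` (no rule matched) once the destination port or the first byte of the source address differs, which is exactly what the single mask tells the switch to compare. `precedence_demo([HOST_MASK, NET_MASK])` returns "permit" while `precedence_demo([NET_MASK, HOST_MASK])` returns "deny": the rules were created in the same order both times, only the masks changed order. When reviewing an ACL on this platform, check the mask-precedence list together with the rules, since a mask created in the wrong order silently changes which rule applies.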