Alcatel-Lucent OmniStack 6300 User Guide
Note
♦ The “show access-list” command always displays the rules in precedence order, not in the order in which they were
created.
♦ Extended IP ACLs do support DSCP, even though the user manual still says “ACL DSCP not supported”.
Limitations
♦ Up to 32 ACLs
♦ Up to 32 rules per ACL, however it is recommended not to exceed 20 rules
♦ Up to 7 entries per ACL mask
♦ Masks are shared among all interfaces
♦ Masks have to be defined before binding an ACL to an interface
♦ The order in which the masks are entered defines the precedence of the rules
♦ For egress ACLs, all rules have to be “deny”
♦ Egress ACLs do not support the explicit “deny any any”
♦ MAC ACLs are always checked first. If a packet matches both a MAC ACL and an IP ACL, only the MAC ACL will be
executed
Interoperability with OmniSwitch 6624/6648 7700/7800 8800
ACLs are fully compliant with the “policy condition” configured on the OmniSwitches.
They both define the conditions a packet has to match.
However, an ACL is always attached to an interface whereas a “policy” is chassis wide.
Also, ACLs have more options, such as frame type, TCP control flags or masks.
OmniSwitch 6624/6648 7700/7800 8800 can support up to 2048 policies.
OmniSwitch 6300 does not need a “qos apply” (which flushes the MAC and ARP tables) after creating a new ACL.
ACLs are enforced by dedicated filtering hardware that does not interact with “source learning”.
ACLs always work at “wire speed”; there is no software processing at all.
5.1 IP Standard ACL
Console(config)# access-list ip standard IN
Console(config-std-acl)# permit 2.0.0.0 255.255.255.0
Console(config-std-acl)# deny host 2.0.0.2
Console(config-std-acl)# exit
Console(config)# access-list ip standard OUT
Console(config-std-acl)# deny host 2.0.0.3
Console(config-std-acl)# exit
Console(config)# access-list ip mask-precedence in
Console(config-ip-mask-acl)# mask host
Console(config-ip-mask-acl)# mask 255.255.255.0
Console(config-ip-mask-acl)# exit
Console(config)# access-list ip mask-precedence out
Console(config-ip-mask-acl)# mask host
Console(config-ip-mask-acl)# exit
Console(config)# interface ethernet 1/3
Console(config-if)# ip access-group IN in
Console(config-if)# ip access-group OUT out
Console(config-if)# exit
You can verify the precedence order with the show command.
Because of the mask order, ACL IN first analyses the full IP address, then the subnet.
A packet with source IP 2.0.0.2 will be denied because it first matches “deny host 2.0.0.2”.
Console#show access-list
IP standard access-list IN:
deny host 2.0.0.2
permit 2.0.0.0 255.255.255.0
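The following is an added model of the rule ordering described above; it is not code from the OmniStack guide or from the switch. It assumes a standard IP ACL is evaluated by walking the rules in mask-precedence order and taking the first match, and it does not model the platform's action for packets that match no rule. Reversing the mask order shows how the host "deny" gets shadowed by the wider "permit".

```python
# Added example: ordering of standard IP ACL rules by mask precedence (not
# creation order), as the guide describes for the OmniStack 6300.
import ipaddress
from dataclasses import dataclass

HOST_MASK = "255.255.255.255"  # what "mask host" / "deny host x.x.x.x" means


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    network: str  # e.g. "2.0.0.0"
    mask: str     # subnet mask; HOST_MASK for "host" rules


def precedence_order(rules, masks):
    """Order rules by the position of their mask in the mask-precedence list.

    The guide requires masks to be defined before an ACL is bound, so a rule
    whose mask is missing is rejected here (assumed behaviour)."""
    for r in rules:
        if r.mask not in masks:
            raise ValueError(f"mask {r.mask} not defined in mask-precedence list")
    return sorted(rules, key=lambda r: masks.index(r.mask))  # stable sort


def matches(rule, src_ip):
    net = ipaddress.IPv4Network(f"{rule.network}/{rule.mask}", strict=False)
    return ipaddress.IPv4Address(src_ip) in net


def evaluate(rules, masks, src_ip):
    """Action of the first matching rule in precedence order, or None if no
    rule matches (the platform's default action is not modelled)."""
    for rule in precedence_order(rules, masks):
        if matches(rule, src_ip):
            return rule.action
    return None


def show_access_list(rules, masks):
    """Mimic 'show access-list': rules printed in precedence order."""
    lines = []
    for r in precedence_order(rules, masks):
        target = f"host {r.network}" if r.mask == HOST_MASK else f"{r.network} {r.mask}"
        lines.append(f"{r.action} {target}")
    return lines


# Constructed from the guide's ACL "IN" example, in creation order.
ACL_IN = [Rule("permit", "2.0.0.0", "255.255.255.0"), Rule("deny", "2.0.0.2", HOST_MASK)]
MASKS_IN = [HOST_MASK, "255.255.255.0"]  # "mask host" entered first, as in the guide
```

With `MASKS_IN` as entered in the guide, `evaluate(ACL_IN, MASKS_IN, "2.0.0.2")` returns "deny"; with the two masks swapped it returns "permit", because the subnet rule is then checked first.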