Alcatel-Lucent 6850-48 Network Guide

Configuring ACLs
page 41-8
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
For more information about the global disposition commands, see the 
OmniSwitch CLI Reference Guide.
Important. If you set the global bridged disposition (using the qos default bridged disposition 
command) to deny or drop, it will result in dropping all Layer 2 traffic from the switch that does not 
match any policy to accept traffic. You must create policies (one for source and one for destination) to 
allow traffic on the switch.
If you set the bridged disposition to deny or drop, and you configure Layer 2 ACLs, you will need two 
rules for each type of filter. For more information, see 
.
Creating Condition Groups For ACLs
Condition groups for ACLs are made up of multiple IP addresses (IPv4 only; IPv6 not supported with 
condition groups), MAC addresses, services, or IP ports to which you want to apply the same disposition. 
Instead of creating a separate condition for each policy rule, create a condition group and associate the 
group with the condition. This reduces the number of rules you would have to configure (one for each 
address, service, or port). The commands used for creating condition groups include:
For example:
-> policy network group netgroup2 10.10.5.1 10.10.5.2 10.10.5.3
-> policy condition cond2 source network group netgroup2
The first command configures a network group (netgroup2) of three IP addresses. The second command then 
configures that network group as part of a policy condition (cond2). The condition specifies that the 
addresses in the group are source addresses. (For all condition groups except service groups, the policy 
condition specifies whether the condition group is a source or destination group.)
If a network group was not used, a separate condition would have to be created for each IP address. 
Subsequently, a corresponding rule would have to be created for each condition. Using a network group 
reduces the number of rules required.
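The rule-count difference described above, written out as an added example that is not taken from the guide: the same three source addresses are filtered first without and then with a network group. The names a_deny, c1 to c3, r1 to r3 and r_grp are hypothetical, and deny is an assumed disposition; the two variants are alternatives, and lines starting with "!" are annotations rather than commands to type.

```text
! Shared action (hypothetical name a_deny; deny is an assumed disposition).
-> policy action a_deny disposition deny

! Variant 1, no network group: one condition and one rule per address.
-> policy condition c1 source ip 10.10.5.1
-> policy condition c2 source ip 10.10.5.2
-> policy condition c3 source ip 10.10.5.3
-> policy rule r1 condition c1 action a_deny
-> policy rule r2 condition c2 action a_deny
-> policy rule r3 condition c3 action a_deny

! Variant 2, network group from the guide's example: one condition, one rule.
-> policy network group netgroup2 10.10.5.1 10.10.5.2 10.10.5.3
-> policy condition cond2 source network group netgroup2
-> policy rule r_grp condition cond2 action a_deny

! Activate the pending policy configuration.
-> qos apply
```

Adding a fourth address costs one more condition and one more rule in variant 1, but only a change to netgroup2 in variant 2.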
For more details about using groups in policy conditions, see 
 in