Alcatel-Lucent 6850-48 Network Guide

Configuring ACLs
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 41-13
Layer 3 ACL: Example 1
In this example, the default routed disposition is accept (the default). Since the default is accept, the qos default routed disposition command would only need to be entered if the disposition had previously been set to deny. The command is shown here for completeness.
-> qos default routed disposition accept
-> policy condition addr2 source ip 192.68.82.0 source ip port 23 ip protocol 6
-> policy action Block disposition deny
-> policy rule FilterL31 condition addr2 action Block
Traffic with a source IP address of 192.68.82.0, a source IP port of 23, using protocol 6, will match condition addr2, which is part of FilterL31. The action for the filter (Block) is set to deny traffic. The flow will be dropped on the switch.
Note that although this example contains only Layer 2 conditions, it is possible to combine Layer 2 and 
Layer 3 conditions in the same policy. 
Layer 3 ACL: Example 2
This example uses condition groups to combine multiple IP addresses in a single condition. The default 
disposition is set to deny.
-> qos default routed disposition deny
-> policy network group GroupA 192.60.22.1 192.60.22.2 192.60.22.0
-> policy condition cond7 destination network group GroupA
-> policy action Ok disposition accept
-> policy rule FilterL32 condition cond7 action Ok
In this example, a network group, GroupA, is configured with three IP addresses. Condition cond7 includes GroupA as a destination group. Flows coming into the switch destined for any of the specified IP addresses in the group will match rule FilterL32. FilterL32 is configured with an action (Ok) to allow the traffic on the switch.
Note that although this example contains only Layer 2 conditions, it is possible to combine Layer 2 and 
Layer 3 conditions in the same policy. 
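The two Layer 3 listings above, run through a small offline model (an added example, not part of the Alcatel-Lucent guide and not AOS code): it parses only the commands shown on this page and reports which rule a sample flow hits, or whether it falls through to the default routed disposition. Assumptions: addresses match exactly as the text describes, the first matching rule wins, and the flow field names (src, dst, sport, proto) are this example's own.

```python
# Input: the two command listings from this page, copied verbatim.
EXAMPLE_1 = """-> qos default routed disposition accept
-> policy condition addr2 source ip 192.68.82.0 source ip port 23 ip protocol 6
-> policy action Block disposition deny
-> policy rule FilterL31 condition addr2 action Block"""
EXAMPLE_2 = """-> qos default routed disposition deny
-> policy network group GroupA 192.60.22.1 192.60.22.2 192.60.22.0
-> policy condition cond7 destination network group GroupA
-> policy action Ok disposition accept
-> policy rule FilterL32 condition cond7 action Ok"""

# Condition keywords used on this page -> flow field tested (names are this model's own).
FIELDS = {"source ip port": "sport", "source ip": "src",
          "ip protocol": "proto", "destination network group": "dst"}

def parse_condition(text):
    """Split 'keyword value keyword value ...' into {field: value}, longest keyword first."""
    tests = {}
    while text:
        kw = next((k for k in sorted(FIELDS, key=len, reverse=True)
                   if text.startswith(k + " ")), None)
        if kw is None:
            raise ValueError("keyword not modelled: " + text)
        value, _, text = text[len(kw) + 1:].partition(" ")
        tests[FIELDS[kw]] = value
    return tests

def parse(config):
    cfg = {"default": "accept", "groups": {}, "conds": {}, "actions": {}, "rules": []}
    for line in config.splitlines():
        w = [t for t in line.split() if t != "->"]
        if w[:4] == ["qos", "default", "routed", "disposition"]:
            cfg["default"] = w[4]
        elif w[:3] == ["policy", "network", "group"]:
            cfg["groups"][w[3]] = set(w[4:])
        elif w[:2] == ["policy", "condition"]:
            cfg["conds"][w[2]] = parse_condition(" ".join(w[3:]))
        elif w[:2] == ["policy", "action"]:
            cfg["actions"][w[2]] = w[4]              # "disposition accept|deny"
        elif w[:2] == ["policy", "rule"]:
            cfg["rules"].append((w[2], w[4], w[6]))  # rule, condition, action
    return cfg

def disposition(cfg, flow):
    """Return (disposition, matching rule or None); address matches are exact, as the page describes."""
    for rule, cond, action in cfg["rules"]:
        if all(str(flow.get(f)) in cfg["groups"].get(v, {v})
               for f, v in cfg["conds"][cond].items()):
            return cfg["actions"][action], rule
    return cfg["default"], None   # no rule matched: default routed disposition applies
```

Calling disposition(parse(EXAMPLE_2), {"dst": "192.60.22.9"}) shows the effect of the deny default: an address outside GroupA matches no rule and is dropped.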
IPv6 ACLs
An ACL is considered an IPv6 ACL if the ipv6 keyword and/or any of the following specific policy condition keywords are used in the ACL to classify/filter IPv6 traffic:
IPv6 ACL Keywords
source ipv6
destination ipv6
source tcp port
destination port
source udp port
destination udp port
ipv6
nh (next header)
flow-label
Note that IPv6 ACLs take effect only on IPv6 traffic. All other ACLs/policies with IP conditions that do not use the IPv6 keyword take effect only on IPv4 traffic. For example:
-> policy condition c1 tos 7