Alcatel-Lucent 6850-48 Network Guide
Configuring ACLs
page 41-16
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
Using ACL Security Features
The following additional ACL features are available for improving network security and preventing malicious activity on the network:
• UserPorts—A port group that identifies its members as user ports to prevent source address spoofing of IP and ARP traffic (per RFC 2267). When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP address that does not match the IP subnet for the port. It is also possible to configure a UserPorts profile to specify other types of traffic to monitor on user ports. See "Configuring a UserPorts Group" below. Note that this group and configuring a UserPorts profile are not supported on the OmniSwitch 6800.
• DropServices—A service group that improves the performance of ACLs that are intended to deny packets destined for specific TCP/UDP ports. This group only applies to ports that are members of the UserPorts group. Using the DropServices group for this function minimizes processing overhead, which otherwise could lead to a DoS condition for other applications trying to use the switch. Note that this group is not supported on the OmniSwitch 6800.
• BPDUShutdownPorts—A port group that identifies its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. Note that this group is not supported on the OmniSwitch 6400, 6850, 6855, and 9000.
• ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reducing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode.
• TCP connection rules—Allows the determination of an established TCP connection by examining TCP flags found in the TCP header of the packet. Two condition parameters are available for defining a TCP connection ACL: established and tcpflags.
• Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP, and Local Proxy ARP are not discarded.
• ARP ACLs—It is also possible to create an ACL that will examine the source IP address in the header of ARP packets. This is done by specifying the ARP ethertype (0x0806) and source IP address. Note that this type of ACL is not supported on the OmniSwitch 6800.
Configuring a UserPorts Group
To prevent IP address spoofing and/or other types of traffic on specific ports, create a port group called UserPorts and add the ports to that group. For example, the following command adds ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:
-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1
-> qos apply
Note that the UserPorts group applies to both bridged and routed traffic, and it is not necessary to include the UserPorts group in a condition and/or rule for the group to take effect. Once ports are designated as members of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port.
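Worked example, added here and not part of the guide or the switch software: a Python model of the UserPorts source-address check described above, applied to IPv4 and ARP frames (the ARP case reads the sender IP, which is also the field an ARP ACL keyed on ethertype 0x0806 examines). Port names, subnets and frames are constructed for illustration, not taken from a switch.

```python
import ipaddress
import struct
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
# Constructed per-port subnet table (hypothetical addressing). Ports listed
# here are UserPorts members; a port absent from the table is not checked.
PORT_SUBNETS = {"1/1": ipaddress.ip_network("10.1.1.0/24"),
                "2/1": ipaddress.ip_network("10.1.2.0/24")}

def frame_source_ip(frame):
    """Source IP the UserPorts check validates, or None if the frame carries
    none. IPv4: the IP header source field. ARP (ethertype 0x0806): the
    sender protocol address, which is also the field an ARP ACL examines."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(body) >= 20:
        return ipaddress.IPv4Address(body[12:16])
    if ethertype == ETHERTYPE_ARP and len(body) >= 28:
        # hwtype(2) ptype(2) hlen(1) plen(1) op(2) sha(6): spa at offset 14
        return ipaddress.IPv4Address(body[14:18])
    return None

def user_port_verdict(port, frame):
    """Drop IP/ARP frames whose source IP is outside the ingress port's
    subnet; forward everything else (RFC 2267 ingress filtering)."""
    subnet = PORT_SUBNETS.get(port)
    if subnet is None:
        return "forward"  # not a UserPorts member: no spoof check
    src = frame_source_ip(frame)
    if src is None:
        return "forward"  # no IP source to validate (other ethertype)
    return "forward" if src in subnet else "drop"

# Constructed sample frames (not captures): 14-byte Ethernet header, then a
# minimal IPv4 header (checksum left zero) or a 28-byte ARP request body.
ETH = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
def ipv4_frame(src_ip, dst_ip="10.1.1.1"):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ETH + struct.pack("!H", ETHERTYPE_IPV4) + ip

def arp_frame(sender_ip, target_ip="10.1.1.1"):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, ETH[6:],
                      ipaddress.IPv4Address(sender_ip).packed, b"\x00" * 6,
                      ipaddress.IPv4Address(target_ip).packed)
    return ETH + struct.pack("!H", ETHERTYPE_ARP) + arp
```

A frame arriving on 1/1 with source 192.168.9.9 is dropped, while the same frame on a port outside the group is forwarded, matching the behaviour the guide describes for group members versus non-members.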