Alcatel-Lucent 6850-48 Network Guide
Configuring ACLs
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 41-11
Creating Policy Rules for ACLs
A policy rule is made up of a condition and an action. For example, to create a policy rule for filtering IP
addresses, which is a Layer 3 ACL, use the policy rule command with the condition and action
keywords. The precedence keyword is optional. By default rules have a precedence of 0. See
for more information about precedence.
-> policy condition c3 source ip 10.10.4.8
-> policy action a1 accept
-> policy rule rule7 precedence 65535 condition c3 action a1
In this example, any traffic matching condition c3 will match rule7; rule7 is configured with the highest
precedence value. If any other rules are configured for traffic with a source address of 10.10.4.8, rule7
will take precedence over the other rules only if one of the following is true:
• A conflict exists with another rule and rule7 has a higher precedence.
• A conflict exists with another rule that has the same precedence value, but rule7 was created first.
The action configured for the rule, a1, allows traffic from 10.10.4.8, so the flow will be accepted on the
switch.
The rule will not be used to classify traffic or enforce the policy until the qos apply command is entered.
For information about applying policy parameters, see
in
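The precedence and qos apply behaviour described above, worked through as an added simulation (example code written for this page, not part of the OmniSwitch guide or AOS): rules are entered in the guide's condition/action/precedence form, take effect only after apply(), and a flow is classified by the highest-precedence matching rule, with ties going to the rule created first. Matching on IP fields with Python's ipaddress module, and the conflicting rule8/c4/a2, are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    conditions: dict = field(default_factory=dict)  # name -> {field: value}
    actions: dict = field(default_factory=dict)     # name -> "accept" / "drop"
    pending: list = field(default_factory=list)     # typed but not yet applied
    rules: list = field(default_factory=list)       # applied, in creation order

    def condition(self, name, **fields):
        self.conditions[name] = fields
    def action(self, name, verb):
        self.actions[name] = verb
    def rule(self, name, condition, action, precedence=0):
        # Default precedence is 0, as the guide states; active only after apply().
        self.pending.append((name, condition, action, precedence))

    def apply(self):
        # Models "qos apply": pending rules become active, keeping creation order.
        self.rules.extend(self.pending)
        self.pending.clear()

    def _matches(self, cond, flow):
        # Assumption for the simulation: condition fields hold IP addresses/prefixes.
        for key, want in self.conditions[cond].items():
            net = ipaddress.ip_network(want, strict=False)
            if key not in flow or ipaddress.ip_address(flow[key]) not in net:
                return False
        return True

    def classify(self, flow):
        """Return (rule name, action) of the winning applied rule, or None."""
        best = None  # (precedence, name, action)
        for name, cond, act, prec in self.rules:
            if not self._matches(cond, flow):
                continue
            # Higher precedence wins; on a tie the rule created first wins, so a
            # later rule with equal precedence never displaces the current best.
            if best is None or prec > best[0]:
                best = (prec, name, self.actions[act])
        return None if best is None else best[1:]

def build_example():
    """The guide's example rule set plus one constructed conflicting rule."""
    p = Policy()
    p.condition("c3", source_ip="10.10.4.8")
    p.action("a1", "accept")
    p.rule("rule7", "c3", "a1", precedence=65535)
    p.condition("c4", source_ip="10.10.4.0/24")  # constructed: also covers 10.10.4.8
    p.action("a2", "drop")
    p.rule("rule8", "c4", "a2")
    return p
```

Calling classify() before apply() returns None, mirroring the guide's note that a rule is not used until qos apply is entered.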
Layer 2 ACLs
Layer 2 filtering filters traffic at the MAC layer. Layer 2 filtering may be done for both bridged and routed
packets. As MAC addresses are learned on the switch, QoS classifies the traffic based on:
• MAC address or MAC group
• Source VLAN
• Physical slot/port or port group
The switch classifies the MAC address as both source and destination.
The following policy condition keywords are used for Layer 2 ACLs:
A group and an individual item cannot be specified in the same condition. For example, a source MAC
address and a source MAC group cannot be specified in the same condition.
Layer 2 ACL Condition Keywords
source mac
source mac group
source vlan
source port
source port group
ethertype
802.1p
destination mac
destination mac group
destination port
destination port group