Alcatel-Lucent 6850-48 网络指南

Using ACL Security Features

Configuring ACLs

page 41-16

OmniSwitch AOS Release 6 Network Configuration Guide

The following additional ACL features are available for improving network security and preventing mali-
cious activity on the network:

• UserPorts—A port group that identifies its members as user ports to prevent source address spoofing 

of IP and ARP traffic (per RFC 2267). When a port is configured as a member of this group, packets 
received on the port are dropped if they contain a source IP address that does not match the IP subnet 
for the port. It is also possible to configure a UserPorts profile to specify other types of traffic to moni-
tor on user ports. See 

. Note that this group and config-

uring a UseerPorts profile is not supported on the OmniSwitch 6800.

• DropServices—A service group that improves the performance of ACLs that are intended to deny 

packets destined for specific TCP/UDP ports. This group only applies to ports that are members of the 
UserPorts group. Using the DropServices group for this function minimizes processing overhead, 
which otherwise could lead to a DoS condition for other applications trying to use the switch. See 

. Note that this group is not supported on the 

OmniSwitch 6800. 

• BPDUShutdownPorts—A port group that identifies its members as ports that should not receive 

BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. Note that 
this group is not supported on the OmniSwitch 6400, 6850, 6855, and 9000. See 

• ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reduc-

ing DoS exposure from pings. Two condition parameters are also available to provide more granular 
filtering of ICMP packets: icmptype and icmpcode. See 

• TCP connection rules—Allows the determination of an established TCP connection by examining 

TCP flags found in the TCP header of the packet. Two condition parameters are available for defining 
a TCP connection ACL: established and tcpflags. See 

• Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing over-

head and exposure to ARP DoS attacks. No configuration is required to use this feature, it is always 
available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP, 
and Local Proxy ARP are not discarded. 

• ARP ACLs—It is also possible to create an ACL that will examine the source IP address in the header 

of ARP packets. This is done by specifying the ARP ethertype (0x0806) and source IP address. Note 
that this type of ACL is not supported on the OmniSwitch 6800.

To prevent IP address spoofing and/or other types of traffic on specific ports, create a port group called 
UserPorts and add the ports to that group. For example, the following 

 command adds 

ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:

-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1

-> qos apply

Note that the UserPorts group applies to both bridged and routed traffic, and it is not necessary to include 
the UserPorts group in a condition and/or rule for the group to take effect. Once ports are designated as 
members of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port.