Alcatel-Lucent 6800, 9000, 6850 Access Control Lists ACLs for IPv6, ACL & Layer 3 Security

Page 16

Software Supported

Access Control Lists (ACLs)

Access Control Lists (ACLs) are Quality of Service (QoS) policies used to control whether or not packets are allowed or denied at the switch or router interface. ACLs are sometimes referred to as filtering lists.

ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is speci- fied in the policy condition. The policy action determines whether the traffic is allowed or denied.

In general, the types of ACLs include:

•Layer 2 ACLs—for filtering traffic at the MAC layer. Usually uses MAC addresses or MAC groups for filtering.

•Layer 3/4 ACLs—for filtering traffic at the network layer. Typically uses IP addresses or IP ports for filtering; note that IPX filtering is not supported.

•Multicast ACLs—for filtering IGMP traffic.

Access Control Lists (ACLs) for IPv6

The 6.1.3.R01 release provides support for IPv6 ACLs on the OmniSwitch 6850 Series and OmniSwitch 9000 Series. The following QoS policy conditions are now available for configuring ACLs to filter IPv6 traffic:

source ipv6 destination ipv6 ipv6

nh (next header) flow-label

Note the following when using IPv6 ACLs:

•Trusted/untrusted behavior is the same for IPv6 traffic as it is for IPv4 traffic.

•IPv6 policies do not support the use of network groups, service groups, map groups, or MAC groups.

•IPv6 multicast policies are not supported.

•Anti-spoofing and other UserPorts profiles/filters do not support IPv6.

•The default (built-in) network group, “Switch”, only applies to IPv4 interfaces. There is no such group for IPv6 interfaces.

Note. IPv6 ACLs are not supported on A1 NI modules. Use the show ni command to verify the version of the NI module. Contact your Alcatel-Lucent support representative if you are using A1 boards.

ACL & Layer 3 Security

The following additional ACL features are available for improving network security and preventing mali- cious activity on the network:

•ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reduc- ing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode.

page 16

OmniSwitch 6800/6850/9000—Release 6.1.3.R01

Image 16

Contents Page OmniSwitch 6800 Series Getting Started guide Related DocumentationUpgrade Instructions for 6.1.3.R01 OmniSwitch 6800 Series OmniSwitch 6850 SeriesOmniSwitch 9000 Series Memory RequirementsNew Hardware Supported New Chassis Management Module CMM OS9800-CMMOmniSwitch 9000 OS-IP-SHELF PoE Power Shelf OmniSwitch 9600 Support for PS-510W AC/PS-360W ACGigabit Ethernet Transceiver SFP MSA Dual Speed Ethernet Transceivers100FX Ethernet Transceivers Module Type Part Number Supported Hardware/Software Combinations3.R01 Asic Physical New Software Features Feature Platform Software PackageVlan Range Support Software Supported BGP4PIM-SM 802.1W Rstp Default 802.1x Device Classification Access Guardian802.1Q 802.1Q 2005 MstpAccess Control Lists ACLs Access Control Lists ACLs for IPv6ACL & Layer 3 Security Source ipv6 destination ipv6 ipv6 Nh next header flow-labelACL Manager Authenticated VLANs Authenticated Switch AccessAutomatic Vlan Containment AVC Basic IPv4 Routing BGP Graceful RestartCommand Line Interface CLI Bpdu Shutdown PortsDhcp Relay Dhcp Option-82 Relay Agent Information OptionDynamic Vlan Assignment Mobility DNS ClientEnd User Partitioning Eupm HTTP/HTTPS Port Configuration Ethernet InterfacesGeneric UDP Relay Health StatisticsIP Multicast Switching Ipms Interswitch Protocol AmapIP DoS Enhancements IP Route Map Redistribution IP Multicast Switching Ipms ProxyingIPv6 NPD IPX Routing L2 Dhcp SnoopingL2 MAC Address Table Size Enhancement L2 Static Multicast AddressesLink Aggregation static & 802.3ad Learned Port Security LPSMulticast Routing NTP Client MultinettingOSPFv2/OSPFv3 Partitioned Switch Management Policy Based Routing Permanent ModePer-VLAN Dhcp Relay Policy Server ManagementPower over Ethernet PoE Quality of Service QoSPort Mapping Port MirroringRouter Discovery Protocol RDP Redirect Policies Port and Link AggregateRouting Protocol Preference Secure Shell SSH Public Key Authentication Secure Copy SCPSecure Shell SSH SSH Software Supported Operating SystemsSmart Continuous Switching OmniSwitch 6800/OmniSwitch Smart Continuous Switching OmniSwitchServer Load Balancing SLB SFlowSource Learning Software RollbackSwitch Logging Text File ConfigurationSpanning Tree Syslog to Multiple HostsUser Definable Loopback Interface Vlan Range SupportVlan Stacking and Translation VRRPv2/VRRPv3Web-Based Management WebView Supported Traps Trap Name Platforms DescriptionTrap Name Platforms Description Sion which was active on a slot cannot Trap Name Platforms Description Table gets dropped due to the overload Unsupported CLI Commands Unsupported Software FeaturesSoftware Feature Unsupported CLI Commands RIP Unsupported MIBs MIB Name Unsupported MIB variables Alcatel IND1AAAAlcatel IND1Bgp Alcatel IND1LAGMIB Name Unsupported MIB variables AlcatelIND1QoS AlcatelIND1SlbMIB Name Unsupported MIB variables AlcatelIND1VlanManagerIetfsnmp Command Line Interface CLI Open Problem Reports and Feature ExceptionsProblem Reports Rmon SFlowFeature Exceptions Web-Based Management WebViewOpen Problem Reports and Feature Exceptions Open Problem Reports and Feature Exceptions Layer AutonegotiationBridging Ethernet Interfaces Open Problem Reports and Feature Exceptions IP Multicast Switching Ipms Group MobilityLink Aggregation Port Mirroring/MonitoringSource Learning Open Problem Reports and Feature Exceptions Open Problem Reports and Feature Exceptions Spanning Tree Open Problem Reports and Feature Exceptions Vlan Stacking Basic IP Routing Dhcp SnoopingIPv6 Open Problem Reports and Feature Exceptions Server Load Balancing SLB UDP RelayAdvanced Routing Dvmrp OSPFv3PIM Quality of Service includes ACLs GeneralPolicy Manager Security 802.1x Authenticated Switch Access Authenticated VLANs Policy Server ManagementSystem Open Problem Reports and Feature Exceptions Chassis Supervision Open Problem Reports and Feature Exceptions Power Over Ethernet Open Problem Reports and Feature Exceptions Hot Swap Time Limitations for OmniSwitch Redundancy / Hot SwapOpen Problem Reports and Feature Exceptions Technical Support Region Phone Number