Alcatel-Lucent 6800, 9000, 6850 Access Control Lists ACLs for IPv6, ACL & Layer 3 Security

Models: 9000 6800 6850


Software Supported

Access Control Lists (ACLs)

Access Control Lists (ACLs) are Quality of Service (QoS) policies used to control whether or not packets are allowed or denied at the switch or router interface. ACLs are sometimes referred to as filtering lists.

ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is specified in the policy condition. The policy action determines whether the traffic is allowed or denied.

In general, the types of ACLs include:

Layer 2 ACLs—for filtering traffic at the MAC layer. Usually uses MAC addresses or MAC groups for filtering.

Layer 3/4 ACLs—for filtering traffic at the network layer. Typically uses IP addresses or IP ports for filtering; note that IPX filtering is not supported.

Multicast ACLs—for filtering IGMP traffic.

Access Control Lists (ACLs) for IPv6

The 6.1.3.R01 release provides support for IPv6 ACLs on the OmniSwitch 6850 Series and OmniSwitch 9000 Series. The following QoS policy conditions are now available for configuring ACLs to filter IPv6 traffic:

source ipv6

destination ipv6

ipv6

nh (next header)

flow-label

Note the following when using IPv6 ACLs:

Trusted/untrusted behavior is the same for IPv6 traffic as it is for IPv4 traffic.

IPv6 policies do not support the use of network groups, service groups, map groups, or MAC groups.

IPv6 multicast policies are not supported.

Anti-spoofing and other UserPorts profiles/filters do not support IPv6.

The default (built-in) network group, “Switch”, only applies to IPv4 interfaces. There is no such group for IPv6 interfaces.

Note. IPv6 ACLs are not supported on A1 NI modules. Use the show ni command to verify the version of the NI module. Contact your Alcatel-Lucent support representative if you are using A1 boards.

ACL & Layer 3 Security

The following additional ACL features are available for improving network security and preventing malicious activity on the network:

ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reducing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode.


OmniSwitch 6800/6850/9000—Release 6.1.3.R01
