Configuring ACLs
ACL Overview
OmniSwitch 6624/6648 Network Configuration Guide
April 2004
page 22-5
Rule Precedence
The switch attempts to classify flows coming into the switch according to precedence. For Layer 2 flows, the rule with the highest precedence will be applied to the flow. For Layer 3 flows, all rules that match the flow will be applied unless the rules are in conflict; if rules are in conflict, the rule with the higher precedence will be used. (This functionality is different from the OmniSwitch 7700/7800/8800, which will always apply the rule with the highest precedence.)
Precedence is determined by the following:
• The type of QoS rule (Layer 2 source, Layer 2 destination, or Layer 3)—When a flow comes into the switch, the Layer 2 source rules are examined first for a match. If no match is found, the Layer 2 destination rules are examined. If no match is found, the Layer 3 rules are examined.
• Precedence value—Each policy has a precedence value. The value may be user-configured through the policy rule command in the range from 0 (lowest) to 65535 (highest). (The range 30000 to 65535 is typically reserved for PolicyView.) By default, a policy rule has a precedence of 0.
• Configured rule order—If a flow matches more than one rule in a particular precedence list (for example, the Layer 2 source list), and both rules have the same precedence value, the rule that was configured first in the list will take precedence.
Note. If you configure bridged traffic to be classified as Layer 3 (through the qos classifyl3 bridged command), Layer 2 ACL rules are effectively disabled for IP traffic.
Example: Rule Type
In the following example, two rules (SourceRule and DestRule) are created to deny Layer 2 traffic with action a1. Two separate conditions are set up for the source and destination parameters (L2source and L2dest).
-> policy action a1 disposition deny
-> policy condition L2source source vlan 3
-> policy condition L2dest destination mac 00:20:da:05:f6:23
-> policy rule SourceRule condition L2source action a1
-> policy rule DestRule condition L2dest action a1 precedence 200
In this scenario, if traffic comes into the switch on VLAN 3 and is destined for MAC address 00:20:da:05:f6:23, the flow will match SourceRule, despite the higher precedence setting configured for DestRule. (SourceRule is using the default precedence setting, since it is not specified. The default is 100.) Layer 2 source rules always take precedence.
Example: Rule Order
If a policy is configured with the same precedence value as another policy of the same type with the same condition, the policy that was created first has the higher precedence. The new policy is considered lower priority.

In this example, two Layer 2 destination policy rules are created. Both policy rules have the same precedence value.
-> policy rule r1 precedence 100 condition c1 action a1
-> policy rule r2 precedence 100 condition c1 action a2
When traffic comes into the switch that matches c1, the switch will use rule r1.
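The following Python model is an added example, not code from the guide or from the OmniSwitch itself. It encodes the three precedence factors described above (rule list order, precedence value, configured order) plus the Layer 3 "apply all unless in conflict" behaviour, and then replays both the Rule Type and Rule Order examples so you can check which rule a given flow would hit before committing a policy. Flow fields such as source_vlan and dest_mac, the condition used for c1, the Layer 3 rules, and the choice to model "conflict" as a differing disposition are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# The switch walks the rule lists in this fixed order: Layer 2 source rules
# first, then Layer 2 destination rules, then Layer 3 rules (as documented).
LIST_ORDER = ("l2_source", "l2_destination", "l3")


@dataclass
class Rule:
    name: str
    rule_type: str                # one of LIST_ORDER
    condition: Dict[str, object]  # flow field -> value it must equal (assumed field names)
    disposition: str              # "accept" or "deny" (the action's disposition)
    precedence: int = 0           # 0 (lowest) .. 65535 (highest); default taken from the guide
    order: int = 0                # configuration order, set by Policy.add


class Policy:
    """Toy model of the guide's precedence rules; not switch code."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> Rule:
        # Configuration order is the final tie-breaker, so record it on insert.
        rule.order = len(self.rules)
        self.rules.append(rule)
        return rule

    @staticmethod
    def _matches(rule: Rule, flow: Dict[str, object]) -> bool:
        return all(flow.get(k) == v for k, v in rule.condition.items())

    def classify(self, flow: Dict[str, object]) -> List[Rule]:
        """Return the rule(s) the switch would apply to `flow`."""
        for list_name in LIST_ORDER:
            hits = [r for r in self.rules
                    if r.rule_type == list_name and self._matches(r, flow)]
            if not hits:
                continue  # no match in this list: fall through to the next one
            # Higher precedence value wins; equal values -> earliest configured.
            hits.sort(key=lambda r: (-r.precedence, r.order))
            if list_name != "l3":
                return [hits[0]]  # Layer 2 lists apply a single rule
            # Layer 3: every matching rule applies unless it conflicts with a
            # higher-precedence rule already chosen. "Conflict" is modelled here
            # (an assumption) as a differing disposition.
            chosen: List[Rule] = []
            for r in hits:
                if all(r.disposition == c.disposition for c in chosen):
                    chosen.append(r)
            return chosen
        return []  # no rule matched in any list


def example_rule_type() -> List[str]:
    """Rule Type example: SourceRule (L2 source) vs DestRule (L2 destination, precedence 200)."""
    p = Policy()
    p.add(Rule("SourceRule", "l2_source", {"source_vlan": 3}, "deny"))
    p.add(Rule("DestRule", "l2_destination",
               {"dest_mac": "00:20:da:05:f6:23"}, "deny", precedence=200))
    flow = {"source_vlan": 3, "dest_mac": "00:20:da:05:f6:23"}  # constructed flow
    return [r.name for r in p.classify(flow)]


def example_rule_order() -> List[str]:
    """Rule Order example: r1 and r2, same list, same precedence, same condition c1."""
    p = Policy()
    c1 = {"dest_mac": "00:20:da:05:f6:23"}  # constructed stand-in for condition c1
    p.add(Rule("r1", "l2_destination", c1, "deny", precedence=100))
    p.add(Rule("r2", "l2_destination", c1, "accept", precedence=100))
    return [r.name for r in p.classify({"dest_mac": "00:20:da:05:f6:23"})]


def example_layer3(conflicting: bool) -> List[str]:
    """Layer 3 behaviour: agreeing rules all apply; conflicting ones fall back to precedence."""
    p = Policy()
    p.add(Rule("ip_any", "l3", {"ip_proto": "tcp"}, "accept", precedence=10))
    p.add(Rule("ip_port", "l3", {"dst_port": 80},
               "deny" if conflicting else "accept", precedence=5))
    return [r.name for r in p.classify({"ip_proto": "tcp", "dst_port": 80})]


if __name__ == "__main__":
    print(example_rule_type())    # ['SourceRule']
    print(example_rule_order())   # ['r1']
    print(example_layer3(False))  # ['ip_any', 'ip_port']
    print(example_layer3(True))   # ['ip_any']
```

The Rule Type case shows why a high precedence value on DestRule does not help: the Layer 2 source list is searched first and already yields a match, so the destination list is never consulted. The Layer 3 cases show the other documented difference, where several matching rules can all apply as long as they agree.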