Software Supported
OmniSwitch 6800/6850/9000—Release 6.1.3.R01
page 17
• TCP connection rules—Allows the determination of an established TCP connection by examining TCP flags found in the TCP header of the packet. Two condition parameters are available for defining a TCP connection ACL: established and tcpflags.
• Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, and VRRP are not discarded.
• UserPorts—A port group that identifies its members as user ports to prevent spoofed IP traffic. When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP network address that does not match the IP subnet for the port.
• UserPorts Profile—In addition to spoofed traffic, it is also possible to configure a global UserPorts profile to specify additional types of traffic, such as BPDU, RIP, OSPF, and/or BGP, to monitor on user ports. The UserPorts profile also determines whether user ports will filter the unwanted traffic or will be administratively shut down when the traffic is received. Note that this profile only applies to those ports that are designated as members of the UserPorts port group.
• DropServices—A service group that improves the performance of ACLs that are intended to deny packets destined for specific TCP/UDP ports. This group only applies to ports that are members of the UserPorts group. Using the DropServices group for this function minimizes processing overhead, which otherwise could lead to a DoS condition for other applications trying to use the switch.
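The following Python model illustrates the per-port checks described above (UserPorts source-subnet validation, DropServices port denial, and the established TCP condition). It is an added example, not code from the release notes or from the switch; the port table, the DropServices entries, the sample packets and the ACK/RST reading of "established" are assumptions.

```python
"""Constructed model of the OmniSwitch UserPorts / DropServices checks.
Not the switch's own code; all tables below are assumed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed port table: UserPorts members and the IP subnet configured per port.
USER_PORTS = {
    "1/1": ip_network("10.1.1.0/24"),
    "1/2": ip_network("10.1.2.0/24"),
}
# Assumed DropServices group: (protocol, destination port) pairs to deny
# on UserPorts members before regular ACL evaluation.
DROP_SERVICES = {("tcp", 23), ("udp", 69)}

# TCP flag bits as laid out in the TCP header.
TCP_RST, TCP_ACK = 0x04, 0x10


@dataclass
class Packet:
    ingress_port: str
    src_ip: str
    proto: str
    dst_port: int
    tcp_flags: int = 0


def is_established(tcp_flags: int) -> bool:
    """'established' condition: assumed here to mean ACK or RST is set,
    i.e. the packet is not the opening SYN of a new connection."""
    return bool(tcp_flags & (TCP_ACK | TCP_RST))


def filter_packet(pkt: Packet) -> str:
    """Return 'drop:spoof', 'drop:service' or 'forward' for one packet."""
    subnet = USER_PORTS.get(pkt.ingress_port)
    if subnet is None:
        return "forward"  # not a UserPorts member: neither check applies
    # UserPorts: source address must belong to the subnet bound to the port.
    if ip_address(pkt.src_ip) not in subnet:
        return "drop:spoof"
    # DropServices: deny listed TCP/UDP destination ports cheaply.
    if (pkt.proto, pkt.dst_port) in DROP_SERVICES:
        return "drop:service"
    return "forward"


if __name__ == "__main__":
    for p in (Packet("1/1", "10.1.1.7", "tcp", 80, 0x18),
              Packet("1/1", "192.168.5.5", "tcp", 80),
              Packet("1/2", "10.1.2.9", "tcp", 23)):
        print(p.ingress_port, p.src_ip, "->", filter_packet(p))
```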
ACL Manager
The Access Control List Manager (ACLMAN) is a function of the Quality of Service (QoS) application
that provides an interactive shell for using common industry syntax to create ACLs. Commands entered
using the ACLMAN shell are interpreted and converted to Alcatel CLI syntax that is used for creating
QoS filtering policies.
This implementation of ACLMAN also provides the following features:
• Importing of text files that contain common industry ACL syntax.
• Support for both standard and extended ACLs.
• Creating ACLs on a single command line.
• The ability to assign a name, instead of a number, to an ACL or a group of ACL entries.
• Sequence numbers for named ACL statements.
• Modifying specific ACL entries without having to enter the entire ACL each time to make a change.
• The ability to add and display ACL comments.
• ACL logging extensions to display Layer 2 through 4 packet information associated with an ACL.
ACLMAN is supported on the OmniSwitch 6850 Series. The 6.1.3.R01 release provides support for this
feature on the OmniSwitch 9000 Series.