Using ACL Security Features Configuring ACLs
page 31-16 OmniSwitch 6800/6850/9000 Network Configuration Guide March 2008
Using ACL Security Features
The following additional ACL features are available for improving network security and preventing malicious activity on the network:
• UserPorts—A port group that identifies its members as user ports to prevent source address spoofing of IP and ARP traffic (per RFC 2267). When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP address that does not match the IP subnet for the port. It is also possible to configure a UserPorts profile to specify other types of traffic to monitor on user ports. See “Configuring a UserPorts Group” on page 31-16. Note that this group and configuring a UserPorts profile are not supported on the OmniSwitch 6800.
• DropServices—A service group that improves the performance of ACLs that are intended to deny packets destined for specific TCP/UDP ports. This group only applies to ports that are members of the UserPorts group. Using the DropServices group for this function minimizes processing overhead, which otherwise could lead to a DoS condition for other applications trying to use the switch. See “Configuring a DropServices Group” on page 31-17. Note that this group is not supported on the OmniSwitch 6800.
• BPDUShutdownPorts—A port group that identifies its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. Note that this group is not supported on the OmniSwitch 6850 or the OmniSwitch 9000. See “Configuring a BPDUShutdownPorts Group” on page 31-18.
• ICMP drop rules—Allows condition combinations in policies that will prevent user pings, thus reducing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode. See “Configuring ICMP Drop Rules” on page 31-19.
• TCP connection rules—Allows the determination of an established TCP connection by examining the TCP flags found in the TCP header of the packet. Two condition parameters are available for defining a TCP connection ACL: established and tcpflags. See “Configuring TCP Connection Rules” on page 31-19.
• Early ARP discard—ARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP, and Local Proxy ARP are not discarded.
• ARP ACLs—It is also possible to create an ACL that will examine the source IP address in the header of ARP packets. This is done by specifying the ARP ethertype (0x0806) and the source IP address. Note that this type of ACL is only supported on the OmniSwitch 9700 and OmniSwitch 6850.
Configuring a UserPorts Group
To prevent IP address spoofing and/or other types of traffic on specific ports, create a port group called
UserPorts and add the ports to that group. For example, the following policy port group command adds
ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:
-> policy port group UserPorts 1/1-24 2/1-24 3/1 4/1
-> qos apply
Note that the UserPorts group applies to both bridged and routed traffic, and it is not necessary to include
the UserPorts group in a condition and/or rule for the group to take effect. Once ports are designated as
members of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port.
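As an added illustration (not OmniSwitch code or configuration), the following Python model shows the per-port check that UserPorts membership enables: a packet arriving on a member port is dropped when its IP source address, or the sender address of an ARP packet, lies outside the IP subnet configured for that port, while packets on non-member ports are not examined. The port-to-subnet table, port names and sample packets are constructed for the example.

```python
# Illustrative model of the UserPorts ingress check (added example, not
# switch code): member ports drop IP/ARP packets whose source address is
# outside the subnet configured for the port (RFC 2267 style filtering).
import ipaddress
from dataclasses import dataclass

ARP_ETHERTYPE = 0x0806
IPV4_ETHERTYPE = 0x0800

# Constructed table; on a real switch the subnet comes from the IP interface
# configuration of the port's VLAN. Every UserPorts member must appear here.
PORT_SUBNET = {
    "1/1": ipaddress.ip_network("10.1.0.0/24"),
    "2/1": ipaddress.ip_network("10.2.0.0/24"),
}
# Result of: -> policy port group UserPorts 1/1 2/1   (constructed)
USER_PORTS = {"1/1", "2/1"}

@dataclass
class Packet:
    ingress_port: str
    ethertype: int
    src_ip: str   # IPv4 source address, or ARP sender protocol address

def user_port_verdict(pkt: Packet) -> str:
    """Return 'forward' or 'drop' for a packet received on a port."""
    if pkt.ingress_port not in USER_PORTS:
        return "forward"          # only group members are checked
    if pkt.ethertype not in (IPV4_ETHERTYPE, ARP_ETHERTYPE):
        return "forward"          # only IP and ARP sources are examined
    if pkt.ingress_port not in PORT_SUBNET:
        raise ValueError(f"no subnet configured for {pkt.ingress_port}")
    src = ipaddress.ip_address(pkt.src_ip)
    return "forward" if src in PORT_SUBNET[pkt.ingress_port] else "drop"

def filter_packets(packets):
    """Split packets into (forwarded, dropped) lists using the check above."""
    verdicts = [(p, user_port_verdict(p)) for p in packets]
    forwarded = [p for p, v in verdicts if v == "forward"]
    dropped = [p for p, v in verdicts if v == "drop"]
    return forwarded, dropped

# Constructed sample traffic.
SAMPLE = [
    Packet("1/1", IPV4_ETHERTYPE, "10.1.0.25"),     # host on its own subnet
    Packet("1/1", IPV4_ETHERTYPE, "192.0.2.7"),     # spoofed IP source
    Packet("1/1", ARP_ETHERTYPE, "10.2.0.9"),       # ARP sender from other subnet
    Packet("2/1", ARP_ETHERTYPE, "10.2.0.9"),       # legitimate ARP on 2/1
    Packet("3/1", IPV4_ETHERTYPE, "198.51.100.1"),  # not a user port: untouched
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for p in drp:
        print(f"drop    port {p.ingress_port} src {p.src_ip}")
    for p in fwd:
        print(f"forward port {p.ingress_port} src {p.src_ip}")
```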