Alcatel-Lucent OmniSwitch 6860 Series

1078 pages
Configuring QoS Using Access Control Lists
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 26-63
Using Access Control Lists
Access Control Lists (ACLs) are QoS policies used to control whether or not packet flows are allowed or
denied at the switch or router interface. ACLs are sometimes referred to as filtering lists.
ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is
specified in the policy condition. The policy action determines whether the traffic is allowed or denied.
For detailed descriptions about configuring policy rules, see “QoS Policy Overview” on page 26-28 and
“Creating Policies” on page 26-42.
In general, the types of ACLs include:
• Layer 2 ACLs—for filtering traffic at the MAC layer. Usually use MAC addresses or MAC groups for
  filtering.
• Layer 3/4 ACLs—for filtering traffic at the network layer. Typically use IP addresses or IP ports for
  filtering; note that IPX filtering is not supported.
• Multicast ACLs—for filtering IGMP traffic.
• Security ACLs—for improving network security. These ACLs utilize specific security features, such as
  UserPorts groups to prevent source IP address spoofing, ICMP drop rules, and TCP connection rules.
Layer 2 ACLs
Layer 2 filtering filters traffic at the MAC layer. Layer 2 filtering can be done for both bridged and routed
packets. As MAC addresses are learned on the switch, QoS classifies the traffic based on:
• MAC address or MAC group
• Source VLAN
• Physical slot/port or port group
The switch classifies the MAC address as both source and destination.
Layer 2 ACL: Example 1
In this example, the bridged disposition is left at its default, accept. Because accept is the default, the
qos default bridged disposition command only needs to be entered if the disposition had previously
been set to deny. The command is shown here for completeness.
-> qos default bridged disposition accept
-> policy condition Address1 source mac 080020:112233 source vlan 5
-> policy action BlockTraffic disposition deny
-> policy rule FilterA condition Address1 action BlockTraffic
In this scenario, traffic with a source MAC address of 08:00:20:11:22:33 coming in on VLAN 5 would
match condition Address1, which is a condition for a policy rule called FilterA. FilterA is then applied to
the flow. Since FilterA has an action (BlockTraffic) that is set to deny traffic, the flow would be denied
on the switch.
Note that although this example contains only Layer 2 conditions, it is possible to combine Layer 2 and
Layer 3 conditions in the same policy.
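The matching logic of Example 1, modeled in Python as an added illustration (not Alcatel-Lucent code and not how the switch is implemented). The function names are hypothetical, only the four command forms shown above are parsed, and checking rules in the order entered is an assumption of this model.

```python
import re

# The four commands from "Layer 2 ACL: Example 1", copied from the page.
CONFIG = """\
-> qos default bridged disposition accept
-> policy condition Address1 source mac 080020:112233 source vlan 5
-> policy action BlockTraffic disposition deny
-> policy rule FilterA condition Address1 action BlockTraffic
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse(config):
    """Parse only the command forms shown on the page (hypothetical helper)."""
    pol = {"default": "accept", "conditions": {}, "actions": {}, "rules": []}
    for line in config.splitlines():
        t = line.replace("->", "", 1).split()
        if t[:4] == ["qos", "default", "bridged", "disposition"]:
            pol["default"] = t[4]
        elif t[:2] == ["policy", "condition"]:
            cond, rest = {}, t[3:]
            for i in range(0, len(rest), 3):
                direction, key, value = rest[i:i + 3]
                if direction != "source":
                    raise ValueError("only source conditions are modeled")
                cond[key] = norm_mac(value) if key == "mac" else int(value)
            pol["conditions"][t[2]] = cond
        elif t[:2] == ["policy", "action"]:
            pol["actions"][t[2]] = t[4]
        elif t[:2] == ["policy", "rule"]:
            name, cond, action = t[2], t[4], t[6]
            if cond not in pol["conditions"] or action not in pol["actions"]:
                raise ValueError(f"rule {name} references an undefined name")
            pol["rules"].append((name, cond, action))
    return pol

def disposition(pol, src_mac, vlan):
    """Return (matching rule or None, disposition) for one bridged frame."""
    frame = {"mac": norm_mac(src_mac), "vlan": vlan}
    for name, cond, action in pol["rules"]:  # order entered: model assumption
        if all(frame[k] == v for k, v in pol["conditions"][cond].items()):
            return name, pol["actions"][action]
    return None, pol["default"]
```

A frame is denied only when both the source MAC and the source VLAN match Address1; a frame that misses either one falls through to the default bridged disposition.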