Configuring QoS Using Access Control Lists
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 26-69
-> qos user-port filter spoof bpdu rip
In the above command example, if spoof and bpdu were not specified, then the switch would only filter
RIP traffic.
The following qos user-port command example uses the shutdown option to administratively disable the
user port if the specified type of traffic is received on that port:
-> qos user-port shutdown bpdu
To disable the filter or shutdown function, use the no form of the qos user-port command. For example,
the following command disables the filtering operation for all user ports:
-> qos no user-port filter
Use the show qos config command to display the qos user-port command settings.
Configuring ICMP Drop Rules
Combining a Layer 2 condition for source VLAN with a Layer 3 condition for IP protocol is supported. In
addition, two new condition parameters are available to provide more granular filtering of ICMP packets:
icmptype and icmpcode. Use these two conditions together in a policy to block ICMP echo request and
reply packets without impacting switch performance.
The following example defines an ACL policy that prevents users from pinging by dropping echo request
ICMP packets at the source port:
-> policy condition pingEchoRequest source vlan 10 icmptype 8
-> policy action drop disposition drop
-> policy rule noping10 condition pingEchoRequest action drop
-> qos apply
Note that the above policy blocks only ICMP echo request traffic (type 8); all other ICMP traffic is still allowed.
Configuring TCP Connection Rules
Two condition parameters are available for defining a TCP connection ACL policy: established and
tcpflags. An ACL can be defined using the established parameter to identify packets that are part of an
established TCP connection and allow forwarding of the packets to continue. When this parameter is
invoked, TCP header information is examined to determine if the ack or rst flag bit is set. If this condition
is true, then the connection is considered established.
The following is an example ACL policy using the established condition parameter:
-> policy condition c destination ip 192.168.10.0 mask 255.255.255.0 established
-> policy condition c1 destination ip 192.168.10.0 mask 255.255.255.0
-> policy action drop disposition drop
-> policy action allow
-> policy rule r condition c action allow
-> policy rule r1 condition c1 action drop
-> qos apply
This example ACL policy drops any TCP connection attempt initiated to the 192.168.10.0 network, as well as
all other IP traffic destined for the 192.168.10.0 network. Only TCP connections initiated from the
192.168.10.0 network are allowed, because their return packets carry the ACK or RST flag and therefore
match the established condition in rule r before rule r1 is evaluated.
Note that the above example ACL would prevent FTP sessions, because an active-mode FTP server opens the
data connection back toward the client with a new SYN, which this policy drops. See the policy condition
established command page in the OmniSwitch AOS Release 8 CLI Reference Guide for more information.
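The following Python script is an added illustration, not part of this guide or of AOS, that models how the conditions in the ICMP and TCP examples above are evaluated against sample packets. It assumes first-match-wins evaluation in the listed rule order and that unmatched traffic is forwarded; both are simplifications of the switch's rule precedence and default disposition, and all packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header flags byte.
ACK, RST, SYN = 0x10, 0x04, 0x02

@dataclass
class Packet:
    """Constructed sample packet; only the fields the page's conditions look at."""
    dst: str                 # destination IPv4 address
    proto: str               # "tcp", "udp" or "icmp"
    vlan: int = 0            # source VLAN
    tcp_flags: int = 0       # TCP flags byte, 0 for non-TCP
    icmp_type: int = -1      # ICMP type, -1 for non-ICMP

def established(pkt: Packet) -> bool:
    """The guide's 'established' test: ACK or RST set in the TCP header.
    It is a stateless header check, not connection tracking."""
    return pkt.proto == "tcp" and bool(pkt.tcp_flags & (ACK | RST))

def matches(cond: dict, pkt: Packet) -> bool:
    """Every keyword in a policy condition must match (AND semantics)."""
    if "destination_ip" in cond:
        net = ipaddress.ip_network(cond["destination_ip"])
        if ipaddress.ip_address(pkt.dst) not in net:
            return False
    if cond.get("established") and not established(pkt):
        return False
    if "source_vlan" in cond and pkt.vlan != cond["source_vlan"]:
        return False
    if "icmptype" in cond and (pkt.proto != "icmp" or pkt.icmp_type != cond["icmptype"]):
        return False
    return True

def disposition(rules: list, pkt: Packet) -> str:
    """First matching rule wins; unmatched traffic is forwarded (assumed default)."""
    for cond, action in rules:
        if matches(cond, pkt):
            return action
    return "allow"

# The guide's two policies, expressed as (condition, action) pairs in rule order.
C = {"destination_ip": "192.168.10.0/24", "established": True}   # condition c
C1 = {"destination_ip": "192.168.10.0/24"}                        # condition c1
PING = {"source_vlan": 10, "icmptype": 8}                          # pingEchoRequest
RULES = [(C, "allow"), (C1, "drop"), (PING, "drop")]

if __name__ == "__main__":
    # A new SYN toward the protected network is dropped by r1 ...
    print(disposition(RULES, Packet("192.168.10.5", "tcp", tcp_flags=SYN)))        # drop
    # ... while the SYN-ACK answering an inside-initiated connection passes via r.
    print(disposition(RULES, Packet("192.168.10.5", "tcp", tcp_flags=SYN | ACK)))  # allow
```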