configuring ACL on 6850

raven22
Member
Posts: 29
Joined: 17 Jul 2008 04:31

configuring ACL on 6850

Post by raven22 »

Hello!
I have a question about configuring Access Lists on the 6850. Our network consists of a few 6850s, and each 6850 has a few rings of 6224s connected. My task is to create an ACL that isolates a certain subnetwork (/24) from other networks. Users of this subnetwork are connected to different 6224s that are connected to different 6850s. There is an opportunity to create an ACL on each 6224, but I want to have a more "global" way of resolving this task. I read the CLI manual for the 6850, but didn't find ACL rules like the 6224 has:
deny-udp any 1900 any any
deny-udp any 67 any any
deny any any 10.32.0.0 0.0.255.255
Does anybody know a solution to this problem?
P.S. We use OSPF between the 6850s, so the option of using different VLANs doesn't help, because we terminate all VLANs of the 6224s on the 6850s and all traffic is forwarded using the same VRF.
benny
Member
Posts: 750
Joined: 20 Oct 2007 14:51

Re: configuring ACL on 6850

Post by benny »

You read the documentation and did not find any ACL support?

OmniSwitch 6800/6850/9000 Network Configuration Guide -> page 31-1 "31 Configuring ACLs"

-benny
Regards,
Benny
raven22
Member
Posts: 29
Joined: 17 Jul 2008 04:31

Re: configuring ACL on 6850

Post by raven22 »

Sorry, I didn't read this document. Thanks a lot! I think I've found the needed information.
benny
Member
Posts: 750
Joined: 20 Oct 2007 14:51

Re: configuring ACL on 6850

Post by benny »

Syntax is quite different from Cisco approach but powerful. I personally like it.

There are some techtips available on the AlcaLu BPWS how to design your ACLs properly to avoid huge QOS slice consumption.

Consider reading them as well.

-benny
Regards,
Benny
raven22
Member
Posts: 29
Joined: 17 Jul 2008 04:31

Re: configuring ACL on 6850

Post by raven22 »

You meant the official Alcatel-Lucent site? Would you be so kind as to give me a direct link to these documents, because the official site of Alcatel-Lucent is not very suitable for searching. I've tried, but with no result.
raven22
Member
Posts: 29
Joined: 17 Jul 2008 04:31

Re: configuring ACL on 6850

Post by raven22 »

Thanks a lot! :)
raven22
Member
Posts: 29
Joined: 17 Jul 2008 04:31

Re: configuring ACL on 6850

Post by raven22 »

I have some trouble creating, or rather applying, policy rules. I've created the list of policy rules (conditions and network groups too):

policy network group ZHEK 10.32.51.0 mask 255.255.255.0
policy network group VPN 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.0.0.7 10.0.0.8 10.0.0.9
policy network group ANY 0.0.0.0 mask 128.0.0.0
policy condition Zhek_network source network group ZHEK destination network group ZHEK
policy condition ZHEK_to_Any source network group ZHEK destination network group ANY
policy condition Any_to_ZHEK source network group ANY destination network group ZHEK
policy condition ZHEK_to_VPN source ip 10.32.51.0 mask 255.255.255.248 destination network group VPN
policy condition VPN_to_ZHEK source network group VPN destination ip 10.32.51.0 mask 255.255.255.248
policy action Block disposition deny
policy action Allow disposition accept
policy rule Filter1 condition Zhek_network action Allow
policy rule Filter2 condition ZHEK_to_Any action Block
policy rule Filter3 condition Any_to_ZHEK action Block
policy rule Filter4 condition ZHEK_to_VPN action Allow
policy rule Filter5 condition VPN_to_ZHEK action Allow
qos apply

But I've noticed that when I apply this, only the Filter1 rule works correctly. I've tried to use different precedence levels, but with no result. If there is a situation where network groups overlap, then only one rule works. Is there a way to make all rules work simultaneously?
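As an added example (it is not from the thread and not Alcatel-Lucent code), the script below parses the policy lines posted above, lists every rule whose condition matches a given source/destination pair, and reports pairs of rules with conflicting dispositions whose conditions overlap. Only one rule can decide a packet's fate, so every such pair is a place where one filter silently shadows another. The tie-break in winning_rule (highest precedence wins, equal precedence resolved by configuration order) is an assumption made for illustration, not a statement of how the switch orders its rules; the addresses are the poster's, and the "precedence" keyword on a rule line is parsed only because the post mentions trying it.

```python
"""Overlap analysis for OmniSwitch-style 'policy' ACL rules (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the policy lines posted in the thread (poster's addresses).
CONFIG = """\
policy network group ZHEK 10.32.51.0 mask 255.255.255.0
policy network group VPN 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.0.0.7 10.0.0.8 10.0.0.9
policy network group ANY 0.0.0.0 mask 128.0.0.0
policy condition Zhek_network source network group ZHEK destination network group ZHEK
policy condition ZHEK_to_Any source network group ZHEK destination network group ANY
policy condition Any_to_ZHEK source network group ANY destination network group ZHEK
policy condition ZHEK_to_VPN source ip 10.32.51.0 mask 255.255.255.248 destination network group VPN
policy condition VPN_to_ZHEK source network group VPN destination ip 10.32.51.0 mask 255.255.255.248
policy action Block disposition deny
policy action Allow disposition accept
policy rule Filter1 condition Zhek_network action Allow
policy rule Filter2 condition ZHEK_to_Any action Block
policy rule Filter3 condition Any_to_ZHEK action Block
policy rule Filter4 condition ZHEK_to_VPN action Allow
policy rule Filter5 condition VPN_to_ZHEK action Allow
qos apply
"""


@dataclass
class Rule:
    name: str
    condition: str
    action: str
    precedence: int  # 0 when the rule line carries no 'precedence' keyword
    order: int       # position in the configuration (0 = first configured)


def _parse_addr_list(tokens):
    """Turn ['10.32.51.0', 'mask', '255.255.255.0', '10.0.0.1'] into networks (/32 without a mask)."""
    nets, i = [], 0
    while i < len(tokens):
        addr, mask = tokens[i], "255.255.255.255"
        if i + 2 < len(tokens) and tokens[i + 1] == "mask":
            mask, i = tokens[i + 2], i + 3
        else:
            i += 1
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def _parse_endpoint(tokens, groups):
    """Resolve 'network group NAME' or 'ip ADDR [mask M]' to a list of networks."""
    if tokens[:2] == ["network", "group"]:
        return groups[tokens[2]]
    if tokens[0] == "ip":
        return _parse_addr_list(tokens[1:])
    raise ValueError(f"unsupported endpoint spec: {' '.join(tokens)}")


def parse_policy(text):
    """Parse groups, conditions, actions and rules; 'qos apply' and blank lines are ignored."""
    groups, conditions, actions, rules = {}, {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["policy", "network", "group"]:
            groups[t[3]] = _parse_addr_list(t[4:])
        elif t[:2] == ["policy", "condition"]:
            body = t[3:]
            d = body.index("destination")
            conditions[t[2]] = (_parse_endpoint(body[body.index("source") + 1:d], groups),
                                _parse_endpoint(body[d + 1:], groups))
        elif t[:2] == ["policy", "action"]:
            actions[t[2]] = t[t.index("disposition") + 1]
        elif t[:2] == ["policy", "rule"]:
            prec = int(t[t.index("precedence") + 1]) if "precedence" in t else 0
            rules.append(Rule(t[2], t[t.index("condition") + 1], t[t.index("action") + 1], prec, len(rules)))
    return groups, conditions, actions, rules


def matching_rules(policy, src, dst):
    """Every (Rule, disposition) whose condition covers the src -> dst pair, in configuration order."""
    _, conditions, actions, rules = policy
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [(r, actions[r.action]) for r in rules
            if any(s in n for n in conditions[r.condition][0])
            and any(d in n for n in conditions[r.condition][1])]


def winning_rule(policy, src, dst):
    """ASSUMPTION for illustration: highest precedence wins, ties go to the earliest configured rule."""
    hits = matching_rules(policy, src, dst)
    if not hits:
        return None
    rule, disposition = max(hits, key=lambda h: (h[0].precedence, -h[0].order))
    return rule.name, disposition


def _nets_overlap(xs, ys):
    return any(x.overlaps(y) for x in xs for y in ys)


def conflicting_overlaps(policy):
    """Pairs of rules with different dispositions whose source AND destination sets overlap."""
    _, conditions, actions, rules = policy
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if actions[a.action] == actions[b.action]:
                continue
            (sa, da), (sb, db) = conditions[a.condition], conditions[b.condition]
            if _nets_overlap(sa, sb) and _nets_overlap(da, db):
                found.append((a.name, b.name))
    return found


if __name__ == "__main__":
    policy = parse_policy(CONFIG)
    for src, dst in [("10.32.51.5", "10.32.51.20"), ("10.32.51.5", "10.0.0.3"), ("10.0.0.3", "10.32.51.5")]:
        names = [f"{r.name}={disp}" for r, disp in matching_rules(policy, src, dst)]
        print(f"{src} -> {dst}: matches {names}; winner (assumed ordering) {winning_rule(policy, src, dst)}")
    print("conflicting overlaps:", conflicting_overlaps(policy))
```

Run it as-is to see that a packet inside the ZHEK /24 matches Filter1, Filter2 and Filter3 at once, and that the ZHEK /29 to VPN traffic matches both Filter2 (deny) and Filter4 (accept). Whatever the switch's actual ordering, only one of each pair can take effect, which is why narrowing the broad deny conditions or ranking the specific allows above them is the fix to look for.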