Allied Telesis x908 User Manual
AlliedWare Plus™ OS How To Note
Creating hardware ACLs
IP packets
You can filter IP packets on the basis of their source and/or destination IP addresses. The
command syntax is:
awplus(config)#access-list <3000-3699> <action> ip <source-ip-address> <destination-ip-address>
The source and destination IP addresses can be any of the following:
• a subnet. To specify this, enter the address and mask. You can specify the mask in slash
  notation or with a wildcard (reverse) mask:
awplus(config)#access-list 3000 permit ip 192.168.0.0/16 ...
awplus(config)#access-list 3000 permit ip 192.168.0.0 0.0.255.255 ...
• a single host. To specify this, enter the keyword host and then the address:
awplus(config)#access-list 3000 permit ip host 192.168.0.1 ...
• all source IPs or all destination IPs. To specify this, enter the keyword any:
awplus(config)#access-list 3000 permit ip any ...
ICMP packets
You can filter ICMP messages on the basis of:
• source IP address and/or destination IP address (using the same syntax as when filtering IP
  packets)
• ICMP message type, by specifying a type number. Popular types to filter include Echo Reply
  (0), Echo Request (8), Redirect (5), Destination Unreachable (3), Traceroute (30), and
  Time Exceeded (11)
The command syntax is:
awplus(config)#access-list <3000-3699> <action> icmp <source-ip-address> <destination-ip-address> [icmp-type <value>]
For example, the following ACL matches on all ICMP messages from 192.168.0.0/16:
awplus(config)#access-list 3000 permit icmp 192.168.0.0/16 any
For example, the following ACL matches on ICMP redirect messages to and from any
address:
awplus(config)#access-list 3000 permit icmp any any icmp-type 5
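The address forms and the optional ICMP type described above can be checked offline before an ACL is applied. The following Python model is an added example, not Allied Telesis code: it parses ACL lines in the syntax shown on this page and tests packets against them. The function names, the treatment of an ip ACL as matching every IP protocol, and the restriction to contiguous wildcard masks are assumptions of the example.

```python
import ipaddress

def parse_addr(tokens):
    """Consume one address specifier from the token list; return an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if "/" in first:                          # slash notation
        return ipaddress.ip_network(first, strict=False)
    # Wildcard (reverse) mask: invert the bits to get the ordinary netmask.
    # Assumption: the wildcard is contiguous; anything else raises ValueError.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def parse_acl(line):
    """Parse 'access-list <3000-3699> <action> ip|icmp <src> <dst> [icmp-type <n>]'."""
    tokens = line.split("#", 1)[-1].split()   # drop a pasted "awplus(config)#" prompt
    keyword, number, action, proto, *rest = tokens
    if keyword != "access-list" or proto not in ("ip", "icmp"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    if not 3000 <= int(number) <= 3699:
        raise ValueError("hardware ACL number must be in 3000-3699")
    acl = {"id": int(number), "action": action, "proto": proto,
           "src": parse_addr(rest), "dst": parse_addr(rest), "icmp_type": None}
    if proto == "icmp" and rest[:1] == ["icmp-type"]:
        acl["icmp_type"] = int(rest[1])
    return acl

def matches(acl, src, dst, proto="ip", icmp_type=None):
    """True if a packet with these header fields matches the ACL's filter."""
    if acl["proto"] == "icmp" and proto != "icmp":
        return False
    if acl["icmp_type"] is not None and acl["icmp_type"] != icmp_type:
        return False
    return (ipaddress.ip_address(src) in acl["src"]
            and ipaddress.ip_address(dst) in acl["dst"])

if __name__ == "__main__":
    # Constructed sample: the ICMP redirect ACL from the text, tested against two packets.
    redirect = parse_acl("awplus(config)#access-list 3000 permit icmp any any icmp-type 5")
    print(matches(redirect, "10.0.0.1", "10.0.0.2", "icmp", 5))   # redirect
    print(matches(redirect, "10.0.0.1", "10.0.0.2", "icmp", 8))   # echo request
```

Parsing the slash and wildcard forms of the same subnet yields identical networks, which makes this a quick way to confirm that a reverse mask covers the range you intended.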