
Making filters by applying hardware acls to ports – Allied Telesis x908 User Manual


Page 7 | AlliedWare Plus™ OS How To Note

Making filters by applying hardware ACLs to ports


You can create a filter by simply applying one or more ACLs to a port, as long as you can
select the matching traffic through hardware ACL keywords, as described above.

ACLs can be applied to switch ports and static channel groups. To apply an ACL to a dynamic
(LACP) channel group, apply the ACL to all ports that can be in the channel group.

The hardware filters act on incoming traffic, so apply them to the ingress ports.

Attaching ACLs

To apply ACLs to ports, enter interface mode for the port or ports you want to attach the
ACL to, and then use one of the following commands:

For IP hardware ACLs:

ip access-group <ip-acl-number>

For MAC hardware ACLs:

mac access-group <mac-acl-number>

If you have multiple ACLs on a port, attach them to the port in the order in which you want
the switch to check them (see “The logic of the operation of the hardware filters” on
page 13). You can alternate IP and MAC ACLs, like in the following example:

awplus(config-if)#ip access-group 3200

awplus(config-if)#ip access-group 3100

awplus(config-if)#mac access-group 4300

awplus(config-if)#ip access-group 3150

awplus(config-if)#mac access-group 4350

Viewing port information

To see a list of the ACLs that are directly attached to a port, use the following command:

awplus#show interface <range> access-group

Changing ACL order

It is not possible to change the order of ACLs once you have attached them to a port.
Instead, remove ACLs from the port by entering interface mode for the port and using the
commands:

no ip access-group <ip-acl-number>

no mac access-group <mac-acl-number>

Then re-enter them in the desired order.
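
The removal and re-entry steps can be worked out before touching the switch. The following Python sketch is an added example, not part of the Allied Telesis manual: it assumes a newly attached ACL is checked after those already on the port, and the function name `plan_reorder` and the port name `port1.0.1` are placeholders chosen for illustration.

```python
# Added example: plan the commands for reordering hardware ACLs on a port.
# Assumption: a newly attached ACL is checked after those already attached,
# so attach order equals check order.

def plan_reorder(current, desired, interface):
    """Return the CLI lines that turn the `current` ACL order into `desired`.

    Each ACL is a (kind, number) tuple, kind being "ip" or "mac".
    """
    for kind, _ in current + desired:
        if kind not in ("ip", "mac"):
            raise ValueError(f"unknown ACL kind: {kind!r}")
    if len(set(desired)) != len(desired):
        raise ValueError("desired order lists an ACL twice")

    # ACLs at the head of the list that are already in the right position
    # stay attached, so they keep filtering while the rest is rebuilt.
    keep = 0
    while (keep < len(current) and keep < len(desired)
           and current[keep] == desired[keep]):
        keep += 1

    lines = []
    if current[keep:] or desired[keep:]:
        lines.append(f"interface {interface}")
    # Detach everything from the first out-of-place ACL onward...
    for kind, number in current[keep:]:
        lines.append(f"no {kind} access-group {number}")
    # ...then re-attach in the order the switch should check them.
    for kind, number in desired[keep:]:
        lines.append(f"{kind} access-group {number}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the ACL order from the example on this page,
    # with ACLs 4300 and 3150 swapped. The port name is a placeholder.
    current = [("ip", 3200), ("ip", 3100), ("mac", 4300), ("ip", 3150), ("mac", 4350)]
    desired = [("ip", 3200), ("ip", 3100), ("ip", 3150), ("mac", 4300), ("mac", 4350)]
    for line in plan_reorder(current, desired, "port1.0.1"):
        print(line)
```

ACLs that are detached do not filter traffic until they are re-attached, so the plan keeps the unchanged leading ACLs in place and touches only the ones from the first out-of-order entry onward.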
