
Defining Hardware IP ACLs – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT, x310-26FP, x310-50FT, x310-50FP) User Manual


Access Control Lists Introduction    Software Reference for x310 Series Switches    33.6
AlliedWare Plus(TM) Operating System - Version 5.4.4C    C613-50046-01 REV A

Example

To permit packets coming from a specific MAC address of 0030.841A.1234 and with any
destination address:

    awplus# configure terminal
    awplus(config)# access-list 4000 permit 0030.841A.1234 0000.0000.0000 any

Defining Hardware IP ACLs

Hardware IP ACLs filter traffic based on the source or destination IP addresses
contained within the data frames (and, for TCP, UDP and ICMP, optionally on ports or
ICMP type). They are applied to ports in the form of access groups.

An IP access list requires the following components:

an ACL number in the range 3000-3699

an action, see “Actions for Hardware ACLs” on page 33.7

a packet type:

    • IP: matches any type of IP packet. A source and destination address must also
      be specified, although either can be “any”.

    • ICMP: matches ICMP packets. A source and destination address must also be
      specified, although either can be “any”. An ICMP type can optionally be
      specified after the destination address.

    • TCP: matches TCP packets. A source and destination address must also be
      specified, although either can be “any”. After the source address a source
      port can optionally be specified, and after the destination address a
      destination port can optionally be specified. Port matching uses eq (equal
      to), gt (greater than), lt (less than), ne (not equal to), or range (a range
      of ports, which requires a start port and an end port).

    • UDP: matches UDP packets and has the same options as TCP.

    • proto: allows any IP protocol type to be specified. A source and destination
      address must also be specified, although either can be “any”.

For example, to match (and permit) any type of IP packet with a destination address of
192.168.1.1:

    awplus(config)# access-list 3000 permit ip any 192.168.1.1/32

To match (and permit) an ICMP packet with a source address of 192.168.x.x and an ICMP
type of 4 (the keyword is icmp-type; it matches the ICMP type field, not the code):

    awplus(config)# access-list 3001 permit icmp 192.168.0.0/16 any icmp-type 4

To match (and permit) a TCP packet with a source address of 192.168.x.x, a source port
of 80 and a destination port from 100 to 150:

    awplus(config)# access-list 3002 permit tcp 192.168.0.0/16 eq 80 any range 100 150
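The syntax this section describes (numbers 3000-3699; the ip, icmp, tcp, udp and proto packet types; “any” or prefix-length addresses; the eq/gt/lt/ne/range port qualifiers after the source and destination; an optional icmp-type) is small enough to model off-box, which is a cheap way to confirm that a rule permits exactly the traffic you intended before it is attached to a port. The following Python parser and matcher is an added example, not Allied Telesis code or switch output. It checks candidate access-list lines against that syntax and evaluates constructed packets against the three IP examples above plus one constructed proto entry. Assumptions: only the permit and deny actions are modelled (the full list is on the referenced “Actions for Hardware ACLs” page); Packet, parse_acl and lookup are the example's own names; and no default action is assumed for traffic that matches no entry, because this page does not state one.

```python
"""Off-box parser/matcher for the hardware IP ACL syntax on this page (added example, not
Allied Telesis code).  Assumption: only the permit and deny actions are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

PORT_OPS = ("eq", "gt", "lt", "ne", "range")
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}        # IANA IP protocol numbers

@dataclass
class PortMatch:
    op: str
    lo: int
    hi: int = 0                                       # end port, "range" only

    def matches(self, port: int) -> bool:
        return {"eq": port == self.lo, "ne": port != self.lo, "gt": port > self.lo,
                "lt": port < self.lo, "range": self.lo <= port <= self.hi}[self.op]

@dataclass
class AclEntry:
    number: int
    action: str
    proto: Union[str, int]                            # ip/icmp/tcp/udp or a protocol number
    src: Optional[ipaddress.IPv4Network]              # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    sport: Optional[PortMatch] = None
    dport: Optional[PortMatch] = None
    icmp_type: Optional[int] = None

@dataclass
class Packet:                                         # constructed input: fields an IP ACL inspects
    src: str
    dst: str
    proto: int                                        # IP protocol number
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

def _net(tok: str) -> Optional[ipaddress.IPv4Network]:   # "any" -> None
    return None if tok == "any" else ipaddress.IPv4Network(tok, strict=False)

def _port(t: list, i: int) -> tuple:
    """Consume an optional eq/gt/lt/ne/range qualifier at t[i]; return (match, next i)."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return None, i
    need = 3 if t[i] == "range" else 2                # keyword plus one or two port numbers
    if i + need > len(t):
        raise ValueError(f"'{t[i]}' needs {need - 1} port number(s)")
    hi = int(t[i + 2]) if t[i] == "range" else 0
    return PortMatch(t[i], int(t[i + 1]), hi), i + need

def parse_acl(line: str) -> AclEntry:
    """Parse one access-list line; ValueError for anything the page's syntax forbids."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"expected 'access-list <number> permit|deny ...': {line!r}")
    number = int(t[1])
    if not 3000 <= number <= 3699:
        raise ValueError(f"{number}: hardware IP ACL numbers are 3000-3699")
    proto, i = (int(t[4]), 5) if t[3] == "proto" else (t[3], 4)   # "proto N": protocol number
    if proto not in ("ip", "icmp", "tcp", "udp") and not isinstance(proto, int):
        raise ValueError(f"unknown packet type {proto!r}")
    has_ports, icmp_type = proto in ("tcp", "udp"), None
    src, i = _net(t[i]), i + 1
    sport, i = _port(t, i) if has_ports else (None, i)             # source port after source
    if i >= len(t):
        raise ValueError("destination address is required (use 'any')")
    dst, i = _net(t[i]), i + 1
    dport, i = _port(t, i) if has_ports else (None, i)             # destination port after dest
    if proto == "icmp" and i + 1 < len(t) and t[i] == "icmp-type":
        icmp_type, i = int(t[i + 1]), i + 2
    if i != len(t):
        raise ValueError(f"unexpected trailing tokens: {t[i:]}")
    return AclEntry(number, t[2], proto, src, dst, sport, dport, icmp_type)

def matches(e: AclEntry, p: Packet) -> bool:
    want = None if e.proto == "ip" else PROTO_NUM.get(e.proto, e.proto)   # "ip" matches any protocol
    return all((
        want is None or p.proto == want,
        e.src is None or ipaddress.IPv4Address(p.src) in e.src,
        e.dst is None or ipaddress.IPv4Address(p.dst) in e.dst,
        e.sport is None or e.sport.matches(p.sport),
        e.dport is None or e.dport.matches(p.dport),
        e.icmp_type is None or p.icmp_type == e.icmp_type,
    ))

def lookup(entries: list, p: Packet) -> Optional[AclEntry]:
    """First entry, in the order given, that matches p, else None (no default action assumed)."""
    return next((e for e in entries if matches(e, p)), None)

# The three IP examples from this page plus one constructed "proto" entry (47 = GRE).
EXAMPLE_ACLS = [parse_acl(s) for s in (
    "access-list 3000 permit ip any 192.168.1.1/32",
    "access-list 3001 permit icmp 192.168.0.0/16 any icmp-type 4",
    "access-list 3002 permit tcp 192.168.0.0/16 eq 80 any range 100 150",
    "access-list 3003 deny proto 47 any any",
)]
```

Two things worth noticing when you run it: a TCP packet from 192.168.3.4:80 to 192.168.1.1 is reported against entry 3000, not 3002, because the list is consulted in order and the broader ip entry comes first; and `range 100` with a single port is rejected at parse time, matching the rule above that range requires a start and an end port.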