Actions for hardware acls, Attaching hardware acls to interfaces – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
Access Control Lists Introduction
Software Reference for x310 Series Switches, C613-50046-01 REV A. AlliedWare Plus™ Operating System - Version 5.4.4C, page 33.7
To match a UDP packet with a source address of 192.168.x.x, a destination address of 192.168.1.x, and a destination port greater than 80:

awplus(config)# access-list 3003 permit udp 192.168.0.0/16 192.168.1.0/24 gt 80

Note that an IP address mask can be specified using any of the following notations:
■ “A.B.C.D/M”: This is the most common; e.g. 192.168.1.0/24
■ “A.B.C.D A.B.C.D”: The second address is a wildcard mask in which set bits are ignored, so 192.168.1.1 0.0.0.0 is the same as 192.168.1.1/32 and 192.168.1.1 255.255.255.255 is the same as “any”
■ “host A.B.C.D”: This is the same as A.B.C.D/32

Actions for Hardware ACLs

The following actions are available for Hardware ACLs:
■ deny: Discard the packet.
■ permit: Allow the packet.
■ copy-to-cpu: Send a copy of the packet to the CPU and forward it as well. This is the same as copy,forward in AW hardware filters.
■ send-to-cpu: Send the packet to the CPU and do not forward it. This is the same as copy, discard in AlliedWare hardware filters.
■ send-to-mirror: Send the packet to the mirror port so packets are not switched.
■ copy-to-mirror: Send a copy of the packet to the mirror port and forward it as well.

Attaching hardware ACLs to interfaces

A hardware ACL is attached directly to a switchport using the access-group command.
For example, to permit traffic from 192.168.1.x, but discard from 192.168.x.x:

awplus# configure terminal
awplus(config)# access-list 3000 permit ip 192.168.1.0/24 any
awplus(config)# access-list 3001 deny ip 192.168.0.0/16 any
awplus(config)# interface port1.0.1
awplus(config-if)# access-group 3000
awplus(config-if)# access-group 3001
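
The address notations and the ACLs above can be checked offline with the following Python model, which is an added example and not part of the Allied Telesis manual or of AlliedWare Plus. It assumes ACLs are checked in the order they are attached and that the first match decides, and it writes ACL 3001 as 192.168.0.0/16 so that it covers 192.168.x.x as the text describes. The function names and sample packets are constructed for illustration.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    """Consume one address spec from tokens; return (value, care_mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":                           # host A.B.C.D == A.B.C.D/32
        return ip_int(tokens.pop(0)), 0xFFFFFFFF
    if "/" in tok:                              # A.B.C.D/M
        net = ipaddress.IPv4Network(tok, strict=False)
        return int(net.network_address), int(net.netmask)
    care = ~ip_int(tokens.pop(0)) & 0xFFFFFFFF  # A.B.C.D A.B.C.D: set bits are ignored
    return ip_int(tok) & care, care

def parse_acl(line):
    t = line.split()      # access-list <id> <action> <proto> <src> <dst> [gt <port>]
    rest = t[4:]
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3],
            "src": parse_addr(rest), "dst": parse_addr(rest)}
    rule["dport_gt"] = int(rest[1]) if rest[:1] == ["gt"] else None
    return rule

def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    for field in ("src", "dst"):
        value, care = rule[field]
        if (ip_int(pkt[field]) & care) != value:
            return False
    return rule["dport_gt"] is None or pkt.get("dport", 0) > rule["dport_gt"]

def evaluate(acls, pkt):
    """Assumption: ACLs are checked in attachment order; the first match decides."""
    for rule in acls:
        if matches(rule, pkt):
            return rule["action"], rule["id"]
    return "no-match", None

# ACLs from the text, in the order they are attached to port1.0.1
PORT_ACLS = [parse_acl("access-list 3000 permit ip 192.168.1.0/24 any"),
             parse_acl("access-list 3001 deny ip 192.168.0.0/16 any")]
UDP_ACL = parse_acl("access-list 3003 permit udp 192.168.0.0/16 192.168.1.0/24 gt 80")

if __name__ == "__main__":
    for src in ("192.168.1.7", "192.168.2.5", "10.0.0.1"):  # constructed sample sources
        print(src, evaluate(PORT_ACLS, {"proto": "tcp", "src": src, "dst": "10.1.1.1"}))
```

Reversing the attachment order makes ACL 3001 match 192.168.1.x first under this model, and a /24 on the deny rule would cover only 192.168.0.x.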