Filtering hardware acls with qos, Step 5: add policy-maps to ports – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
Access Control Lists Introduction
Software Reference for x310 Series Switches
C613-50046-01 REV A
AlliedWare Plus™ Operating System - Version 5.4.4C
Step 5: Add policy-maps to ports

Add policy-map pmap1 to port1.0.1:

awplus(config)# interface port1.0.1
awplus(config-if)# service-policy input pmap1

Note that multiple interface ACLs can be attached to the same port, of either type, and can be interleaved. The order of matching is based on the order in which the ACLs were attached to the port. Only one ACL can be attached to a class-map, but multiple class-maps can be attached to a policy-map. Interface ACLs can be attached to the same port as a QoS policy, with the interface ACLs being matched first as described at the beginning of the Classification section.

Filtering hardware ACLs with QoS

Another reason for using QoS rather than interface ACLs is that QoS provides many more fields on which to match. These are accessed through the match commands in config-cmap mode.

Config-cmap mode describes the fields that can be matched on. Only one of each type can be matched, with the exception of tcp-flags (see below for classification). If multiple matches are specified, they are ANDed together.

The following example shows how you can match a packet on vlan 2 that has a source IP address of 192.168.x.x and a DSCP of 12:

Create ACL 3000 to permit all packets from the 192.168 subnet:

awplus# configure terminal
awplus(config)# access-list 3000 permit ip 192.168.0.0/16 any

Apply ACL 3000 to the class-map cmap1 and add the matching criteria of vlan 2 and DSCP 12:

awplus(config)# class-map cmap1
awplus(config-cmap)# match access-group 3000
awplus(config-cmap)# match vlan 2
awplus(config-cmap)# match dscp 12
awplus(config-cmap)# exit
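
The matching rules for cmap1, modelled as an added Python example that is not part of the manual or of Allied Telesis code: it parses only the commands shown in this example and evaluates constructed packets to show that every criterion must hold at once. The function names and packet fields are assumptions, and only the match decision is modelled, not the ACL action or any QoS treatment.

```python
import ipaddress
# Added example: commands copied from this page; function names and packet fields are illustrative.
CONFIG = """access-list 3000 permit ip 192.168.0.0/16 any
class-map cmap1
match access-group 3000
match vlan 2
match dscp 12
exit"""

def parse(config):
    """Parse the command subset used on this page into (acls, class_maps)."""
    acls, cmaps, current = {}, {}, None
    for words in (ln.split() for ln in config.splitlines() if ln.strip()):
        if words[0] == "access-list":  # access-list <id> <action> ip <src> <dst>
            acls[int(words[1])] = (words[4], words[5])
        elif words[0] == "class-map":
            current = cmaps.setdefault(words[1], {})
        elif words[0] == "match" and current is not None:
            kind = words[1]
            if kind not in ("access-group", "vlan", "dscp"):
                raise ValueError(f"match type not modelled here: {kind}")
            if kind in current:  # only one match of each type per class-map
                raise ValueError(f"duplicate match type: {kind}")
            current[kind] = int(words[2])
    return acls, cmaps

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def classify(packet, cmap, acls):
    """True only when every criterion in the class-map holds (logical AND)."""
    for kind, value in cmap.items():
        if kind == "access-group":
            src, dst = acls[value]
            if not (in_net(packet["src"], src) and in_net(packet["dst"], dst)):
                return False
        elif packet[kind] != value:
            return False
    return True

# Constructed sample packets: only the first satisfies all three criteria.
PACKETS = [
    {"src": "192.168.10.5", "dst": "10.0.0.1", "vlan": 2, "dscp": 12},
    {"src": "192.168.10.5", "dst": "10.0.0.1", "vlan": 3, "dscp": 12},
    {"src": "172.16.0.9", "dst": "10.0.0.1", "vlan": 2, "dscp": 12},
    {"src": "192.168.10.5", "dst": "10.0.0.1", "vlan": 2, "dscp": 0},
]
acls, cmaps = parse(CONFIG)
print([classify(p, cmaps["cmap1"], acls) for p in PACKETS])
```

Each of the last three packets fails exactly one criterion (VLAN, source subnet, DSCP), which is why a class-map built this way is narrower than ACL 3000 alone.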