
Allied Telesis AT-8100 Series User Manual

Page 1534


Chapter 98: Advanced Access Control Lists (ACLs)


Numbered IPv4 ACL with Protocol Packets Example

This is the command format for creating Numbered IPv4 ACLs that filter
packets of the specified protocol based on source and destination IPv4
addresses:

access-list id_number action proto protocol_number src_ipaddress dst_ipaddress [vlan vid]

The ID_NUMBER parameter assigns the ACL a unique ID number in the
range of 3000 to 3699. Within this range, you can number ACLs in any
order.

The ACTION parameter specifies the action that the port performs on
packets matching the filtering criteria of the ACL. Here are the possible
actions:

permit— Forwards all ingress packets that match the ACL. Ports,
by default, accept all ingress packets. Consequently, a permit ACL
is only necessary when you want a port to forward a subset of
packets that are otherwise discarded.

deny— Discards all ingress packets that match the ACL.

copy-to-mirror— Copies all ingress packets that match the ACL to
the destination port of the mirror port. This action must be used
together with the port mirror feature, explained in Chapter 27, “Port
Mirror” on page 465.

The PROTOCOL_NUMBER parameter specifies a protocol number. You can
specify one protocol number per command. Refer to Table 191, “Protocol
Numbers” on page 1581 for the list of protocol numbers.

The SRC_IPADDRESS and DST_IPADDRESS parameters specify the
source and destination IP addresses. Choose from the following options:

any— Matches any IPv4 address.

ipaddress/mask— Matches packets that have an IPv4 address of a
subnet or an end node. The mask is a decimal number that
represents the number of bits in the address, from left to right, that
constitute the network portion of the address. For example, the
subnet address 149.11.11.0/24 has a mask of “24” for the first
twenty-four bits of the network portion of the address. The IPv4
address and the mask are separated by a slash (/); for example,
“149.11.11.0/24.”

host ipaddress— Matches packets with a specified IPv4 address
and is an alternative to the IPADDRESS/MASK variable for
addresses of end nodes. The HOST keyword indicates that the
IPv4 address is assigned to a specific end node and that no mask
is required.
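The following is an added worked example, not code from the Allied Telesis manual or from the switch firmware. It parses the numbered IPv4 ACL command format described above into a rule, enforcing the ID range (3000 to 3699), the three actions, the protocol number, and the three address forms (any, ipaddress/mask, host ipaddress), and then tests constructed sample packets against the parsed rules. The port_decision function models the default-accept behaviour the text describes (a port forwards everything unless a deny matches, and a permit carves a subset back out); that precedence, and treating the optional vlan parameter as restricting the match to one ingress VLAN, are assumptions of this example, since this page does not spell them out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the Allied Telesis manual: a parser and matcher for
#   access-list id_number action proto protocol_number src_ipaddress dst_ipaddress [vlan vid]

ACTIONS = {"permit", "deny", "copy-to-mirror"}
ID_RANGE = range(3000, 3700)  # numbered IPv4 ACLs: 3000 to 3699 inclusive


@dataclass
class Ipv4Acl:
    id_number: int
    action: str
    protocol: int
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]  # None means "any"
    vlan: Optional[int] = None            # optional [vlan vid]


def parse_address(tokens: List[str], pos: int) -> Tuple[Optional[ipaddress.IPv4Network], int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D/mask'.
    Returns (network or None for any, index of the next unread token)."""
    tok = tokens[pos]
    if tok == "any":
        return None, pos + 1
    if tok == "host":
        # 'host' takes a bare end-node address; no mask is written (equivalent to /32)
        if pos + 1 >= len(tokens):
            raise ValueError("'host' must be followed by an IPv4 address")
        return ipaddress.IPv4Network(tokens[pos + 1]), pos + 2
    if "/" not in tok:
        raise ValueError(f"address {tok!r} needs a /mask, or use 'host' or 'any'")
    # strict=True (the default) rejects host bits set under the mask, e.g. 149.11.11.5/24
    return ipaddress.IPv4Network(tok), pos + 1


def parse_acl(line: str) -> Ipv4Acl:
    """Parse one numbered IPv4 ACL command line into an Ipv4Acl rule."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[3] != "proto":
        raise ValueError("expected: access-list ID ACTION proto NUM SRC DST [vlan VID]")
    id_number = int(tokens[1])
    if id_number not in ID_RANGE:
        raise ValueError(f"id {id_number} is outside 3000-3699 for numbered IPv4 ACLs")
    action = tokens[2]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; use permit, deny or copy-to-mirror")
    protocol = int(tokens[4])
    if not 0 <= protocol <= 255:
        raise ValueError(f"protocol number {protocol} is out of range")
    src, pos = parse_address(tokens, 5)
    dst, pos = parse_address(tokens, pos)
    vlan = None
    if pos < len(tokens):
        if tokens[pos] != "vlan" or pos + 1 >= len(tokens):
            raise ValueError("trailing tokens must be 'vlan VID'")
        vlan = int(tokens[pos + 1])
        pos += 2
    if pos != len(tokens):
        raise ValueError(f"unexpected tokens: {tokens[pos:]}")
    return Ipv4Acl(id_number, action, protocol, src, dst, vlan)


def acl_matches(acl: Ipv4Acl, proto: int, src_ip: str, dst_ip: str, vlan: Optional[int] = None) -> bool:
    """True if a packet (protocol number, source, destination, ingress VLAN)
    meets the ACL's filtering criteria."""
    if proto != acl.protocol:
        return False
    if acl.vlan is not None and vlan != acl.vlan:  # assumption: vlan restricts the match
        return False
    if acl.src is not None and ipaddress.IPv4Address(src_ip) not in acl.src:
        return False
    if acl.dst is not None and ipaddress.IPv4Address(dst_ip) not in acl.dst:
        return False
    return True


def port_decision(acls: List[Ipv4Acl], proto: int, src_ip: str, dst_ip: str, vlan: Optional[int] = None) -> str:
    """Assumed evaluation model: the port forwards by default; a matching deny
    discards the packet unless a matching permit carves it back out;
    copy-to-mirror does not change the forwarding verdict."""
    hits = [a.action for a in acls if acl_matches(a, proto, src_ip, dst_ip, vlan)]
    if "permit" in hits:
        return "forward"
    if "deny" in hits:
        return "discard"
    return "forward"


if __name__ == "__main__":
    # Constructed sample rules: block TCP (protocol 6) from 149.11.11.0/24,
    # but permit the single end node 149.11.11.20 from that subnet.
    rules = [
        parse_acl("access-list 3000 deny proto 6 149.11.11.0/24 any"),
        parse_acl("access-list 3001 permit proto 6 host 149.11.11.20 any"),
    ]
    print(port_decision(rules, 6, "149.11.11.5", "10.0.0.1"))   # discard
    print(port_decision(rules, 6, "149.11.11.20", "10.0.0.1"))  # forward
    print(port_decision(rules, 17, "149.11.11.5", "10.0.0.1"))  # forward (UDP matches no rule)
```

Because ipaddress.IPv4Network is constructed with strict=True, a source such as 149.11.11.5/24 is rejected rather than silently widened to the subnet, which mirrors the manual's point that the mask counts the network bits of the written address; use host ipaddress for a single end node.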