Allied Telesis X900-12XT/S, x908 manual Blocking all multicast traffic except one address

Page 15

Examples

Blocking all multicast traffic except one address

This example uses two interface ACLs, one with an action of permit and one with an action of deny.

Use this type of configuration when you want to discard a wide range of traffic but want to forward a subset of traffic within that range.

Consider a situation where you want to prevent the forwarding of multicast traffic in general, but wish to support an application that needs to send packets to one particular multicast address (236.5.8.213 in this example). To configure this:

1. Create an ACL to match and permit packets with the multicast destination address 236.5.8.213. To do this, enter global configuration mode and use the command:

awplus(config)#access-list 3050 permit ip any 236.5.8.213/32

2. Create an ACL to match and deny all packets with a multicast destination address. To do this, use the command:

awplus(config)#access-list 3100 deny ip any 224.0.0.0/4

3. Attach the ACLs to the port (for example, 1.0.10). You must first attach the permit ACL, then the deny ACL. To do this, use the commands:

awplus(config)#interface port1.0.10

awplus(config-if)#ip access-group 3050

awplus(config-if)#ip access-group 3100

Mirroring HTTP and SMTP traffic

This example uses two interface ACLs with actions of copy-to-mirror.

Use this type of configuration when you want to mirror a subset of the incoming traffic on a port, instead of mirroring all incoming traffic.

Consider a situation where you want to capture the HTTP (TCP port 80) and SMTP (TCP port 25) traffic coming to users who are connected to ports 1.0.1-1.0.2. To configure this:

1. Set port 1.0.20 as the mirror port. To do this, enter global configuration mode and use the commands:

awplus(config)#interface port1.0.20

awplus(config-if)#mirror interface none direction both

2. Create ACLs to match HTTP and SMTP traffic. To do this, return to global configuration mode and use the commands:

awplus(config)#access-list 3100 copy-to-mirror tcp any any eq 25

awplus(config)#access-list 3200 copy-to-mirror tcp any any eq 80

3. Attach the ACLs to ports 1.0.1-1.0.2. To do this, use the commands:

awplus(config)#interface port1.0.1-1.0.2

awplus(config-if)#ip access-group 3100

awplus(config-if)#ip access-group 3200
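The two examples above (the multicast permit/deny pair on port 1.0.10 and the copy-to-mirror pair on ports 1.0.1-1.0.2) both depend on the order in which the ACLs are attached to a port. The following Python model is an added illustration, not part of this How To Note and not Allied Telesis code. It assumes, consistent with step 3 of the multicast example, that the hardware evaluates attached ACLs in attachment order and applies the first one that matches, and that a packet matching no ACL is forwarded normally. The ACL numbers, addresses and ports are the ones from the two examples; the packets and the helper names (Acl, Packet, evaluate, shadowed_by_earlier) are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Acl:
    """One hardware ACL entry as written in the examples above."""
    number: int
    action: str                       # "permit", "deny" or "copy-to-mirror"
    protocol: str                     # "ip" matches any IP packet; "tcp" matches TCP only
    dst: ipaddress.IPv4Network        # destination address/prefix ("any" = 0.0.0.0/0)
    dst_port: Optional[int] = None    # "eq <port>" for tcp; None means any port


@dataclass(frozen=True)
class Packet:
    """Constructed test packet: only the fields the ACLs look at."""
    protocol: str
    dst_ip: str
    dst_port: Optional[int] = None


def matches(acl: Acl, pkt: Packet) -> bool:
    """True if the packet satisfies every field the ACL specifies."""
    if acl.protocol != "ip" and acl.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in acl.dst:
        return False
    if acl.dst_port is not None and acl.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acls_in_attach_order: List[Acl], pkt: Packet) -> str:
    """Assumed filter logic: first matching ACL in attachment order decides.
    "copy-to-mirror" means the packet is forwarded and a copy goes to the
    mirror port. A packet matching nothing is forwarded (implicit permit)."""
    for acl in acls_in_attach_order:
        if matches(acl, pkt):
            return acl.action
    return "permit"


def shadowed_by_earlier(acls: List[Acl]) -> List[int]:
    """Return ACL numbers that can never match because an earlier ACL on the
    same port already covers every packet they could match: a wider (or equal)
    prefix, the same or a wider protocol, and no port restriction."""
    shadowed = []
    for i, later in enumerate(acls):
        for earlier in acls[:i]:
            if (earlier.protocol in ("ip", later.protocol)
                    and earlier.dst_port is None
                    and later.dst.subnet_of(earlier.dst)):
                shadowed.append(later.number)
                break
    return shadowed


# Example 1: block all multicast except 236.5.8.213 (ACL 3050 attached first).
PERMIT_3050 = Acl(3050, "permit", "ip", ipaddress.ip_network("236.5.8.213/32"))
DENY_3100 = Acl(3100, "deny", "ip", ipaddress.ip_network("224.0.0.0/4"))
PORT_1_0_10 = [PERMIT_3050, DENY_3100]

# Example 2: mirror SMTP (25) and HTTP (80) on ports 1.0.1-1.0.2.
ANY = ipaddress.ip_network("0.0.0.0/0")
MIRROR_3100 = Acl(3100, "copy-to-mirror", "tcp", ANY, 25)
MIRROR_3200 = Acl(3200, "copy-to-mirror", "tcp", ANY, 80)
PORTS_1_0_1_2 = [MIRROR_3100, MIRROR_3200]

if __name__ == "__main__":
    app = Packet("udp", "236.5.8.213", 5004)          # the permitted application
    other = Packet("udp", "239.255.1.1", 5004)        # some other multicast group
    print("correct order :", evaluate(PORT_1_0_10, app), "/", evaluate(PORT_1_0_10, other))
    wrong_order = [DENY_3100, PERMIT_3050]
    print("reversed order:", evaluate(wrong_order, app), "- shadowed ACLs:",
          shadowed_by_earlier(wrong_order))
    web = Packet("tcp", "192.0.2.10", 80)             # constructed user-bound HTTP packet
    print("mirror ports  :", evaluate(PORTS_1_0_1_2, web))
```

Running the script shows that with ACL 3050 attached first the application's packets are permitted while other multicast is denied, whereas attaching 3100 first makes 3050 unreachable (shadowed_by_earlier reports it), so the application's traffic would be discarded. The same check is worth running on the mirror configuration before deployment: because each copy-to-mirror ACL carries a port restriction, neither entry shadows the other, and only TCP traffic to ports 25 or 80 is copied to port 1.0.20.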

Page 15 AlliedWare Plus™ OS How To Note
