Allied Telesis x908 Effects of the action keywords in ACLs, Creating MAC address hardware ACLs


Creating MAC address hardware ACLs

MAC address hardware ACLs filter packets on the basis of their source or destination MAC address.

The command syntax is:

awplus(config)#access-list <4000-4699> <action> <source-mac-address> <destination-mac-address>

The source and destination MAC addresses can be any of the following:

- a range of MAC addresses. To specify this, enter a MAC address and the mask. Specify the mask as a wildcard mask (a set bit in the mask means that bit of the address is ignored):

  awplus(config)#access-list 4000 permit 1234.1234.1234 0000.0000.000f ...

  (this example selects MAC addresses from 1234.1234.1230 to 1234.1234.123f)

- a single MAC address. To specify this, enter the MAC address and a mask of 0000.0000.0000:

  awplus(config)#access-list 4000 permit 1234.1234.1234 0000.0000.0000 ...

- all MAC addresses. To specify this, enter the keyword any:

  awplus(config)#access-list 4000 permit any ...

The effects of the action keywords in ACLs

Let us consider the effect of each of the possible action keywords.

Action: deny
What it does: Drops the traffic.
When do you need this action? Use this when the filtering policy is to disallow certain traffic flows.

Action: permit
What it does: Forwards the traffic normally.
When do you need this action? Use this when you want to:
- discard a wide range of traffic, but still forward some small subset of traffic within that range.
- use the ACL in a QoS class-map to select traffic for the switch to apply QoS settings to (like queue shaping).

Action: copy-to-cpu
What it does: Forwards the traffic normally, and also sends a copy of each packet to the CPU.
When do you need this action? Use this when you want software monitoring of a certain packet flow. If you want to log, or count, or output debug pertaining to a certain stream, then create an ACL that matches the packets in the stream, and specify the copy-to-cpu action.

Action: send-to-cpu
What it does: Drops the traffic, but also sends a copy of each packet to the CPU.
When do you need this action? Use this when you want software monitoring of a certain packet flow that is being dropped. If you want to log, count, or output debug pertaining to a certain disallowed stream, then create an ACL that matches the packets in the stream, and specify the send-to-cpu action.

Action: copy-to-mirror
What it does: Forwards the traffic normally, and also sends a copy of each packet to the mirror port.
When do you need this action? Use this when you want to mirror only a certain stream, instead of mirroring all traffic on a port.
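The following Python model is an added illustration, not code from Allied Telesis or from this note. It covers both the MAC-address forms above (address plus wildcard mask, single address, any) and the action-keyword table: it parses entries written in the access-list syntax shown on this page, computes the address range a wildcard mask selects, and reports what happens to a packet (forwarded, dropped, copied to the CPU, copied to the mirror port) under each action. Two things are assumptions rather than statements from the page: entries are evaluated in the order given with the first match deciding, and a packet that matches no entry is forwarded normally. The sample ACL and packet addresses are constructed.

```python
# Added illustration (not Allied Telesis code) of MAC hardware ACL matching
# and the effect of each action keyword. Evaluation order and the no-match
# default are assumptions; see the comments on evaluate().
from dataclasses import dataclass
from typing import Optional

MAC_BITS = 0xFFFF_FFFF_FFFF


def parse_mac(text: str) -> int:
    """Parse the CLI's dotted-hex form 'hhhh.hhhh.hhhh' into a 48-bit integer."""
    parts = text.lower().split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not a hhhh.hhhh.hhhh address or mask: {text!r}")
    return int("".join(parts), 16)


def format_mac(value: int) -> str:
    digits = f"{value & MAC_BITS:012x}"
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"


def mac_range(addr: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address selected by an address plus wildcard mask.
    A 1 bit in the wildcard means 'ignore this bit', so 0000.0000.0000
    selects exactly one address and 0000.0000.000f selects sixteen."""
    a, w = parse_mac(addr), parse_mac(wildcard)
    return format_mac(a & ~w), format_mac(a | w)


@dataclass(frozen=True)
class MacSpec:
    """One address field of an entry: 'any' (addr is None) or address + wildcard."""
    addr: Optional[int]
    wildcard: int = 0

    def matches(self, mac: int) -> bool:
        if self.addr is None:
            return True
        return (self.addr & ~self.wildcard) == (mac & ~self.wildcard)


@dataclass(frozen=True)
class MacAce:
    number: int      # MAC hardware ACLs are numbered 4000-4699
    action: str
    src: MacSpec
    dst: MacSpec


# Effect of each action keyword on a matching packet, as the table describes:
# (forwarded?, copy sent to CPU?, copy sent to mirror port?)
ACTIONS = {
    "deny": (False, False, False),
    "permit": (True, False, False),
    "copy-to-cpu": (True, True, False),
    "send-to-cpu": (False, True, False),
    "copy-to-mirror": (True, False, True),
}


def parse_ace(line: str) -> MacAce:
    """Parse 'access-list <4000-4699> <action> <src> <dst>', where <src> and
    <dst> are each 'any' or '<mac> <wildcard>' (token layout assumed from the
    examples on this page)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"unrecognised entry: {line!r}")
    number = int(tokens[1])
    if not 4000 <= number <= 4699:
        raise ValueError(f"MAC hardware ACLs are numbered 4000-4699, got {number}")
    action = tokens[2]
    if action not in ACTIONS:
        raise ValueError(f"unknown action keyword {action!r}")
    rest = tokens[3:]

    def take_spec() -> MacSpec:
        if rest and rest[0] == "any":
            rest.pop(0)
            return MacSpec(None)
        if len(rest) < 2:
            raise ValueError(f"address field needs '<mac> <wildcard>' or 'any': {line!r}")
        return MacSpec(parse_mac(rest.pop(0)), parse_mac(rest.pop(0)))

    src, dst = take_spec(), take_spec()
    if rest:
        raise ValueError(f"trailing tokens in entry: {rest}")
    return MacAce(number, action, src, dst)


@dataclass(frozen=True)
class Disposition:
    forwarded: bool
    copied_to_cpu: bool
    copied_to_mirror: bool
    matched: Optional[int]   # number of the entry that decided, None if no match


def evaluate(acl: list[MacAce], src: str, dst: str) -> Disposition:
    """ASSUMED semantics: entries are checked in the given order and the first
    match decides; a packet matching no entry is forwarded normally."""
    s, d = parse_mac(src), parse_mac(dst)
    for ace in acl:
        if ace.src.matches(s) and ace.dst.matches(d):
            fwd, cpu, mirror = ACTIONS[ace.action]
            return Disposition(fwd, cpu, mirror, ace.number)
    return Disposition(True, False, False, None)


# Constructed sample: permit one host inside a range that is otherwise denied
# (the permit precedes the deny because of the assumed first-match order),
# plus a send-to-cpu entry so dropped traffic to a constructed OUI is visible
# to software for logging or counting.
SAMPLE_ACL = [parse_ace(line) for line in (
    "access-list 4000 permit 1234.1234.1234 0000.0000.0000 any",
    "access-list 4001 deny 1234.1234.1234 0000.0000.000f any",
    "access-list 4002 send-to-cpu any cafe.0000.0000 0000.ffff.ffff",
)]

if __name__ == "__main__":
    print("range:", mac_range("1234.1234.1234", "0000.0000.000f"))
    for src in ("1234.1234.1234", "1234.1234.1231", "aaaa.bbbb.cccc"):
        print(src, "->", evaluate(SAMPLE_ACL, src, "ffff.ffff.ffff"))
```

Running the script prints the range 1234.1234.1230 to 1234.1234.123f for the page's example mask, shows the single permitted host forwarded while its neighbours in the range are dropped, and shows unmatched traffic forwarded under the assumed default. Swap the order of entries 4000 and 4001 to see why, under first-match evaluation, the narrow permit has to come before the broad deny.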

Page 6 AlliedWare Plus™ OS How To Note
