Page 15 | AlliedWare Plus™ OS How To Note
Examples
Blocking all multicast traffic except one address
This example uses two interface ACLs, one with an action of permit and one with an action
of deny.
Use this type of configuration when you want to discard a wide range of traffic but want to
forward a subset of traffic within that range.
Consider a situation where you want to prevent the forwarding of multicast traffic in general,
but wish to support an application that needs to send packets to one particular multicast
address (236.5.8.213 in this example). To configure this:
1. Create an ACL to match and permit packets with the multicast destination address
236.5.8.213. To do this, enter global configuration mode and use the command:
awplus(config)#access-list 3050 permit ip any 236.5.8.213/32
2. Create an ACL to match and deny all packets with a multicast destination address. To do
this, use the command:
awplus(config)#access-list 3100 deny ip any 224.0.0.0/4
3. Attach the ACLs to the port (for example, 1.0.10). You must first attach the permit ACL,
then the deny ACL. To do this, use the commands:
awplus(config)#interface port1.0.10
awplus(config-if)#ip access-group 3050
awplus(config-if)#ip access-group 3100
Mirroring HTTP and SMTP traffic
This example uses two interface ACLs with actions of copy-to-mirror.
Use this type of configuration when you want to mirror a subset of the incoming traffic on a
port, instead of mirroring all incoming traffic.
Consider a situation where you want to capture the HTTP (TCP port 80) and SMTP (TCP
port 25) traffic coming to users who are connected to ports 1.0.1-1.0.2. To configure this:
1. Set port 1.0.20 as the mirror port. To do this, enter global configuration mode and use the
commands:
awplus(config)#interface port1.0.20
awplus(config-if)#mirror interface none direction both
2. Create ACLs to match HTTP and SMTP traffic. To do this, return to global configuration
mode and use the commands:
awplus(config)#access-list 3100 copy-to-mirror tcp any any eq 25
awplus(config)#access-list 3200 copy-to-mirror tcp any any eq 80
3. Attach the ACLs to ports 1.0.1-1.0.2. To do this, use the commands:
awplus(config)#interface port1.0.1-1.0.2
awplus(config-if)#ip access-group 3100
awplus(config-if)#ip access-group 3200
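The two examples above depend on the same behaviour: an interface's hardware ACLs are consulted in the order they were attached, and the first ACL whose match clause fits the packet supplies the action. The following Python model is an added illustration, not configuration or code from this How To Note or from Allied Telesis; it reuses the ACL numbers, addresses and ports from both examples and lets you check what happens to sample packets under the correct and the reversed attachment order. The names (Acl, Packet, evaluate, the PORT* lists) and the sample packets are constructed for the illustration, and the model assumes that the first matching permit or deny decides forwarding, that copy-to-mirror forwards the packet and also copies it to the mirror port, and that a packet matching no attached ACL is forwarded unchanged.

```python
"""Constructed first-match model of AlliedWare Plus interface ACLs (illustration only)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Acl:
    number: int
    action: str                      # "permit", "deny" or "copy-to-mirror"
    protocol: str                    # "ip" (any IP protocol) or "tcp"
    src: str                         # "any" or a prefix such as "224.0.0.0/4"
    dst: str
    dst_port: Optional[int] = None   # the "eq <port>" clause; only used for tcp ACLs


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def in_prefix(addr: str, prefix: str) -> bool:
    """True if addr lies inside prefix; the keyword "any" matches every address."""
    if prefix == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def matches(acl: Acl, pkt: Packet) -> bool:
    """Does the ACL's match clause (protocol, source, destination, optional eq port) fit the packet?"""
    if acl.protocol != "ip" and acl.protocol != pkt.protocol:
        return False
    if not (in_prefix(pkt.src, acl.src) and in_prefix(pkt.dst, acl.dst)):
        return False
    return acl.dst_port is None or acl.dst_port == pkt.dst_port


def evaluate(attached: List[Acl], pkt: Packet) -> Tuple[bool, bool]:
    """Walk the ACLs in attachment order and return (forwarded, mirrored).

    Model assumptions (not statements from the How To Note): the first matching ACL
    supplies the action; copy-to-mirror forwards the packet and copies it to the mirror
    port; a packet that matches no attached ACL is forwarded and not mirrored.
    """
    for acl in attached:
        if matches(acl, pkt):
            if acl.action == "permit":
                return True, False
            if acl.action == "deny":
                return False, False
            if acl.action == "copy-to-mirror":
                return True, True
            raise ValueError(f"unknown action {acl.action!r} in ACL {acl.number}")
    return True, False


# First example on this page: permit one multicast group, deny all other multicast.
ACL_3050 = Acl(3050, "permit", "ip", "any", "236.5.8.213/32")
ACL_3100_DENY_MCAST = Acl(3100, "deny", "ip", "any", "224.0.0.0/4")
PORT1_0_10 = [ACL_3050, ACL_3100_DENY_MCAST]            # permit attached first, as the page requires

# Second example: copy SMTP and HTTP to the mirror port (the page reuses number 3100 here).
ACL_3100_SMTP = Acl(3100, "copy-to-mirror", "tcp", "any", "any", 25)
ACL_3200_HTTP = Acl(3200, "copy-to-mirror", "tcp", "any", "any", 80)
PORTS1_0_1_TO_2 = [ACL_3100_SMTP, ACL_3200_HTTP]

# Constructed sample packets; addresses are documentation/private ranges, not real hosts.
MULTICAST_SAMPLES = [
    Packet("udp", "10.1.1.5", "236.5.8.213", 5004),     # the one permitted group
    Packet("udp", "10.1.1.5", "239.255.1.1", 5004),     # any other multicast group
    Packet("tcp", "10.1.1.5", "10.2.2.2", 443),         # ordinary unicast traffic
]
MIRROR_SAMPLES = [
    Packet("tcp", "10.1.1.5", "192.0.2.7", 80),         # HTTP request from a user port
    Packet("tcp", "10.1.1.5", "192.0.2.7", 25),         # SMTP from a user port
    Packet("tcp", "10.1.1.5", "192.0.2.7", 443),        # HTTPS: not covered by either ACL
    Packet("udp", "10.1.1.5", "192.0.2.7", 80),         # UDP/80: protocol clause does not match
]


def main() -> None:
    print("Multicast example, permit attached before deny:")
    for pkt in MULTICAST_SAMPLES:
        fwd, _ = evaluate(PORT1_0_10, pkt)
        print(f"  {pkt.protocol} -> {pkt.dst}: {'forwarded' if fwd else 'dropped'}")
    print("Same ACLs attached in the wrong order (deny first):")
    for pkt in MULTICAST_SAMPLES:
        fwd, _ = evaluate(list(reversed(PORT1_0_10)), pkt)
        print(f"  {pkt.protocol} -> {pkt.dst}: {'forwarded' if fwd else 'dropped'}")
    print("Mirror example on ports 1.0.1-1.0.2:")
    for pkt in MIRROR_SAMPLES:
        fwd, mir = evaluate(PORTS1_0_1_TO_2, pkt)
        print(f"  {pkt.protocol}/{pkt.dst_port}: forwarded={fwd} mirrored={mir}")


if __name__ == "__main__":
    main()
```

Running the script shows the point of step 3 in the first example: with the permit ACL attached first, traffic to 236.5.8.213 is forwarded while other multicast is dropped, but with the deny ACL attached first the 224.0.0.0/4 match catches 236.5.8.213 too and the permit ACL never takes effect. The mirror section shows that only TCP traffic to ports 25 and 80 is copied, and that everything else on those ports is forwarded untouched.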