Page 4 | AlliedWare Plus™ OS How To Note
Creating hardware ACLs
IP packets
You can filter IP packets on the basis of their source and/or destination IP addresses. The command syntax is:
awplus(config)#access-list <3000-3699> <action> ip <source-ip-address> <destination-ip-address>
The source and destination IP addresses can be any of the following:
• a subnet. To specify this, enter the address and mask. You can specify the mask in slash notation or with a wildcard (reverse) mask:
awplus(config)#access-list 3000 permit ip 192.168.0.0/16 ...
awplus(config)#access-list 3000 permit ip 192.168.0.0 0.0.255.255 ...
• a single host. To specify this, enter the keyword host and then the address:
awplus(config)#access-list 3000 permit ip host 192.168.0.1 ...
• all source IPs or all destination IPs. To specify this, enter the keyword any:
awplus(config)#access-list 3000 permit ip any ...
ICMP packets
You can filter ICMP messages on the basis of:
• source IP address and/or destination IP address (using the same syntax as when filtering IP packets)
• ICMP message type, by specifying a type number. Popular types to filter include Echo Reply (0), Echo Request (8), Redirect (5), Destination Unreachable (3), Traceroute (30), and Time Exceeded (11)
The command syntax is:
awplus(config)#access-list <3000-3699> <action> icmp <source-ip-address> <destination-ip-address> [icmp-type <value>]
For example, the following ACL matches on all ICMP messages from 192.168.0.0/16:
awplus(config)#access-list 3000 permit icmp 192.168.0.0/16 any
For example, the following ACL matches on ICMP redirect messages to and from any
address:
awplus(config)#access-list 3000 permit icmp any any icmp-type 5
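The following is an added example, not part of the original How To Note or the switch's own code: a small Python model of how the address forms (slash, wildcard mask, host, any) and the icmp-type option described above select packets, useful for checking an ACL line before applying it. The function names and packet dictionaries are hypothetical and constructed, and the model assumes an ip rule matches every IP protocol, ICMP included.

```python
import ipaddress

def parse_addr(tokens):
    """Consume one address spec; return (value, care_mask) as 32-bit ints."""
    tok = tokens.pop(0)
    if tok == "any":                       # compare no bits
        return 0, 0
    if tok == "host":                      # compare all 32 bits
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    if "/" in tok:                         # slash notation
        net = ipaddress.IPv4Network(tok, strict=False)
        return int(net.network_address), int(net.netmask)
    # address + wildcard (reverse) mask: 1 bits in the mask are ignored
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tok)) & care, care

def parse_acl(line):
    """Parse one 'access-list <3000-3699> <action> ip|icmp ...' line."""
    t = line.split("#")[-1].split()        # drop the awplus(config)# prompt
    if t[0] != "access-list" or not 3000 <= int(t[1]) <= 3699:
        raise ValueError("not a hardware ACL in the 3000-3699 range")
    if t[3] not in ("ip", "icmp"):
        raise ValueError("only ip and icmp are modelled here")
    rest = t[4:]
    rule = {"action": t[2], "proto": t[3],
            "src": parse_addr(rest), "dst": parse_addr(rest), "icmp_type": None}
    if rest[:1] == ["icmp-type"]:
        rule["icmp_type"] = int(rest[1])
    return rule

def matches(rule, pkt):
    """pkt is a constructed dict: proto, src, dst and optional icmp_type."""
    if rule["proto"] == "icmp" and pkt["proto"] != "icmp":
        return False                       # assumption: 'ip' matches any IP protocol
    for field in ("src", "dst"):
        value, care = rule[field]
        if int(ipaddress.IPv4Address(pkt[field])) & care != value:
            return False
    return rule["icmp_type"] in (None, pkt.get("icmp_type"))

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    redirect = {"proto": "icmp", "src": "192.168.44.7", "dst": "10.0.0.1", "icmp_type": 5}
    echo = dict(redirect, icmp_type=8)
    for line in ("access-list 3000 permit icmp 192.168.0.0/16 any",
                 "access-list 3000 permit icmp any any icmp-type 5"):
        rule = parse_acl(line)
        print(line, "->", matches(rule, redirect), matches(rule, echo))
```

The slash form 192.168.0.0/16 and the wildcard form 192.168.0.0 0.0.255.255 parse to the same value and mask, so they select the same packets.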