Page 5 | AlliedWare Plus™ OS How To Note
Creating hardware ACLs

TCP and UDP packets

You can filter TCP and UDP packets on the basis of:
- source IP address and/or destination IP address (using the same syntax as when filtering IP packets)
- source and/or destination TCP/UDP ports.
The command syntax is (the port operator, where used, follows the address it applies to):
awplus(config)#access-list <3000-3699> <action> {tcp|udp}
    <source-ip-address> [{eq|gt|lt|ne|range} <source-port> [<source-port>]]
    <destination-ip-address> [{eq|gt|lt|ne|range} <dest-port> [<dest-port>]]
To determine which ports to filter, use the following keywords. Note that gt and lt are exclusive (the specified port itself is not matched), while range is inclusive at both ends.
Keyword      Selects                            Example
no keyword   All ports                          To match packets that use any TCP source or
                                                destination port:
                                                access-list 3000 permit tcp any any
eq           A single port                      Specify a single port number. To match packets
                                                from any IP address that use TCP source port 5100:
                                                access-list 3000 permit tcp any eq 5100 any
                                                The port parameter is optional. Here the keyword
                                                any matches any source and destination IP address,
                                                and the absence of a port operator after the
                                                destination address matches any destination port.
gt           All ports higher than the          Specify a single port number. Because gt is
             specified port number              exclusive, to match packets with a source TCP port
                                                of 5100 or higher specify 5099:
                                                access-list 3000 permit tcp any gt 5099 any
lt           All ports lower than the           Specify a single port number. Because lt is
             specified port number              exclusive, to match packets with a source TCP port
                                                of 5100 or lower specify 5101:
                                                access-list 3000 permit tcp any lt 5101 any
ne           All ports except the specified     Specify a single port number. To match packets
             port                               that use any source TCP port except port 5100:
                                                access-list 3000 permit tcp any ne 5100 any
range        A contiguous range of ports        Specify the lowest and highest port numbers in the
                                                range, separated by a space. To match packets that
                                                use TCP source ports 5100 to 5200 inclusive:
                                                access-list 3000 permit tcp any range 5100 5200 any
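The boundary behaviour of gt and lt (5099 for "5100 or higher", 5101 for "5100 or lower") is the usual source of mistakes when writing these rules. The following Python matcher is an added example, not Allied Telesis code and not part of this How To Note: it parses access-list lines in the syntax above and evaluates constructed packets against them, so a rule set can be checked for the intended port semantics before it is configured on the switch. It assumes addresses are written as any, host A.B.C.D or A.B.C.D/M (the IP-address syntax is not shown on this page), evaluates a list of rules in first-match order, and does not model the switch's default action for unmatched traffic.

```python
"""Toy matcher for the TCP/UDP hardware ACL syntax shown above.

Added example, not Allied Telesis code. Parses lines of the form
  access-list <3000-3699> <permit|deny> {tcp|udp} <src> [op port [port]] <dst> [op port [port]]
and evaluates constructed packets against them.
Assumption (not on this page): addresses are `any`, `host A.B.C.D` or `A.B.C.D/M`.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_OPS = {"eq", "gt", "lt", "ne", "range"}


@dataclass(frozen=True)
class PortMatch:
    op: Optional[str]   # None means "no keyword": any port
    lo: int = 0
    hi: int = 0

    def matches(self, port: int) -> bool:
        if self.op is None:
            return True
        if self.op == "eq":
            return port == self.lo
        if self.op == "ne":
            return port != self.lo
        if self.op == "gt":                 # exclusive: "gt 5099" means port >= 5100
            return port > self.lo
        if self.op == "lt":                 # exclusive: "lt 5101" means port <= 5100
            return port < self.lo
        return self.lo <= port <= self.hi   # range is inclusive at both ends


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: PortMatch
    dst: ipaddress.IPv4Network
    dport: PortMatch


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":                      # assumed syntax: host A.B.C.D
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(t[i], strict=False), i + 1   # assumed: A.B.C.D/M


def _parse_port(t: List[str], i: int) -> Tuple[PortMatch, int]:
    """Port operator is optional; absence matches any port."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return PortMatch(None), i
    op, lo = t[i], int(t[i + 1])
    if op == "range":
        hi = int(t[i + 2])
        if hi < lo:
            raise ValueError("range: high port below low port")
        return PortMatch(op, lo, hi), i + 3
    return PortMatch(op, lo, lo), i + 2


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line")
    number = int(t[1])
    if not 3000 <= number <= 3699:
        raise ValueError("TCP/UDP hardware ACLs use numbers 3000-3699")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError("expected permit|deny and tcp|udp")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError("trailing tokens: " + " ".join(t[i:]))
    return Rule(number, action, proto, src, sport, dst, dport)


def rule_matches(rule: Rule, proto: str, src_ip: str, sport: int,
                 dst_ip: str, dport: int) -> bool:
    return (proto == rule.proto
            and ipaddress.ip_address(src_ip) in rule.src
            and rule.sport.matches(sport)
            and ipaddress.ip_address(dst_ip) in rule.dst
            and rule.dport.matches(dport))


def first_match(rules: List[Rule], proto: str, src_ip: str, sport: int,
                dst_ip: str, dport: int) -> Optional[str]:
    """Action of the first matching rule, or None if nothing matched (default action not modelled)."""
    for r in rules:
        if rule_matches(r, proto, src_ip, sport, dst_ip, dport):
            return r.action
    return None


if __name__ == "__main__":
    # Constructed sample packets: (proto, src_ip, sport, dst_ip, dport)
    rules = [parse_rule("access-list 3000 deny tcp any gt 5099 host 192.0.2.10 eq 80"),
             parse_rule("access-list 3001 permit tcp any any")]
    print(first_match(rules, "tcp", "10.0.0.5", 5100, "192.0.2.10", 80))   # deny
    print(first_match(rules, "tcp", "10.0.0.5", 5099, "192.0.2.10", 80))   # permit
```

Run it against the exact lines you intend to paste into the switch; a ValueError on parsing means the line does not fit the syntax on this page, and a packet that lands on the wrong side of a gt/lt boundary means the operator value needs adjusting by one.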