Page 6 | AlliedWare Plus™ OS How To Note

Creating MAC address hardware ACLs

MAC address hardware ACLs filter packets on the basis of their source or destination MAC address.

The command syntax is:

awplus(config)#access-list <4000-4699> <action> <source-mac-address> <destination-mac-address>

The source and destination MAC addresses can be any of the following:

• a range of MAC addresses. To specify this, enter a MAC address and the mask. Specify the mask as a wildcard mask:
  awplus(config)#access-list 4000 permit 1234.1234.1234 0000.0000.000f ...
  (this example selects MAC addresses from 1234.1234.1230 to 1234.1234.123f)
• a single MAC address. To specify this, enter the MAC address and a mask of 0000.0000.0000:
  awplus(config)#access-list 4000 permit 1234.1234.1234 0000.0000.0000 ...
• all MAC addresses. To specify this, enter the keyword any:
  awplus(config)#access-list 4000 permit any ...
The effects of the action keywords in ACLs

Let us consider the effect of each of the possible action keywords.
Action: deny
  What it does: Drops the traffic.
  When do you need this action? Use this when the filtering policy is to disallow certain traffic flows.

Action: permit
  What it does: Forwards the traffic normally.
  When do you need this action? Use this when you want to:
    • discard a wide range of traffic, but still forward some small subset of traffic within that range.
    • use the ACL in a QoS class-map to select traffic for the switch to apply QoS settings to (like queue shaping).

Action: copy-to-cpu
  What it does: Forwards the traffic normally, and also sends a copy of each packet to the CPU.
  When do you need this action? Use this when you want software monitoring of a certain packet flow. If you want to log, or count, or output debug pertaining to a certain stream, then create an ACL that matches the packets in the stream, and specify the copy-to-cpu action.

Action: send-to-cpu
  What it does: Drops the traffic, but also sends a copy of each packet to the CPU.
  When do you need this action? Use this when you want software monitoring of a certain packet flow that is being dropped. If you want to log, count, or output debug pertaining to a certain disallowed stream, then create an ACL that matches the packets in the stream, and specify the send-to-cpu action.

Action: copy-to-mirror
  What it does: Forwards the traffic normally, and also sends a copy of each packet to the mirror port.
  When do you need this action? Use this when you want to mirror only a certain stream, instead of mirroring all traffic on a port.
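
The following Python model is an added example, not part of the original How To Note and not Allied Telesis code. It shows how a single MAC hardware ACL entry selects frames with a wildcard mask and what each action keyword described above does to a matching frame. The function names and the (forwarded, copy target) result are assumptions made for illustration, and the model goes slightly beyond the page by also accepting non-contiguous masks.

```python
# Added example: models one MAC hardware ACL entry; not the switch's own code.
import re

# Effects taken from the action descriptions on this page:
# (traffic forwarded?, where a copy of each packet is also sent)
ACTIONS = {
    "deny": (False, None),
    "permit": (True, None),
    "copy-to-cpu": (True, "cpu"),
    "send-to-cpu": (False, "cpu"),
    "copy-to-mirror": (True, "mirror"),
}

def mac_to_int(text):
    """Parse the HHHH.HHHH.HHHH notation used in the commands."""
    if not re.fullmatch(r"[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}", text):
        raise ValueError(f"bad MAC or mask: {text!r}")
    return int(text.replace(".", ""), 16)

def int_to_mac(value):
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def matches(spec, mac):
    """spec is 'any' or (address, wildcard_mask); mask bits set to 1 are ignored."""
    if spec == "any":
        return True
    addr, mask = (mac_to_int(part) for part in spec)
    care = ~mask & 0xFFFFFFFFFFFF  # bits that must be equal
    return (mac_to_int(mac) & care) == (addr & care)

def selected_range(addr, mask):
    """Lowest and highest MAC address selected by address + wildcard mask."""
    a, m = mac_to_int(addr), mac_to_int(mask)
    return int_to_mac(a & ~m & 0xFFFFFFFFFFFF), int_to_mac(a | m)

def apply_entry(action, src_spec, dst_spec, src_mac, dst_mac):
    """Return (forwarded, copy_target) if the entry matches the frame, else None."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if matches(src_spec, src_mac) and matches(dst_spec, dst_mac):
        return ACTIONS[action]
    return None  # entry does not apply to this frame
```

A result of None only means this one entry did not match; what the switch does with the frame after that is outside this model.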