Page 7 | AlliedWare Plus™ OS How To Note
Making filters by applying hardware ACLs to ports
You can create a filter by simply applying one or more ACLs to a port, as long as you can
select the matching traffic through hardware ACL keywords, as described above.
ACLs can be applied to switch ports and static channel groups. To apply an ACL to a dynamic
(LACP) channel group, apply the ACL to all ports that can be in the channel group.
The hardware filters act on incoming traffic, so apply them to the ingress ports.
Attaching ACLs
To apply ACLs to ports, enter interface mode for the port or ports you want to attach the
ACL to, and then use one of the following commands:
For IP hardware ACLs:
ip access-group <ip-acl-number>
For MAC hardware ACLs:
mac access-group <mac-acl-number>
If you have multiple ACLs on a port, attach them to the port in the order in which you want
the switch to check them—see “The logic of the operation of the hardware filters” on
page 13. You can alternate IP and MAC ACLs, as in the following example:
awplus(config-if)#ip access-group 3200
awplus(config-if)#ip access-group 3100
awplus(config-if)#mac access-group 4300
awplus(config-if)#ip access-group 3150
awplus(config-if)#mac access-group 4350
Viewing port information
To see a list of the ACLs that are directly attached to a port, use the following command:
awplus#show interface <range> access-group
Changing ACL order
It is not possible to change the order of ACLs once you have attached them to a port.
Instead, remove ACLs from the port by entering interface mode for the port and using the
commands:
no ip access-group <ip-acl-number>
no mac access-group <mac-acl-number>
Then re-enter them in the desired order.
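The remove-and-re-enter procedure above can be planned before touching the switch. The following is an added example, not part of the original How To Note: a hypothetical helper, plan_reorder, that takes the current and desired ACL order for a port and returns the interface-mode commands to run. It assumes that a newly attached ACL is checked after those already on the port and that detaching one ACL leaves the order of the others unchanged, so it leaves the unchanged leading ACLs attached.

```python
# Added example, not from the How To Note. Assumes a newly attached ACL is
# checked after those already on the port, and that detaching one ACL leaves
# the order of the others unchanged.

def plan_reorder(current, desired):
    """Return interface-mode commands that change a port's ACL order.

    current, desired: lists of (kind, number) with kind "ip" or "mac",
    in the order the switch checks them.
    """
    for label, acls in (("current", current), ("desired", desired)):
        if len(set(acls)) != len(acls):
            raise ValueError(f"{label} order lists an ACL more than once")
        for kind, _number in acls:
            if kind not in ("ip", "mac"):
                raise ValueError(f"unknown ACL kind {kind!r} in {label} order")

    # ACLs at the front that are already in the right position stay attached.
    keep = 0
    while (keep < min(len(current), len(desired))
           and current[keep] == desired[keep]):
        keep += 1

    # Everything after the unchanged prefix is detached, then re-entered
    # in the desired order.
    detach = [f"no {kind} access-group {num}" for kind, num in current[keep:]]
    attach = [f"{kind} access-group {num}" for kind, num in desired[keep:]]
    return detach + attach


# Constructed input: the attachment order from the example in this section,
# with ACL 3150 moved up to second place.
CURRENT = [("ip", 3200), ("ip", 3100), ("mac", 4300), ("ip", 3150), ("mac", 4350)]
DESIRED = [("ip", 3200), ("ip", 3150), ("ip", 3100), ("mac", 4300), ("mac", 4350)]

if __name__ == "__main__":
    for line in plan_reorder(CURRENT, DESIRED):
        print("awplus(config-if)#" + line)
```

Between the "no" commands and the re-entered commands the port is not filtered by the detached ACLs, so check the result afterwards with the show interface <range> access-group command.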