C613-50631-01 Rev A Command Reference for IE340 Series 1982
AlliedWare Plus™ Operating System - Version 5.5.3-0.x
IPV4 HARDWARE ACCESS CONTROL LIST (ACL) COMMANDS
(NAMED HARDWARE ACL ENTRY FOR IP PROTOCOLS)
(named hardware ACL entry for IP protocols)
Overview Use this command to add an IP protocol type filter entry to the current hardware
access-list. The filter will match on IP packets that have the specified IP protocol
number, and the specified IP and/or MAC addresses. You can use the value any
instead of source or destination IP or MAC address if an address does not matter.
If you specify a sequence number, the switch inserts the new filter at the specified
location. Otherwise, the switch adds the new filter to the end of the access-list.
The no variant of this command removes a filter entry from the current hardware
access-list. You can specify the filter entry for removal by entering either its
sequence number (e.g. no 100), or by entering its filter profile without specifying
its sequence number (e.g. no deny proto 2 192.168.0.0/16 any).
You can find the sequence number by running the show access-list (IPv4 Hardware
ACLs) command.
Hardware ACLs will permit access unless explicitly denied by an ACL action.
CAUTION: Specifying a “send” action enables you to use ACLs to redirect packets from
their original destination. Use such ACLs with caution. They could prevent control
packets from reaching the correct destination, such as EPSR healthcheck messages
and AMF messages.
Syntax
[<sequence-number>] <action> proto <1-255> <source-ip>
<dest-ip> [<source-mac> <dest-mac>] [vlan <1-4094>]
no <sequence-number>
no <action> proto <1-255> <source-ip> <dest-ip> [<source-mac>
<dest-mac>] [vlan <1-4094>]
The following actions are available for hardware ACLs:
V
alues for the <action> parameter
deny Reject packets that match the source and destination
filtering specified with this command.
permit Permit packets that match the source and destination
filtering specified with this command.
copy-to-cpu Send a copy of matching packets to the CPU.
copy-to-mirror Send a copy of matching packets to the mirror port.
Use the mirror interface command to configure the mirror
port.
send-to-mirror Send matching packets to the mirror port.
Use the mirror interface command to configure the mirror
port.
send-to-vlan-port
vlan <vid> port
<port-number>
Send matching packets to the specified port, tagged with
the specified VLAN. The specified port must belong to the
specified VLAN.
send-to-cpu Send matching packets to the CPU.
To Next Page
Loading...
Need help?
General
