Allied Telesis x908 User Manual

Page 5 | AlliedWare Plus™ OS How To Note

Creating hardware ACLs

TCP and UDP packets

You can filter TCP and UDP packets on the basis of:

- source IP address and/or destination IP address (using the same syntax as when filtering IP packets)
- source and/or destination TCP/UDP ports.

The command syntax is:

    awplus(config)#access-list <3000-3699> <action> {tcp|udp}
        <source-ip-address> [{eq|gt|lt|ne|range} <source-port> [<source-port>]]
        <destination-ip-address> [{eq|gt|lt|ne|range} <dest-port> [<dest-port>]]

To determine which ports to filter, use the following keywords. Note that gt and lt are strict comparisons (the specified port itself is not matched), which is why the examples below use 5099 and 5101 to include port 5100, whereas range is inclusive at both ends.

Keyword: no keyword
Selects: All ports
Example: To match packets that use any TCP source or destination port:

    access-list 3000 permit tcp any any

Keyword: eq
Selects: A single port
Example: Specify a single port number. For example, to match packets from any IP address that use TCP source port 5100:

    access-list 3000 permit tcp any eq 5100 any

Note that the TCP port parameter is optional. In this example, the keyword any indicates that the ACL matches on any source and destination IP address. The absence of a port at the end of the command indicates that it matches on any destination port.

Keyword: gt
Selects: All ports higher than the specified port number
Example: Specify a single port number. For example, to match packets that use a source TCP port of 5100 or higher:

    access-list 3000 permit tcp any gt 5099 any

Keyword: lt
Selects: All ports lower than the specified port number
Example: Specify a single port number. For example, to match packets that use a source TCP port of 5100 or lower:

    access-list 3000 permit tcp any lt 5101 any

Keyword: ne
Selects: All ports except the specified port
Example: Specify a single port number. For example, to match packets that use any source TCP port except port 5100:

    access-list 3000 permit tcp any ne 5100 any

Keyword: range
Selects: A contiguous range of ports
Example: Specify the lowest and highest numbers in the range, separated by a space. For example, to match packets that use TCP source ports 5100 to 5200 inclusive:

    access-list 3000 permit tcp any range 5100 5200 any
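The port-operator semantics above can be checked before a rule is committed to hardware by modelling them in software. The following Python is an added example written for this note; it is not Allied Telesis code and does not reproduce the switch's ACL engine. It parses one access-list command in the syntax shown, then decides whether a given packet header would be selected, making the strict gt/lt comparison, the inclusive range, and the optional destination-port clause explicit. It assumes (the page does not give the address syntax) that each address field is a single token, either any or an IPv4 prefix in CIDR form; parse_acl, acl_matches and the sample entries are hypothetical names and values chosen for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Model of the port operators in the AlliedWare Plus TCP/UDP hardware ACL
# syntax shown above. Constructed for this note, not Allied Telesis code.
# Assumption (not stated on the page): each address field is one token,
# either "any" or an IPv4 prefix such as 10.1.0.0/16.

PORT_OPS = ("eq", "gt", "lt", "ne", "range")


@dataclass(frozen=True)
class PortMatch:
    op: Optional[str]         # None means no keyword given: match any port
    ports: Tuple[int, ...]    # (port,) for eq/gt/lt/ne, (low, high) for range

    def matches(self, port: int) -> bool:
        if self.op is None:
            return True
        if self.op == "eq":
            return port == self.ports[0]
        if self.op == "gt":
            return port > self.ports[0]          # strictly greater than
        if self.op == "lt":
            return port < self.ports[0]          # strictly lower than
        if self.op == "ne":
            return port != self.ports[0]
        low, high = self.ports                   # range: both ends inclusive
        return low <= port <= high


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str
    proto: str
    src: str
    src_port: PortMatch
    dst: str
    dst_port: PortMatch


def _parse_port_clause(tokens, i):
    """Consume an optional '{eq|gt|lt|ne|range} <port> [<port>]' at tokens[i]."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return PortMatch(None, ()), i
    op = tokens[i]
    count = 2 if op == "range" else 1
    raw = tokens[i + 1:i + 1 + count]
    if len(raw) != count or not all(t.isdigit() for t in raw):
        raise ValueError(f"{op} needs {count} port number(s)")
    ports = tuple(int(t) for t in raw)
    if any(p > 65535 for p in ports):
        raise ValueError("port numbers must be 0-65535")
    if op == "range" and ports[0] > ports[1]:
        raise ValueError("range: lowest port must come first")
    return PortMatch(op, ports), i + 1 + count


def parse_acl(line: str) -> AclEntry:
    """Parse one 'access-list <3000-3699> <action> {tcp|udp} ...' command."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not a TCP/UDP access-list command")
    number = int(tokens[1])
    if not 3000 <= number <= 3699:
        raise ValueError("TCP/UDP hardware ACLs are numbered 3000-3699")
    action, proto = tokens[2], tokens[3]
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    src = tokens[4]
    src_port, i = _parse_port_clause(tokens, 5)
    if i >= len(tokens):
        raise ValueError("missing destination address")
    dst = tokens[i]
    dst_port, i = _parse_port_clause(tokens, i + 1)
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {tokens[i:]}")
    return AclEntry(number, action, proto, src, src_port, dst, dst_port)


def _addr_matches(spec: str, ip: str) -> bool:
    # Assumed address syntax: "any" or a CIDR prefix (see note at top).
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def acl_matches(entry: AclEntry, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
    """True if a packet with these header fields is selected by the entry."""
    return (proto == entry.proto
            and _addr_matches(entry.src, src_ip)
            and entry.src_port.matches(src_port)
            and _addr_matches(entry.dst, dst_ip)
            and entry.dst_port.matches(dst_port))


if __name__ == "__main__":
    # The page's "gt 5099" example: source port 5100 matches, 5099 does not.
    gt = parse_acl("access-list 3000 permit tcp any gt 5099 any")
    for port in (5099, 5100):
        print(port, acl_matches(gt, "tcp", "192.0.2.10", port, "198.51.100.5", 443))
```

Run it against each of the five examples above with ports on either side of the boundary (5099/5100 for gt, 5100/5101 for lt, 5200/5201 for range) to confirm the rule selects exactly the ports you intend; the same check applied to a deny entry shows whether an off-by-one in the boundary would leave a port open.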
