Allied Telesis AT-DC2552XS User Manual
Page 456

Chapter 20: ACL Commands
Section V: Security and Traffic Control
Description
Use this command to add a deny statement to the hardware ACL or
modify an existing deny statement. When a packet matches a deny
statement, the switch discards the packet. You can add up to 256
statements to one hardware ACL.
The hardware ACL is a sequential collection of permit, deny, or copy-to-
mirror statements. The switch evaluates a packet against the statements
one by one, from the smallest sequence number to the largest. When a
packet matches a statement, the switch permits, denies, or copies to
mirror the packet and skips the rest of the statements. If a packet does not
match any statement, the switch forwards the packet.
To add or modify a permit or copy-to-mirror statement, see “PERMIT” on
page 469 or “COPY-TO-MIRROR” on page 448.
Confirmation Command
“SHOW ACCESS-LIST” on page 474
Examples
This example creates a new hardware ACL named “acl_1” and adds a
statement to discard packets whose source MAC address begins with the
prefix “ec:cd:6d”:
awplus> enable
awplus# configure terminal
awplus(config)# access-list hardware acl_1
awplus(config-ip-hw-acl)# deny mac ec:cd:6d:00:00:00 00:00:00:ff:ff:ff any
This example selects a new hardware ACL named “acl_2” and adds a
statement at the end of “acl_2” to discard IP packets that have destination
IP addresses in 192.168.1.0/24 and belong to VLAN 10:
awplus> enable
awplus# configure terminal
awplus(config)# access-list hardware acl_2
awplus(config-ip-hw-acl)# deny ip any 192.168.1.0/24 vlan 10
This example creates a new hardware access list named “acl_3” and adds
a statement to discard packets that have a protocol type of TCP, a source
IP address of 192.168.10.5, and a TCP port number of 80:
awplus> enable
awplus# configure terminal
awplus(config)# access-list hardware acl_3
awplus(config-ip-hw-acl)# deny tcp host 192.168.10.5 any eq 80
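The following is an added Python model of the evaluation rule stated in the Description (smallest sequence number first, first match decides, no match means forward) applied to the three deny statements above; it is not code from the manual or from the switch, and the sequence numbers, the packet field names and the reading of the second MAC argument as a "don't care" mask are assumptions.

```python
import ipaddress

_mac_int = lambda mac: int(mac.replace(":", ""), 16)
def mac_match(pkt_mac, mac, mask):
    # Mask as written on the page ("ec:cd:6d:00:00:00 00:00:00:ff:ff:ff"): bits set
    # in the mask are "don't care", so only the ec:cd:6d prefix has to be equal.
    m = _mac_int(mask)
    return (_mac_int(pkt_mac) | m) == (_mac_int(mac) | m)

def ip_match(pkt_ip, spec):
    # spec is "any", "host A.B.C.D" or a prefix such as "192.168.1.0/24"
    if spec == "any":
        return True
    if spec.startswith("host "):
        return pkt_ip == spec[5:]
    return ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(spec, strict=False)

def statement(seq, action, **crit):
    # One statement: (sequence number, action, match function). Criteria that are
    # not given are wildcards; proto="ip" matches every IP protocol.
    def matches(pkt):
        return (("src_mac" not in crit or mac_match(pkt["src_mac"], *crit["src_mac"]))
                and (crit.get("proto", "ip") == "ip" or pkt["proto"] == crit["proto"])
                and ip_match(pkt["src_ip"], crit.get("src", "any"))
                and ip_match(pkt["dst_ip"], crit.get("dst", "any"))
                and ("vlan" not in crit or pkt["vlan"] == crit["vlan"])
                and ("dport" not in crit or pkt.get("dport") == crit["dport"]))
    return (seq, action, matches)

def evaluate(acl, pkt):
    # Statements are tried from the smallest sequence number to the largest; the
    # first match decides and the rest are skipped. No match: the packet is forwarded.
    for _seq, action, matches in sorted(acl, key=lambda s: s[0]):
        if matches(pkt):
            return action
    return "forward"

def packet(src_mac="00:11:22:33:44:55", src_ip="10.0.0.1", dst_ip="10.0.0.2",
           proto="tcp", vlan=1, dport=None):
    # Constructed packet header fields, used only by this example.
    return dict(src_mac=src_mac, src_ip=src_ip, dst_ip=dst_ip,
                proto=proto, vlan=vlan, dport=dport)

# The page's three ACLs (sequence numbers assumed) plus one showing the lowest number wins.
ACL_1 = [statement(10, "deny", src_mac=("ec:cd:6d:00:00:00", "00:00:00:ff:ff:ff"))]
ACL_2 = [statement(10, "deny", proto="ip", dst="192.168.1.0/24", vlan=10)]
ACL_3 = [statement(10, "deny", proto="tcp", src="host 192.168.10.5", dport=80)]
ACL_ORDER = [statement(20, "deny", src="host 192.168.10.5"),
             statement(10, "permit", src="host 192.168.10.5", dport=80)]
```

ACL_ORDER shows why a deny statement added after a broader or narrower permit may never fire for traffic the earlier statement already matched: only the sequence numbers, not the order of entry, decide.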