
2. Command Line Interface (CLI)

2.6 Configuration mode

2.6.1 ACL command mode

Prompt: SWH(config-acl)# (the commands below are entered at this prompt)

action <port_list> <permit | deny>

To permit or deny traffic of the specified port numbers.

<port_list>: Specify a port number or multiple port numbers with the format 5, 7, 8, 9, 12 or 5, 7-9, 12

<permit | deny>: To permit or deny the action.

For example:

SWH(config-acl)# action 1-4, 10-15, 18, 19 permit

policy <port_list> <policy>

To assign a policy ID to a port or a group of ports.

<port_list>: Specify a port number or multiple port numbers with the format 5, 7, 8, 9, 12 or 5, 7-9, 12

<policy>: Specify a policy ID between 1 and 8.

For example:

SWH(config-acl)# policy 1-4, 10-15, 18, 19 8

port-copy <port_list> <disable | 1-24>

Send a copy of packets to the specified ports.

<port_list>: Specify a port number or multiple port numbers with the format 5, 7, 8, 9, 12 or 5, 7-9, 12

<disable | 1-24>: To disable port copy function of the specified ports or send a copy of packets to the specified port.

For example:

SWH(config-acl)# port-copy 1-4,10-15,18,19 disable

rate-lim <port_list> <disable | 1-14>

To enable or disable the rate limiter of the specified ports and assign a rate-limiter ID to them.

<port_list>: Specify a port number or multiple port numbers with the format 5, 7, 8, 9, 12 or 5, 7-9, 12

<disable | 1-14>: Disable rate limiter function or specify a rate limiter ID.

For example: 15: 32Kpps, 16: 64Kpps, 17: 128Kpps, 18: 256Kpps, 19: 512pps, 20: 1024Kpps. Specify “0” to denote 1pps, and so on.

For example:

shutdown <port_list> <enable | disable>

To enable or disable the shutdown function of the specified ports.

<port_list>: Specify a port number or multiple port numbers with the format 5, 7, 8, 9, 12 or 5, 7-9, 12

<enable | disable>: To enable or disable the shutdown function.

For example:

enable

add <acl_id> <any | policy1-8 | port1-24>

To add an ACL configuration rule. A total of 110 ACL rules can be created.

<acl_id>: Specify an ACL ID from 1 to 110.

NOTE: The ACL ID is used for reference only.

Each ID number can only be used once. The lookup process checks entries in the order they were entered, regardless of ACL ID. For example, if the ACL rule with ACL ID 5 is entered before the ACL rule with ACL ID 3, the rule with ACL ID 5 is looked up before the rule with ACL ID 3.

<any | policy1-8 | port1-24>: Specify “any” to use any port as the Ingress port. Specify a policy ID to designate a port or a group of ports as the Ingress port. Specify a port to use that port as the Ingress port.

For example:

SWH(config-acl)# add 110 policy8

delete <acl_id>

To delete an ACL configuration rule.

<acl_id>: Specify an ACL ID from 1 to 110.

For example:

SWH(config-acl)# delete 110

show

Show current ACL settings.
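The two rules above that matter most for auditing this table are that an ACL ID is only a label and that lookup proceeds in entry order with the first match winning. The following Python model (an added example, not the switch vendor's code) parses the port-list grammar the manual gives, enforces the unique-ID and 110-rule limits, and shows why a rule entered first shadows a later one even when its ID is higher. The policy-to-port mapping and the rule dictionary layout are assumptions made for the model.

```python
"""Model of the ACL command mode's add/delete/lookup behaviour.
Added example; assumptions: rules are evaluated in entry order, first
match wins, and the port-list grammar is "5, 7, 8, 9, 12" or
"5, 7-9, 12" as the manual states."""

MAX_RULES = 110   # manual: a total of 110 ACL rules can be created
NUM_PORTS = 24    # manual: port1-24


def parse_port_list(text):
    """Parse '1-4, 10-15, 18, 19' (spaces optional) into a set of ports."""
    ports = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item!r}")
            members = range(lo, hi + 1)
        else:
            members = [int(item)]
        for p in members:
            if not 1 <= p <= NUM_PORTS:
                raise ValueError(f"port {p} outside 1-{NUM_PORTS}")
            ports.add(p)
    return ports


class AclTable:
    """Rules are kept in the order they were added; the ACL ID is a label."""

    def __init__(self):
        self.rules = []   # entry order is the lookup order
        self.ids = set()

    def add(self, acl_id, ingress, action="permit"):
        # ingress is "any", "policyN" or a set of ports (assumed layout)
        if not 1 <= acl_id <= MAX_RULES:
            raise ValueError("ACL ID must be between 1 and 110")
        if acl_id in self.ids:
            raise ValueError(f"ACL ID {acl_id} already used")  # each ID once
        if len(self.rules) >= MAX_RULES:
            raise ValueError("ACL table is full")
        self.rules.append({"id": acl_id, "ingress": ingress, "action": action})
        self.ids.add(acl_id)

    def delete(self, acl_id):
        self.rules = [r for r in self.rules if r["id"] != acl_id]
        self.ids.discard(acl_id)

    def lookup(self, in_port, policies):
        """Return (acl_id, action) of the first rule in entry order whose
        ingress covers in_port, or None. policies maps 'policyN' to the
        set of ports assigned with the policy command."""
        for r in self.rules:
            ing = r["ingress"]
            if ing == "any":
                hit = True
            elif isinstance(ing, str) and ing.startswith("policy"):
                hit = in_port in policies.get(ing, set())
            else:
                hit = in_port in ing
            if hit:
                return r["id"], r["action"]
        return None


if __name__ == "__main__":
    # Constructed scenario mirroring the manual's note: ID 5 entered first.
    table = AclTable()
    policies = {"policy8": parse_port_list("1-4, 10-15, 18, 19")}
    table.add(5, "policy8", "deny")
    table.add(3, "any", "permit")
    print(table.lookup(12, policies))  # rule 5 wins although 3 < 5
```

When reviewing a configuration, walking the table in entry order (as `lookup` does) rather than sorted by ID is what reveals shadowed rules: a broad `permit` entered early silently neutralises narrower `deny` rules added later with lower IDs.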

Prompt: SWH(config-acl_ACL ID)#

Edit details of an ACL configuration rule. To modify an existing ACL rule, enter acl <ACL ID> after SWH(config)#. For example, enter SWH(config)# acl 110 to modify the details of the ACL 110 rule.

action <permit | deny>

To permit or deny an ACL configuration rule.

frame-type etype <source_mac> <dest_mac> <ether_type>

Configure the Ethernet frame type settings.

<source_mac>: Specify “Any” to apply ACL rule to any source MAC addresses. Or, enter the specific source MAC address.

<dest_mac>: Specify “Any” to apply the ACL rule to any destination MAC address. Specify “uc” to apply the ACL rule to unicast traffic, “mc” to multicast traffic, or “bc” to broadcast traffic. Or, enter the specific destination MAC address.

<ether_type>: Specify “Any” to apply ACL rule to any Ether types. Or, enter the specific Ether Type.

For example:

SWH(config-acl_1)# frame-type etype any bc any

frame-type arp <source_mac> <dmac_type> <type> <opcode> <source_ip> <dest_ip> <arp_smac_match> <rarp_dmac_match> <ip/ethernet_length_check> <ip> <ethernet>

Configure the ARP frame type settings.

<source_mac>: Specify “Any” to apply ACL rule to any source MAC addresses. Or, enter the specific source MAC address.

<dmac_type>: Specify “Any” to apply ACL rule to any destination MAC addresses. Or, specify “uc” to apply ACL rule to unicast traffic; “mc” to apply ACL rule to multicast traffic; “bc” to apply ACL rule to broadcast traffic.

<type>: Specify “any”, “arp”, “rarp”, or “other”.

<opcode>: Specify “any” to apply ACL rule to both reply and request frames; “reply” to denote reply frames; “request” to denote request frames.

<source_ip>: This is sender IP filtering function. Specify “any” to filter frames from any sender IP addresses. Or, specify either a host IP address or a network address and subnet mask.

<dest_ip>: This is the target IP filtering function. Specify “any” to filter frames to any target IP address. Or, specify either a host IP address or a network address and subnet mask.

<arp_smac_match>: This is to configure whether ARP source MAC sent and received are matched or not. Specify “any” to denote both a match and not a match; “0” to denote not a match; “1” to denote a match.

<rarp_dmac_match>: This is to configure whether RARP destination MAC sent and received are matched or not. Specify “any” to denote both a match and not a match; “0” to denote not a match; “1” to denote a match.

<ip/ethernet_length_check>: Specify “0” to indicate that the HLN (Hardware Address Length) field in the ARP/RARP frame is not equal to Ethernet (0x6) and the Protocol Address Length field is not equal to IPv4 (0x4). Specify “1” to indicate that the HLN field is equal to Ethernet (0x6) and the Protocol Address Length field is equal to IPv4 (0x4). Specify “Any” to indicate both a match and not a match.

<ip>: Specify “0” to indicate that the Protocol Address Space field in the ARP/RARP frame is not equal to IP (0x800). Specify “1” to indicate that the Protocol Address Space is equal to IP (0x800). Specify “Any” to indicate both a match and not a match.

<ethernet>: Specify “0” to indicate that the Hardware Address Space field in the ARP/RARP frame is not equal to Ethernet (1). Specify “1” to indicate that the Hardware Address Space field is equal to Ethernet (1). Specify “Any” to indicate both a match and not a match.

frame-type ipv4 <dmac_type> <protocol_id> <source_ip> <dest_ip> <ip_ttl> <ip_fragment> <ip_option>

Configure the IPv4 frame type settings.

<dmac_type>: Specify “Any” to apply ACL rule to any destination MAC addresses. Or, specify “uc” to apply ACL rule to unicast traffic; “mc” to apply ACL rule to multicast traffic; “bc” to apply ACL rule to broadcast traffic.

<protocol_id>: This parameter filters on the protocol number carried in the protocol field of the IPv4 header. Specify “any” to match any protocol, or “1-255” to match a specific defined protocol.

NOTE: If you want to configure ICMP, UDP, or TCP frame type settings, use the commands and parameters specific to those frame types (see below). Otherwise, the additional values specific to ICMP, UDP, or TCP are set to “any”.

<source_ip>: This is source IP filtering function. Specify “any” to filter frames from any sender IP addresses. Or, specify either a host IP address or a network address and subnet mask.

<dest_ip>: This is the target IP filtering function. Specify “any” to filter frames to any target IP address. Or, specify either a host IP address or a network address and subnet mask.

<ip_ttl>: Specify “0” to indicate that the TTL field in IPv4 header is 0. If the value in TTL field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either zero or not zero.

<ip_fragment>: Specify “0” to indicate that the fragment field in the IPv4 header is 0. If the value in the fragment field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either 0 or not 0.

<ip_option>: Specify “1” to indicate that the IPv4 header is bigger than 5 bytes; “0” to indicate that the IPv4 header is 5 bytes. Specify “any” to denote the value which is either 0 or not 0.

frame-type icmp <dmac_type> <icmp_type> <icmp_code> <source_ip> <dest_ip> <ip_ttl> <ip_fragment> <ip_option>

Configure the ICMP frame type settings.

<dmac_type>: Specify “Any” to denote any destination MAC address. Or, specify “uc” to denote unicast traffic, “mc” to denote multicast traffic, or “bc” to denote broadcast traffic.

<icmp_type>: This parameter filters on the ICMP type carried in the type field of the ICMP header. Specify “any” to match any type, or “0-255” to match a specific defined type.

<icmp_code>: This parameter filters on the ICMP code carried in the code field of the ICMP header. Specify “any” to match any code, or “0-255” to match a specific defined code.

<source_ip>: This is source IP filtering function. Specify “any” to filter frames from any sender IP addresses. Or, specify either a host IP address or a network address and subnet mask.

<dest_ip>: This is the target IP filtering function. Specify “any” to filter frames to any target IP address. Or, specify either a host IP address or a network address and subnet mask.

<ip_ttl>: Specify “0” to indicate that the TTL field in IPv4 header is 0. If the value in TTL field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either zero or not zero.

<ip_fragment>: Specify “0” to indicate that the fragment field in the IPv4 header is 0. If the value in the fragment field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either 0 or not 0.

<ip_option>: Specify “1” to indicate that the IPv4 header is bigger than 5 bytes; “0” to indicate that the IPv4 header is 5 bytes. Specify “any” to denote the value which is either 0 or not 0.

frame-type udp <dmac_type> <source_port> <dest_port> <source_ip> <dest_ip> <ip_ttl> <ip_fragment> <ip_option>

Configure the UDP frame type settings.

<dmac_type>: Specify “Any” to denote any destination MAC address. Or, specify “uc” to denote unicast traffic, “mc” to denote multicast traffic, or “bc” to denote broadcast traffic.

<source_port>: Specify “Any” to filter frames from any source port. To filter a specific source port, specify a source port number from 0 to 65535. To filter a range of port numbers, specify a source port range (from 0 to 65535).

<dest_port>: Specify “Any” to filter frames to any destination port. To filter a specific destination port, specify a destination port number from 0 to 65535. To filter a range of port numbers, specify a destination port range (from 0 to 65535).

<source_ip>: This is source IP filtering function. Specify “any” to filter frames from any sender IP addresses. Or, specify either a host IP address or a network address and subnet mask.

<dest_ip>: This is the target IP filtering function. Specify “any” to filter frames to any target IP address. Or, specify either a host IP address or a network address and subnet mask.

<ip_ttl>: Specify “0” to indicate that the TTL field in the IPv4 header is 0. If the value in the TTL field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either zero or not zero.

<ip_fragment>: Specify “0” to indicate that the fragment field in the IPv4 header is 0. If the value in the fragment field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either 0 or not 0.

<ip_option>: Specify “1” to indicate that the IPv4 header is bigger than 5 bytes; “0” to indicate that the IPv4 header is 5 bytes. Specify “any” to denote the value which is either 0 or not 0.

frame-type tcp <dmac_type> <source_port> <dest_port> <source_ip> <dest_ip> <ip_ttl> <ip_fragment> <ip_option> <tcp_fin> <tcp_syn> <tcp_rst> <tcp_psh> <tcp_ack> <tcp_urg>

Configure the TCP frame type settings.

<dmac_type>: Specify “Any” to denote any destination MAC address. Or, specify “uc” to denote unicast traffic, “mc” to denote multicast traffic, or “bc” to denote broadcast traffic.

<source_port>: Specify “Any” to filter frames from any source port. To filter a specific source port, specify a source port number from 0 to 65535. To filter a range of port numbers, specify a source port range (from 0 to 65535).

<dest_port>: Specify “Any” to filter frames to any destination port. To filter a specific destination port, specify a destination port number from 0 to 65535. To filter a range of port numbers, specify a destination port range (from 0 to 65535).

<source_ip>: This is source IP filtering function. Specify “any” to filter frames from any sender IP addresses. Or, specify either a host IP address or a network address and subnet mask.

<dest_ip>: This is the target IP filtering function. Specify “any” to filter frames to any target IP address. Or, specify either a host IP address or a network address and subnet mask.

<ip_ttl>: Specify “0” to indicate that the TTL field in IPv4 header is 0. If the value in TTL field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either zero or not zero.

<ip_fragment>: Specify “0” to indicate that the fragment field in the IPv4 header is 0. If the value in the fragment field is not 0, use “1” to indicate that. You can also specify “any” to denote the value which is either 0 or not 0.

<ip_option>: Specify “1” to indicate that the IPv4 header is bigger than 5 bytes; “0” to indicate that the IPv4 header is 5 bytes. Specify “any” to denote the value which is either 0 or not 0.

<tcp_fin>: Specify “0” to indicate that the FIN value in the TCP header is zero; “1” to indicate that the FIN value is one. Specify “any” to indicate that the value is either 1 or 0.

<tcp_syn>: Specify “0” to indicate that the SYN value in the TCP header is zero; “1” to indicate that the SYN value is one. Specify “any” to indicate that the value is either 1 or 0.

<tcp_rst>: Specify “0” to indicate that the RST value in the TCP header is zero; “1” to indicate that the RST value is one. Specify “any” to indicate that the value is either 1 or 0.

<tcp_psh>: Specify “0” to indicate that the PSH value in the TCP header is zero; “1” to indicate that the PSH value is one. Specify “any” to indicate that the value is either 1 or 0.

<tcp_ack>: Specify “0” to indicate that the ACK value in the TCP header is zero; “1” to indicate that the ACK value is one. Specify “any” to indicate that the value is either 1 or 0.

<tcp_urg>: Specify “0” to indicate that the URG value in the TCP header is zero; “1” to indicate that the URG value is one. Specify “any” to indicate that the value is either 1 or 0.
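Every TCP, UDP and ICMP field above is a three-way match: “any” matches everything, otherwise the packet's value (a flag bit, a port or port range, a host or network address) must match exactly. The following Python matcher (an added example, not the vendor's firmware) evaluates one `frame-type tcp` rule against a decoded header using the manual's parameter names, so that the effect of combining, say, `tcp_syn 1` with `tcp_ack 0` can be checked before the rule is applied. The rule and packet dictionary layouts, and the acceptance of both prefix and dotted-mask network notation, are assumptions made for this example.

```python
"""Three-way field matcher for a frame-type tcp ACL rule (added example).
Assumption: 'any' matches everything; '0'/'1' flag specs, '443' or
'1024-65535' port specs, and host or network IP specs must match exactly."""
import ipaddress


def match_flag(spec, value):
    """spec is 'any', '0' or '1'; value is the header bit (truthy = 1)."""
    if spec == "any":
        return True
    return int(spec) == (1 if value else 0)


def match_port(spec, port):
    """spec is 'any', a single port such as '23', or a range '1024-65535'."""
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def match_ip(spec, addr):
    """spec is 'any', a host '10.0.0.5', or a network given either as
    '10.0.0.0/24' or as 'address mask' ('10.0.0.0 255.255.255.0')."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.replace(" ", "/"), strict=False)
    return ipaddress.ip_address(addr) in net


def match_tcp_rule(rule, pkt):
    """rule: dict of manual parameter name -> spec string (missing = 'any').
    pkt: dict of decoded header values. Returns True when every field
    matches, i.e. when the rule's action applies to this packet."""
    checks = [
        match_port(rule.get("source_port", "any"), pkt["sport"]),
        match_port(rule.get("dest_port", "any"), pkt["dport"]),
        match_ip(rule.get("source_ip", "any"), pkt["src"]),
        match_ip(rule.get("dest_ip", "any"), pkt["dst"]),
        # ip_ttl: '0' means TTL is 0, '1' means TTL is not 0
        match_flag(rule.get("ip_ttl", "any"), pkt["ttl"] != 0),
        # ip_fragment: '0' means the fragment field is 0, '1' means not 0
        match_flag(rule.get("ip_fragment", "any"), pkt["frag"] != 0),
        # ip_option: '1' means the header is longer than the minimum (IHL > 5)
        match_flag(rule.get("ip_option", "any"), pkt["ihl"] > 5),
    ]
    for flag in ("fin", "syn", "rst", "psh", "ack", "urg"):
        spec = rule.get("tcp_" + flag, "any")
        checks.append(match_flag(spec, pkt["flags"].get(flag, 0)))
    return all(checks)


if __name__ == "__main__":
    # Constructed rule: match new connection attempts (SYN without ACK)
    # to port 23 on the 10.0.0.0/24 segment, e.g. to deny inbound telnet.
    rule = {"dest_port": "23", "dest_ip": "10.0.0.0/24",
            "tcp_syn": "1", "tcp_ack": "0"}
    syn = {"sport": 40000, "dport": 23, "src": "192.0.2.7", "dst": "10.0.0.9",
           "ttl": 64, "frag": 0, "ihl": 5, "flags": {"syn": 1}}
    print(match_tcp_rule(rule, syn))                          # True
    print(match_tcp_rule(rule, dict(syn, flags={"syn": 1, "ack": 1})))  # False
```

Note that a flag spec of “1” on SYN together with “0” on ACK isolates the opening segment of a handshake, whereas leaving ACK at “any” would also catch SYN/ACK replies travelling the other way; running candidate packets through a matcher like this is a cheap way to confirm which case a rule really covers.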

in-port <any | policy1-8 | port1-24>

Configure the Ingress port.

<any | policy1-8 | port1-24>: Specify “any”, “policy1-8”, or “port1-24” to indicate which ports are the ingress ports.

port-copy <disable | 1-24>

Send a copy of packets to the specified ports.

<disable | 1-24>: Disable the port copy function or specify which port(s) will receive a copy of the packets.

rate-lim <disable | 1-14>

Configure the rate-limiter function.

<disable | 1-14>: Disable the rate limiter function or specify a rate limiter ID.

shutdown <enable | disable>

To enable or disable the shutdown function. If enabled, the interface will be disabled.

vid <any | 1-4094>

Configure the VLAN ID filter function.

<any | 1-4094>: Specify “any” to indicate that any VLAN ID applies to this ACL rule, or specify an existing VLAN ID.

tag-prio <any | 0-7>

Configure the tag priority for this ACL rule.

<any | 0-7>: Specify “any” to indicate that any tag priority applies to this ACL rule, or specify a tag priority from 0 to 7.