slot <SLOT> access-list mode
This command sets the ACL operation mode for line boards.
Filtering is performed for received traffic for the specified interface.
Syntax
slot <SLOT> access-list mode <MODE>
Parameters
<SLOT> – PLC8 module number, may take values (0..15). You may specify a list of numbers separated by commas ( , ) or a range using a hyphen ( - );
<MODE> – filtering list type:
- whitelist – packets that meet the ACL rules are transmitted;
- blacklist – packets that meet the ACL rules are discarded.
Command mode
CONFIG
Example
ma4000(config)# slot 13 access-list mode whitelist
slot <SLOT> access-list create
This command creates a new ACL for PLC line cards.
Syntax
slot <SLOT> access-list create <NAME>
Parameters
<SLOT> – PLC8 module number, may take values (0..15). You may specify a list of numbers separated by commas ( , ) or a range using a hyphen ( - );
<NAME> – ACL name, specified as a string of up to 32 characters.
Command mode
CONFIG
Example
ma4000(config)# slot 13 access-list create test
slot <SLOT> access-list delete
This command removes the ACL by its name.
Syntax
slot <SLOT> access-list delete <NAME>
Parameters
<SLOT> – PLC8 module number, may take values (0..15). You may specify a list of numbers separated by commas ( , ) or a range using a hyphen ( - );
<NAME> – ACL name, specified as a string of up to 32 characters.
Command mode
CONFIG
Example
ma4000(config)# slot 13 access-list delete test
slot <SLOT> access-list bind
This command assigns the ACL to certain interfaces.
Syntax
slot <SLOT> access-list bind <INTERFACE> <RANGE> <NAME>
Parameters
<SLOT> – PLC8 module number, may take values (0..15). You may specify a list of numbers separated by commas ( , ) or a range using a hyphen ( - );
<INTERFACE> – interface type: plc-front-port; plc-pon-port; plc-slot-channel. The description of interfaces is given in Table 4.1.
<RANGE> – interface number. The range of values and numbering rules are described in Table 4.1.
<NAME> – ACL name, specified as a string of up to 32 characters.
Command mode
CONFIG
Example
ma4000(config)# slot 13 access-list bind plc-front-port 0/0 test
slot <SLOT> access-list unbind
This command removes the binding of the ACL to the specified interfaces.
Syntax
slot <SLOT> access-list unbind <INTERFACE> <RANGE> <NAME>
Parameters
<SLOT> – PLC8 module number, may take values (0..15). You may specify a list of numbers separated by commas ( , ) or a range using a hyphen ( - );
<INTERFACE> – interface type: plc-front-port; plc-pon-port; plc-slot-channel. The description of interfaces is given in Table 4.1.
<RANGE> – interface number. The range of values and numbering rules are described in Table 4.1.
<NAME> – ACL name, specified as a string of up to 32 characters.
Command mode
CONFIG
Example
ma4000(config)# slot 13 access-list unbind plc-front-port 0/0
slot <SLOT> access-list filter
This command sets (add) or removes (del) a packet filtering rule by one of the parameters for a certain ACL.
Syntax
slot <SLOT> access-list filter [add|del] <TYPE> <VALUE> <NAME>
Parameters
<SLOT> – PLC8 module number, may take values (0..15). You may specify a list of numbers separated by commas ( , ) or a range using a hyphen ( - );
<TYPE> – filtering method:
- mac-sa – packet filtering is performed by the MAC address of the sender, the MAC address is specified as XX:XX:XX:XX:XX:XX, where each part takes the value 00-FF;
- mac-da – packet filtering is performed by the MAC address of the recipient, the MAC address is specified as XX:XX:XX:XX:XX:XX, where each part takes the value 00-FF;
- l2-protocol – packet selection is performed by ethertype, specified in 0xXXXX format;
- ip-protocol – packet filtering is performed by the L4 protocol carried in IPv4/IPv6, specified in 0xXX format;
- ip-sa – packet filtering is performed by the IP address of the sender, the IPv4 address is specified as AAA.BBB.CCC.DDD, where each part takes values 0-255;
- ip-da – packet filtering is performed by the IP address of the recipient, the IPv4 address is specified as AAA.BBB.CCC.DDD, where each part takes values 0-255;
- ip-sa – packet filtering is performed by the IP address of the sender, the IPv6 address is specified as XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX, where each part takes values 0-FFFF;
- ip-da – packet filtering is performed by the IP address of the recipient, the IPv6 address is specified as XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX, where each part takes values 0-FFFF;
- tcp-sport – packet filtering is performed by the number of the TCP port of the sender, the port is specified in 0xXXXX format;
- tcp-dport – packet filtering is performed by the number of the TCP port of the recipient, the port is specified in 0xXXXX format;
- udp-sport – packet filtering is performed by the number of the UDP port of the sender, the port is specified in 0xXXXX format;
- udp-dport – packet filtering is performed by the number of the UDP port of the recipient, the port is specified in 0xXXXX format.
<VALUE> – filter value;
<NAME> – filter name.
Command mode
CONFIG
Example
ma4000(config)# slot 13 access-list filter add ip-sa 192.168.2.2 test
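The filter values above use several notations (ports and protocols in hexadecimal, IPv6 written out in full), so a rule set is easy to mistype. The following Python helper is an added example, not part of the original manual or the device software: it validates a rule list and renders the CONFIG-mode commands documented in this section. The zero-padding, upper-case hex digits, six-octet MAC addresses and the order of the emitted commands are assumptions of this example.

```python
import ipaddress
import re

INTERFACES = ("plc-front-port", "plc-pon-port", "plc-slot-channel")
# Number of hex digits for the numeric filter types listed above.
HEX_WIDTH = {"l2-protocol": 4, "ip-protocol": 2,
             "tcp-sport": 4, "tcp-dport": 4, "udp-sport": 4, "udp-dport": 4}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def format_value(ftype, value):
    """Return <VALUE> in the notation the filter type expects, or raise ValueError."""
    if ftype in HEX_WIDTH:
        width = HEX_WIDTH[ftype]
        number = int(value)          # callers pass decimal, e.g. 443
        if not 0 <= number < 16 ** width:
            raise ValueError(f"{ftype}: {value} does not fit 0x{'X' * width}")
        return f"0x{number:0{width}X}"
    if ftype in ("ip-sa", "ip-da"):
        addr = ipaddress.ip_address(value)   # raises ValueError on bad input
        # IPv6 is written out as eight full groups, as in the parameter list.
        return addr.exploded.upper() if addr.version == 6 else str(addr)
    if ftype in ("mac-sa", "mac-da"):
        if not MAC_RE.match(value):
            raise ValueError(f"{ftype}: bad MAC address {value!r}")
        return value.upper()
    raise ValueError(f"unknown filter type {ftype!r}")


def build_acl(slot, name, mode, rules, interface, port):
    """Render the command sequence for one ACL on one slot (order is assumed)."""
    if not 0 <= slot <= 15:
        raise ValueError("slot must be in 0..15")
    if not 1 <= len(name) <= 32:
        raise ValueError("ACL name must be 1..32 characters")
    if mode not in ("whitelist", "blacklist") or interface not in INTERFACES:
        raise ValueError("unknown mode or interface type")
    prefix = f"slot {slot} access-list"
    cmds = [f"{prefix} mode {mode}", f"{prefix} create {name}"]
    # Every rule is validated here, before any command is returned.
    cmds += [f"{prefix} filter add {t} {format_value(t, v)} {name}" for t, v in rules]
    cmds.append(f"{prefix} bind {interface} {port} {name}")
    return cmds


if __name__ == "__main__":
    # Constructed sample rule set, reusing the slot and ACL name from the examples.
    sample = [("ip-sa", "192.168.2.2"), ("tcp-dport", 443), ("l2-protocol", 0x0806)]
    print("\n".join(build_acl(13, "test", "whitelist", sample, "plc-front-port", "0/0")))
```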
show slot <SLOT> access-list
This command is used to view access control lists on a PLC8 line card.
Syntax
show slot <SLOT> access-list
Parameters
<SLOT> – PLC8 module number, may take values (0..15). You may specify a list of numbers separated by commas ( , ) or a range using a hyphen ( - ).
Command mode
ROOT
Example
ma4000# show slot 6 access-list
Global mode: blacklist