D-Link DES-3326S Layer 3 Switch CLI Reference
Command Parameters
ethernet_type <hex 0x0-0xffff> } |
ip { vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> |
dscp <value 0-63> | [ icmp { type <value 0-255> code <value 0-255> } |
igmp { type <value 0-255> } | tcp { src_port <value 0-65535> |
dst_port <value 0-65535> | flag [ all | { urg | ack | psh | rst | syn | fin } ] } |
udp { src_port <value 0-65535> | dst_port <value 0-65535> } |
protocol_id <value 0-255> { user_define <hex 0x0-0xffffffff> } ] } ]
[ permit | deny ] | delete access_id <value 1-255> ]
enable cpu_interface_filtering
show cpu access_profile profile_id <value 1-255>
delete cpu access_profile profile_id <value 1-255>
disable cpu_interface_filtering
The Switch allows you to establish criteria that determine whether or not it will forward packets, based on the
information contained in each packet’s header. This system of packet filtering, known as an Access Control List
or ACL, is intended to limit network traffic or restrict access to specific devices, users or protocols. The ACL is
composed of rule-based profiles configured to permit or deny ingress packets based on a sequential set of
conditions. The conditions are used to test each packet in the established order of priority. A positive match
(condition match) immediately stops the testing sequence and applies the specified action (permit, deny or
replace content). An ACL may be implemented system-wide, or port-based access control can restrict ingress
based on source or destination MAC or IP address, or TCP/UDP port.
The ACL includes two basic parts: a mask, and a rule or set of rules. Setting up an access profile is therefore
divided into two steps: create the profile (mask), then configure the conditions for the profile (rule). The
parameters that define an access profile are the Profile ID, the Access ID, the content of the filter rule (i.e. the
match conditions) and the action taken (permit, deny or replace priority tag/DSCP).
The Profile ID is especially important, as it establishes the order in which the match conditions are used for packet
examination. Conditions are tested in sequence according to the Profile ID of the rule; the first match stops the
testing and applies the action specified. If no conditions match, no action is taken.
Creating the mask (create access_profile) imposes broad but limited criteria used for filtering, whereas the rules
(config access_profile) may be numerous and very specific. Hardware limitations restrict the number of profiles
that may be created (see below).
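The evaluation order described above (profiles walked by Profile ID, rules walked by Access ID, first match stops, no match means no action) and the mask-then-compare step the manual illustrates next with source_ip_mask 255.255.255.0 can be modelled in a few lines. The following is an added illustration written for this reference, not code from D-Link or the switch firmware; the Profile and Rule classes, the example_acl configuration and the assumption that the rule's source_ip is masked the same way as the packet's source address are all constructed for the example.

```python
# Added illustration (not D-Link firmware code): a small model of the
# profile/rule evaluation order the manual describes.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One rule inside a profile (hypothetical model of config access_profile)."""
    access_id: int
    source_ip: str   # value compared against the masked packet source address
    action: str      # "permit" or "deny"


@dataclass
class Profile:
    """One access profile (hypothetical model of create access_profile)."""
    profile_id: int
    source_ip_mask: str
    rules: List[Rule] = field(default_factory=list)


def masked(addr: str, mask: str) -> int:
    """Logical AND of an IPv4 address with a dotted-decimal mask, as an int."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


def rule_matches(profile: Profile, rule: Rule, src_ip: str) -> bool:
    # Assumption: the rule's source_ip is masked the same way as the packet's,
    # so only the bits kept by the profile mask are compared.
    mask = profile.source_ip_mask
    return masked(src_ip, mask) == masked(rule.source_ip, mask)


def evaluate(profiles: List[Profile], src_ip: str) -> Optional[Tuple[int, int, str]]:
    """Walk profiles in profile_id order and rules in access_id order; the
    first match stops the search. Returns (profile_id, access_id, action),
    or None when nothing matched (no action is taken)."""
    for profile in sorted(profiles, key=lambda p: p.profile_id):
        for rule in sorted(profile.rules, key=lambda r: r.access_id):
            if rule_matches(profile, rule, src_ip):
                return (profile.profile_id, rule.access_id, rule.action)
    return None


def example_acl() -> List[Profile]:
    """Constructed sample configuration (not the manual's own listing):
    profile 1 uses a host mask to permit one management host, profile 2
    mirrors the manual's example and denies the whole 10.42.73.0/24 subnet."""
    host_profile = Profile(1, "255.255.255.255",
                           [Rule(1, "10.42.73.5", "permit")])
    subnet_profile = Profile(2, "255.255.255.0",
                             [Rule(1, "10.42.73.0", "deny")])
    return [host_profile, subnet_profile]


if __name__ == "__main__":
    acl = example_acl()
    for src in ("10.42.73.5", "10.42.73.200", "10.42.74.1"):
        print(src, "->", evaluate(acl, src))
```

Running the block shows why Profile ID order matters: 10.42.73.5 is permitted by profile 1 before profile 2's subnet deny is ever consulted, 10.42.73.200 falls through to profile 2 and is denied, and 10.42.74.1 matches nothing, so no action is taken. Swapping the two profile IDs would deny the management host as well, which is the kind of ordering mistake worth checking with show access_profile before relying on an ACL.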
We can illustrate an ACL with a simple example:
First an access profile is created using the create access_profile command. For example, if you want to deny all
traffic to the subnet 10.42.73.0 to 10.42.73.255, you must first create an access profile that instructs the Switch
to examine all of the relevant fields of each frame.
First, create an access profile that uses IP addresses as the criteria for examination:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the IP field of each frame received by the Switch.
Each source IP address the Switch finds will be combined with the source_ip_mask with a logical AND
operation. The profile_id parameter is used to give the access profile an identifying number − in this case, 1 –