D-Link DES-3326S Layer 3 Switch CLI Reference
and it is used to assign a priority in case a conflict occurs. The profile_id establishes a priority within the list of
profiles. A lower profile_id gives the rule a higher priority. In case of a conflict in the rules entered for
different profiles, the rule with the highest priority (lowest profile_id) will take precedence. See below for
information regarding limitations on access profiles and access rules.
The deny parameter instructs the Switch to filter any frames that meet the criteria; in this case, a frame is filtered
when the logical AND of its source IP address and the ip_source_mask equals the address specified in the next step.
The default for an access profile on the Switch is to permit traffic flow. If you want to restrict traffic, you must
use the deny parameter.
Now that an access profile has been created, we add the criteria the Switch will use to decide if a given frame
should be forwarded or filtered. We will use the config access_profile command to create a new rule that
defines the criteria we want. Let’s specify in the new rule to deny access to a range of IP addresses. Here, we
want to filter any packets that have an IP source address between 10.42.73.0 and 10.42.73.255:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 deny
We use the profile_id 1 which was specified when the access profile was created. The add parameter instructs
the Switch to add the criteria that follows to the list of rules that are associated with access profile 1. For each
rule entered into the access profile, you can assign an access_id that identifies the rule within the list of rules.
The access_id is an index number only and does not affect priority within the profile_id. This access_id may be
used later if you want to remove the individual rule from the profile.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each
frame’s header. source_ip tells the Switch that this rule will apply to the source IP addresses in each frame’s
header. The IP address 10.42.73.1 will be combined with the source_ip_mask 255.255.255.0 (specified in the
create access_profile command) to give the network address 10.42.73.0, so the rule matches any source IP address
from 10.42.73.0 to 10.42.73.255.
Due to a chipset limitation, the Switch supports a maximum of 10 access profiles. The rules used to define the
access profiles are limited to a total of 50 rules for the Switch.
In the example used above (config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 deny) a
single access rule was created. This rule will subtract one rule from the total available rules.
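The profile and rule semantics described above, modelled as an added example (not part of the manual): the rule address is ANDed with the profile's source_ip_mask, profiles are evaluated from lowest profile_id upward so the lowest profile_id wins a conflict, access_id carries no priority, the default with no match is permit, and the 10-profile / 50-rule limits are enforced. The first-match-within-a-profile behaviour is an assumption, since the page does not describe intra-profile ordering.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_PROFILES = 10      # chipset limit stated on the page
MAX_RULES_TOTAL = 50   # total rules across all profiles, also from the page

@dataclass
class Rule:
    access_id: int     # index only; does not affect priority
    source_ip: str
    deny: bool

@dataclass
class Profile:
    profile_id: int    # lower value = higher priority
    source_ip_mask: str
    rules: list = field(default_factory=list)

class AccessControlList:
    """Constructed model of the DES-3326S profile/rule semantics described on the page."""

    def __init__(self):
        self.profiles = {}

    def create_access_profile(self, profile_id, source_ip_mask):
        if len(self.profiles) >= MAX_PROFILES:
            raise ValueError("Switch supports a maximum of 10 access profiles")
        self.profiles[profile_id] = Profile(profile_id, source_ip_mask)

    def config_access_profile(self, profile_id, access_id, source_ip, deny):
        if sum(len(p.rules) for p in self.profiles.values()) >= MAX_RULES_TOTAL:
            raise ValueError("Switch supports a total of 50 access rules")
        self.profiles[profile_id].rules.append(Rule(access_id, source_ip, deny))

    def decide(self, packet_source_ip):
        """Return 'deny' or 'permit' for a frame with this source IP.
        Profiles are checked in ascending profile_id order, so on a conflict the
        lowest profile_id wins. Within one profile the first matching rule is
        used (assumption). With no match at all the default is permit."""
        pkt = int(ipaddress.IPv4Address(packet_source_ip))
        for profile in sorted(self.profiles.values(), key=lambda p: p.profile_id):
            mask = int(ipaddress.IPv4Address(profile.source_ip_mask))
            for rule in profile.rules:
                # rule address ANDed with the profile mask, as the page describes
                if pkt & mask == int(ipaddress.IPv4Address(rule.source_ip)) & mask:
                    return "deny" if rule.deny else "permit"
        return "permit"
```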
It must be noted that there are specific circumstances under which the ACL cannot filter a packet even when
there is a condition match that should deny forwarding. This is a limitation that may arise if:
• the destination MAC is the same as the Switch (system) MAC
• a packet is directed to the system IP interface, such as multicast IP packets, or the hardware IP routing table
is full and the Switch software routes the packet according to the routing protocol.
In order to address this functional limitation of the chipset, an additional function, CPU Interface Filtering,
has been added. CPU Interface Filtering may be globally enabled or disabled. Setting up CPU Interface Filtering
follows the same syntax as ACL configuration and requires some of the same input parameters. To configure
CPU Interface Filtering, see the descriptions below for create cpu access_profile and config cpu
access_profile. To enable CPU Interface Filtering, see enable cpu_interface_filtering.
The Switch supports up to 5 CPU access profiles, with up to 5 rules for each profile.