
D-Link xStack DES-3526 User Manual

D-Link xStack DES-3526
222 pages
DES-3526 / DES-3526DC Layer 2 Fast Ethernet Switch CLI Reference Manual
The profile_id establishes a priority within the list of profiles. A lower profile_id gives the rule a higher priority. In case of a
conflict in the rules entered for different profiles, the rule with the highest priority (lowest profile_id) will take precedence. See
below for information regarding limitations on access profiles and access rules.
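The deny parameter instructs the Switch to filter any frames that meet the criteria. In this case, a frame meets the criteria when
the result of a logical AND operation between the source_ip_mask and the frame's source IP address matches the result of the
same operation on the IP address specified in the next step.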
The default for an access profile on the Switch is to permit traffic flow. If you want to restrict traffic, you must use the deny
parameter.
Now that an access profile has been created, you must add the criteria the Switch will use to decide if a given frame should be
forwarded or filtered. We will use the config access_profile command to create a new rule that defines the criteria we want. In
the new rule, we deny access to a range of IP addresses through an individual port. Here, we want to filter any packets that
have an IP source address between 10.42.73.0 and 10.42.73.255, and specify the port that will not be allowed:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 7 deny
We use profile_id 1, which was specified when the access profile was created. The add parameter instructs the Switch to add
the criteria that follow to the list of rules associated with access profile 1. For each rule entered into the access profile,
you can assign an access_id that identifies the rule within the list of rules. The access_id is an index number only and does not
affect priority within the profile_id. This access_id may be used later if you want to remove the individual rule from the profile.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame’s header.
source_ip tells the Switch that this rule will apply to the source IP addresses in each frame’s header. The IP address 10.42.73.1
will be combined with the source_ip_mask 255.255.255.0 to give the IP address 10.42.73.0, which matches any source IP address
between 10.42.73.0 and 10.42.73.255. Finally, the restricted port (port number 7) is specified.
Due to a chipset limitation, the Switch supports a maximum of 9 access profiles. The rules used to define the access profiles are
limited to a total of 800 rules for the Switch.
There is an additional limitation on how the rules are distributed among the Fast Ethernet and Gigabit Ethernet ports. This
limitation is described as follows: Fast Ethernet ports are limited to 200 rules for each of the three sequential groups of eight ports.
That is, 200 ACL profile rules may be configured for ports 1 to 8. Likewise, 200 rules may be configured for ports 9 to 16, and
another 200 rules for ports 17 to 24. Up to 100 rules may be configured for each Gigabit Ethernet port. The table below provides a
summary of the maximum ACL profile rule limits.
Port Numbers    Maximum ACL Profile Rules per Port Group
1 - 8           200
9 - 16          200
17 - 24         200
25 (Gigabit)    100
26 (Gigabit)    100
Total Rules     800
It is important to keep this in mind when setting up VLANs as well. Access rules applied to a VLAN require that a rule be created
for each port in the VLAN. For example, let’s say VLAN10 contains ports 2, 11 and 12. If you create an access profile
specifically for VLAN10, you must create a separate rule for each port. Now take into account the rule limit. The rule limit applies
to both port groups 1-8 and 9-16, since VLAN10 spans these groups. One fewer rule is available for port group 1-8. Two fewer rules
are available for port group 9-16. In addition, a total of three rules count against the 800-rule Switch limit.
In the example used above (config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 7 deny), a single
access rule was created. This rule subtracts one from the rules available for port group 1 - 8, as well as one from the total
available rules.
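
The following is an added example, not part of the D-Link manual: a short Python check that applies the mask comparison and the per-port-group rule limits described above to a planned set of rules before they are entered on the Switch. The function names, the tuple layout and the second profile in the sample plan are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Limits copied from the manual's table: port group -> maximum rules.
GROUP_LIMITS = {(1, 8): 200, (9, 16): 200, (17, 24): 200, (25, 25): 100, (26, 26): 100}
TOTAL_LIMIT = 800
MAX_PROFILES = 9

def matches(src_ip, rule_ip, mask):
    """(src_ip AND mask) == (rule_ip AND mask): the comparison the manual describes."""
    as_int = lambda a: int(ipaddress.IPv4Address(a))
    return (as_int(src_ip) & as_int(mask)) == (as_int(rule_ip) & as_int(mask))

def group_of(port):
    """Return the port group, as (first_port, last_port), that a port belongs to."""
    for lo, hi in GROUP_LIMITS:
        if lo <= port <= hi:
            return (lo, hi)
    raise ValueError(f"port {port} is outside 1-26")

def check_budget(rules):
    """rules: list of (profile_id, access_id, port); each entry costs one rule.
    Returns (rules used per port group, list of exceeded limits)."""
    used = Counter(group_of(port) for _, _, port in rules)
    problems = [f"ports {lo}-{hi}: {used[(lo, hi)]} > {limit}"
                for (lo, hi), limit in GROUP_LIMITS.items() if used[(lo, hi)] > limit]
    if len({pid for pid, _, _ in rules}) > MAX_PROFILES:
        problems.append(f"more than {MAX_PROFILES} access profiles")
    if len(rules) > TOTAL_LIMIT:
        problems.append(f"total {len(rules)} > {TOTAL_LIMIT}")
    return used, problems

# Constructed plan: the manual's port 7 rule plus a hypothetical profile 2
# applied to VLAN10 (ports 2, 11 and 12), one rule per member port.
PLAN = [(1, 1, 7), (2, 1, 2), (2, 2, 11), (2, 3, 12)]

if __name__ == "__main__":
    used, problems = check_budget(PLAN)
    print(dict(used), problems or "within limits")
    print(matches("10.42.73.200", "10.42.73.1", "255.255.255.0"))
```
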

D-Link xStack DES-3526 Specifications

General
Brand: D-Link
Model: xStack DES-3526
Category: Switch
Language: English
