D-Link DES-3026 Reference Manual - Page 153


DES-3000 Series Layer 2 Switch CLI Reference Manual

20 CPU ACL FILTERING COMMANDS

The DES-30XX implements Access Control Lists for the CPU that enable the Switch to deny specific devices or device groups access to the Switch's own CPU, based on IP settings, MAC address and packet content settings. These lists govern which frames are forwarded to the CPU (the management and protocol-handling plane of the Switch), which is what makes them the place to restrict who may talk to the Switch itself.

Access profiles allow users to establish criteria to determine whether or not the Switch will forward packets to the CPU based on the information contained in each packet's header. These criteria can be specified on a VLAN-by-VLAN basis.

Creating an access profile for the CPU is divided into two basic parts. First, an access profile must be created using the create cpu access_profile command. For example, if users wish to deny all traffic from the subnet 10.42.73.0 to 10.42.73.255, an access profile must be created that instructs the Switch to examine the relevant field of each frame:

create cpu access_profile profile_id 1 ip source_ip_mask 255.255.255.0

Here we have created an access profile that will examine the source IP field of each frame received by the Switch. Each source IP address the Switch finds will be combined with the source_ip_mask using a logical AND. The profile_id parameter gives the access profile an identifying number, in this case 1. Note that the profile only defines which field is examined and how it is masked; the permit or deny decision belongs to the rules added to the profile in the second step. The default for an access profile on the Switch is to permit traffic flow. To restrict traffic, use the deny parameter on a rule.

Now that an access profile has been created, add the criteria the Switch will use to decide if a given frame should be forwarded or filtered. Here, we want to filter any packets that have an IP source address between 10.42.73.0 and 10.42.73.255:

config cpu access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 1 deny

Here we use profile_id 1, which was specified when the access profile was created. The add parameter instructs the Switch to add the criteria that follows to the list of rules associated with access profile 1. For each rule entered into the access profile, users can assign an access_id that both identifies the rule and establishes a priority within the list of rules. A lower access_id gives the rule a higher priority. In case of a conflict between rules in an access profile, the rule with the highest priority (lowest access_id) takes precedence.

The ip parameter instructs the Switch that this new rule applies to the IP addresses contained within each frame's header. source_ip tells the Switch that this rule applies to the source IP address in each frame's header. The port parameter restricts the rule to frames arriving on the listed port, here port 1; frames from the same subnet arriving on other ports are not matched by this rule. Finally, the IP address 10.42.73.1 is combined with the source_ip_mask 255.255.255.0 to give the network address 10.42.73.0, so the rule matches any source IP address between 10.42.73.0 and 10.42.73.255. The deny parameter instructs the Switch to filter any frames that meet these criteria, so they never reach the CPU.

Due to a chipset limitation, the Switch supports a maximum of 3 CPU access profiles, and each profile is limited to a total of 5 rules. Because the mask belongs to the profile, every rule in a profile matches at the same granularity: a single host cannot be singled out inside a profile whose mask is 255.255.255.0, so budget the 3 profiles accordingly.

CPU Filtering may be universally enabled or disabled; profiles and rules take effect only while it is enabled. To configure CPU Interface Filtering, see the descriptions below for create cpu access_profile and config cpu access_profile. To enable CPU Interface Filtering, see config cpu_interface_filtering.

149
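The mask-and-compare step, the access_id precedence and the default-permit behaviour described above can be checked against a small model. The following Python is an added example written for this page, not D-Link code or anything the switch runs; the class and function names (CpuRule, CpuAccessProfile, cpu_interface_filtering, manual_example), the MAX_RULES and MAX_PROFILES constants and the sample frames are this example's own. It does not model how several profiles are ordered against each other, because this page does not say.

```python
"""Model of DES-3000 CPU access-profile matching (added illustration, not D-Link code).

Encodes only what the manual text states: a profile fixes the source_ip_mask,
rules carry source_ip / port / action, the lowest access_id wins a conflict,
the default is permit, and the chipset allows 3 profiles of 5 rules each.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

MAX_PROFILES = 3   # chipset limit per the manual; profile ordering is not modelled here
MAX_RULES = 5      # rules per profile, per the manual


@dataclass
class CpuRule:
    access_id: int    # lower number = higher priority
    source_ip: str    # ANDed with the profile's mask before comparison
    port: int         # ingress port the rule applies to ("port 1" on the page)
    action: str       # "permit" or "deny"


@dataclass
class CpuAccessProfile:
    profile_id: int
    source_ip_mask: str
    rules: List[CpuRule] = field(default_factory=list)

    def add_rule(self, rule: CpuRule) -> None:
        """Equivalent of 'config cpu access_profile ... add access_id ...'; enforces the 5-rule limit."""
        if rule.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"profile {self.profile_id}: at most {MAX_RULES} rules")
        if any(r.access_id == rule.access_id for r in self.rules):
            raise ValueError(f"access_id {rule.access_id} already used in profile {self.profile_id}")
        self.rules.append(rule)

    def masked(self, ip: str) -> str:
        """Logical AND with the profile mask: 10.42.73.1 & 255.255.255.0 -> 10.42.73.0."""
        net = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(self.source_ip_mask))
        return str(ipaddress.IPv4Address(net))

    def decide(self, src_ip: str, port: int) -> str:
        """Action for a CPU-bound frame from src_ip arriving on port.

        Rules are tried in ascending access_id order, so on a conflict the
        lowest access_id wins; a frame matched by no rule is permitted.
        """
        for rule in sorted(self.rules, key=lambda r: r.access_id):
            if rule.port == port and self.masked(src_ip) == self.masked(rule.source_ip):
                return rule.action
        return "permit"

    def cli(self) -> List[str]:
        """Emit the CLI lines that would create this profile on the switch."""
        lines = [f"create cpu access_profile profile_id {self.profile_id} "
                 f"ip source_ip_mask {self.source_ip_mask}"]
        for r in sorted(self.rules, key=lambda r: r.access_id):
            lines.append(f"config cpu access_profile profile_id {self.profile_id} "
                         f"add access_id {r.access_id} ip source_ip {r.source_ip} "
                         f"port {r.port} {r.action}")
        return lines


def cpu_interface_filtering(enabled: bool, profile: CpuAccessProfile,
                            src_ip: str, port: int) -> str:
    """Global state from config cpu_interface_filtering: while disabled, no profile applies."""
    if not enabled:
        return "permit"
    return profile.decide(src_ip, port)


def manual_example() -> CpuAccessProfile:
    """The two commands from the manual page, rebuilt as a profile object."""
    profile = CpuAccessProfile(profile_id=1, source_ip_mask="255.255.255.0")
    profile.add_rule(CpuRule(access_id=1, source_ip="10.42.73.1", port=1, action="deny"))
    return profile


if __name__ == "__main__":
    p = manual_example()
    print("\n".join(p.cli()))
    # Constructed sample frames: (source IP, ingress port)
    for src, port in [("10.42.73.200", 1), ("10.42.73.200", 2), ("10.42.74.5", 1)]:
        print(f"{src:>14} port {port}: {cpu_interface_filtering(True, p, src, port)}")
```

Running it prints the two commands from this page followed by the decision for each sample frame: the /24 source on port 1 is denied, the same source on port 2 is permitted because the rule is bound to port 1, and a source outside the /24 is permitted by default. Swapping the global flag to False shows why config cpu_interface_filtering must be enabled before any of this takes effect.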
