D-Link DES-3550 Command Line Interface Reference Manual page 206

DES-3550 Layer 2 Fast Ethernet Switch
Access profiles allow you to establish criteria to determine whether or not the Switch will forward packets based on the
information contained in each packet's header.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the create
access_profile command. For example, if you want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, you must first
create an access profile that instructs the Switch to examine all of the relevant fields of each frame.
First create an access profile that uses IP addresses as the criteria for examination:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP
address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The profile_id parameter
is used to give the access profile an identifying number (in this case, 1), and it is also used to assign a priority in case a conflict
occurs. The profile_id establishes a priority within the list of profiles. A lower profile_id gives the rule a higher priority. In
case of a conflict in the rules entered for different profiles, the rule with the highest priority (lowest profile_id) will take
precedence. See below for information regarding limitations on access profiles and access rules.
The deny parameter instructs the Switch to filter any frames that meet the criteria: in this case, frames for which the logical AND
of the source IP address and the source_ip_mask matches the logical AND of the IP address specified in the next step and the same mask.
The default for an access profile on the Switch is to permit traffic flow. If you want to restrict traffic, you must use the deny
parameter.
Now that an access profile has been created, you must add the criteria the Switch will use to decide if a given frame should be
forwarded or filtered. Let's further specify a rule that denies access to a range of IP addresses through an individual port.
Here, we want to filter any packets that have an IP source address between 10.42.73.0 and 10.42.73.255, and specify the port
that will not be allowed:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 7 deny
We use the profile_id 1 which was specified when the access profile was created. The add parameter instructs the Switch to
add the criteria that follows to the list of rules that are associated with access profile 1. For each rule entered into the access
profile, you can assign an access_id that identifies the rule within the list of rules. The access_id is an index number only and
does not affect priority within the profile_id. This access_id may be used later if you want to remove the individual rule from
the profile.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame's
header. source_ip tells the Switch that this rule will apply to the source IP addresses in each frame's header. The IP address
10.42.73.1 will be combined with the source_ip_mask 255.255.255.0 to give the IP address 10.42.73.0 for any source IP
address between 10.42.73.0 and 10.42.73.255. Finally, the restricted port (port number 7) is specified.
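The matching described above, modeled in Python as an added example (not part of the manual and not D-Link's code). It assumes the port in a rule is the port a frame arrives on and that rules within a profile are checked in the order entered; profile 2 is a constructed rule used only to show the profile_id priority.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "access_id source_ip port action")
Profile = namedtuple("Profile", "profile_id source_ip_mask rules")

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def match(profile, src_ip, port):
    """Return the first rule in the profile that the frame meets, else None."""
    mask = ip_to_int(profile.source_ip_mask)
    masked_src = ip_to_int(src_ip) & mask
    for rule in profile.rules:
        # Both the frame's address and the rule's address are ANDed with the mask.
        if rule.port == port and masked_src == (ip_to_int(rule.source_ip) & mask):
            return rule
    return None

def decide(profiles, src_ip, port):
    """Lowest profile_id has the highest priority; no match means permit (the default)."""
    for profile in sorted(profiles, key=lambda p: p.profile_id):
        rule = match(profile, src_ip, port)
        if rule is not None:
            return rule.action
    return "permit"

def effective_range(profile, rule):
    """First and last source address a rule covers (assumes a contiguous mask)."""
    mask = ip_to_int(profile.source_ip_mask)
    base = ip_to_int(rule.source_ip) & mask
    last = base | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(last))

# The manual's profile 1 and its access_id 1 rule.
P1 = Profile(1, "255.255.255.0", [Rule(1, "10.42.73.1", 7, "deny")])
# Constructed for illustration: a host-specific permit in a lower-priority profile.
P2 = Profile(2, "255.255.255.255", [Rule(1, "10.42.73.5", 7, "permit")])

if __name__ == "__main__":
    # The rule names a single host, but the /24 mask makes it cover the whole subnet.
    print(effective_range(P1, P1.rules[0]))
    for src, port in [("10.42.73.200", 7), ("10.42.73.200", 8), ("10.42.74.1", 7)]:
        print(src, "port", port, "->", decide([P1], src, port))
    # Conflict: profile 1 (deny) outranks profile 2 (permit) for 10.42.73.5 on port 7.
    print("10.42.73.5 port 7 ->", decide([P2, P1], "10.42.73.5", 7))
```

When auditing a switch configuration, run each rule's source_ip through the profile mask first: an address that looks like a single host can deny or permit far more than intended.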