Chapter 8: Access Control List (Acl); Access Control List (Acl) Commands - Extreme Networks EAS 100-24t Switch CLI Manual

Layer 2 managed gigabit switch

Chapter 8: Access Control List (ACL)

Command
config access_profile profile_id
show access_profile
Access profiles allow users to establish criteria to determine whether or not the switch will forward packets based on the information contained in each packet's header.

Creating an access profile is divided into two basic parts. First, an access profile must be created using the create access_profile command. For example, if you want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, you must first create an access profile that instructs the switch to examine all of the relevant fields of each frame.

Create an access profile that uses IP addresses as the criteria for examination:

    create access_profile ip source_ip_mask 255.255.255.0 profile_id 1

In the example above, we have created an access profile that will examine the IP field of each frame received by the switch. Each source IP address the switch finds will be combined with the source_ip_mask with a logical AND operation. The profile_id parameter is used to give the access profile an identifying number (in this case, 1) and it is also used to assign a priority in case a conflict occurs. The profile_id establishes a priority within the list of profiles: a lower profile_id gives the rule a higher priority. In case of a conflict between rules entered for different profiles, the rule with the highest priority (lowest profile_id) takes precedence, except when the conflict is between a packet content offset profile and another kind of ACL profile.

The deny parameter instructs the switch to filter any frames that meet the criteria, in this case when the logical AND of the source IP address specified in the next step and the source_ip_mask match. The default for an access profile on the switch is to permit traffic flow. If you want to restrict traffic, you must use the deny parameter.

Now that an access profile has been created, you must add the criteria the switch will use to decide if a given frame should be forwarded or filtered. We will use the config access_profile command to create a new rule that defines the criteria we want. Let's further specify in the new rule to deny access to a range of IP addresses through an individual port. In this example, we want to filter any packets that
Parameters

config access_profile profile_id:

    <value 1-256> [add access_id [auto_assign | <value 1-65535>]
      [ethernet {[vlan <vlan_name 32> | vlan_id <vid> {mask <hex 0x0-0x0fff>}] | source_mac <macaddr> {mask <macmask>} | destination_mac <macaddr> {mask <macmask>} | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff>}(1)
       | ip {[vlan <vlan_name 32> | vlan_id <vid> {mask <hex 0x0-0x0fff>}] | source_ip <ipaddr> {mask <netmask>} | destination_ip <ipaddr> {mask <netmask>} | dscp <value 0-63> | [icmp {type <value 0-255> | code <value 0-255>} | igmp {type <value 0-255>} | tcp {src_port <value 0-65535> {mask <hex 0x0-0xffff>} | dst_port <value 0-65535> {mask <hex 0x0-0xffff>} | flag [all | {urg | ack | psh | rst | syn | fin}]} | udp {src_port <value 0-65535> {mask <hex 0x0-0xffff>} | dst_port <value 0-65535> {mask <hex 0x0-0xffff>}} | protocol_id <value 0-255>]}(1)
       | ipv6 {class <value 0-255> | flowlabel <hex 0x0-0xfffff> | source_ipv6 <ipv6addr> {mask <ipv6mask>} | [tcp {src_port <value 0-65535> {mask <hex 0x0-0xffff>} | dst_port <value 0-65535> {mask <hex 0x0-0xffff>}}(1) | udp {src_port <value 0-65535> {mask <hex 0x0-0xffff>} | dst_port <value 0-65535> {mask <hex 0x0-0xffff>}}]}
       | packet_content {offset1 <hex 0x0-0xffffffff> {mask <hex 0x0-0xffffffff>} | offset2 <hex 0x0-0xffffffff> {mask <hex 0x0-0xffffffff>} | offset3 <hex 0x0-0xffffffff> {mask <hex 0x0-0xffffffff>} | offset4 <hex 0x0-0xffffffff> {mask <hex 0x0-0xffffffff>}}]
      port [<portlist> | all]
      [permit {priority <value 0-7> {replace_priority} | replace_dscp_with <value 0-63> | counter [enable | disable]} | deny | mirror]
    | delete access_id <value 1-65535>]

show access_profile:

    {profile_id <value 1-256>}
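The matching and priority behaviour described in the text (source IP ANDed with the profile's source_ip_mask, lowest profile_id winning a conflict, permit by default) can be simulated to check what a rule set will do before it is applied. The following Python model is an added example, not firmware or code from the manual; it covers IP profiles only, and the port number 7 and the second profile are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    source_ip: str              # rule address; compared after ANDing with the profile's mask
    ports: Optional[Set[int]]   # None models "port all"
    action: str                 # "permit" or "deny"


@dataclass
class Profile:
    profile_id: int             # lower profile_id = higher priority
    source_ip_mask: str         # mask given to "create access_profile ip source_ip_mask ..."
    rules: List[Rule] = field(default_factory=list)


def masked(ip: str, mask: str) -> int:
    # Logical AND of a source IP with the profile mask, as the switch does for each frame.
    return int(IPv4Address(ip)) & int(IPv4Address(mask))


def evaluate(profiles: List[Profile], src_ip: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching profile_id); ("permit", None) when no rule matches."""
    # Profiles are consulted in ascending profile_id order, so the lowest id wins a conflict.
    for prof in sorted(profiles, key=lambda p: p.profile_id):
        for rule in prof.rules:
            port_ok = rule.ports is None or port in rule.ports
            if port_ok and masked(src_ip, prof.source_ip_mask) == masked(rule.source_ip, prof.source_ip_mask):
                return rule.action, prof.profile_id
    return "permit", None   # default: traffic flows unless a deny rule matches


def build_example() -> List[Profile]:
    # Profile 1 mirrors the manual's example: mask 255.255.255.0, deny 10.42.73.0/24 on one port.
    # Port 7 is a constructed choice; the manual does not name the port.
    p1 = Profile(1, "255.255.255.0", [Rule("10.42.73.0", {7}, "deny")])
    # Profile 2 is constructed: a broader permit overlapping profile 1, to show precedence.
    p2 = Profile(2, "255.255.0.0", [Rule("10.42.0.0", None, "permit")])
    return [p1, p2]


if __name__ == "__main__":
    acl = build_example()
    for ip, port in [("10.42.73.200", 7), ("10.42.73.200", 8), ("10.42.1.9", 7), ("192.168.1.1", 7)]:
        print(f"{ip}:{port} -> {evaluate(acl, ip, port)}")
```

A frame from 10.42.73.200 on port 7 is denied by profile 1 even though profile 2 would permit it, while the same source on port 8 falls through to profile 2's permit.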