Table of Contents
Advertisement
xStack DGS/DXS-3300 Series Layer 3 Stackable Gigabit Ethernet Switch CLI Manual
Command
delete cpu
access_profile
config cpu
access_profile
enable
cpu_interface_filtering
disable
cpu_interface_filtering
show cpu
access_profile
Access profiles allow criteria establishment to determine whether or not the Switch will forward packets based on the
information contained in each packet's header.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the create access_profile
command. For example, to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, first create an access profile that instructs
the Switch to examine all of the relevant fields of each frame:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP
address the Switch finds will be combined with the source_ip_mask to be logical AND operational. The profile_id parameter
is used to give the access profile an identifying number − in this case, 1. The deny parameter instructs the Switch to filter any
frames that meet the criteria − in this case, when a logical AND operation between an IP address specified in the next step and
the ip_source_mask match.
The default for an access profile on the Switch is to permit traffic flow. To restrict traffic, use the deny parameter.
Now that an access profile has been created, it is necessary to add the criteria the Switch will use to decide if a given frame
should be forwarded or filtered. Here, we want to filter any packets that have an IP source address between 10.42.73.0 and
10.42.73.255:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 1:1 deny
Here we use the profile_id 1 which was specified when the access profile was created. The add parameter instructs the Switch
to add the criteria that follows to the list of rules that are associated with access profile 1. For each rule entered into the access
profile, the user may assign an access_id that both identifies the rule and establishes a priority within the list of rules. A lower
Parameters
0xffffffff> <hex 0x0-0xffffffff> | {offset 64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex
0x0-0xffffffff> <hex 0x0-0xffffffff>}] |ipv6 {class | flowlabel | source ipv6mask <ipv6mask>
| destination_ipv6_mask <ipv6mask>}] profile_id <value 1-5>
profile_id <value 1-5>
profile_id <value 1-5> [add access_id <value 1-5> [ethernet {vlan <vlan_name 32> |
source_mac <macaddr 000000000000-ffffffffffff> | destination_mac <macaddr
000000000000-ffffffffffff> | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff>} [permit |
deny] | ip {vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> | dscp
<value 0-63> | [icmp {type <value 0-255> code <value 0-255>} | igmp {type <value 0-
255>} | tcp {src_port <value 0-65535> | dst_port <value 0-65535> | {urg | ack | psh | rst |
syn | fin}]} | udp {src_port <value 0-65535> | dst_port <value 0-65535>} | protocol_id
<value 0 - 255> {user_define <hex 0x0-0xffffffff>}]} [permit | deny] | packet_content
{offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff>| offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex
0x0-0xffffffff> | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
<hex 0x0-0xffffffff> | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex
0x0-0xffffffff> <hex 0x0-0xffffffff>} [permit | deny] | ipv6 [class <value 0-255> | flowlabel
<hex 0x0-0xfffff> | source_ipv6 <ipv6addr> | destination_ipv6 <ipv6addr>} [permit |
deny]} | delete access-id <value 1-5>]
profile_id <value 1-5>
215
Advertisement
Table of Contents
