Access Control List (ACL) Commands - D-Link DES-1228 Reference Manual

Managed 10/100 Mbps Metro Ethernet switch

DES-1228/ME Layer 2 Metro Ethernet Switch CLI Reference Manual

22 ACCESS CONTROL LIST (ACL) COMMANDS

The DES-1228/ME implements Access Control Lists that enable the Switch to deny network access to specific devices or device groups based on IP settings and MAC address.

The access profile commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the following table.

Command: create access_profile
Parameters: [ ethernet { vlan | source_mac <macmask> | destination_mac <macmask> | 802.1p | ethernet_type }(1) | ip { vlan | source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp | [ icmp | igmp | tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [ all | {urg | ack | psh | rst | syn | fin}(1)]} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | protocol_id_mask <hex 0x0-0xff>]}(1)] profile_id <value 1-256>

Command: delete access_profile
Parameters: [profile_id <value 1-256> | all]

Command: config access_profile
Parameters: profile_id <value 1-256> [ add access_id [ auto_assign | <value 1-65535> ] [ ethernet { vlan <vlan_name 32> | source_mac <macaddr> | destination_mac <macaddr> | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff> }(1) | ip { vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> | dscp <value 0-63> | [ icmp | igmp | tcp {src_port <value 0-65535> | dst_port <value 0-65535> | urg | ack | psh | rst | syn | fin } | udp {src_port <value 0-65535> | dst_port <value 0-65535>} | protocol_id <value 0 - 255> ]}(1)] port [<portlist> | all ] [ permit{ priority <value 0-7> | replace_priority_with <value 0-7>| rx_rate [ no_limit |<value 64-1024000>]}|deny|mirror ] | delete access_id <value 1-65535> ]

Command: show access_profile
Parameters: profile_id <value 1-256>

Command: enable cpu_interface_filtering
Parameters: (none)

Command: disable cpu_interface_filtering
Parameters: (none)

Command: create cpu access_profile profile_id
Parameters: <value 1-3> [ ethernet { vlan | source_mac <macmask> | destination_mac <macmask> | 802.1p | ethernet_type} (1) | ip { vlan | source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp | [ icmp { type | code } | igmp { type } | tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [ all | {urg | ack | psh | rst | syn | fin}(1)] } | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | protocol_id_mask <hex 0x0-0xff> {user_define <hex 0x0-0xffffffff>}]}(1)]

Command: delete cpu access_profile
Parameters: profile_id <value 1-3>

Command: config cpu access_profile profile_id
Parameters: <value 1-3> [ add access_id <value 1-5> [ ethernet { vlan <vlan_name 32> | source_mac <macaddr> | destination_mac <macaddr> | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff> }(1) | ip { vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> | dscp <value 0-63> | [ icmp {type <value 0-255> | code <value 0-255>} | igmp {type <value 0-255>} | tcp {src_port <value 0-65535> | dst_port <value 0-65535> | urg | ack | psh | rst | syn | fin } | udp {src_port <value 0-65535> | dst_port <value 0-65535>} | protocol_id <value 0 - 255> {user_define <hex 0x0-0xffffffff>}]}(1)] port [<portlist> | all ][ permit | deny ] | delete access_id <value 1-5> ]

Command: show cpu access_profile
Parameters: profile_id <value 1-3>

Access profiles allow users to establish criteria to determine whether or not the Switch will forward packets based on the information contained in each packet's header.

Creating an access profile is divided into two basic parts. First, an access profile must be created using the create access_profile command. For example, if users want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, users must first create an access profile that instructs the Switch to examine all of the relevant fields of each frame.

First create an access profile that uses IP addresses as the criteria for examination:
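Added example, not taken from the D-Link manual: a Python helper that turns subnets into the two-part create/config sequence described above, using only keywords and value ranges from the parameter table. It goes beyond the single 10.42.73.0 subnet by grouping subnets by netmask, because the mask is fixed in the profile and each rule carries only an address. The function names and the masked comparison in `covered` are assumptions.

```python
import ipaddress
from collections import defaultdict

PROFILE_IDS = range(1, 257)    # profile_id <value 1-256>, from the table
ACCESS_IDS = range(1, 65536)   # access_id <value 1-65535>, from the table

def deny_commands(subnets, direction="destination", first_profile_id=1, ports="all"):
    """Build create/config access_profile lines that deny IP traffic per subnet.

    Hypothetical helper. The mask is set once per profile and each rule only
    carries an address, so subnets are grouped by netmask: one profile per mask.
    """
    if direction not in ("source", "destination"):
        raise ValueError("direction must be 'source' or 'destination'")
    by_mask = defaultdict(list)
    for text in subnets:
        net = ipaddress.ip_network(text)  # strict: rejects 10.42.73.5/24
        if net.version != 4:
            raise ValueError(f"{text}: the ip profile takes IPv4 netmasks")
        by_mask[net.netmask].append(net)
    lines = []
    # Longest mask first; the ordering is a choice made here for stable output.
    for offset, mask in enumerate(sorted(by_mask, reverse=True)):
        profile_id = first_profile_id + offset
        if profile_id not in PROFILE_IDS:
            raise ValueError(f"profile_id {profile_id} outside 1-256")
        lines.append(f"create access_profile ip {direction}_ip_mask {mask} "
                     f"profile_id {profile_id}")
        for access_id, net in enumerate(sorted(by_mask[mask]), start=1):
            if access_id not in ACCESS_IDS:
                raise ValueError(f"access_id {access_id} outside 1-65535")
            lines.append(f"config access_profile profile_id {profile_id} "
                         f"add access_id {access_id} ip {direction}_ip "
                         f"{net.network_address} port {ports} deny")
    return lines

def covered(packet_ip, rule_ip, mask):
    """Assumed match semantics: only the bits selected by the mask are compared."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(packet_ip)) & m) == (int(ipaddress.IPv4Address(rule_ip)) & m)

if __name__ == "__main__":
    # Constructed input: the manual's subnet plus two more to show grouping.
    for line in deny_commands(["10.42.73.0/24", "10.42.80.0/24", "192.168.0.0/16"]):
        print(line)
```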

This manual is also suitable for:

Des-1228me
