D-Link DXS-3326GSR Reference Manual page 235

Creating an access profile is divided into two basic parts.
access_profile command. For example, if you want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, you must first
create an access profile that instructs the Switch to examine all of the relevant fields of each frame:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP
address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The profile_id parameter
is used to give the access profile an identifying number − in this case, 1. The deny parameter instructs the Switch to filter any
frames that meet the criteria − in this case, when a logical AND operation between an IP address specified in the next step and
the ip_source_mask match.
The default for an access profile on the Switch is to permit traffic flow. If you want to restrict traffic, you must use the deny
parameter.
Now that an access profile has been created, you must add the criteria the Switch will use to decide if a given frame should be
forwarded or filtered. Here, we want to filter any packets that have an IP source address between 10.42.73.0 and 10.42.73.255:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 deny
Here we use the profile_id 1 which was specified when the access profile was created. The add parameter instructs the Switch
to add the criteria that follows to the list of rules that are associated with access profile 1. For each rule entered into the access
profile, you can assign an access_id that both identifies the rule and establishes a priority within the list of rules. A lower
access_id gives the rule a higher priority. In case of a conflict in the rules entered for an access profile, the rule with the highest
priority (lowest access_id) will take precedence.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame's
header. source_ip tells the Switch that this rule will apply to the source IP addresses in each frame's header. Finally, the IP
address 10.42.73.1 will be combined with the source_ip_mask 255.255.255.0 to give the IP address 10.42.73.0 for any source
IP address between 10.42.73.0 to 10.42.73.255.
create access_profile
Purpose
Syntax
Description
DXS-3326GSR Stackable Gigabit Layer 3 Switch
Used to create an access profile on the Switch and to define
which parts of each incoming frame's header the Switch will
examine. Masks can be entered that will be combined with the
values the Switch finds in the specified frame header fields.
Specific values for the rules are entered using the config
access_profile command, below.
[ethernet {vlan | source_mac <macmask> | destination_mac
<macmask> | 802.1p | ethernet_type} | ip {vlan |
source_ip_mask <netmask> | destination_ip_mask
<netmask> | dscp | [icmp {type | code} | igmp {type} | tcp
{src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-
0xffff> | flag_mask [all | {urg | ack | psh | rst | syn | fin}]} | udp
{src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-
xffff>} | protocol_id {user _mask <hex 0x0-0xffffffff> }]} |
packet_content_mask {offset_0-15 <hex 0x0-0xffffffff> <hex
0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> |
offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_32-47 <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_64-
79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
<hex 0x0-0xffffffff>}] {port [<portlist> | all] | profile_id <value
1-8>}
The create access_profile command is used to create an access
profile on the Switch and to define which parts of each incoming
First, an access profile must be created using the create
227