Access Control List (Acl) Commands - D-Link xStack DES-3528 Series Cli Reference Manual

xStack® DES-3528/DES-3552 Series Layer 2 Managed Stackable Fast Ethernet Switch CLI Reference Guide

Access Control List (ACL) Commands

The Switch implements Access Control Lists that enable the Switch to deny network access to specific devices or
device groups based on IP settings and MAC address.
Access profiles allows establishment of a criteria to determine whether or not the Switch will forward packets based on
the information contained in each packet's header. These criteria can be specified on a VLAN–by–VLAN basis.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the create
access_profile command. For example, if you want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, you
must first create an access profile that instructs the Switch to examine all of the relevant fields of each frame:
create access_profile profile_id 1 profile_name 1 ip source_ip_mask 255.255.255.0
Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each
source IP address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The
profile_id parameter is used to give the access profile an identification number − in this case, 1. The deny parameter
instructs the Switch to filter any frames that meet the criteria − in this case, when a logical AND operation between an
IP address specified in the next step and the ip_source_mask match.
The default for an access profile on the Switch is to permit traffic flow. To restrict traffic, users must use the deny
parameter.
Now that an access profile has been created, you must add the criteria the Switch will use to decide if a given frame
should be forwarded or filtered. Here, we want to filter any packets that have an IP source address between
10.42.73.0 and 10.42.73.255:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 1 deny
Here we use the profile_id 1 which was specified when the access profile was created. The add parameter instructs
the Switch to add the criteria that follows to the list of rules that are associated with access profile 1. For each rule
entered into the access profile, you can assign an access_id that both identifies the rule and establishes a priority
within the list of rules. A lower access_id gives the rule a higher priority. In case of a conflict in the rules entered for
an access profile, the rule with the highest priority (lowest access_id) will take precedence.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each
frame's header. source_ip tells the Switch that this rule will apply to the source IP addresses in each frame's header.
Finally, the IP address 10.42.73.1 will be combined with the source_ip_mask 255.255.255.0 to give the IP address
10.42.73.0 for any source IP address between 10.42.73.0 to 10.42.73.255.
Due to a chipset limitation, the Switch supports a maximum of 6 access profiles. The rules used to define the access
profiles are limited to a total of 768 rules for the Switch. One rule can support ACL per port or per portmap.
The access profile commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters)
in the following table.
NOTE: By default, firmware version 2.60 supports only 12 ACL profiles and 1536 rules which is less
than in firmware version 2.01 (14 profiles and 1792 rules). Some ACL settings in the previous
configuration file may be lost after the firmware upgrade. To gain all 14 ACL profiles and 1792 rules,
disable the local routing feature and reload the configuration.
Command
create access_profile
Parameters
profile_id <value 1-14> profile_name <name 1-32> [ethernet {vlan {<hex 0x0-0x0fff>} |
source_mac <macmask> | destination_mac <macmask> | 802.1p | ethernet_type} | ip
{vlan {<hex 0x0-0x0fff>} | source_ip_mask <netmask> | destination_ip_mask <netmask>
| dscp | [icmp {type | code} | igmp {type} | tcp {src_port_mask <hex 0x0-0xffff> |
dst_port_mask <hex 0x0-0xffff> | flag_mask [all | {urg | ack | psh | rst | syn | fin}]} | udp
{src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | protocol_id_mask
<hex 0x0-0xff> {user_define_mask <hex 0x0-0xffffffff>}]} | packet_content_mask
{offset_chunk_1 <value 0-31> <hex 0x0-0xffffffff> | offset_chunk_2 <value 0-31> <hex
0x0-0xffffffff> | offset_chunk_3 <value 0-31> <hex 0x0-0xffffffff> | offset_chunk_4 <value
0-31> <hex 0x0-0xffffffff>} | ipv6 {[{class | flowlabel | [tcp {src_port_mask <hex 0x0-
0xffff> | dst_port_mask <hex 0x0-0xffff>} | udp {src_port_mask <hex 0x0-0xffff> |
dst_port_mask <hex 0x0-0xffff>}]} | source_ipv6_mask <ipv6mask> |
destination_ipv6_mask <ipv6mask>]}]
262