D-Link xStack DES-3200 Series Reference Manual page 216

xStack® DES-3200 Series Layer 2 Ethernet Managed Switch CLI Reference Manual
Command
enable
cpu_interface_filtering
disable
cpu_interface_filtering
create cpu
access_profile
profile_id
delete cpu
access_profile
config cpu
access_profile
profile_id
show cpu
access_profile
Access profiles allow users to establish criteria to determine whether or not the Switch will forward packets based on the
information contained in each packet's header.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the create access_profile
command. For example, if users want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, users must first create an access
profile that instructs the Switch to examine all of the relevant fields of each frame.
First create an access profile that uses IP addresses as the criteria for examination:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP
address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The profile_id parameter is
used to give the access profile an identifying number  in this case, 1 – and it is used to assign a priority in case a conflict occurs.
The profile_id establishes a priority within the list of profiles. A lower profile_id gives the rule a higher priority. In case of a
conflict in the rules entered for different profiles, the rule with the highest priority (lowest profile_id) will take precedence. See
below for information regarding limitations on access profiles and access rules.
The deny parameter instructs the Switch to filter any frames that meet the criteria  in this case, when a logical AND operation
between an IP address specified in the next step and the ip_source_mask match.
The default for an access profile on the Switch is to permit traffic flow. If users want to restrict traffic, users must use the deny
parameter.
Parameters
<value 1-3> [ethernet {vlan | source_mac <macmask> | destination_mac <macmask> |
802.1p | ethernet_type} (1) | ip { vlan | source_ip_mask <netmask> | destination_ip_mask
<netmask> | dscp | [ icmp {type | code } | igmp {type } | tcp {src_port_mask <hex 0x0-0xffff>
| dst_port_mask <hex 0x0-0xffff> | flag_mask [ all | {urg | ack | psh | rst | syn | fin} (1) ] } |
udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} protocol_id_mask
<hex 0x0-0xff> {user_define_mask <hex 0x0-0xffffffff>} ]} (1) | packet_content_mask
{offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff>|offset_16-31 <hex 0x0-0xffffffff><hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff>|offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff>|offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff>|offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> } (1) | ipv6 {[{ class | flowlabel | source_ipv6_mask <ipv6mask> |
destination_ipv6_mask <ipv6mask>]} (1) ]
profile_id <value 1-3>
profile_id <value 1-3> [add access_id <value 1-5>[ethernet {vlan <vlan_name 32> | source_mac
<macaddr> | destination_mac <macaddr > | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff>} (1)
| ip{vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> | dscp <value 0-63> | [icmp
{type <value 0-255> | code <value 0-255>} | igmp {type <value 0-255>} | tcp {src_port <value 0-
65535> | dst_port <value 0-65535> flag [all { urg | ack | psh | rst | syn | fin} (1) ]} | udp {src_port
<value 0-65535> | dst_port <value 0-65535>} | protocol_id <value 0-255> {user_define <hex 0x0-
0xffffffff>}]} (1) | packet_content {offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> } (1) | ipv6 {[{ class <value 0-255> | flowlabel <hex 0x0-0xfffff>} |
source_ipv6 <ipv6addr>| destination_ipv6 <ipv6addr>]}]port [<portlist> | all ][ permit | deny]
{time_range <range_name 32>} | delete access_id <value 1-5>]
profile_id <value 1-3>
211