D-Link DGS-3700 Series Reference Manual page 365

Layer 2 managed gigabit ethernet switch
DGS-3700 Series Layer 2 Managed Gigabit Ethernet Switch CLI Reference Guide
COMMAND
show cpu access_profile
Access profiles allow users to establish criteria to determine whether or not the Switch will forward packets
based on the information contained in each packet's header.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the
create access_profile command. For example, if users want to deny all traffic to the subnet 10.42.73.0 to
10.42.73.255, users must first create an access profile that instructs the Switch to examine all of the relevant
fields of each frame.
First create an access profile that uses IP addresses as the criteria for examination:
create access_profile profile_id 1 profile_name 1 ip source_ip_mask 255.255.255.0
Here we have created an access profile that will examine the IP field of each frame received by the Switch.
Each source IP address the Switch finds will be combined with the source_ip_mask with a logical AND
operation. The profile_id parameter is used to give the access profile an identifying number (in this case,
1), and it is used to assign a priority in case a conflict occurs. The profile_id establishes a priority within the
list of profiles. A lower profile_id gives the rule a higher priority. In case of a conflict in the rules entered
for different profiles, the rule with the highest priority (lowest profile_id) will take precedence.
See below for information regarding limitations on access profiles and access rules.
The deny parameter instructs the Switch to filter any frames that meet the criteria: in this case, frames whose
source IP address, combined with the source_ip_mask by a logical AND operation, matches the IP address specified in the next step.
The default for an access profile on the Switch is to permit traffic flow. If users want to restrict traffic, users
must use the deny parameter.
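The following Python model is an added illustration, not code from the D-Link manual, of the matching logic described above: the source address is ANDed with the profile's source_ip_mask, the lowest profile_id wins a conflict, and unmatched traffic is permitted by default. The class and function names, the second profile, and the rule addresses are constructed for the example, and it assumes that rules inside a profile are checked in ascending access_id order.

```python
import ipaddress


def _ip(text):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


class AccessProfile:
    """Hypothetical model of one IP access profile (not D-Link code)."""

    def __init__(self, profile_id, source_ip_mask):
        self.profile_id = profile_id
        self.mask = _ip(source_ip_mask)
        self.rules = []  # (access_id, masked rule address, action)

    def add_rule(self, access_id, source_ip, action):
        # The rule address is masked too, so any host in the range selects it.
        self.rules.append((access_id, _ip(source_ip) & self.mask, action))
        self.rules.sort()  # assumption: lowest access_id is checked first

    def match(self, src):
        key = _ip(src) & self.mask  # the logical AND described in the text
        for _access_id, wanted, action in self.rules:
            if key == wanted:
                return action
        return None


def decide(profiles, src):
    """Return (action, profile_id) for a frame with source address src."""
    for profile in sorted(profiles, key=lambda p: p.profile_id):
        action = profile.match(src)
        if action is not None:
            return action, profile.profile_id  # lowest profile_id wins
    return "permit", None  # default: traffic is permitted


# Constructed sample: profile 1 is the page's /24 example; profile 2 is an
# invented, broader profile whose permit rule conflicts with profile 1.
p1 = AccessProfile(1, "255.255.255.0")
p1.add_rule(1, "10.42.73.1", "deny")
p2 = AccessProfile(2, "255.255.0.0")
p2.add_rule(1, "10.42.0.0", "permit")
PROFILES = [p2, p1]  # list order is irrelevant; profile_id sets priority

if __name__ == "__main__":
    for src in ("10.42.73.200", "10.42.74.5", "192.168.1.1"):
        print(src, decide(PROFILES, src))
```

Because the rule address is masked as well, a single rule naming any host in 10.42.73.0 to 10.42.73.255 covers the whole range under this profile.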
Now that an access profile has been created, users must add the criteria the Switch will use to decide if a
given frame should be forwarded or filtered. We will use the config access_profile command to create a
new rule that defines the criteria we want. Let's further specify in the new rule to deny access to a range of
IP addresses through an individual port: Here, we want to filter any packets that have an IP source address
PARAMETERS
32>} | delete access_id <value 1-100>]
profile_id <value 1-5>
[profile_id <value 1-12> | profile_name <name 1-32>] access_id <value 1-128> [rate [<value 0-1000000>] {burst_size [<value 0-16384>]} rate_exceed [drop_packet | remark_dscp <value 0-63>] | tr_tcm cir <value 0-1000000> {cbs <value 0-16384>} pir <value 0-1000000> {pbs <value 0-16384>} {conform [permit | replace_dscp <value 0-63>] {counter [enable | disable]}} exceed [permit {replace_dscp <value 0-63>} | drop] {counter [enable | disable]} violate [permit {replace_dscp <value 0-63>} | drop] {counter [enable | disable]} | sr_tcm cir <value 0-1000000> cbs <value 0-16384> ebs {counter [enable | disable]} violate [permit {replace_dscp <value 0-63>} | drop] {counter [enable | disable]} | delete]
{[profile_id <value 1-12> | profile_name <name 1-32>] {access_id <value 1-128>}}
<range_name 32> [hours start_time <time hh:mm:ss> end_time <time hh:mm:ss> weekdays <daylist> | delete]