DES-1228/ME Layer 2 Metro Ethernet Switch CLI Reference Manual
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1 profile_name 1
Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The profile_id parameter is used to give the access profile an identifying number (in this case, 1) and it is used to assign a priority in case a conflict occurs.
The profile_id establishes a priority within the list of profiles. A lower profile_id gives the rule a higher priority. In case of a conflict in the rules entered for different profiles, the rule with the highest priority (lowest profile_id) will take precedence. See below for information regarding limitations on access profiles and access rules.
The deny parameter instructs the Switch to filter any frames that meet the criteria, in this case, when the result of a logical AND operation between an IP address specified in the next step and the source_ip_mask matches. The default for an access profile on the Switch is to permit traffic flow. If users want to restrict traffic, users must use the deny parameter.
Now that an access profile has been created, users must add the criteria the Switch will use to decide if a given frame should be forwarded or filtered. We will use the config access_profile command to create a new rule that defines the criteria we want. Let's further specify in the new rule to deny access to a range of IP addresses through an individual port. Here, we want to filter any packets that have an IP source address between 10.42.73.0 and 10.42.73.255, and specify the port that will not be allowed:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 7 deny
We use the profile_id 1 which was specified when the access profile was created. The add parameter instructs the Switch to add the criteria that follows to the list of rules that are associated with access profile 1. For each rule entered into the access profile, users can assign an access_id that identifies the rule within the list of rules. The access_id is an index number only and does not affect priority within the profile_id. This access_id may be used later if users want to remove the individual rule from the profile.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame's header. source_ip tells the Switch that this rule will apply to the source IP addresses in each frame's header. The IP address 10.42.73.1 will be combined with the source_ip_mask 255.255.255.0 to give the IP address 10.42.73.0 for any source IP address between 10.42.73.0 and 10.42.73.255. Finally the restricted port, port number 7, is specified.
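The following Python model is an added example, not part of the manual and not code from the switch: it reproduces the matching logic the two paragraphs above describe (the logical AND of a source IP with source_ip_mask, the lowest-profile_id-wins precedence between profiles, access_id as an index only, and permit as the default) so the two commands shown on this page can be stepped through offline. The class and function names are this example's own; the "conflict_example" profiles are constructed to illustrate precedence and do not appear on the page, and first-match order within a profile is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example: a small model of the access-profile matching described on this page.
# Names below are this example's own, not switch CLI identifiers.


@dataclass
class AccessRule:
    """One 'config access_profile ... add access_id ...' entry."""
    access_id: int
    source_ip: str
    port: int
    action: str            # "permit" or "deny"


@dataclass
class AccessProfile:
    """One 'create access_profile ip source_ip_mask ... profile_id ...' entry."""
    profile_id: int
    source_ip_mask: str
    rules: List[AccessRule] = field(default_factory=list)


def masked(addr: str, mask: str) -> int:
    """Combine an IPv4 address with a mask using a logical AND, as the Switch does."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


def rule_matches(profile: AccessProfile, rule: AccessRule, src_ip: str, port: int) -> bool:
    """A frame matches when it arrives on the rule's port and its masked source IP
    equals the rule's masked source IP (10.42.73.x AND 255.255.255.0 == 10.42.73.0)."""
    if port != rule.port:
        return False
    return masked(src_ip, profile.source_ip_mask) == masked(rule.source_ip, profile.source_ip_mask)


def evaluate(profiles: List[AccessProfile], src_ip: str, port: int) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (action, profile_id, access_id) for a frame.
    Profiles are tried in ascending profile_id, so the lowest profile_id wins a conflict.
    Within a profile, access_id is only an index; this model takes the first matching
    rule in access_id order (an assumption of the example, not a statement of the manual).
    With no matching rule the default action is permit."""
    for profile in sorted(profiles, key=lambda p: p.profile_id):
        for rule in sorted(profile.rules, key=lambda r: r.access_id):
            if rule_matches(profile, rule, src_ip, port):
                return rule.action, profile.profile_id, rule.access_id
    return "permit", None, None


def page_example() -> List[AccessProfile]:
    """The two commands from the page:
    create access_profile ip source_ip_mask 255.255.255.0 profile_id 1 profile_name 1
    config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 7 deny"""
    p1 = AccessProfile(profile_id=1, source_ip_mask="255.255.255.0")
    p1.rules.append(AccessRule(access_id=1, source_ip="10.42.73.1", port=7, action="deny"))
    return [p1]


def conflict_example() -> List[AccessProfile]:
    """Constructed scenario (not from the page) to show profile_id precedence:
    profile 1 permits all of 10.42.73.0/24 on port 7, profile 2 denies the single
    host 10.42.73.5 on port 7. The lower profile_id takes precedence, so host
    10.42.73.5 is permitted."""
    p1 = AccessProfile(profile_id=1, source_ip_mask="255.255.255.0")
    p1.rules.append(AccessRule(access_id=1, source_ip="10.42.73.1", port=7, action="permit"))
    p2 = AccessProfile(profile_id=2, source_ip_mask="255.255.255.255")
    p2.rules.append(AccessRule(access_id=1, source_ip="10.42.73.5", port=7, action="deny"))
    return [p1, p2]


if __name__ == "__main__":
    profiles = page_example()
    for ip, port in [("10.42.73.200", 7), ("10.42.73.200", 8), ("10.42.74.1", 7)]:
        print(ip, port, evaluate(profiles, ip, port))
    print("conflict:", evaluate(conflict_example(), "10.42.73.5", 7))
```

Running the block shows that any source in 10.42.73.0 to 10.42.73.255 arriving on port 7 is denied by profile 1, rule 1, while the same source on port 8, or a source outside the /24 on port 7, falls through to the default permit. The conflict scenario shows why the manual warns about profile_id ordering: a more specific deny in a higher-numbered profile is never reached once a lower-numbered profile has matched.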
create access_profile
Purpose: Used to create an access profile on the Switch and to define which parts of each incoming frame's header the Switch will examine. Masks can be entered that will be combined with the values the Switch finds in the specified frame header fields. Specific values for the rules are entered using the config access_profile command, below.
Syntax: create access_profile [ ethernet { vlan | source_mac <macmask> | destination_mac <macmask> | 802.1p | ethernet_type }(1) | ip { vlan | source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp | [ icmp | igmp | tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [ all | {urg | ack | psh | rst | syn | fin}(1)]} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | protocol_id_mask <hex 0x0-0xff>]}(1)] profile_id <value 1-256>
Description: The create access_profile command is used to create an access profile on the Switch and to define which parts of each incoming frame's header the Switch will examine. Masks can be entered that will be combined with the values the Switch finds in the specified frame header fields. Specific values for the rules are entered using the config access_profile command, below.
Parameters:
ethernet - Specifies that the Switch will examine the layer 2 part of each packet header.
vlan - Specifies that the Switch will examine the VLAN part of each packet header.
source_mac <macmask> - Specifies a MAC address mask for the source MAC address. This mask is entered in a hexadecimal format.
destination_mac <macmask> - Specifies a MAC address mask for the destination MAC address.
802.1p - Specifies that the Switch will examine the 802.1p priority value in the frame's header.
ethernet_type - Specifies that the Switch will examine the Ethernet type value in each frame's header.