xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch CLI Manual
145
Command Parameters
0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | {offset 32-47 <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | {offset 48-
63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> | {offset 64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff>}] [profile_id <value 1-5>]
delete cpu access_profile
profile_id <value 1-5>
config cpu access_profile profile_id
<value 1-5> [add access_id <value 1-65535> [ethernet {vlan <vlan_name 32>
| source_mac <macaddr> | destination_mac <macaddr> | ethernet_type <hex
0x0-0xffff>} [permit | deny] | ip {vlan <vlan_name 32> | source_ip <ipaddr> |
destination_ip <ipaddr> | dscp <value 0-63> | [icmp {type <value 0-255> code
<value 0-255>} | igmp {type <value 0-255>} | tcp {src_port <value 0-65535> |
dst_port <value 0-65535> | {urg | ack | psh | rst | syn | fin}]} | udp {src_port
<value 0-65535> | dst_port <value 0-65535>} | protocol_id <value 0 - 255>
{user_define <hex 0x0-0xffffffff>}]} [permit | deny] | packet_content {offset_0-15
<hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>|
offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex
0x0-0xffffffff> | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_64-79 <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>} [permit |
deny] | delete access_id <value 1-65535>]
enable cpu interface_filtering
disable cpu_interface_filtering
show cpu_interface_filtering
show cpu access_profile
{profile_id <value 1-5> {access_id <value 1-65535>}}
Access profiles allow you to establish criteria to determine whether or not the Switch will forward packets based on the information
contained in each packet’s header. These criteria can be specified on a VLAN-by-VLAN basis.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the
create access_profile
command. For example, if you want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, you must first
create
an access
profile that instructs the Switch to examine all of the relevant fields of each frame:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP address
the Switch finds will be combined with the
source_ip_mask
with a logical AND operation. The
profile_id
parameter is used to give
the access profile an identifying number
−
in this case,
1
. The
deny
parameter instructs the Switch to filter any frames that meet the
criteria
−
in this case, when a logical AND operation between an IP address specified in the next step and the
ip_source_mask
match.
The default for an access profile on the Switch is to
permit
traffic flow. If you want to restrict traffic, you must use the
deny
parameter.