234
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring and Managing Security ACLs
Creating and Committing a Security ACL
The security ACLs you create can filter packets by source address, IP protocol, port type, and
other characteristics. When you configure an ACE for a security ACL, MSS stores the ACE in
the edit buffer until you commit the ACL to be saved to the permanent configuration. You must
commit a security ACL before you can apply it to an authenticated user’s session or map it to
a port, VLAN, virtual port, or Distributed AP. Every security ACL must have a name.
Setting a Source IP ACL
You can create an ACE that filters packets based on the source IP address and optionally
applies CoS packet handling. (For CoS details, see Class of Service.) You can also determine
where the ACE is placed in the security ACL by using the before editbuffer-index or modify
editbuffer-index variables with an index number. You can use the hits counter to track how
many packets the ACL filters.
The simplest security ACL permits or denies packets from a source IP address:
set security acl ip acl-name {permit [cos cos] | deny} source-ip-addr mask
[before editbuffer-index | modify editbuffer-index] [hits]
For example, to create ACL acl-1 that permits all packets from IP address 192.168.1.4, type
the following command:
DWS-1008# set security acl ip acl-1 permit 192.168.1.4 0.0.0.0
With the following basic security ACL command, you can specify any of the protocols
supported by MSS:
set security acl ip acl-name {permit [cos cos] | deny} {protocol}
{source-ip-addr mask destination-ip-addr mask} [precedence precedence] [tos tos]
[before editbuffer-index | modify editbuffer-index] [hits]
The following sample security ACL permits all Generic Routing Encapsulation (GRE)
packets from source IP address 192.168.1.11 to destination IP address 192.168.1.15, with
a precedence level of 0 (routine), and a type-of-service (TOS) level of 0 (normal). GRE is
protocol number 47.
DWS-1008# set security acl ip acl-2 permit cos 2 47 192.168.1.11 0.0.0.0 192.168.1.15 0.0.0.0 precedence 0 tos 0 hits
The security ACL acl-2 described above also applies the CoS level 2 (medium priority) to
the permitted packets. (For CoS details, see Class of Service.) The keyword hits counts the
number of times this ACL affects packet traffic.
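The edit-buffer workflow and both command forms above, modelled as an added Python example (not MSS code, and not from the manual): it parses the two sample commands into ACEs, keeps them per ACL in an edit buffer that honors before/modify editbuffer-index (assumed 1-based), evaluates only committed ACLs, matches addresses with the wildcard-mask reading implied by the 0.0.0.0 examples, and counts hits. Treating "no ACE matched" as deny is an assumption of this model.

```python
import ipaddress
import shlex

def wildcard_match(addr, base, mask):
    # Mask reading taken from the manual's examples: 0.0.0.0 matches one host, so a
    # 0 bit must match and a 1 bit is a don't-care (a wildcard mask, assumed here).
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & ~m == int(ipaddress.IPv4Address(base)) & ~m

class AclEditBuffer:
    def __init__(self):
        self.edit, self.committed = {}, {}  # acl-name -> ACEs in edit buffer / committed

    def set_ace(self, command):
        t = shlex.split(command)
        if t[:4] != ["set", "security", "acl", "ip"]: raise ValueError("unsupported command")
        name, ace, t = t[4], {"action": t[5], "cos": None, "proto": None, "hits": None}, t[6:]
        if t[:1] == ["cos"]: ace["cos"], t = int(t[1]), t[2:]
        if t[0].isdigit():      # full form: protocol src mask dst mask
            ace["proto"], ace["src"], ace["dst"], t = int(t[0]), (t[1], t[2]), (t[3], t[4]), t[5:]
        else:                   # simplest form: src mask only
            ace["src"], ace["dst"], t = (t[0], t[1]), None, t[2:]
        position = None
        while t:
            if t[0] in ("precedence", "tos"):   # stored; not used for matching below
                ace[t[0]], t = int(t[1]), t[2:]
            elif t[0] in ("before", "modify"):  # editbuffer-index, assumed 1-based
                position, t = (t[0], int(t[1])), t[2:]
            elif t[0] == "hits":                # switch on the hit counter for this ACE
                ace["hits"], t = 0, t[1:]
            else:
                raise ValueError(f"unexpected keyword {t[0]}")
        aces = self.edit.setdefault(name, [])
        if position is None: aces.append(ace)
        elif position[0] == "before": aces.insert(position[1] - 1, ace)
        else: aces[position[1] - 1] = ace
        return ace

    def commit(self, name):
        # Only a committed ACL can be applied to a session or mapped to a port/VLAN.
        self.committed[name] = self.edit.pop(name)

    def evaluate(self, name, src, dst, proto):
        # First matching ACE decides: returns (action, cos) and bumps its hit counter.
        for ace in self.committed.get(name, []):
            if ace["proto"] in (None, proto) and wildcard_match(src, *ace["src"]) \
                    and (ace["dst"] is None or wildcard_match(dst, *ace["dst"])):
                if ace["hits"] is not None: ace["hits"] += 1
                return ace["action"], ace["cos"]
        return "deny", None  # nothing matched: implicit deny, assumed rather than from the page
```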
The table on the next page lists common IP protocol numbers.