xStack Gigabit Layer 3 Switch Command Line Interface Manual
Upon this release, the xStack family of switches has incorporated four ways of creating access profile entries on the Switch: Ethernet (MAC Address), IP, Packet Content and, the most recent, IPv6. Due to the present complexity of the access profile commands, it has been decided to split this command into four pieces so that it is better understood by the user and therefore simpler for the user to configure. The beginning of this section displays the create access_profile and config access_profile commands in their entirety. The following table divides these commands up into the defining features necessary to properly configure the access profile. Remember these are not the total commands but the easiest way to implement Access Control Lists for the Switch.

Due to a chipset limitation, the Switch currently supports a maximum of 8 access profiles, each containing a maximum of 100 rules, with the additional limitation of 100 rules total for all 8 access profiles.

Access profiles allow you to establish criteria to determine whether or not the Switch will forward packets based on the information contained in each packet's header. These criteria can be specified on a VLAN-by-VLAN basis.

Creating an access profile is divided into two basic parts. First, an access profile must be created using the create access_profile command. For example, if you want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, you must first create an access profile that instructs the Switch to examine all of the relevant fields of each frame:

create access_profile ip source_ip_mask 255.255.255.0 profile_id 1

Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The profile_id parameter is used to give the access profile an identifying number, in this case 1. The deny parameter instructs the Switch to filter any frames that meet the criteria, in this case when a logical AND operation between an IP address specified in the next step and the source_ip_mask match. The default for an access profile on the Switch is to permit traffic flow. If you want to restrict traffic, you must use the deny parameter.

Now that an access profile has been created, you must add the criteria the Switch will use to decide if a given frame should be forwarded or filtered. Here, we want to filter any packets that have an IP source address between 10.42.73.0 and 10.42.73.255:

config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 1:1 deny

Here we use the profile_id 1 which was specified when the access profile was created. The add parameter instructs the Switch to add the criteria that follows to the list of rules that are associated with access profile 1. For each rule entered into the access profile, you can assign an access_id that both identifies the rule and establishes a priority within the list of rules. A lower access_id gives the rule a higher priority. In case of a conflict in the rules entered for an access profile, the rule with the highest priority (lowest access_id) will take precedence.

The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame's header. source_ip tells the Switch that this rule will apply to the source IP addresses in each frame's header. Finally, the IP address 10.42.73.1 will be combined with the source_ip_mask 255.255.255.0 to give the IP address 10.42.73.0 for any source IP address between 10.42.73.0 and 10.42.73.255.
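The following Python script is an added example and is not part of this manual or of the Switch firmware. It models the evaluation rules described above so that an administrator can check what a profile and its rules will do before applying them: each source IP address is ANDed with the profile's source_ip_mask and compared with the rule's masked source_ip, the rule with the lowest access_id wins when rules conflict, traffic is permitted when no rule matches, and the limits of 8 profiles, 100 rules per profile and 100 rules in total are enforced. The class and function names (Switch, AccessProfile, add_rule, decide) and the ordering between different profiles (lower profile_id checked first) are assumptions made for this illustration.

```python
# Added example (not from the manual): a model of how the Switch evaluates
# an IP access profile and its rules, using the semantics the text describes.
# Names (Switch, AccessProfile, Rule, add_rule, decide) and the ordering
# across different profiles (lower profile_id first) are assumptions.
import ipaddress
from dataclasses import dataclass, field

# Limits stated in the manual for this release
MAX_PROFILES = 8
MAX_RULES_PER_PROFILE = 100
MAX_RULES_TOTAL = 100


@dataclass
class Rule:
    access_id: int     # 1-100; a lower access_id has higher priority
    source_ip: str     # address compared after the profile mask is applied
    port: str          # ingress port the rule applies to, e.g. "1:1"
    action: str        # "permit" or "deny"


@dataclass
class AccessProfile:
    profile_id: int                              # 1-8
    source_ip_mask: str                          # e.g. "255.255.255.0"
    rules: dict = field(default_factory=dict)    # access_id -> Rule


def masked(ip: str, mask: str) -> int:
    """Logical AND of an IPv4 address and a mask, as the Switch does per frame."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


class Switch:
    def __init__(self) -> None:
        self.profiles: dict[int, AccessProfile] = {}

    def create_access_profile(self, profile_id: int, source_ip_mask: str) -> AccessProfile:
        # create access_profile ip source_ip_mask <mask> profile_id <id>
        if not 1 <= profile_id <= MAX_PROFILES:
            raise ValueError(f"profile_id must be 1-{MAX_PROFILES}")
        if profile_id in self.profiles:
            raise ValueError(f"profile {profile_id} already exists")
        profile = AccessProfile(profile_id, source_ip_mask)
        self.profiles[profile_id] = profile
        return profile

    def total_rules(self) -> int:
        return sum(len(p.rules) for p in self.profiles.values())

    def add_rule(self, profile_id: int, access_id: int, source_ip: str,
                 port: str, action: str) -> Rule:
        # config access_profile profile_id <id> add access_id <n> ip source_ip <ip>
        #     port <port> [permit | deny]
        profile = self.profiles[profile_id]
        if not 1 <= access_id <= MAX_RULES_PER_PROFILE:
            raise ValueError(f"access_id must be 1-{MAX_RULES_PER_PROFILE}")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if access_id not in profile.rules and self.total_rules() >= MAX_RULES_TOTAL:
            raise ValueError(f"at most {MAX_RULES_TOTAL} rules across all profiles")
        rule = Rule(access_id, source_ip, port, action)
        profile.rules[access_id] = rule
        return rule

    def decide(self, src_ip: str, port: str) -> str:
        """Return the action the Switch applies to a frame from src_ip received on port."""
        for profile_id in sorted(self.profiles):      # assumption: lower profile_id first
            profile = self.profiles[profile_id]
            mask = profile.source_ip_mask
            for access_id in sorted(profile.rules):   # lowest access_id = highest priority
                rule = profile.rules[access_id]
                if rule.port != port:
                    continue
                if masked(src_ip, mask) == masked(rule.source_ip, mask):
                    return rule.action                # first matching rule wins
        return "permit"                               # default: traffic flow is permitted


if __name__ == "__main__":
    # The two commands from the text above, then a few constructed test addresses
    sw = Switch()
    sw.create_access_profile(1, "255.255.255.0")
    sw.add_rule(1, 1, "10.42.73.1", "1:1", "deny")
    for ip in ("10.42.73.200", "10.42.74.5"):
        print(ip, "on port 1:1 ->", sw.decide(ip, "1:1"))
```

Running the script reproduces the example from the text: 10.42.73.200 is denied on port 1:1 because 10.42.73.200 AND 255.255.255.0 equals 10.42.73.1 AND 255.255.255.0, while 10.42.74.5 falls outside the masked range and is permitted by default.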
Command                  Parameters

create access_profile    [ethernet {vlan | source_mac <macmask 000000000000-ffffffffffff> | destination_mac <macmask 000000000000-ffffffffffff> | 802.1p | ethernet_type} profile_id <value 1-8>]

config access_profile    profile_id <value 1-8> [add access_id <value 1-100> [ethernet {vlan <vlan_name 32> | source_mac <macaddr 000000000000-ffffffffffff> | destination_mac <macaddr 000000000000-ffffffffffff> | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff>} port <port> [permit {priority <value 0-7> {replace_priority} | replace_dscp <value 0-63>} | deny] | delete <value 1-100>]