xStack DGS-3612G Layer 3 Gigabit Ethernet Managed Switch CLI Manual
create access_profile (IP)
Purpose
Used to create an access profile on the Switch by examining the IP part of the packet header. Masks entered can be combined with the values the Switch finds in the specified frame header fields. Specific values for the rules are entered using the config access_profile command, below.
Syntax
create access_profile profile_id <value 1-14> ip {source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp | [icmp | igmp | tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [all | {urg | ack | psh | rst | syn | fin}]} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | protocol_id_mask {<hex 0x0-0xff> [user_define_mask <hex 0x0-0xffffffff>]}]}
Description
This command allows the user to create a profile for packets that may be accepted or denied by the Switch by examining the IP part of the packet header. Specific values for rules pertaining to the IP part of the packet header may be defined by configuring the config access_profile command for IP, as stated below.
Parameters
profile_id <value 1-14> − Specifies an index number between 1 and 14 that will identify the access profile being created with this command.
ip − Specifies that the Switch will look into the IP fields in each packet with special emphasis on one or more of the following:
• source_ip_mask <netmask> − Specifies an IP address mask for the source IP address.
• destination_ip_mask <netmask> − Specifies an IP address mask for the destination IP address.
• dscp − Specifies that the Switch will examine the DiffServ Code Point (DSCP) field in each frame’s header.
• icmp − Specifies that the Switch will examine the Internet Control Message Protocol (ICMP) field in each frame’s header.
• igmp − Specifies that the Switch will examine each frame’s Internet Group Management Protocol (IGMP) field.
• tcp − Specifies that the Switch will examine each frame’s Transport Control Protocol (TCP) field.
  • src_port_mask <hex 0x0-0xffff> − Specifies a TCP port mask for the source port.
  • dst_port_mask <hex 0x0-0xffff> − Specifies a TCP port mask for the destination port.
  • flag_mask [all | {urg | ack | psh | rst | syn | fin}] − Enter the appropriate flag_mask parameter. All incoming packets have TCP port numbers contained in them as the forwarding criterion. These numbers have flag bits associated with them which are parts of a packet that determine what to do with the packet. The user may deny packets by denying certain flag bits within the packets. The user may choose between all, urg (urgent), ack (acknowledgement), psh (push), rst (reset), syn (synchronize) and fin (finish).
• udp − Specifies that the Switch will examine each frame’s User Datagram Protocol (UDP) field.
  • src_port_mask <hex 0x0-0xffff> − Specifies a UDP port mask for the source port.
  • dst_port_mask <hex 0x0-0xffff> − Specifies a UDP port mask for the destination port.
• protocol_id_mask − Specifies that the Switch will examine each frame’s Protocol ID field.
  • <hex 0x0-0xff> − Enter a hexadecimal value that will identify the protocol to be discovered in the packet header.
  • user_define <hex 0x0-0xffffffff> − Enter a hexadecimal value that will identify the user defined protocol to be discovered in the packet header.
Restrictions
Only administrator-level users can issue this command.
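The masks created by this command select which bits of each header field are compared with the values later entered using config access_profile. The Python sketch below is an added illustration, not part of the D-Link manual or the Switch firmware; it assumes the usual bitwise rule, (packet AND mask) = (rule value AND mask), and uses constructed addresses, ports and packets to show what a given source_ip_mask, dst_port_mask and flag_mask actually cover before a rule is deployed.

```python
import ipaddress

# TCP flag bits (RFC 793), keyed by the flag_mask keywords listed above.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def flag_bits(names):
    """Convert flag keywords (or 'all') into a bit mask."""
    if "all" in names:
        return 0x3F
    bits = 0
    for n in names:
        bits |= TCP_FLAGS[n]
    return bits

def make_profile(source_ip_mask="0.0.0.0", dst_port_mask=0x0, flag_mask=()):
    """The profile holds only masks: which bits of each field are examined."""
    return {"src_ip": ip_to_int(source_ip_mask),
            "dst_port": dst_port_mask & 0xFFFF,
            "flags": flag_bits(flag_mask)}

def fields(d):
    """Normalise a rule or packet (hypothetical dict layout) to integers."""
    return {"src_ip": ip_to_int(d["src_ip"]), "dst_port": d["dst_port"],
            "flags": flag_bits(d["flags"])}

def matches(profile, rule, packet):
    """Assumed semantics: match when (packet & mask) == (rule & mask) per field."""
    pkt, val = fields(packet), fields(rule)
    return all((pkt[f] & m) == (val[f] & m) for f, m in profile.items())

def covered_ports(mask, value):
    """Enumerate every 16-bit port that a port mask/value pair would match."""
    return [p for p in range(0x10000) if (p & mask) == (value & mask)]

# Constructed sample data, not taken from the manual.
PROFILE = make_profile("255.255.255.0", 0xFFF0, ("syn", "ack"))
RULE = {"src_ip": "10.1.1.0", "dst_port": 0x0050, "flags": ("syn",)}
PACKETS = [
    {"src_ip": "10.1.1.77", "dst_port": 80, "flags": ("syn",)},        # new connection
    {"src_ip": "10.1.1.77", "dst_port": 95, "flags": ("syn", "psh")},  # psh bit not examined
    {"src_ip": "10.1.1.77", "dst_port": 80, "flags": ("syn", "ack")},  # ack bit differs
    {"src_ip": "10.1.2.77", "dst_port": 80, "flags": ("syn",)},        # different /24
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, "->", matches(PROFILE, RULE, p))
    print("ports covered by 0xFFF0 / 0x0050:", covered_ports(0xFFF0, 0x0050))
```

A port mask narrower than 0xffff widens the rule: here 0xFFF0 makes a rule written for port 80 apply to ports 80 through 95, so enumerating the covered range is a useful check before applying a deny or permit rule.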
Example usage:
To configure a rule for the IP access profile: