xStack DES-6500 Modular Layer 3 Chassis Ethernet Switch CLI Manual
25
A
CCESS
C
ONTROL
L
IST
(ACL) C
OMMANDS
(I
NCLUDING
CPU)
The xStack DES-6500 implement Access Control Lists that enable the Switch to deny network access to specific devices or
device groups based on IP settings, MAC address, packet content and IPv6 settings.
Command Parameters
create access_profile
profile_id <value 1-8> [ethernet {vlan | source_mac <macmask> | destination_mac
<macmask> | 802.1p | ethernet_type} | ip {vlan | source_ip_mask <netmask> |
destination_ip_mask <netmask> | dscp | [icmp {type | code} | igmp {type} | tcp
{src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [all |
{urg | ack | psh | rst | syn | fin}]} | udp {src_port_mask <hex 0x0-0xffff> |
dst_port_mask <hex 0x0-xffff>} | protocol_id {user _mask <hex 0x0-0xffffffff>}]} |
packet_content_mask {offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> | offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
<hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_48-63 <hex 0x0-0xffffffff>
<hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_64-79 <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>} | ipv6 {class |
flowlabel | [source_ipv6_mask <ipv6mask> | destination_ipv6_mask <ipv6mask>]}]
delete access_profile
profile_id
<value 1-8>
config access_profile
profile_id
<value 1-8> [add access_id <value 1-65535> [ethernet {vlan <vlan_name 32> |
source_mac <macaddr> | destination_mac <macaddr> | 802.1p <value 0-7> |
ethernet_type <hex 0x0-0xffff>} | ip {vlan <vlan_name 32> | source_ip <ipaddr> |
destination_ip <ipaddr> | dscp <value 0-63> | [icmp {type <value 0-255> code
<value 0-255>} | igmp {type <value 0-255>} | tcp {src_port <value 0-65535> |
dst_port <value 0-65535> | urg | ack | psh | rst | syn | fin} | udp {src_port <value 0-
65535> | dst_port <value 0-65535>} | protocol_id <value 0 - 255> {user_define
<hex 0x0-0xffffffff> }]} | packet_content {offset_0-15 <hex0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_16-31 <hex 0x0-0xffffffff>
<hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_32-47 <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff><hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_48-63
<hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> |
offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex0x0-
0xffffffff>} | ipv6 {class <value 0 –255> | flowlabel <hex0x0-0xfffff> | [source_ipv6
<ipv6addr> | destination_ipv6 <ipv6addr>]}] port <portlist> | all] [permit {priority
<value 0-7> {replace_priority}} | replace_dscp <value 0-63> } | deny] | delete <value
1-65535>]
show access_profile
profile_id <value 1-8>
create cpu
access_profile
profile_id <value 1-5> [ethernet {vlan | source_mac <macmask> | destination_mac
<macmask> | ethernet_type} | ip {vlan | source_ip_mask <netmask> |
destination_ip_mask <netmask> | dscp | [icmp {type | code} | igmp {type} | tcp
{src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | flag_mask [all |
{urg | ack | psh | rst | syn | fin}]} | udp {src_port_mask <hex 0x0-0xffff> |
dst_port_mask <hex 0x0-0xffff>} | protocol_id {user_mask <hex 0x0-0xffffffff>} ]} |
packet_content_mask {offset 0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff>| offset 16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
<hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | {offset 32-47 <hex 0x0-0xffffffff> <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | {offset 48-63 <hex 0x0-0xffffffff>
<hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | {offset 64-79 <hex 0x0-
0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>}]
209