21 ACCESS CONTROL LIST (ACL) COMMANDS
The DES-6500 implements Access Control Lists that enable the Switch to deny network access to specific devices or device groups based on IP settings, MAC address, and packet content.

Command / Parameters

create access_profile
    [ethernet {vlan | source_mac <macmask> | destination_mac <macmask> | 802.1p | ethernet_type} | ip {vlan | source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp | [icmp {type | code} | igmp {type} | tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [all | {urg | ack | psh | rst | syn | fin}]} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | protocol_id {user_mask <hex 0x0-0xffffffff>}]} | packet_content_mask {offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>}] port [<portlist> | all] profile_id <value 1-8>

delete access_profile
    profile_id <value 1-8>

config access_profile
    profile_id <value 1-8> [add access_id <value 1-100> [ethernet {vlan <vlan_name 32> | source_mac <macaddr> | destination_mac <macaddr> | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff>} [permit {priority <value 0-7> {replace_priority} | deny] | ip {vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> | dscp <value 0-63> | [icmp {type <value 0-255> code <value 0-255>} | igmp {type <value 0-255>} | tcp {src_port <value 0-65535> | dst_port <value 0-65535> | urg | ack | psh | rst | syn | fin} | udp {src_port <value 0-65535> | dst_port <value 0-65535>} | protocol_id <value 0-255> {user_define <hex 0x0-0xffffffff>}]} [permit {priority <value 0-7> {replace_priority} | replace_dscp <value 0-63>} | deny] | packet_content {offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>} port <port> [permit {priority <value 0-7> {replace_priority} | replace_dscp <value 0-63>} | deny]] port <port> [permit {priority <value 0-7> {replace_priority} | deny] | delete <value 1-100>]

show access_profile
    {profile_id <value 1-8>}
create access_profile

Due to a chipset limitation, the Switch currently supports a maximum of 8 access profiles, each containing a maximum of 100 rules, with the additional limitation of 100 rules total for all 8 access profiles.

Access profiles allow you to establish criteria to determine whether or not the Switch will forward packets based on the information contained in each packet's header. These criteria can be specified on a VLAN-by-VLAN basis.

Creating an access profile is divided into two basic parts. First, an access profile must be created using the create access_profile command. For example, if you want to deny all traffic to the subnet 10.42.73.0 to 10.42.73.255, you must first create an access profile that instructs the Switch to examine all of the relevant fields of each frame:

create access_profile ip source_ip_mask 255.255.255.0 profile_id 1

Here we have created an access profile that will examine the IP field of each frame received by the Switch. Each source IP address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The profile_id parameter is used to give the access profile an identifying number, in this case 1. The deny parameter instructs the Switch to filter any
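The two-step model described above (a profile fixing which bits of the source IP are examined through source_ip_mask, and rules under that profile supplying the value and the permit/deny action), as an added Python model that is not part of the manual or of D-Link's firmware. The profile and rule limits follow the chipset limitation the manual states; the lookup order (lowest profile_id, then lowest access_id, first match wins) and the permit-by-default fallback are assumptions not stated on this page.

```python
import ipaddress

MAX_PROFILES = 8             # chipset limit stated in the manual
MAX_RULES_PER_PROFILE = 100
MAX_RULES_TOTAL = 100        # across all 8 access profiles

class AccessProfileTable:
    """Model of the DES-6500 two-step ACL: a profile fixes which bits of the
    source IP are examined (source_ip_mask); each rule supplies the value."""

    def __init__(self):
        self.masks = {}   # profile_id -> source_ip_mask as an int
        self.rules = {}   # profile_id -> {access_id: (masked value, action)}

    def create_access_profile(self, profile_id, source_ip_mask):
        if not 1 <= profile_id <= MAX_PROFILES:
            raise ValueError("profile_id must be 1-8")
        if profile_id in self.masks:
            raise ValueError("profile %d already exists" % profile_id)
        self.masks[profile_id] = int(ipaddress.IPv4Address(source_ip_mask))
        self.rules[profile_id] = {}

    def total_rules(self):
        return sum(len(r) for r in self.rules.values())

    def config_access_profile(self, profile_id, access_id, source_ip, action):
        if profile_id not in self.masks:
            raise KeyError("profile %d does not exist" % profile_id)
        if not 1 <= access_id <= MAX_RULES_PER_PROFILE:
            raise ValueError("access_id must be 1-100")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if access_id not in self.rules[profile_id] and self.total_rules() >= MAX_RULES_TOTAL:
            raise RuntimeError("100 rules total across all profiles")
        # Store the value already ANDed with the profile mask, so that
        # 10.42.73.5 and 10.42.73.0 are the same rule under 255.255.255.0.
        value = int(ipaddress.IPv4Address(source_ip)) & self.masks[profile_id]
        self.rules[profile_id][access_id] = (value, action)

    def lookup(self, src_ip):
        """Action for a frame with this source IP. Assumed order: lowest
        profile_id, then lowest access_id, first match wins; permit if none."""
        src = int(ipaddress.IPv4Address(src_ip))
        for pid in sorted(self.rules):
            for aid in sorted(self.rules[pid]):
                value, action = self.rules[pid][aid]
                if src & self.masks[pid] == value:
                    return action
        return "permit"
```

With profile 1 created as in the manual's example and a single deny rule for 10.42.73.0 added under it, every source in 10.42.73.0/24 is denied while 10.42.74.1 still matches nothing.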