xStack® DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual (page 72)
DGS-3627:admin# config admin local_enable
Command: config admin local_enable
Enter the old password:
Enter the case-sensitive new password:******
Enter the new password again for confirmation:******
Success.
DGS-3627:admin#
9 ACCESS CONTROL LIST (ACL) COMMANDS
The Switch implements Access Control Lists that enable the Switch to deny network access to specific devices or device
groups based on IP settings and MAC address. Access profiles allow you to establish criteria to determine whether or not
the Switch will forward packets based on the information contained in each packet’s header. These criteria can be
specified on a VLAN-by-VLAN basis.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the create
access_profile command. For example, if you want to deny all traffic from the subnet 10.42.73.0 to 10.42.73.255, you
must first create an access profile that instructs the Switch to examine the relevant field of each frame:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the source IP address of each frame received by the Switch.
Each source IP address the Switch finds will be combined with the source_ip_mask with a logical AND operation. The
profile_id parameter gives the access profile an identifying number, in this case 1. Note that the profile only says
which bits of the header are examined; the address to compare against, the ports the rule applies to and whether
matching frames are permitted or denied are all given when rules are added to the profile in the next step. There, the
deny parameter instructs the Switch to filter any frames that meet the criteria, in this case when the source IP address
ANDed with the source_ip_mask equals the address specified in the rule (also ANDed with the same mask).
The default for an access profile on the Switch is to permit traffic flow. If you want to restrict traffic, you must use the deny
parameter.
Now that an access profile has been created, you must add the criteria the Switch will use to decide if a given frame
should be forwarded or filtered. Here, we want to filter any packets that have an IP source address between 10.42.73.0
and 10.42.73.255:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 1 deny
Here we use the profile_id 1 which was specified when the access profile was created. The add parameter instructs the
Switch to add the criteria that follows to the list of rules that are associated with access profile 1. For each rule entered
into the access profile, you assign an access_id that both identifies the rule and establishes its priority within the list of
rules. A lower access_id gives the rule a higher priority. If two rules in an access profile match the same frame, the
rule with the highest priority (lowest access_id) takes precedence, so a broad permit rule placed at a lower access_id
than a narrower deny rule will silently prevent the deny from ever taking effect.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame's
header. source_ip tells the Switch that this rule will apply to the source IP address in each frame's header. The port
parameter restricts the rule to frames received on port 1; use port all to apply it to every port. Finally, the IP address
10.42.73.1 will be combined with the source_ip_mask 255.255.255.0 to give 10.42.73.0, so the rule matches any source
IP address from 10.42.73.0 to 10.42.73.255 (10.42.73.0 and 10.42.73.1 describe the same rule under this mask).
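The following Python model is an added example and is not part of the D-Link manual: it reproduces the matching semantics described above (the profile mask is ANDed with the packet's source address, the rule's address is ANDed with the same mask and compared, the lowest access_id wins, and a frame that matches no rule is permitted) so the 10.42.73.0/24 case can be checked offline. The class and function names (`AccessProfile`, `add_rule`, `evaluate`, `shadowed_rules`) are this example's own, and the port handling assumes a rule given a port list only sees frames that arrive on those ports.

```python
"""Model of DGS-3600 access-profile matching (added example, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer; raises on malformed input."""
    return int(IPv4Address(addr))


@dataclass
class Rule:
    access_id: int
    source_ip: int              # value given to "config access_profile ... source_ip"
    ports: Optional[Set[int]]   # None models "port all"
    action: str                 # "permit" or "deny"


@dataclass
class AccessProfile:
    profile_id: int
    source_ip_mask: int         # mask given to "create access_profile ... source_ip_mask"
    rules: List[Rule] = field(default_factory=list)


def add_rule(profile: AccessProfile, access_id: int, source_ip: str, ports, action: str) -> None:
    """Model of "config access_profile profile_id N add access_id ... port ... permit|deny"."""
    if not 1 <= access_id <= 128:
        raise ValueError("access_id must be 1-128")
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if any(r.access_id == access_id for r in profile.rules):
        raise ValueError(f"access_id {access_id} already used in profile {profile.profile_id}")
    port_set = None if ports == "all" else set(ports)
    profile.rules.append(Rule(access_id, ip_to_int(source_ip), port_set, action))
    # The Switch evaluates rules by access_id: lowest number = highest priority.
    profile.rules.sort(key=lambda r: r.access_id)


def evaluate(profile: AccessProfile, src_ip: str, ingress_port: int) -> str:
    """Action for a frame: first matching rule wins, no match means permit (Switch default)."""
    masked = ip_to_int(src_ip) & profile.source_ip_mask
    for r in profile.rules:
        if r.ports is not None and ingress_port not in r.ports:
            continue
        # Both sides are ANDed with the profile mask, which is why 10.42.73.1 and
        # 10.42.73.0 describe the same /24 when the mask is 255.255.255.0.
        if (r.source_ip & profile.source_ip_mask) == masked:
            return r.action
    return "permit"


def shadowed_rules(profile: AccessProfile) -> List[int]:
    """access_ids of rules that can never fire because a higher-priority rule
    (lower access_id) already matches every frame they would match."""
    shadowed = []
    for i, r in enumerate(profile.rules):
        for e in profile.rules[:i]:
            same_match = (e.source_ip & profile.source_ip_mask) == (r.source_ip & profile.source_ip_mask)
            covers_ports = e.ports is None or (r.ports is not None and r.ports <= e.ports)
            if same_match and covers_ports:
                shadowed.append(r.access_id)
                break
    return shadowed


def build_example() -> AccessProfile:
    """The two commands from the text, as a profile object."""
    # create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
    p = AccessProfile(profile_id=1, source_ip_mask=ip_to_int("255.255.255.0"))
    # config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 1 deny
    add_rule(p, 1, "10.42.73.1", [1], "deny")
    return p


if __name__ == "__main__":
    prof = build_example()
    for ip, port in (("10.42.73.200", 1), ("10.42.73.200", 2), ("10.42.74.1", 1)):
        print(ip, "on port", port, "->", evaluate(prof, ip, port))
```

`shadowed_rules` is the check worth running before committing an ACL: a permit-all rule at access_id 1 followed by a deny at access_id 2 matches the text's precedence rule exactly, and the deny never fires.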
Due to a chipset limitation, the Switch supports a maximum of fourteen access profiles. The rules used to define the
access profiles are limited to a total of 1792 rules for the Switch (14 profiles with up to 128 access IDs each). One rule
can be applied per port or per port map.
The Access Control List (ACL) commands in the Command Line Interface (CLI) are listed (along with the appropriate
parameters) in the following table.
Command
Parameters
create access_profile
[ethernet {vlan | source_mac <macmask 000000000000-ffffffffffff> |
destination_mac <macmask 000000000000-ffffffffffff> | 802.1p | ethernet_type} |
ip {vlan | source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp |
[icmp {type | code} | igmp {type} | tcp {src_port_mask <hex 0x0-0xffff> |
dst_port_mask <hex 0x0-0xffff> | flag_mask [ all | {urg | ack | psh | rst | syn |
fin}]} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} |
protocol_id_mask <hex 0x0-0xff> {user_define_mask <hex 0x0-0xffffffff>}]}|
packet_content_mask { offset_chunk_1 <value 0-31> <hex 0x0-0xffffffff> |
offset_chunk_2 <value 0-31> <hex 0x0-0xffffffff> | offset_chunk_3 <value 0-31>
<hex 0x0-0xffffffff> | offset_chunk_4 <value 0-31> <hex 0x0-0xffffffff>}| ipv6
{class | flowlabel | source_ipv6_mask <ipv6mask> | destination_ipv6_mask
<ipv6mask> | [ tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-
0xffff>} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-
0xffff>}]}] profile_id <value 1-14>
delete access_profile
[profile_id <value 1-14> |all]
config access_profile
profile_id <value 1-14> [add access_id [auto_assign | <value 1-128>] [ethernet
{vlan <vlan_name 32> | source_mac <macaddr 000000000000-ffffffffffff> |
destination_mac <macaddr 000000000000-ffffffffffff> | 802.1p <value 0-7> |
ethernet_type <hex 0x0-0xffff>} port [<portlist> | all] [permit {priority <value 0-7>
{replace_priority} | rx_rate [no_limit | <value 1-156249>] | replace_dscp <value
0-63> | counter [enable | disable]} | mirror {group_id <value 1-4>} | deny] | ip
{vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> | dscp
<value 0-63> | [icmp {type <value 0-255> | code <value 0-255>} | igmp {type
<value 0-255>} | tcp {src_port <value 0-65535> | dst_port <value 0-65535> | urg
| ack | psh | rst | syn | fin} | udp {src_port <value 0-65535> | dst_port <value 0-
65535>} | protocol_id <value 0 - 255> {user_define <hex 0x0-0xffffffff>}]} port
[<portlist> | all] [permit {priority <value 0-7> {replace_priority} | rx_rate [ no_limit |
<value 1-156249>] | replace_dscp <value 0-63> | counter [enable | disable]} |
mirror {group_id <value 1-4>} | deny] | packet_content {offset_chunk_1 <hex
0x0-0xffffffff> | offset_chunk_2 <hex 0x0-0xffffffff> | offset_chunk_3 <hex 0x0-
0xffffffff> | offset_chunk_4 <hex 0x0-0xffffffff>} port [<portlist> | all] [permit
{priority <value 0-7> {replace_priority} | rx_rate [no_limit | <value 1-156249>] |
replace_dscp <value 0-63> | counter [enable | disable]} | mirror {group_id <value
1-4>} | deny] | ipv6 {class <value 0-255> | flowlabel <hex 0x0-0xfffff> |
source_ipv6 <ipv6addr> | destination_ipv6 <ipv6addr> | [ tcp {src_port <value 0-
65535> | dst_port <value 0-65535>} | udp {src_port <value 0-65535> | dst_port
<value 0-65535>}]} port [<portlist> | all] [permit {priority <value 0-7>
{replace_priority} | rx_rate [no_limit | <value 1-156249>] | counter [enable |
disable]} | mirror {group_id <value 1-4>} | deny]]{time_range <range_name 32>}
| delete access_id <value 1-128>]
config flow_meter
profile_id <value 1-14> access_id <value 1-128> [[tr_tcm cir <value 0-156249> {cbs <value 0-16384>}
pir <value 0-156249> {pbs <value 0-16384>} | sr_tcm cir <value 0-156249> cbs <value 0-16384>
ebs <value 0-16384>] {conform [permit | replace_dscp <value 0-63>] {counter [enable | disable]}}
exceed [permit | replace_dscp <value 0-63> | drop] {counter [enable | disable]} violate [permit |
replace_dscp <value 0-63> | drop] {counter [enable | disable]} | delete]
show flow_meter
{profile_id <value 1-14> {access_id <value 1-128>}}
config time_range
<range_name 32> [hours start_time <time hh:mm:ss> end_time <time
hh:mm:ss> weekdays <daylist> |delete]
show time_range
Each command is listed, in detail, in the following sections.
create access_profile
Purpose
Used to create access list rules.
Syntax
create access_profile [ethernet {vlan | source_mac <macmask 000000000000-
ffffffffffff> | destination_mac <macmask 000000000000-ffffffffffff> | 802.1p |
ethernet_type} | ip {vlan | source_ip_mask <netmask> | destination_ip_mask
<netmask> | dscp | [icmp {type | code} | igmp {type} | tcp {src_port_mask <hex 0x0-
0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [ all | {urg | ack | psh | rst | syn |
fin}]} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} |
protocol_id_mask <hex 0x0-0xff> {user_define_mask <hex 0x0-0xffffffff>}]}|
packet_content_mask { offset_chunk_1 <value 0-31> <hex 0x0-0xffffffff> |
offset_chunk_2 <value 0-31> <hex 0x0-0xffffffff> | offset_chunk_3 <value 0-31> <hex
0x0-0xffffffff> | offset_chunk_4 <value 0-31> <hex 0x0-0xffffffff>}| ipv6 {class | flowlabel
| source_ipv6_mask <ipv6mask> | destination_ipv6_mask <ipv6mask> | [ tcp
{src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | udp
{src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>}]}] profile_id <value
1-14>
Description
The create access_profile command creates an access profile: the set of frame header fields and masks that the rules
later added with config access_profile are matched against. A profile permits or denies nothing by itself until rules are
added to it.
Parameters
vlan
- Specifies a vlan mask. Only the last 12 bits of the mask will be considered.
source_mac
- Specifies the source mac mask.
destination_mac
- Specifies the destination mac mask.
802.1p
- Specifies 802.1p priority tag mask.
ethernet_type
- Specifies the ethernet type mask.
vlan
- Specifies a vlan mask. Only the last 12 bits of the mask will be considered.
source_ip_mask
- Specifies an IP source submask.
destination_ip_mask
- Specifies an IP destination submask.
dscp
- Specifies the dscp mask.
icmp
- Specifies that the rule applies to icmp traffic.
type
- Specifies that the rule applies to icmp type traffic.
code
- Specifies that the rule applies to icmp code traffic.
igmp
- Specifies that the rule applies to igmp traffic.
type
- Specifies that the rule applies to igmp type traffic.
tcp
- Specifies that the rule applies to tcp traffic.
src_port_mask
- Specifies the tcp source port mask.
dst_port_mask
- Specifies the tcp destination port mask.
flag_mask
- Specifies the TCP flag field mask.
udp
- Specifies that the rule applies to udp traffic.
src_port_mask
- Specifies the udp source port mask.
dst_port_mask
- Specifies the udp destination port mask.
protocol_id_mask
- Specifies the mask applied to the IP protocol ID field, so that the rule applies to traffic of the selected IP protocol(s).
user_define_mask
- Specifies a mask applied to the 4 bytes that immediately follow the 20-byte IP header (the start of the IP payload),
used together with protocol_id_mask.
ipv6
- Specifies an IPv6 filtering mask. Whether this option is available depends on the product model.
class
- Specifies the ipv6 class.
flowlabel
- Specifies the ipv6 flowlabel.
source_ipv6_mask
- Specifies an IPv6 source submask.
destination_ipv6_mask
- Specifies an IPv6 destination submask.
src_port_mask
- Specifies an IPv6 L4(TCP/UDP) source port submask
dst_port_mask
- Specifies an IPv6 L4 (TCP/UDP) destination port submask.
profile_id
- Specifies the index of the access list profile. On this Switch the range is 1-14; the range depends on the product model.
offset_chunk_1, offset_chunk_2, offset_chunk_3, offset_chunk_4
- Specifies a frame content offset and mask. Up to four chunk offsets and masks can be configured. Each offset
(0-31) selects one 4-byte chunk of the frame, and each chunk mask covers those 4 bytes.
Restrictions
Only Administrator and Operator-level users can issue this command.
Example usage:
To create an Ethernet access profile:
DGS-3627:admin# create access_profile ethernet vlan source_mac 00-00-00-00-00-01
destination_mac 00-00-00-00-00-02 802.1p ethernet_type profile_id 1
Command: create access_profile ethernet vlan source_mac 00-00-00-00-00-01 destination_mac
00-00-00-00-00-02 802.1p ethernet_type profile_id 1
Success.
DGS-3627:admin#
To create a packet content mask access profile that examines the first four 4-byte chunks of each frame:
DGS-3627:admin# create access_profile packet_content_mask offset_chunk_1 0 0xFFFFFFFF
offset_chunk_2 1 0xFFFFFFFF offset_chunk_3 2 0xFFFFFFFF offset_chunk_4 3 0xFFFFFFFF
profile_id 3
Command: create access_profile packet_content_mask offset_chunk_1 0 0xFFFFFFFF
offset_chunk_2 1 0xFFFFFFFF offset_chunk_3 2 0xFFFFFFFF offset_chunk_4 3 0xFFFFFFFF
profile_id 3
Success.
DGS-3627:admin#
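The packet_content_mask profile above matches on raw frame bytes rather than parsed header fields, which is both its strength (any protocol) and its trap (a VLAN tag shifts every later field by 4 bytes, and a field that straddles a 4-byte boundary needs two chunks). The Python below is an added example, not vendor code: it models chunk selection and masking, builds constructed sample frames (not captured traffic), and renders the matching CLI lines in the syntax from the command table. It assumes chunk offset 0 starts at the first byte of the destination MAC address; the names `ContentProfile`, `ContentRule`, `make_frame`, `matches` and `cli_commands` are this example's own.

```python
"""Model of packet_content_mask chunk matching (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHUNK_BYTES = 4
MAX_CHUNK_INDEX = 31   # offset_chunk_N <value 0-31> in the command table


@dataclass
class ContentProfile:
    profile_id: int
    # slot (1-4) -> (chunk index 0-31, 32-bit mask), i.e. "offset_chunk_<slot> <index> <mask>"
    masks: Dict[int, Tuple[int, int]]


@dataclass
class ContentRule:
    access_id: int
    values: Dict[int, int]   # slot -> 32-bit value, i.e. "packet_content offset_chunk_<slot> <value>"
    action: str              # "permit" or "deny"


def chunk_word(frame: bytes, index: int) -> Optional[int]:
    """Chunk <index> of the frame as a 32-bit integer, or None if the frame is too short.
    Assumption: index 0 is the first 4 bytes of the destination MAC address."""
    if not 0 <= index <= MAX_CHUNK_INDEX:
        raise ValueError("offset_chunk index must be 0-31")
    start = index * CHUNK_BYTES
    if len(frame) < start + CHUNK_BYTES:
        return None
    return int.from_bytes(frame[start:start + CHUNK_BYTES], "big")


def matches(profile: ContentProfile, rule: ContentRule, frame: bytes) -> bool:
    """True when every configured chunk, masked, equals the rule's masked value."""
    if not 1 <= len(profile.masks) <= 4:
        raise ValueError("a profile carries one to four chunks")
    for slot, (index, mask) in profile.masks.items():
        if slot not in rule.values:
            raise ValueError(f"rule {rule.access_id} gives no value for offset_chunk_{slot}")
        word = chunk_word(frame, index)
        if word is None:            # truncated frame: a chunk past the end cannot match
            return False
        if (word & mask) != (rule.values[slot] & mask):
            return False
    return True


def make_frame(src_ip: str, tagged: bool = False) -> bytes:
    """Constructed Ethernet/IPv4 frame: dst MAC, src MAC, optional 802.1Q tag (VLAN 10),
    EtherType 0x0800 and a minimal 20-byte IPv4 header carrying the given source address."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in "10.42.74.254".split("."))
    tag = bytes.fromhex("8100000a") if tagged else b""
    ip_hdr = bytes.fromhex("4500001c0000400040060000") + src + dst
    return bytes.fromhex("000000000002") + bytes.fromhex("000000000001") + tag + b"\x08\x00" + ip_hdr


def build_example() -> Tuple[ContentProfile, ContentRule]:
    """Match untagged IPv4 frames from 10.42.73.0/24 by raw offsets.
    Chunk 3 = EtherType + IP version/IHL byte; the source IP sits at frame bytes 26-29,
    so it straddles chunk 6 (bytes 24-27) and chunk 7 (bytes 28-31) and needs two slots."""
    profile = ContentProfile(profile_id=2, masks={
        1: (3, 0xFFFFFF00),   # 08 00 45 xx : IPv4 EtherType, version 4, IHL 5
        2: (6, 0x0000FFFF),   # xx xx 0a 2a : first two octets of the source IP
        3: (7, 0xFF000000),   # 49 xx xx xx : third octet of the source IP (73)
    })
    rule = ContentRule(access_id=1, values={1: 0x08004500, 2: 0x00000A2A, 3: 0x49000000}, action="deny")
    return profile, rule


def cli_commands(profile: ContentProfile, rule: ContentRule, ports: str = "all") -> List[str]:
    """Render the two CLI lines in the order given by the command table."""
    masks = " ".join(f"offset_chunk_{s} {idx} 0x{mask:08X}" for s, (idx, mask) in sorted(profile.masks.items()))
    values = " ".join(f"offset_chunk_{s} 0x{rule.values[s]:08X}" for s in sorted(profile.masks))
    return [
        f"create access_profile packet_content_mask {masks} profile_id {profile.profile_id}",
        f"config access_profile profile_id {profile.profile_id} add access_id {rule.access_id} "
        f"packet_content {values} port {ports} {rule.action}",
    ]


if __name__ == "__main__":
    prof, rl = build_example()
    print("\n".join(cli_commands(prof, rl, ports="1")))
    print("untagged 10.42.73.1 matches:", matches(prof, rl, make_frame("10.42.73.1")))
    print("tagged   10.42.73.1 matches:", matches(prof, rl, make_frame("10.42.73.1", tagged=True)))
```

The tagged frame fails the chunk-3 test because the 802.1Q tag now occupies bytes 12-15, so a content rule written for untagged traffic does not see tagged traffic from the same host; an ip profile with source_ip_mask, which the Switch parses at the IP layer, does not have this problem.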
delete access_profile
Purpose
Used to delete access list rules.
Syntax
delete access_profile [profile_id <value 1-14> |all]
Description
The delete access_profile command deletes access list rules.
This command can only delete profiles that were created by the ACL module (with create access_profile); profiles
created by other features cannot be removed with it.
Parameters
profile_id
- Specifies the index of the access list profile. On this Switch the range is 1-14; the range depends on the product model.
all
- Deletes all access profiles.
Restrictions
Only Administrator and Operator-level users can issue this command.
Example usage:
To delete access list rules:
DGS-3627:admin#delete access_profile profile_id 10
Command: delete access_profile profile_id 10
Success.
DGS-3627:admin#
config access_profile
Purpose
Used to configure access list entry.