
Chapter 25 - Access Control List (ACL) Commands
The AT-9724TS implements Access Control Lists that enable the Switch to deny network access to specific devices or device groups based on IP settings or MAC
address.
Command Parameters
create access_profile [ethernet {vlan | source_mac <macmask> | destination_mac <macmask> | 802.1p | ethernet_type}
    | ip {vlan | source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp
        | [icmp {type | code} | igmp {type}
          | tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [all | {urg | ack | psh | rst | syn | fin}]}
          | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>}
          | protocol_id {user_mask <hex 0x0-0xffffffff>}]}
    | packet_content_mask {offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>}]
    {port [<portlist> | all] | profile_id <value 1-8>}
delete access_profile profile_id <value 1-8>
config access_profile profile_id <value 1-8> [add access_id <value 1-50>
    [ethernet {vlan <vlan_name 32> | source_mac <macaddr> | destination_mac <macaddr> | 802.1p <value 0-7> | ethernet_type <hex 0x0-0xffff>}
    | ip {vlan <vlan_name 32> | source_ip <ipaddr> | destination_ip <ipaddr> | dscp <value 0-63>
        | [icmp {type <value 0-255> code <value 0-255>} | igmp {type <value 0-255>}
          | tcp {src_port <value 0-65535> | dst_port <value 0-65535> | {urg | ack | psh | rst | syn | fin}}
          | udp {src_port <value 0-65535> | dst_port <value 0-65535>}
          | protocol_id <value 0-255> {user_define <hex 0x0-0xffffffff>}]}
    | packet_content {offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>
        | offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>}]
    [permit {priority <value 0-7> {replace_priority} | replace_dscp <value 0-63>} | deny]
    | delete <value 1-50>]
show access_profile {profile_id <value 1-8>}
Due to a chipset limitation, the Switch currently supports a maximum of 8 access profiles, each containing a maximum of 50 rules, with the additional limitation
of 50 rules in total across all 8 access profiles. In practice this means the rule budget is shared: every rule added to one profile reduces what is available to the others.
Access profiles allow you to establish criteria to determine whether or not the Switch will forward packets based on the information contained in each packet's
header. These criteria can be specified on a VLAN-by-VLAN basis.
Creating an access profile is divided into two basic parts. First, an access profile must be created using the create access_profile command. For example, if
you want to deny all traffic from the subnet 10.42.73.0 to 10.42.73.255, you must first create an access profile that instructs the Switch to examine the
relevant field of each frame:
create access_profile ip source_ip_mask 255.255.255.0 profile_id 1
Here we have created an access profile that will examine the source IP field of each frame received by the Switch. Each source IP address the Switch finds will be
combined with the source_ip_mask (255.255.255.0) with a logical AND operation. The profile_id parameter is used to give the access profile an identifying number, in this
case 1. Note that the profile only fixes which field is examined and which mask is applied; whether a matching frame is forwarded or filtered is decided by the permit or
deny parameter of each rule added in the next step, so all rules in a profile share the same mask.
The default for an access profile on the Switch is to permit traffic flow. If you want to restrict traffic, you must use the deny parameter.
Now that an access profile has been created, you must add the criteria the Switch will use to decide if a given frame should be forwarded or filtered. Here, we
want to filter any packets that have an IP source address between 10.42.73.0 and 10.42.73.255:
config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 deny
Here we use the profile_id 1 which was specified when the access profile was created. The add parameter instructs the Switch to add the criteria that follows
to the list of rules that are associated with access profile 1. For each rule entered into the access profile, you assign an access_id that both identifies the
rule and establishes a priority within the list of rules. A lower access_id gives the rule a higher priority. In case of a conflict between the rules entered for an access
profile (for example, a permit rule and a deny rule that both match the same frame), the rule with the highest priority (lowest access_id) takes precedence.
The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame's header. source_ip tells the Switch
that this rule will apply to the source IP address in each frame's header. Finally, the IP address 10.42.73.1 is combined with the source_ip_mask
255.255.255.0 to give 10.42.73.0; each frame's source address is masked the same way, and the rule matches when the two results are equal, i.e. for any source IP
address between 10.42.73.0 and 10.42.73.255. Because no other rule exists, every other source address falls through to the default and is permitted.
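The two-step procedure above (a profile fixes the field and mask, rules supply the address and the permit/deny action, lowest access_id wins, unmatched traffic is permitted) and the chipset limits stated earlier can be checked offline before touching the Switch. The following is an added example written for this page, not code from Allied Telesyn or from the Switch firmware: a small Python model of the matching semantics the manual describes. The class and function names (Profile, Rule, decide, cli_commands, check_limits) are the example's own, and the profile and rule values are constructed from the manual's 10.42.73.0/24 scenario; the generated command lines follow the syntax listed at the top of this chapter.

```python
"""Offline model of the AT-9724TS access-profile semantics described in this chapter.

Added example for this page; it is not vendor code. It reproduces three things the
text states: (1) a rule matches when (packet source AND mask) equals (rule source
AND mask), (2) rules are evaluated in access_id order with the lowest id winning,
(3) a frame that matches no rule is permitted. It also checks the chipset limits
(8 profiles, 50 rules per profile, 50 rules in total) before you type the commands.
"""
import ipaddress
from dataclasses import dataclass, field

# Limits stated in the manual ("Due to a chipset limitation ...").
MAX_PROFILES = 8
MAX_RULES_PER_PROFILE = 50
MAX_RULES_TOTAL = 50


@dataclass(order=True)
class Rule:
    access_id: int                          # lower access_id = higher priority
    source_ip: str = field(compare=False)   # address given on the config line
    action: str = field(compare=False)      # "permit" or "deny"


@dataclass
class Profile:
    profile_id: int
    source_ip_mask: str     # mask fixed at create time; shared by every rule in the profile
    rules: list = field(default_factory=list)

    def add_rule(self, access_id: int, source_ip: str, action: str) -> None:
        if not 1 <= access_id <= MAX_RULES_PER_PROFILE:
            raise ValueError("access_id must be in 1-50")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules.append(Rule(access_id, source_ip, action))


def masked(ip: str, mask: str) -> int:
    """Logical AND of an address with the profile mask, as the Switch does."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def decide(profile: Profile, packet_src: str) -> str:
    """Action the Switch applies to a frame whose source address is packet_src."""
    for rule in sorted(profile.rules):          # lowest access_id first
        if masked(packet_src, profile.source_ip_mask) == masked(rule.source_ip, profile.source_ip_mask):
            return rule.action
    return "permit"                             # default when no rule matches


def cli_commands(profile: Profile) -> list:
    """The create/config lines, in this chapter's syntax, that express the profile."""
    lines = [f"create access_profile ip source_ip_mask {profile.source_ip_mask} "
             f"profile_id {profile.profile_id}"]
    for rule in sorted(profile.rules):
        lines.append(f"config access_profile profile_id {profile.profile_id} "
                     f"add access_id {rule.access_id} ip source_ip {rule.source_ip} {rule.action}")
    return lines


def check_limits(profiles: list) -> list:
    """Return a list of chipset-limit violations; an empty list means the set fits."""
    problems = []
    if len(profiles) > MAX_PROFILES:
        problems.append(f"{len(profiles)} profiles exceeds the maximum of {MAX_PROFILES}")
    total = 0
    for p in profiles:
        if len(p.rules) > MAX_RULES_PER_PROFILE:
            problems.append(f"profile {p.profile_id} has {len(p.rules)} rules (max {MAX_RULES_PER_PROFILE})")
        total += len(p.rules)
    if total > MAX_RULES_TOTAL:
        problems.append(f"{total} rules across all profiles exceeds the shared limit of {MAX_RULES_TOTAL}")
    return problems


if __name__ == "__main__":
    # The manual's scenario: drop everything sourced from 10.42.73.0/24 (constructed input).
    p1 = Profile(profile_id=1, source_ip_mask="255.255.255.0")
    p1.add_rule(1, "10.42.73.1", "deny")
    print("\n".join(cli_commands(p1)))
    for src in ("10.42.73.200", "10.42.74.5"):
        print(f"{src} -> {decide(p1, src)}")
    print("limit check:", check_limits([p1]) or "ok")
```

Running the script prints the two command lines from the text and shows 10.42.73.200 denied while 10.42.74.5 falls through to the default permit. Because the mask lives on the profile, a second rule with a different address in the same /24 is indistinguishable from the first after masking; decide() resolves that conflict the way the manual states, by the lowest access_id, which is worth verifying before relying on a permit exception inside a denied range.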
Allied Telesyn AT-9724TS High-Density Layer 3 Stackable Gigabit Ethernet Switch • Command Line Interface Reference Manual