Purpose Used to create an access profile on the Switch and to define which parts of each incoming frame’s header the Switch will examine. Masks can be entered that will be combined with the values the Switch finds in the specified frame header fields. Specific values for the rules are entered using the config access_profile command, below.
Syntax create access_profile [ethernet {vlan | source_mac <macmask> | destination_mac <macmask> | 802.1p | ethernet_type} | ip {vlan | source_ip_mask <netmask> | destination_ip_mask <netmask> | dscp | [icmp {type | code} | igmp {type} | tcp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff> | flag_mask [all | {urg | ack | psh | rst | syn | fin}]} | udp {src_port_mask <hex 0x0-0xffff> | dst_port_mask <hex 0x0-0xffff>} | protocol_id_mask <hex 0x0-0xFF> {user_define_mask <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>}]} | packet_content_mask {offset_0-15 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_16-31 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_32-47 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_48-63 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> | offset_64-79 <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff> <hex 0x0-0xffffffff>}] [profile_id <value 1-255>]

Port Numbers      Maximum ACL Profile Rules per Port Group
1 - 8             200
9 - 16            200
17 - 24           200
25 (Gigabit)      100
26 (Gigabit)      100
Total Rules       800
Description The create access_profile command is used to create an access profile on the Switch and to define which parts of each incoming frame’s header the Switch will examine. Masks can be entered that will be combined with the values the Switch finds in the specified frame header fields. Specific values for the rules are entered using the config access_profile command, below.
Parameters ethernet − Specifies that the Switch will examine the layer 2 part of each packet header.
vlan − Specifies that the Switch will examine the VLAN part of each packet header.
source_mac <macmask> − Specifies a MAC address mask for the source MAC address. This mask is entered in a hexadecimal format.
destination_mac <macmask> − Specifies a MAC address mask for the destination MAC address.
802.1p − Specifies that the Switch will examine the 802.1p priority value in the frame’s header.
ethernet_type − Specifies that the Switch will examine the Ethernet type value in each frame’s header.
ip − Specifies that the Switch will examine the IP address in each frame’s header.
vlan − Specifies a VLAN mask.
source_ip_mask <netmask> − Specifies an IP address mask for the source IP address.
destination_ip_mask <netmask> − Specifies an IP address mask for the destination IP address.
dscp − Specifies that the Switch will examine the DiffServ Code Point (DSCP) field in each frame’s header.
icmp − Specifies that the Switch will examine the Internet Control Message Protocol (ICMP) field in each frame’s header.
• type − Specifies that the Switch will examine each frame’s ICMP Type field.
• code − Specifies that the Switch will examine each frame’s ICMP Code field.
igmp − Specifies that the Switch will examine each frame’s Internet Group Management Protocol (IGMP) field.
• type − Specifies that the Switch will examine each frame’s IGMP Type field.
tcp − Specifies that the Switch will examine each frame’s Transport Control Protocol (TCP) field.
src_port_mask <hex 0x0-0xffff> − Specifies a TCP port mask for the source port.
dst_port_mask <hex 0x0-0xffff> − Specifies a TCP port mask for the destination port.
flag_mask – Enter the appropriate flag_mask parameter. All incoming packets have TCP port numbers contained in them as the forwarding criterion. These numbers have flag bits associated with them which are parts of a packet that determine what to do with the packet. The user may deny packets by denying certain flag bits within the packets. The user may choose between all, urg (urgent), ack (acknowledgement), psh (push), rst (reset), syn (synchronize) and fin (finish).
udp − Specifies that the Switch will examine each frame’s Universal Datagram Protocol (UDP) field.
src_port_mask <hex 0x0-0xffff> − Specifies a UDP port mask for the source port.
dst_port_mask <hex 0x0-0xffff> − Specifies a UDP port mask for the destination port.
protocol_id <value 0-255> − Specifies that the Switch will examine the protocol field in each packet and, if this field contains the value entered here, apply the following rules.
user_define_mask <hex 0x0-0xffffffff> − Specifies that the rule applies to the IP protocol ID and the mask options behind the IP header.
packet_content_mask – Specifies that the Switch will mask the packet header beginning with the offset value specified as follows:
offset_0-15 – Enter a value in hex form to mask the packet from the beginning of the packet to the 15th byte.
offset_16-31 – Enter a value in hex form to mask the packet from byte 16 to byte 31.
offset_32-47 – Enter a value in hex form to mask the packet from byte 32 to byte 47.
offset_48-63 – Enter a value in hex form to mask the packet from byte 48 to byte 63.
offset_64-79 – Enter a value in hex form to mask the packet from byte 64 to byte 79.
profile_id <value 1-255> − Sets the relative priority for the profile. Priority is set relative to other profiles, where the lowest profile ID has the highest priority. The user may enter a profile ID number between 1 and 255, but only 9 access profiles can be created on the Switch.
Restrictions Only Administrator and Operator-level users can issue this command.
Example usage:
To create access list rules:
DES-3526:admin#create access_profile ip vlan source_ip_mask 20.0.0.0 destination_ip_mask 10.0.0.0 dscp icmp type code permit profile_id 101
Command: create access_profile ip vlan source_ip_mask 20.0.0.0 destination_ip_mask 10.0.0.0 dscp icmp type code permit profile_id 101
Success.
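
How a profile mask decides which bits a rule compares, as an added Python example that is not part of the switch manual. It assumes the usual bitwise semantics (a field matches when field AND mask equals rule value AND mask), and the helper names and sample addresses are constructed for illustration. It shows that a mask such as 20.0.0.0 examines only two bits of the first octet, while 255.0.0.0 examines the whole octet.

```python
import ipaddress

def to_int(addr):
    """Dotted-quad IPv4 text -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def masked_equal(field, value, mask):
    """Assumed match semantics: only bits set in the profile mask are compared."""
    return (field & mask) == (value & mask)

def is_prefix_mask(mask):
    """True if the mask is contiguous 1-bits followed by 0-bits (e.g. 255.0.0.0)."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def examined_bits(mask):
    """Number of address bits the mask selects for comparison."""
    return bin(to_int(mask)).count("1")

def matching_sources(rule_ip, mask, candidates):
    """Candidate source addresses that a rule written for rule_ip would match."""
    m, v = to_int(mask), to_int(rule_ip)
    return [c for c in candidates if masked_equal(to_int(c), v, m)]

# Constructed sample source addresses (not from the manual).
SAMPLE_SOURCES = ["20.1.2.3", "52.7.7.7", "21.0.0.9", "10.0.0.5", "192.0.2.10"]

if __name__ == "__main__":
    for mask in ("20.0.0.0", "255.0.0.0"):
        hits = matching_sources("20.0.0.0", mask, SAMPLE_SOURCES)
        print(f"source_ip_mask {mask}: prefix_mask={is_prefix_mask(mask)} "
              f"bits_examined={examined_bits(mask)} matches={hits}")
    # The same comparison applies to a 16-bit port mask: 0xff00 compares only
    # the high byte, so ports 22 and 80 look identical; 0xffff compares all bits.
    print("port 22 vs rule 80, mask 0xff00:", masked_equal(22, 80, 0xFF00))
    print("port 22 vs rule 80, mask 0xffff:", masked_equal(22, 80, 0xFFFF))
```

Running a check like is_prefix_mask over planned masks before creating a profile catches masks that would make a permit or deny rule cover more addresses than intended.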