Access Profile Example | 3Com 9100 manual

Using Access Profiles

45

The subnet mask specified in the access profile command is interpreted as a reverse mask. A reverse mask indicates the bits that are significant in the IP address. In other words, a reverse mask specifies the part of the address that must match the IP address to which the profile is applied.

If you configure an IP address that is an exact match that is specifically denied or permitted, use a mask of /32 (for example, 141.251.24.28/32). If the IP address represents a subnet address that you wish to deny or permit, then configure the mask to cover only the subnet portion (for example, 141.251.10.0/24).

If you are using off-byte boundary subnet masking, the same logic applies, but the configuration is more tricky. For example, the address 141.251.24.128/27 represents any host from subnet 141.251.24.128.

Access Profile Rules The following rules apply when using access profiles:

■Only one access profile can be applied to each application.

■The access profile can either permit or deny the entries in the profile.

■The same access profile can be applied to more than one application.

There is an implicit aspect to access profiles. For instance, if an access profile of mode permit is applied, then all other sources are assumed denied, and are not permitted access to the application. On the other, if an access profile of mode deny is applied, then all other sources are assumed permitted.

Access Profile Example

The following example creates an access profile named testpro, and denies access for the device with the IP address 192.168.10.10:

create access-profile testpro type ipaddress

config access-profile testpro mode deny

config access-profile testpro add ipaddress 192.168.10.10/32

The following command applies the access profile testpro to Telnet:

enable telnet access-profile testpro

To view the contents of an access profile, type:

show access-profile <access_profile>

Image 45

Contents

SuperStack Switch User Guide 3Com Corporation 5400 Bayfront Plaza Santa Clara, California Contents Installation and Setup Virtual Lans Vlans Forwarding Database FDB Quality of Service QOS Using the WEB Interface Technical Specifications Troubleshooting Page About this Guide Ethernet concepts Ethernet switching and bridging concepts Icon Description ConventionsConvention Description Screen displays Documentation RelatedYear Compliance About this Guide Switch Switch 9100 OverviewFeatures About Simple Network Management Protocol Snmp Virtual LANs VLANs For information on load sharing, refer to Chapter Quality of Service QoS ConfigurationNetwork Example Key Switch 9100 used in a backbone configuration Front panel has the following features ViewPorts LEDs Describes the LED behavior on the SwitchStandard Media Type Mhz/Km Rating Maximum Distance Color Indicates 1000BASE-SX Port Status LEDs Switch 9100 Rear shows the Switch 9100 rear view Color Indicates 100/1000BASE-TX Port Status LEDsUnit Status LED Reset Button Power SocketsSerial Number MAC Address Public Installation and Setup DeterminingLocation Installing TabletopRack Mounting Installing the Switch 9100 Function Pin Number Direction Connecting Equipment to the Console Port Switch Flashes until the switch has successfully passed the Post Installation Login admin Default Vlan named defaultLogging on for First Time Installation and Setup Accessing the Switch Accessing the Switch Be a range of numbers, for example You could enter the following shortcut Config vlan name ipaddress ipaddress Symbol DescriptionConfig snmp community readonly readwrite string Reboot date time cancel Line-Editing Keys Create account admin user username encrypted password Command Description Disable cli-config-logging Disable bootp vlan name allDisable clipaging Disable idletimeout Unconfig switch all Configuring Management AccessShow banner 3C177052 Changing the Default Password Account Name Access Level3C1770519# Create account admin user username encrypted Viewing AccountsShow accounts Using Access Methods Managing SwitchProfiles Deleting an Account Config access-profile accessprofile To view the contents of an access profile, type Access Profile Example To view the Telnet configuration, type Using TelnetConnecting to Another Host Using Telnet Using a Bootp Server Manually Configuring the IP Settings Config iproute add default ipaddress metric Config vlan name ipaddress ipaddress subnetmaskFor example Your changes take effect immediately Terminate the session by using the following command Show sessionClear session sessionnumber Using the Web CommandsOn the switch IP Host Accessing Switch Using SnmpAgents Supported MIBs Enable Snmp traps Enable Snmp access Command Options for the ping command are described in Table Ping command syntax isChecking Basic Connectivity Configuring Switch Port Speed Duplex Setting Switch 9100 PortsEnabling Disabling Enable ports portlist Enable learning ports portlistEnable sharing masterport Config ports portlist qosprofile Disable ports portlist Disable learning ports portlistDisable sharing masterport Show ports portlist txerrors Accessing the Switch Enable sharing 4 grouping Port-Mirroring ConfigurationVerifying the Load Sharing Disable mirroring CommandsExample Show mirroring Accessing the Switch VLANs provide extra security VLANs help to control traffic Igmp Overview VLANs ease the change and movement of devicesIgmp Snooping Enable igmp vlan name Enable igmp snoopingForward-mcrouter-only Forward-mcrouter-only is specified, Port-Based VLANs Types of VLANs Marketing Finance Sales Spanning Switches with Port-Based VLANs Switch AccountingEngineering Assigning a Vlan Tag Uses of Tagged VLANs Tagged Ports Shows a logical diagram of the same network Mixing Port-Based and Tagged VLANs NetBIOS DECNet IPX8022 Following protocol filters are predefined on the switchPredefined Protocol Filters AppleTalk Config protocol protocolname add protocoltype Hexvalue Defining Protocol FiltersCreate protocol protocolname Vlan Names Deleting a Protocol FilterPackets Over Protocol On the Switch Configuring VLANs 6 to it Displaying Vlan Settings To display Vlan settings, use the following commandShow vlan name Deleting VLANs Virtual Lans Vlans Forwarding Database FDB Associating a QoS Profile with an FDB Entry Disable learning ports Config fdb agingtime numberEntries Following example adds a permanent entry to the FDB To display FDB entries, use the command Displaying FDB EntriesShow fdb macaddress vlan name portlist Permanent Removing FDB Delete Fdbentry macaddress vlanName Clear fdb macaddress vlan name portlist Forwarding Database FDB Overview Spanning Tree Protocol STPSpanning Tree Protocol Network with an illegal topology Traffic flowing through Bridge B Initialization Reconfiguration DomainsStabilization STPD2 contains VLANs Manufacturing and Engineering Stpd Marketing & Sales Marketing, Sales & Engineering Config stpd stpdname add vlan name Configuring STP on the SwitchEnable stpd stpdname Create stpd stpdname Enable stpd port portlist Shows the commands used to configure STP Settings Displaying STPThrough 3, and port Listed in Table Resetting STP Spanning Tree Protocol STP Quality of Service QOS Quality of ServiceBuilding Blocks QoS Profiles Profile Name Priority Minimum Bandwidth Maximum Bandwidth Vlan Dynamic MAC Addresses Permanent MAC addresses Verifying MAC-Based QoS Settings Command to clear the FDB is as followsOr the command Blackhole Enable dot1p replacement ports portlist all Config dot1p type dot1pvalue qosprofile qosname802.1p Packets Physical and Logical Groupings Verifying Physical and Logical Groupings Source Port Verifying Configuration Performance Displaying QoS Information QoS MonitorShow ports portlist qosmonitor Disable qosmonitor Enable qosmonitor port port Configuring QoS Quality of Service QOS Status Monitoring Statistics Show switch Show log configShow log priority Show memory To view port statistics, use the following command Port StatisticsAccuracy Port Errors To view port transmit errors, use the following commandTo view port receive errors, use the following command Port Monitoring Display KeysLogging Where the following is true Is specific to the problemLevel Description Clear log static To configure the log display, use the following command Configure remote logging by using the following commandReal-Time Display Disable syslog Disable log display On the network Rmon features supported by the switchAllows you to monitor LANs remotely Clear Counters Alarms StatisticsHistory Improving Efficiency EventsAllowing Proactive Management Reducing the Traffic Load Alarms Rmon Group Support Supplied by the Switch StatisticsHistory Events Action High Threshold Enable disable rmon Status Monitoring and Statistics Using the WEB Interface Enabling Disabling Web AccessTo re-enable Web access, use the following command Setting Up Your Accessing the WebBrowser Navigating the Web Interface Task FrameWebserver busy Browser Controls Status MessagesSelection Type Key Sequence Configuring a Vlan Saving ChangesDo a Get When Using the WEB Interface Secondary image and configuration file on the switch Software Upgrade and Boot OptionsDownloading a New Image Rebooting the Switch SavingChanges Upgrading Software Upgrade and Boot Options Show configuration Boot OptionCancel option Save configuration primary Software Upgrade and Boot Options Safety Information Information Important Safety Lithium Battery Appendix a Safety Information Sécurité Importante ’information de Appendix a Safety Information Batterie au lithium Europe Wichtige Sicherheitsinformat ionen Lithiumbatterie Warnung Faseroptikanschlüsse Optische Sicherheit Appendix a Safety Information Technical Specifications Terminal Emulation Protocols Used for Administration LEDs Troubleshooting Switch does not power up Using Command-Line InterfaceSnmp Network Manager cannot access the device Telnet workstation cannot access the device Permanent entries remain in the FDB Traps are not received by the Snmp Network Manager You forget your password and cannot log Port Configuration No link light on 100/1000BASE-TX portExcessive RX CRC errors VLANs You cannot add a port to a Vlan No link light on Gigabit fiber port VLANs, IP Addresses and default routes Vlan names802.1Q links do not work correctly Using the Command-Line Interface Appendix C Troubleshooting Services Technical SupportOnline Technical Username anonymous Access by Analog ModemHours a day, 7 days a week Country Data Rate Telephone Number Access by Digital Modem 847 262408 727 Country Telephone Number Asia, Pacific Rim Europe, South Africa, and Middle East Country Telephone Number Fax Number Page Glossary Broadcast BridgeBroadcast storm Collision Glossary Latency IP addressLine speed Loop Port trunks See load sharing Resilient link RepeaterRouter Segment Switch Database SwitchStandby port Telnet Glossary Admin IndexNumbers FDB Rmon Tftp Index Index Index of Commands 118 Index of Commands Index of Commands 3Com Corporation Limited Warranty Warranties Exclusive Governing LAW EMC Statements