xStack DES-6500 Modular Layer 3 Chassis Ethernet Switch CLI Manual

The ip parameter instructs the Switch that this new rule will be applied to the IP addresses contained within each frame's header. source_ip tells the Switch that this rule will apply to the source IP address in each frame's header. Finally, the IP address 10.42.73.1 is combined with the source_ip_mask 255.255.255.0 to give the network address 10.42.73.0, so the rule matches any source IP address from 10.42.73.0 to 10.42.73.255.

Due to a chipset limitation, the Switch supports a maximum of 8 access profiles. The rules used to define the access profiles are limited to a total of 9600 rules for the Switch, depending on line cards installed.

There is an additional limitation on how the rules are distributed among line cards inserted into the chassis. For 24-port line cards (DES-6504, DES-6508, DES-6510), ports 1-8 can support 240 rules maximum, ports 9-16 support 240 rules maximum and ports 17-24 support 240 rules maximum, which leads to a total of 720 rules maximum per 24-port line card. Since the Switch can hold up to 8 line cards, the maximum number of ACL rules will be 5760 (240 * 3 * 8 = 5760).

For 12 port line cards (DES-6505, DES-6507, DES-6509, DES-6512), all ports can support 100 rules each, which means that the maximum number of ACL rules using the maximum number of inserted 12-port line cards will be 9600 (12 * 100 * 8 = 9600).

It is important to keep this in mind when setting up VLANs as well. Access rules applied to a VLAN require that a rule be created for each port in the VLAN. For example, suppose VLAN10 contains ports 2, 11 and 12. If you create an access profile specifically for VLAN10, you must create a separate rule for each of those ports. Now take the rule limit into account. Because VLAN10 spans port groups 1-8 and 9-16, the rule limit applies to both groups: one fewer rule is available for port group 1-8, and two fewer rules are available for port group 9-16. In addition, a total of three rules count against the 9600-rule Switch limit.

In the example used above (config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 7 deny) a single access rule was created. This rule subtracts one rule from those available for port group 1-8, as well as one rule from the total available rules.
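The following added example (not part of the D-Link manual) models the capacity rules described above so that an administrator can check, before typing commands into the CLI, whether a planned set of access rules fits the per-port-group, per-line-card and switch-wide limits. It also shows what the source_ip / source_ip_mask combination from the earlier example actually matches. The chassis layout (which slot holds which card type) and the RuleBudget class are assumptions made for illustration; the capacities (240 rules per 8-port group on 24-port cards, 100 rules per port on 12-port cards, 9600 rules and 8 profiles per Switch) are the figures stated on this page.

```python
import ipaddress
from collections import Counter

# Capacities taken from the manual text. A 24-port card (DES-6504/6508/6510)
# has three 8-port groups of 240 rules each; a 12-port card (DES-6505/6507/
# 6509/6512) allows 100 rules per port. Switch-wide limits: 9600 rules, 8 profiles.
CARD_24 = {"name": "24-port", "ports": 24, "group_size": 8, "rules_per_group": 240}
CARD_12 = {"name": "12-port", "ports": 12, "group_size": 1, "rules_per_group": 100}
SWITCH_RULE_LIMIT = 9600
MAX_PROFILES = 8


def network_for(source_ip, source_ip_mask):
    """Combine source_ip with source_ip_mask the way the ACL does:
    10.42.73.1 / 255.255.255.0 -> 10.42.73.0/24."""
    return ipaddress.ip_network(f"{source_ip}/{source_ip_mask}", strict=False)


def rule_matches(source_ip, source_ip_mask, frame_source_ip):
    """True if a frame's source IP falls inside the masked range of the rule."""
    return ipaddress.ip_address(frame_source_ip) in network_for(source_ip, source_ip_mask)


def chassis_capacity(slots):
    """Hardware rule capacity of a chassis layout, capped at the Switch limit.
    slots maps slot number -> card type (hypothetical layout supplied by the caller)."""
    raw = sum(card["ports"] // card["group_size"] * card["rules_per_group"]
              for card in slots.values())
    return min(raw, SWITCH_RULE_LIMIT)


def port_group(card, port):
    """Index of the port group a rule on this port is charged to."""
    if not 1 <= port <= card["ports"]:
        raise ValueError(f"port {port} does not exist on a {card['name']} card")
    return (port - 1) // card["group_size"]


class RuleBudget:
    """Tracks ACL rule consumption per (slot, port group) and switch-wide.
    Hypothetical helper, not a feature of the Switch CLI."""

    def __init__(self, slots):
        self.slots = slots
        self.usage = Counter()      # (slot, group) -> rules consumed
        self.total = 0
        self.profiles = set()

    def add_rule(self, slot, profile_id, ports):
        """Charge one rule per port. A VLAN-scoped rule passes every member port,
        since the Switch needs a separate rule for each port in the VLAN.
        Checks all limits before charging so a rejected request changes nothing."""
        card = self.slots[slot]
        if profile_id not in self.profiles and len(self.profiles) >= MAX_PROFILES:
            raise ValueError(f"Switch supports at most {MAX_PROFILES} access profiles")
        if self.total + len(ports) > SWITCH_RULE_LIMIT:
            raise ValueError(f"would exceed the {SWITCH_RULE_LIMIT}-rule Switch limit")
        needed = Counter((slot, port_group(card, p)) for p in ports)
        for key, n in needed.items():
            if self.usage[key] + n > card["rules_per_group"]:
                raise ValueError(f"port group {key} would exceed {card['rules_per_group']} rules")
        self.usage.update(needed)
        self.total += len(ports)
        self.profiles.add(profile_id)

    def remaining(self, slot, port):
        """Rules still available in the port group that contains this port."""
        card = self.slots[slot]
        return card["rules_per_group"] - self.usage[(slot, port_group(card, port))]


def worked_example():
    """Replays the page's two examples on a constructed chassis: slot 1 holds a
    24-port card. Rule 1 of profile 1 targets port 7; a VLAN10 profile covers
    ports 2, 11 and 12. Returns remaining rules for groups 1-8 and 9-16 and the total used."""
    budget = RuleBudget({1: CARD_24})
    budget.add_rule(slot=1, profile_id=1, ports=[7])          # config access_profile ... port 7 deny
    budget.add_rule(slot=1, profile_id=2, ports=[2, 11, 12])  # one rule per VLAN10 member port
    return budget.remaining(1, 7), budget.remaining(1, 11), budget.total


if __name__ == "__main__":
    print(network_for("10.42.73.1", "255.255.255.0"))             # 10.42.73.0/24
    print(chassis_capacity({s: CARD_24 for s in range(1, 9)}))    # 5760
    print(chassis_capacity({s: CARD_12 for s in range(1, 9)}))    # 9600
    print(worked_example())                                       # (238, 238, 4)
```

The capacity figures reproduce the manual's arithmetic (240 * 3 * 8 = 5760 for eight 24-port cards, 12 * 100 * 8 = 9600 for eight 12-port cards), and the worked example shows why the VLAN10 profile costs three rules against the Switch total but only one in group 1-8 and two in group 9-16.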

It must be noted that there are specific circumstances under which the ACL cannot filter a packet even when there is a condition match that should deny forwarding. This is a limitation that may arise if:

the destination MAC is the same as the Switch (system) MAC

a packet is directed to the system IP interface (for example multicast IP packets), or the hardware IP routing table is full and the Switch software routes the packet according to the routing protocol.

In order to address this functional limitation of the chipset, an additional function, CPU Interface Filtering, has been added. CPU Interface Filtering may be universally enabled or disabled. Setting up CPU Interface Filtering follows the same syntax as ACL configuration and requires some of the same input parameters. To configure CPU Interface Filtering, see the descriptions below for create cpu access_profile and config cpu access_profile. To enable CPU Interface Filtering, see config cpu_interface_filtering.

The DES-6500 has four ways of creating access profile entries on the Switch which include Ethernet (MAC Address), IP, Packet Content and IPv6. Due to the present complexity of the access profile commands, it has been decided to split this command into four pieces to be better understood by the user and therefore simpler for the user to configure. The beginning of this section displays the create access_profile and config access_profile commands in their entirety. The following table divides these commands up into the defining features necessary to properly configure the access profile. Remember these are not the total commands but the easiest way to implement Access Control Lists for the Switch.

Due to a backward compatibility issue, when a user upgrades to R3 firmware (3.00-B21), all settings previously configured for any ACL function (CPU ACL included) on the Switch will be lost. We recommend that the user save a configuration file of the current settings before upgrading to R3 firmware.

D-Link TM DES-6500 manual 211