D-Link Enterprise > DES-3200-Series

ACL on DES-3200-28


markkrj:
Hello,

I need to create an ACL blocking TCP ports 23 and 22 (Telnet and SSH) and UDP port 161 (SNMP). I have already tried this on other models, but with this one in particular I'm having trouble. I have about 4 subnets for which I want to allow traffic on those ports, and block the rest.

What I did was just:


--- Code: ---create access_profile ip source_ip_mask 255.255.240.0 tcp dst_port_mask 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 100 ip tcp dst_port 23 port all deny
config access_profile profile_id 1 add access_id 101 ip tcp dst_port 22 port all deny
config access_profile profile_id 1 add access_id 1 ip source_ip 111.111.111.0 tcp dst_port 23 port all permit
config access_profile profile_id 1 add access_id 2 ip source_ip 222.222.222.0 tcp dst_port 23 port all permit
config access_profile profile_id 1 add access_id 3 ip source_ip 111.111.111.0 tcp dst_port 22 port all permit
config access_profile profile_id 1 add access_id 4 ip source_ip 222.222.222.0 tcp dst_port 22 port all permit

--- End code ---

And so on, but it simply doesn't work like on the other models... On this switch, to get it working I need to enable cpu_interface_filtering and then create a cpu access_profile exactly like the above, and it works, but the problem is that for normal ACLs I can create 512 profiles with 65535 rules, while for CPU ACLs I can have 3 profiles with 5 rules each.

Has anyone faced this problem already?

In my tests I could block all ICMP ping requests with:


--- Code: ---create access_profile packet_content_mask offset1 l4 0 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 10 packet_content offset1 0x800 port all deny
--- End code ---

This was the only normal ACL that worked on the DES-3200.
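Editor's note, added example (not part of the original post and not D-Link's own documentation): the behaviour described above is the expected one on these switches. A normal access_profile is applied to traffic the switch forwards between ports; packets addressed to the switch's own management IP (Telnet, SSH, SNMP) are delivered to the CPU and are only matched by the CPU interface filter. The poster's 3 profiles x 5 rules budget is enough if each service gets its own profile and each profile holds four permits followed by one deny. The layout below mirrors the poster's syntax with `cpu` inserted after `create`/`config`, which is an assumption about this firmware's CLI; the four /20 subnets (10.0.0.0, 10.0.16.0, 10.0.32.0, 10.0.48.0) are placeholders chosen to align with the 255.255.240.0 mask already used in the post, and the deny rules omit source_ip exactly as the original rules 100 and 101 do. Lines starting with `#` are annotations, not CLI input.

```text
# Enable filtering of traffic destined to the switch CPU (management plane).
enable cpu_interface_filtering

# Profile 1: SSH (TCP/22). access_id 1-4 permit the allowed /20s, access_id 5 denies everyone else.
create cpu access_profile ip source_ip_mask 255.255.240.0 tcp dst_port_mask 0xFFFF profile_id 1
config cpu access_profile profile_id 1 add access_id 1 ip source_ip 10.0.0.0  tcp dst_port 22 port all permit
config cpu access_profile profile_id 1 add access_id 2 ip source_ip 10.0.16.0 tcp dst_port 22 port all permit
config cpu access_profile profile_id 1 add access_id 3 ip source_ip 10.0.32.0 tcp dst_port 22 port all permit
config cpu access_profile profile_id 1 add access_id 4 ip source_ip 10.0.48.0 tcp dst_port 22 port all permit
config cpu access_profile profile_id 1 add access_id 5 ip tcp dst_port 22 port all deny

# Profile 2: Telnet (TCP/23), same pattern.
create cpu access_profile ip source_ip_mask 255.255.240.0 tcp dst_port_mask 0xFFFF profile_id 2
config cpu access_profile profile_id 2 add access_id 1 ip source_ip 10.0.0.0  tcp dst_port 23 port all permit
config cpu access_profile profile_id 2 add access_id 2 ip source_ip 10.0.16.0 tcp dst_port 23 port all permit
config cpu access_profile profile_id 2 add access_id 3 ip source_ip 10.0.32.0 tcp dst_port 23 port all permit
config cpu access_profile profile_id 2 add access_id 4 ip source_ip 10.0.48.0 tcp dst_port 23 port all permit
config cpu access_profile profile_id 2 add access_id 5 ip tcp dst_port 23 port all deny

# Profile 3: SNMP (UDP/161). A UDP profile is needed because the TCP profiles cannot match UDP.
create cpu access_profile ip source_ip_mask 255.255.240.0 udp dst_port_mask 0xFFFF profile_id 3
config cpu access_profile profile_id 3 add access_id 1 ip source_ip 10.0.0.0  udp dst_port 161 port all permit
config cpu access_profile profile_id 3 add access_id 2 ip source_ip 10.0.16.0 udp dst_port 161 port all permit
config cpu access_profile profile_id 3 add access_id 3 ip source_ip 10.0.32.0 udp dst_port 161 port all permit
config cpu access_profile profile_id 3 add access_id 4 ip source_ip 10.0.48.0 udp dst_port 161 port all permit
config cpu access_profile profile_id 3 add access_id 5 ip udp dst_port 161 port all deny

# Verify what the switch actually installed before saving.
show cpu access_profile
save
```

Two checks before trusting this. First, rules are matched in ascending access_id order within a profile, so the catch-all deny must stay at the highest access_id; if a permit is added later it must take an id below 5, which this layout leaves no room for without merging subnets. Second, apply it from the console or from a host inside one of the permitted /20s, then confirm from a host outside them that SSH, Telnet and SNMP to the management address time out while forwarded traffic through the switch is unaffected; if the outside host still connects, cpu_interface_filtering is not enabled or the profile was rejected and `show cpu access_profile` will show it missing.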
