xStack® DES-3200-10/18/28/28F Layer 2 Ethernet Managed Switch User Manual
CPU Interface Filtering
Because of a chipset limitation and the need for additional switch security, the Switch incorporates CPU Interface
Filtering. This feature increases the running security of the Switch by letting the user create a list of access rules for
packets destined for the Switch's CPU interface. It is used in the same way as the Access Profile feature described
previously: CPU interface filtering examines the Ethernet, IP and Packet Content Mask headers of packets destined for
the CPU and either forwards or filters them, based on the user's implementation. In addition, the Switch allows the
CPU filtering mechanism to be enabled or disabled globally, so the user can create various lists of rules without
immediately enabling them.
Creating an access profile for the CPU is divided into two basic parts. The first is to specify which part or parts of a
frame the Switch will examine, such as the MAC source address or the IP destination address. The second part is
entering the criteria the Switch will use to determine what to do with the frame. The entire process is described below.
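The two-part structure and the global enable state described above can be modelled in a few lines of Python. This is an added illustration, not D-Link code or CLI; the class and function names, the sample MAC addresses, the evaluation order and the forward-by-default handling of unmatched frames are assumptions of the model, not documented Switch behaviour.

```python
from dataclasses import dataclass, field

def mac(s: str) -> int:
    """Parse 'AA-BB-CC-DD-EE-FF' or 'AA:BB:CC:DD:EE:FF' into a 48-bit integer."""
    return int(s.replace("-", "").replace(":", ""), 16)

@dataclass
class EthernetProfile:
    # Part 1: which bits of the source MAC the filter examines.
    profile_id: int
    source_mac_mask: int
    rules: list = field(default_factory=list)  # (access_id, masked value, permit)

    def add_rule(self, access_id: int, source_mac: str, permit: bool) -> None:
        # Part 2: the criteria, stored already masked so comparison is exact.
        self.rules.append((access_id, mac(source_mac) & self.source_mac_mask, permit))
        self.rules.sort()  # assumption: lowest access_id is evaluated first

    def decide(self, frame_src: str):
        masked = mac(frame_src) & self.source_mac_mask
        for _, value, permit in self.rules:
            if value == masked:
                return permit
        return None  # no rule in this profile matched

@dataclass
class CpuInterfaceFilter:
    enabled: bool = False  # global state: rules can be staged while disabled
    profiles: list = field(default_factory=list)

    def forwards_to_cpu(self, frame_src: str) -> bool:
        if not self.enabled:
            return True  # filtering off: staged rules have no effect
        for profile in sorted(self.profiles, key=lambda p: p.profile_id):
            verdict = profile.decide(frame_src)
            if verdict is not None:
                return verdict
        return True  # assumption: unmatched frames are forwarded

def build_example() -> CpuInterfaceFilter:
    # Constructed sample: examine only the first three bytes, filter one prefix.
    profile = EthernetProfile(profile_id=1, source_mac_mask=mac("FF-FF-FF-00-00-00"))
    profile.add_rule(access_id=1, source_mac="00-11-22-00-00-00", permit=False)
    return CpuInterfaceFilter(profiles=[profile])

if __name__ == "__main__":
    f = build_example()
    for state in (False, True):
        f.enabled = state
        print(state, f.forwards_to_cpu("00-11-22-AA-BB-CC"), f.forwards_to_cpu("00-11-23-AA-BB-CC"))
```

With the global state disabled, the staged deny rule changes nothing; once enabled, only frames whose masked source MAC equals the rule value are filtered.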
CPU Access Profile List
In the following window, the user may globally enable or disable the CPU Interface Filtering State mechanism by using
the radio buttons to change the running state.
To access this window, click ACL > CPU Access Profile List.
Choose Enabled to have the Switch scrutinize CPU packets, or Disabled to disallow this scrutiny.
Figure 6-28. CPU Access Profile List window
This window displays the CPU Access Profile List entries created on the Switch. To view the configurations for an
entry, click the corresponding Show Details button (once an entry has been created).
To add an entry to the CPU Access Profile List window, click the Add CPU ACL Profile button. This will open the
Add CPU ACL Profile window. Click the Select button to see the window, as shown below. To remove all CPU
Access Profile List entries, click the Delete All button.
The Switch supports four CPU Access Profile types: Ethernet (or MAC address-based) profile configuration, IP (IPv4)
address-based profile configuration, IPv6 address-based profile configuration, and Packet Content Mask.
The window shown below is the Add CPU ACL Profile window for Ethernet: