ACL Examples for D-Link Switches

In this article I will give some examples of blocking IP addresses, MAC addresses, DHCP packets from DHCP servers, etc.

Example of blocking a MAC address. I recommend blocking by MAC address rather than by IP address: on first connection a client usually has the IP address 0.0.0.0 and only then receives an address via DHCP, so with an IP-based block the client session will come up and then drop on timeout:

create access_profile profile_id 1 profile_name tank34 ethernet source_mac FF-FF-FF-FF-FF-FF
config access_profile profile_id 1 add access_id 1 ethernet source_mac E8-9A-8F-BB-F8-44 vlan_based vlan_id 226 deny
config access_profile profile_id 1 add access_id auto_assign ethernet source_mac F8-1A-67-FE-E7-00 port 1:24 deny
config access_profile profile_id 1 add access_id auto_assign ethernet source_mac F8-1A-67-FE-E7-00 vlan_based vlan_id 226 deny

Blocking NetBIOS and Windows file sharing (the UDP rules are written the same way):

create access_profile ip tcp dst_port_mask 0xFFFF profile_id 15
config access_profile profile_id 15 add access_id 15 ip tcp dst_port 135 port 1-24 deny
config access_profile profile_id 15 add access_id 16 ip tcp dst_port 139 port 1-24 deny
config access_profile profile_id 15 add access_id 17 ip tcp dst_port 445 port 1-24 deny

You can protect against third-party DHCP servers with an ACL (if the switch supports the DHCP Server Screening function, it is better to use that instead):

create access_profile ip udp src_port_mask 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 port 25 permit
config access_profile profile_id 1 add access_id 2 ip udp src_port 67 port 1-24,26-28 deny

# DGS-3100
create access_profile profile_id 5 ip udp src_port_mask ffff
config access_profile profile_id 5 add access_id 1 ip udp src_port 67 ports 1:9 permit
config access_profile profile_id 5 add access_id 2 ip udp src_port 67 ports 1:1-1:8,1:10-1:24 deny

# DGS-3120
create access_profile profile_id 5 profile_name 67dhcp ip udp src_port_mask 0xffff
config access_profile profile_id 5 add access_id 1 ip udp src_port 67 port 1:9 permit
config access_profile profile_id 5 add access_id 2 ip udp src_port 67 port 1:1-1:8,1:10-1:24 deny

Blocking all broadcast traffic. Note that in this case users will not be able to obtain IP addresses via DHCP; only manually configured IP addresses will work:

create access_profile ethernet destination_mac ff-ff-ff-ff-ff-ff profile_id 7
config access_profile profile_id 7 add access_id auto_assign ethernet destination_mac ff-ff-ff-ff-ff-ff port 1-24 deny

Allow traffic through the switch from only one IP address and block all others:

create access_profile ip source_ip_mask 255.255.255.255 profile_id 10
config access_profile profile_id 10 add access_id 1 ip source_ip 192.168.1.1 port 5 permit
create access_profile ip source_ip_mask 0.0.0.0 profile_id 20
config access_profile profile_id 20 add access_id 2 ip source_ip 0.0.0.0 port 5 deny
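
How the two profiles in the last example interact, as a small Python model (an added example, not part of the original article and not D-Link code). It assumes the switch compares only the bits selected by the profile mask, checks profiles in ascending profile_id and rules in ascending access_id, lets the first match decide, and forwards packets that match nothing; the dictionary layout and function names are made up for the illustration.

```python
import ipaddress

# Model of mask-and-match evaluation, using profiles 10 and 20 from the article.
# Assumption: ascending profile_id, then ascending access_id, first match wins,
# and a packet that matches no rule is forwarded.
PROFILES = [
    {"profile_id": 10, "mask": "255.255.255.255", "rules": [
        {"access_id": 1, "source_ip": "192.168.1.1", "ports": {5}, "action": "permit"}]},
    {"profile_id": 20, "mask": "0.0.0.0", "rules": [
        {"access_id": 2, "source_ip": "0.0.0.0", "ports": {5}, "action": "deny"}]},
]


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def evaluate(src_ip, ingress_port, profiles=PROFILES):
    """Return (action, profile_id, access_id); ids are None when nothing matched."""
    for prof in sorted(profiles, key=lambda p: p["profile_id"]):
        mask = _ip(prof["mask"])
        for rule in sorted(prof["rules"], key=lambda r: r["access_id"]):
            if ingress_port not in rule["ports"]:
                continue  # rule is bound to other switch ports
            # Only the bits set in the profile mask take part in the comparison.
            if _ip(src_ip) & mask == _ip(rule["source_ip"]) & mask:
                return rule["action"], prof["profile_id"], rule["access_id"]
    return "permit", None, None


def swapped_ids():
    """Same rules, but the catch-all deny gets the lower profile_id (misconfiguration)."""
    profiles = [dict(p) for p in PROFILES]
    profiles[0]["profile_id"], profiles[1]["profile_id"] = 20, 10
    return profiles


if __name__ == "__main__":
    # Constructed sample packets: (source IP, ingress switch port).
    for ip, port in [("192.168.1.1", 5), ("192.168.1.77", 5), ("192.168.1.77", 6)]:
        print(ip, port, evaluate(ip, port))
    print("swapped ids:", evaluate("192.168.1.1", 5, swapped_ids()))
```

The swapped case shows why the catch-all deny must carry the higher profile_id: with mask 0.0.0.0 it matches every source address, including 192.168.1.1.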

See also my article:
Blocking multicast IP addresses on D-Link
