DES-7200 Configuration Guide, Chapter 1: Access Control List Configuration
rule (“1” means the corresponding bit of the filtering rule is matched, “0” means it is not).
Therefore, to match a bit, set the corresponding bit in the filter domain template to 1.
If a bit in the filter domain template is set to 0, that bit is not matched, whatever
the corresponding bit in the filtering rule is.
For example,
DES-7200(config)# expert access-list advanced name
DES-7200(config-exp-dacl)# permit 00d0f8123456 ffffffffffff 0
DES-7200(config-exp-dacl)# deny 00d0f8654321 ffffffffffff 6
The user custom access control list matches any byte within the first 80 bytes of a
layer-2 data frame according to the user's definitions, and then processes the frames
accordingly. Using the user custom access control list correctly requires in-depth
knowledge of the structure of the layer-2 data frame. The following illustrates the
first 64 bytes of a layer-2 data frame (each letter represents a hexadecimal digit,
and every two letters represent one byte).
AA AA AA AA AA AA BB BB BB BB BB BB CC CC DD DD
DD DD EE FF GG HH HH HH II II JJ KK LL LL MM MM
NN NN OO PP QQ QQ RR RR RR RR SS SS SS SS TT TT
UU UU VV VV VV VV WW WW WW WW XY ZZ aa aa bb bb
In the figure above, the meaning and offset of each letter are shown below:
Letter  Meaning                   Offset  Letter  Meaning                                 Offset
A       Destination MAC           0       O       TTL field                               34
B       Source MAC                6       P       Protocol ID                             35
C       VLAN tag field            12      Q       IP checksum                             36
D       Data frame length field   14      R       Source IP address                       38
E       DSAP field                18      S       Destination IP address                  42
F       SSAP field                19      T       TCP source port                         46
G       Ctrl field                20      U       TCP destination port                    48
H       Org Code field            21      V       Sequential number                       50
I       Encapsulated data type    24      W       Confirmation field                      54
J       IP version No.            26      XY      IP header length and reservation bits   58
K       TOS field                 27      Z       Reservation bit and flags bit           59
L       IP packet length          28      a       Window size field                       60
M       ID                        30      b       Others                                  62
N       Flags field               32
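
The rule, filter domain template and offset matching described above, modelled in Python as an added example (not code from this guide or from the device). It reads the three arguments of each example entry as rule, template and offset, which is inferred from the text and the offset table; the function names, the constructed sample frames and the first-match ordering are assumptions.

```python
# Added illustration: a software model of rule / filter-domain-template / offset
# matching. It is not device code.

WINDOW = 80  # the guide states that only the first 80 bytes of a frame can be matched


def entry_matches(frame: bytes, rule_hex: str, mask_hex: str, offset: int) -> bool:
    """True if the frame bytes at `offset` equal the rule on every bit the template sets to 1."""
    rule = bytes.fromhex(rule_hex)
    mask = bytes.fromhex(mask_hex)
    if len(rule) != len(mask):
        raise ValueError("rule and template must have the same length")
    end = offset + len(rule)
    if offset < 0 or end > WINDOW or end > len(frame):
        return False  # field lies outside the matchable window or past a short frame
    field = frame[offset:end]
    # Template bit 1: compare that bit. Template bit 0: ignore it.
    return all(((f ^ r) & m) == 0 for f, r, m in zip(field, rule, mask))


def evaluate(frame: bytes, acl) -> str:
    """Return the action of the first matching entry, or "no-match".

    First-match ordering is an assumption; this page does not describe it.
    """
    for action, rule_hex, mask_hex, offset in acl:
        if entry_matches(frame, rule_hex, mask_hex, offset):
            return action
    return "no-match"


# The two entries from the guide's example: (action, rule, template, offset).
PAGE_ACL = [
    ("permit", "00d0f8123456", "ffffffffffff", 0),  # offset 0 = destination MAC
    ("deny", "00d0f8654321", "ffffffffffff", 6),    # offset 6 = source MAC
]


def make_frame(dst_hex: str, src_hex: str) -> bytes:
    """Constructed sample frame: destination MAC, source MAC, zero padding to 64 bytes."""
    return (bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)).ljust(64, b"\x00")
```

A template of `ffffff000000` at offset 6 compares only the first three bytes of the source MAC, so any address beginning `00d0f8` matches regardless of its last three bytes.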