D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 1 Access Control List Configuration
As shown in the above table, the offset of each field is its offset in the SNAP+tag 802.3
data frame. In a user-defined (custom) access control list, two parameters, the rule mask
and the offset, are used to extract any byte from the first 80 bytes of the data frame. The
extracted value is then compared with the user-defined rule, and the frames that match are
selected for the corresponding processing. The user-defined rule can be some fixed attribute
of the data. For example, to filter all TCP messages, define the rule as “06”, the rule mask
as “FF” and the offset as 35. Here, the rule mask and offset work together to extract the
contents of the TCP protocol ID field from the received data frame, which is then compared
with the rule to filter all TCP messages.
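The comparison described above can be modelled in software. The following is an added example, not code from the guide or from the switch. It assumes that offsets count from zero at the first byte of the destination MAC address (which places the IPv4 protocol byte at 35, as in the text) and that the mask is applied as a bitwise AND to both the frame bytes and the rule. The function names and the sample frame are constructed for illustration.

```python
import struct

WINDOW = 80  # per the guide, only the first 80 bytes of a frame are matchable

# Field sizes of a SNAP+tag 802.3 header, in on-wire order.
SNAP_TAG_HEADER = [("dst", 6), ("src", 6), ("tag", 4), ("length", 2),
                   ("dsap_ssap_ctrl", 3), ("org_code", 3), ("type", 2)]
IP_PROTO_OFFSET = sum(n for _, n in SNAP_TAG_HEADER) + 9  # protocol is IPv4 byte 9

def acl80_match(frame: bytes, rule: str, mask: str, offset: int) -> bool:
    """Model of one rule: masked bytes at `offset` must equal the masked rule."""
    r, m = bytes.fromhex(rule), bytes.fromhex(mask)
    if len(r) != len(m):
        raise ValueError("rule and mask must have the same length")
    if offset < 0 or offset + len(r) > WINDOW:
        raise ValueError("field lies outside the first 80 bytes")
    field = frame[offset:offset + len(r)]
    if len(field) < len(r):
        return False  # frame too short to carry the field
    return all((f & k) == (v & k) for f, v, k in zip(field, r, m))

def snap_tagged_frame(ip_proto: int) -> bytes:
    """Constructed sample frame: SNAP+tag 802.3 header, IPv4 header, 20 zero bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, ip_proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # DSAP/SSAP/control AAAA03, org code 000000, type 0800 (IPv4)
    body = bytes.fromhex("aaaa03" "000000" "0800") + ip + bytes(20)
    # Destination MAC, source MAC, 802.1Q tag (VLAN 10), then the 802.3 length
    return (bytes.fromhex("020000000002" "020000000001" "8100000a")
            + struct.pack("!H", len(body)) + body)

if __name__ == "__main__":
    print("computed offset of the IP protocol byte:", IP_PROTO_OFFSET)
    for name, proto in (("TCP", 6), ("UDP", 17)):
        hit = acl80_match(snap_tagged_frame(proto), "06", "FF", 35)
        print(f'{name}: rule "06" mask "FF" offset 35 ->', "match" if hit else "no match")
```

Summing the header field sizes gives the offset 35 used in the text, and a mask narrower than “FF” compares only the selected bits of the byte.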
Note
ACL80 is supported on DES-7200 series.
ACL80 supports matching against Ethernet packets, 802.3 SNAP
packets, and 802.3 LLC packets. If the value for matching DSAP to the
cnt1 field is set to AAAA03, the rule matches 802.3 SNAP
packets. If the value is set to E0E003, the rule matches
802.3 LLC packets. This field cannot be set to match Ethernet packets.
Note:
1. For DES-7200 series, the 3 bytes of AAAA03 must be configured to
match the 802.3 SNAP packets (other bytes of AAAA03 shall not be
configured). In addition, when a non-24SFP line card is used to
match SNAP packets, a packet is dropped if the first byte of its org
code field is 0. The packet can be matched only if the
first byte of the org code is not 0. Pay special attention to this
when using this function.
Configuration note:
ACL80 has only 16 bytes available for matching. Once the 16 bytes are used,
no fields other than those 16 bytes can be matched. For example:
DES-7200(config)# expert access-list advanced name
DES-7200(config-exp-dacl)# permit 11223344556677889900aabbccddeeff ffffffffffffffffffffffffffffffff 50
If you use the following command to add another ACE:
DES-7200(config-exp-dacl)# permit 11223344556677889900aabbccddeeff ffffffffffffffffffffffffffffffff 54
The configuration will fail because the 16 bytes are used by the first
ACE. To match the second ACE, you must first delete the first ACE.
1.7 Configuring TCP Flag Filtering Control
The TCP Flag filtering feature provides a flexible mechanism. At present, TCP Flag
filtering control supports the match-all option. That is, when the TCP flags in a
received message exactly match those defined in the ACL table entry, the message