DES-7200 Configuration Guide Chapter 1 Access Control List Configuration
1-37
2. DHCP packets (UDP port 67/68) are allowed to pass through without authentication, so that the user PC can acquire an IP address and then proceed with authentication.
1.12.3.3 Configuration Tips
Configure an ACL80 or expert ACL on the access device (SwitchB/SwitchC) and combine it with the secure tunnel feature so that certain packets are permitted without authentication. In this case, ACL80 is configured on SwitchB and an expert ACL is configured on SwitchC.
1.12.3.4 Configuration Steps
SwitchB
☞ The customized ACL allows the user to define 64 bytes out of the first 80 bytes of a packet for per-bit matching and filtering. The user-defined string is compared with the string extracted from the packet (a mask bit of 1 means the bit is compared, 0 means it is ignored), so as to determine the further action.
Step 1: Configure the customized ACL
SwitchB#configure terminal
! Create a customized ACL named "tongdao"
SwitchB(config)#expert access-list advanced tongdao
! Permit all ARP packets (protocol number being 0806, offset being 24) with source IP (the offset of the source IP in ARP packets is 40) falling within the network segment 172.18.0.0 (hexadecimal value being ac12)
SwitchB(config-exp-dacl)#permit 0806 ffff 24 ac12 ffff 40
! Permit all IP packets (protocol number being 0800, offset being 24) with source IP (the offset of the source IP in IP packets is 38) falling within the network segment 172.18.0.0 (hexadecimal value being ac12)
SwitchB(config-exp-dacl)#permit 0800 ffff 24 ac12 ffff 38
! Permit DHCP packets with UDP ports 67 (Bootstrap Protocol Server) and 68 (Bootstrap Protocol Client) (offset of the protocol number being 35, hexadecimal value 11 indicating UDP; offset of the ports being 46, hexadecimal values 43/44 corresponding to 67 and 68)
SwitchB(config-exp-dacl)#permit 11 ff 35 00440043 ffffffff 46
SwitchB(config-exp-dacl)#exit
Step 2: Globally configure the ACL for secure tunnel application
! Configure ACL "tongdao" for secure tunnel application
SwitchB(config)#security global access-group tongdao
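To see how the three permit entries of ACL "tongdao" select frames by offset and mask, here is an added Python simulation of the per-bit matching; it is not part of the DES-7200 guide. It assumes the frame is indexed as the guide's offsets imply (EtherType at byte 24, 12 bytes later than in an untagged Ethernet frame), so the constructed frames prepend a 12-byte placeholder before a standard Ethernet header; all MAC and IP values are constructed.

```python
import struct
# Entries of ACL "tongdao" exactly as typed on the page. Each entry is a list of
# (value, mask, offset) triples and matches when every triple matches.
TONGDAO = [
    [("0806", "ffff", 24), ("ac12", "ffff", 40)],      # ARP, sender IP in 172.18.0.0/16
    [("0800", "ffff", 24), ("ac12", "ffff", 38)],      # IPv4, source IP in 172.18.0.0/16
    [("11", "ff", 35), ("00440043", "ffffffff", 46)],  # UDP 68 -> 67 (DHCP client to server)
]

def parse_entry(cmd):
    """Turn a 'permit <value> <mask> <offset> ...' line from the guide into triples."""
    t = cmd.split()
    assert t[0] == "permit" and (len(t) - 1) % 3 == 0, "malformed permit line"
    return [(t[i], t[i + 1], int(t[i + 2])) for i in range(1, len(t), 3)]

def triple_matches(frame, value, mask, offset):
    """Per-bit match at a fixed offset: a mask bit of 1 compares that bit, 0 ignores it."""
    v, m = bytes.fromhex(value), bytes.fromhex(mask)
    window = frame[offset:offset + len(v)]
    if len(window) < len(v):
        return False                 # field lies beyond the end of the frame: no match
    return all((p & mm) == (vv & mm) for p, vv, mm in zip(window, v, m))

def acl_permits(frame, acl=TONGDAO):
    """True if any entry matches; everything else stays on the authentication path."""
    return any(all(triple_matches(frame, *tr) for tr in entry) for entry in acl)

# Constructed test frames (not captures). The guide's offsets put the EtherType at
# byte 24, 12 bytes later than in an untagged Ethernet frame, so a 12-byte
# placeholder prefix is assumed here to make the page's offsets line up.
PREFIX = bytes(12)
def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def eth(ethertype, payload):
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("0a0b0c0d0e0f")
    return PREFIX + dst + src + struct.pack("!H", ethertype) + payload

def arp_request(sender_ip):
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)     # Ethernet, IPv4, opcode request
    return eth(0x0806, hdr + bytes.fromhex("0a0b0c0d0e0f") + ip_bytes(sender_ip) + bytes(10))

def ipv4(proto, src_ip, dst_ip, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth(0x0800, hdr + payload)

def udp(src_port, dst_port, payload=b""):
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
```

Note that the DHCP entry matches only the client-to-server direction (source port 68, destination port 67), which is what an unaddressed PC sends before it can authenticate.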