Yes, I found page 616.
Quote:
44.6 Configuring Access List ACL80
The ACL80 is also called the user-defined access list, which means matching the first 80
bytes of a packet for filtering. A packet consists of a series of byte flows. The ACL80 enables
a user to match and filter the specified 16 bytes by bits in the first 80 bytes.
Note
The specified 16 bytes do not include the following fields:
packet SMAC, DMAC, SIP, DIP, ETYPE, PROTOCOL, L4_SPORT, L4_DPORT, VID.
Besides matching the above fields, you can match 16 further bytes.
For any 16-byte field, it is possible to compare the configured value bit by bit. In other words, it
allows setting any bit of those 16 bytes to 0 or 1. There are two factors in filtering any byte: the
filtering rule and the filter domain template. The bits of the two correspond to each other one to one.
The filtering rule specifies the value of the field to be filtered. The filter domain template
specifies whether to filter the related bits in the filtering rule (1 means the bit in the
corresponding filtering rule is matched, 0 means it is not). Therefore, when a bit is to be matched, the
corresponding bit in the filter domain template must be set to 1. If the filter domain
template bit is set to 0, no match is done for that bit no matter what the corresponding bit in the
filtering rule is.
For example,
DGS-3610(config)# expert access-list advanced name
DGS-3610(config-exp-dacl)# permit 00d0f8123456 ffffffffffff 0
DGS-3610(config-exp-dacl)# deny 00d0f8654321 ffffffffffff 6
The user-defined access control list matches any byte of the first 80 bytes in the layer-2 data
frames according to the user definitions, and then performs corresponding processing for
the packets. To use the user-defined access control list correctly, it is necessary to have
in-depth knowledge about the structure of layer-2 data frame. The following illustrates the
first 64 bytes in a layer-2 data frame (each letter indicates a hexadecimal number, and each
two letters indicate a byte).
AA AA AA AA AA AA BB BB BB BB BB BB CC CC DD DD
DD DD EE FF GG HH HH HH II II JJ KK LL LL MM MM
NN NN OO PP QQ QQ RR RR RR RR SS SS SS SS TT TT
UU UU VV VV VV VV WW WW WW WW XY ZZ aa aa bb bb
In the figure above, the meaning of each letter and the value of offset are shown below:
Letter  Meaning                                         Offset
A       Destination MAC                                 0
B       Source MAC                                      6
C       Data frame length field                         12
D       VLAN tag field                                  14
E       DSAP (destination service access point) field   18
F       SSAP (source service access point) field        19
G       Ctrl field                                      20
H       Org Code field                                  21
I       Encapsulated data type                          24
J       IP version No.                                  26
K       TOS field                                       27
L       IP packet length                                28
M       ID                                              30
N       Flags field                                     32
O       TTL field                                       34
P       Protocol ID                                     35
Q       IP checksum                                     36
R       Source IP address                               38
S       Destination IP address                          42
T       TCP source port                                 46
U       TCP destination port                            48
V       Sequential number                               50
W       Confirmation field                              54
XY      IP header length and reservation bits           58
Z       Reservation bit and flags bit                   59
a       Window size field                               60
b       Others                                          62
In the table above, the offset of each field is the same as that in the SNAP+tag 802.3 data
frame. In the user-defined access control list, the user can use two parameters, the rule
mask and the offset, to extract any byte from the first 64 bytes of the data frame, and then
compare it with the user-defined rule to filter the matched data frame for corresponding
processing. The user-defined rule can be any fixed attribute of the data. For example, if the
user wants to filter all TCP packets, the rule is defined as 06, the rule mask as FF and the offset
as 35. Here, the rule mask and offset work together to extract the contents of the protocol ID
field in the received data frame, and that value is compared with the rule to filter all TCP
packets.
Note
DGS-3610-26P does not support ACL80. ACL80 does not support the
function of matching packets of Ethernet, 802.3 SNAP and 802.3 LLC. If the
value matched from DSAP to the Ctrl field is set to AAAA03, it indicates that the
802.3 SNAP packet is to be matched. If the value is set to E0E003, it
indicates that the 802.3 LLC packet is to be matched. The field cannot be
matched for Ethernet packets.
Precautions for configuration:
Only 16 bytes can be matched at will for ACL80. If the resource is occupied, you cannot
match any other byte. For example,
DGS-3610(config)# expert access-list advanced name
DGS-3610(config-exp-dacl)# permit 11223344556677889900aabbccddeeff ffffffffffffffffffffffffffffffff 50
Add another ACE:
DGS-3610(config-exp-dacl)# permit 11223344556677889900aabbccddeeff ffffffffffffffffffffffffffffffff 54
Configuration of the second ACE fails because the 16 bytes are occupied by the first ACE.
To configure the second ACE, you must delete the first one.
And on the switch I did what is in the first post without any problem.
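To make the rule / filter-domain-template / offset mechanics from the quoted manual concrete, here is an added Python simulator (my own code, not D-Link firmware or anything from the manual). It builds a constructed 64-byte 802.3 SNAP + 802.1Q tagged IPv4/TCP frame laid out exactly as the A..b table above, evaluates the manual's two example ACEs (permit on destination MAC at offset 0, deny on source MAC at offset 6) and the TCP filter (rule 06, mask FF, offset 35), shows bit-level matching on the TCP flags byte at offset 59, and models the 16-byte resource precaution (the ACE at offset 54 is refused while the one at offset 50 is present). Two assumptions are labelled in the code: an unmatched frame is treated as implicit deny, and every masked byte counts against the 16-byte budget, although the manual says the switch excludes the SMAC/DMAC/SIP/DIP/ETYPE/PROTOCOL/L4 port/VID fields from that count.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL80 matching simulator written for this page; not D-Link code.
ACL80_BUDGET = 16          # bytes one ACL80 may select freely (from the manual)
DEFAULT_ACTION = "deny"    # assumption: no matching ACE -> implicit deny


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    rule: bytes    # filtering rule: the values compared against the frame
    mask: bytes    # filter domain template: 1 bits are compared, 0 bits ignored
    offset: int    # byte offset into the frame where the rule starts


def make_ace(action: str, rule_hex: str, mask_hex: str, offset: int) -> Ace:
    """Build an ACE from the CLI form `permit|deny <rule> <mask> <offset>`."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    rule, mask = bytes.fromhex(rule_hex), bytes.fromhex(mask_hex)
    if len(rule) != len(mask):
        raise ValueError("rule and mask must be the same length")
    return Ace(action, rule, mask, offset)


def ace_matches(ace: Ace, frame: bytes) -> bool:
    """Bitwise compare: wherever a mask bit is 1 the frame bit must equal the rule bit.
    A rule that would run past the end of the frame never matches."""
    end = ace.offset + len(ace.rule)
    if end > len(frame):
        return False
    return all((f & m) == (r & m)
               for f, r, m in zip(frame[ace.offset:end], ace.rule, ace.mask))


def matched_positions(ace: Ace) -> set:
    """Byte positions this ACE actually inspects (mask byte non-zero)."""
    return {ace.offset + i for i, m in enumerate(ace.mask) if m}


def add_ace(acl: List[Ace], ace: Ace) -> bool:
    """Append an ACE unless the ACL's 16-byte budget would be exceeded.
    Simplification (assumption): every masked byte counts; real hardware
    exempts the header fields the manual lists (SMAC, DMAC, SIP, DIP, ...)."""
    used = set()
    for existing in acl:
        used |= matched_positions(existing)
    if len(used | matched_positions(ace)) > ACL80_BUDGET:
        return False   # mirrors "Configuration of the second ACE fails"
    acl.append(ace)
    return True


def first_match(acl: List[Ace], frame: bytes) -> Optional[int]:
    """Index of the first ACE that matches, or None."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, frame):
            return i
    return None


def evaluate(acl: List[Ace], frame: bytes) -> str:
    """Action taken for the frame: first matching ACE wins, else DEFAULT_ACTION."""
    i = first_match(acl, frame)
    return DEFAULT_ACTION if i is None else acl[i].action


def build_snap_tagged_tcp_frame(dst_mac: str, src_mac: str, proto: int = 6,
                                tcp_flags: int = 0x02) -> bytes:
    """Constructed 64-byte 802.3 SNAP + 802.1Q tagged IPv4/TCP frame; each
    comment gives the letter and offset from the manual's table."""
    f = bytearray()
    f += bytes.fromhex(dst_mac)           # A   destination MAC         offset 0
    f += bytes.fromhex(src_mac)           # B   source MAC              offset 6
    f += b"\x00\x32"                      # C   802.3 length field      offset 12
    f += b"\x81\x00\x00\x64"              # D   VLAN tag (VID 100)      offset 14
    f += b"\xaa\xaa\x03"                  # E F G  DSAP/SSAP/Ctrl       offsets 18-20
    f += b"\x00\x00\x00"                  # H   org code                offset 21
    f += b"\x08\x00"                      # I   encapsulated type IPv4  offset 24
    f += b"\x45\x00"                      # J K version/IHL, TOS        offsets 26-27
    f += b"\x00\x28"                      # L   IP packet length        offset 28
    f += b"\x12\x34"                      # M   identification          offset 30
    f += b"\x40\x00"                      # N   flags/fragment          offset 32
    f += bytes([64, proto])               # O P TTL, protocol ID        offsets 34-35
    f += b"\x00\x00"                      # Q   IP checksum (unset)     offset 36
    f += bytes([192, 0, 2, 1])            # R   source IP               offset 38
    f += bytes([192, 0, 2, 2])            # S   destination IP          offset 42
    f += b"\xc3\x50"                      # T   TCP source port         offset 46
    f += b"\x00\x50"                      # U   TCP destination port    offset 48
    f += b"\x00\x00\x00\x01"              # V   sequence number         offset 50
    f += b"\x00\x00\x00\x00"              # W   acknowledgement         offset 54
    f += bytes([0x50, tcp_flags])         # XY Z data offset, flags     offsets 58-59
    f += b"\xff\xff"                      # a   window size             offset 60
    f += b"\x00\x00"                      # b   others (TCP checksum)   offset 62
    return bytes(f)


def page_example_acl() -> List[Ace]:
    """The two ACEs from the manual's first example."""
    acl: List[Ace] = []
    add_ace(acl, make_ace("permit", "00d0f8123456", "ffffffffffff", 0))
    add_ace(acl, make_ace("deny", "00d0f8654321", "ffffffffffff", 6))
    return acl


if __name__ == "__main__":
    acl = page_example_acl()
    frame = build_snap_tagged_tcp_frame("00d0f8123456", "001122334455")
    print("manual example ACL on frame to 00d0f8123456:", evaluate(acl, frame))
    print("TCP filter (06/ff/35) matches:", ace_matches(make_ace("permit", "06", "ff", 35), frame))
    budget: List[Ace] = []
    print("ACE at offset 50 added:", add_ace(budget, make_ace("permit", "11" * 16, "ff" * 16, 50)))
    print("ACE at offset 54 added:", add_ace(budget, make_ace("permit", "11" * 16, "ff" * 16, 54)))
```

The budget check shows why the manual's second ACE fails: the first ACE already selects bytes 50..65, and bytes 54..69 would push the union to 20 distinct positions; once the first ACE is removed the second one fits.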