VACL Testing on a Switch

1. Test topology:

R1------------SW1------------------(MAC:2.2.2)R2

   |

  R3

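R1, R2 and R3 are all in VLAN 11. The MAC address of R1's interface facing SW1 is manually set to 1.1.1, and the MAC address of R2's interface facing SW1 is manually set to 2.2.2.

R1's interface IP address is 10.1.1.1.

R2's interface IP address is 10.1.1.2.

R3's interface IP address is 10.1.1.3.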

2. Switch VACL configuration, method 1:

! The MAC ACL can only block non-IP packets, such as ARP packets
mac access-list extended R2
permit host 0002.0002.0002 any

access-list 100 permit ip host 10.1.1.3 any

vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11

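Because SW1 drops the non-IP packets sent by R2 (its ARP replies are dropped), R1 and R3 have no ARP entry for R2's interface address, so R1 cannot ping or telnet to R2. If an ARP entry for R2's interface address is added manually on R1, R1 can then ping and telnet to R2, and the reverse direction works too.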

A.R1 PING R3
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#
*Feb 12 11:19:41.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:43.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:45.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:47.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:49.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R1, no packets were seen arriving at R1.

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
With debug enabled on R2, no packets were seen arriving at R2.
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:05:21.700: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:23.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:25.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:27.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:29.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2

E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R3, no packets were seen arriving at R3.
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R2, no packets were seen arriving at R2.

3. Switch VACL configuration, method 2:

! The MAC ACL can only block non-IP packets, such as ARP packets
mac access-list extended R2
permit any host 0002.0002.0002

access-list 100 permit ip  any host 10.1.1.3
vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11
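
Because SW1 drops non-IP packets destined for R2 (the ARP replies sent to R2 by R1 and R3 are dropped), R2 has no ARP entries for the interface addresses of R1 and R3, so R1 cannot ping or telnet to R2. If an ARP entry for R1's interface address is added manually on R2, R1 can then ping and telnet to R2, and the reverse direction works too.

A.R1 PING R3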
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R3, no packets were seen arriving at R3.
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:20:36.024: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:38.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:40.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:42.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:44.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R2#
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.994: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R3, no packets were seen arriving at R3.
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
*Jun 15 11:16:23.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:25.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:27.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:29.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3

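4. Summary:

A. MAC address filtering can only filter non-IP traffic; it cannot filter IP traffic.

B. ICMP is an IP-layer protocol, so ICMP traffic is IP traffic.

C. ARP traffic is not IP traffic. MAC address filtering stops ARP from working, and that is what breaks the IP-layer protocols. If ARP entries are added manually, IP traffic passes normally.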
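
The matching behaviour summarized above, as an added example (a simplified Python model, not code from the original page and not Cisco's implementation): it evaluates both access maps against frames from the test topology and shows which sequence decides each frame. R3's MAC address, the frame list and the final drop when no sequence matches are assumptions made for the example.

```python
# Added example: simplified model of how the page's access map "test" is evaluated.
ARP, IPV4 = 0x0806, 0x0800
R1_MAC, R2_MAC = "0001.0001.0001", "0002.0002.0002"
R3_MAC = "0003.0003.0003"  # constructed: the page does not give R3's MAC

def frame(etype, smac, dmac, sip=None, dip=None):
    return {"etype": etype, "smac": smac, "dmac": dmac, "sip": sip, "dip": dip}

def vacl(ip_match, mac_match):
    """Build the three-sequence map from the page out of two ACL predicates."""
    return [(10, "ip", ip_match, "drop"),
            (20, "mac", mac_match, "drop"),
            (30, None, None, "forward")]

def evaluate(access_map, f):
    """Return (sequence, action) of the first sequence that matches frame f."""
    for seq, kind, pred, action in access_map:
        if kind is None:  # no match clause: matches every frame
            return seq, action
        if kind == "ip" and f["etype"] == IPV4 and pred(f):
            return seq, action
        # The MAC ACL is consulted only for non-IP frames (summary point A).
        if kind == "mac" and f["etype"] != IPV4 and pred(f):
            return seq, action
    return None, "drop"  # assumption: drop when no sequence matches

# Method 1 matches on source, method 2 on destination.
METHOD1 = vacl(lambda f: f["sip"] == "10.1.1.3", lambda f: f["smac"] == R2_MAC)
METHOD2 = vacl(lambda f: f["dip"] == "10.1.1.3", lambda f: f["dmac"] == R2_MAC)

FRAMES = {  # constructed sample frames for the R1/R2/R3 topology
    "R2 ARP reply to R1": frame(ARP, R2_MAC, R1_MAC),
    "R1 ARP reply to R2": frame(ARP, R1_MAC, R2_MAC),
    "R2 ICMP to R1": frame(IPV4, R2_MAC, R1_MAC, "10.1.1.2", "10.1.1.1"),
    "R3 ICMP to R1": frame(IPV4, R3_MAC, R1_MAC, "10.1.1.3", "10.1.1.1"),
    "R1 ICMP to R3": frame(IPV4, R1_MAC, R3_MAC, "10.1.1.1", "10.1.1.3"),
}

def verdicts(access_map):
    return {name: evaluate(access_map, f) for name, f in FRAMES.items()}

if __name__ == "__main__":
    for label, amap in (("method 1", METHOD1), ("method 2", METHOD2)):
        for name, (seq, action) in verdicts(amap).items():
            print(f"{label}: {name:20} -> seq {seq} {action}")
```

In both methods the ICMP frame from R2 reaches sequence 30 and is forwarded even though its source MAC is 0002.0002.0002, which is why a static ARP entry is enough to restore connectivity.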

