ChinaUnix forum
Strange behaviour after configuring an ACL

#1, posted 2008-12-24 14:55
Center4506#show ver
Load for five secs: 13%/0%; one minute: 15%; five minutes: 15%
Time source is NTP, 14:23:59.682 UTC Wed Dec 24 2008
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 23-Sep-05 13:31 by ssearch
Image text-base: 0x10000000, data-base: 0x114DFF08

ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34

Center4506 uptime is 19 weeks, 3 days, 10 hours, 55 minutes
System returned to ROM by power-on
System restarted at 03:32:00 UTC Sun Aug 10 2008
System image file is "bootflash:"

cisco WS-C4506 (MPC8245) processor (revision 10) with 262144K bytes of memory.
Processor board ID FOX10200169
MPC8245 CPU at 266Mhz, Supervisor II+
Last reset from PowerUp
26 Virtual Ethernet interfaces
20 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2101



Center4506#show run
.
.
interface Vlan2
ip address 172.18.2.254 255.255.255.0
ip access-group 101 in
no ip redirects
!
.
interface Vlan16
ip address 192.16.1.254 255.255.255.0
ip access-group 115 in
no ip redirects
!
.
router ospf 100
log-adjacency-changes
area 1 range 172.18.0.0 255.255.240.0
area 1 range 172.18.16.0 255.255.248.0
passive-interface Vlan2
passive-interface Vlan3
passive-interface Vlan4
passive-interface Vlan5
passive-interface Vlan6
passive-interface Vlan7
passive-interface Vlan8
passive-interface Vlan9
passive-interface Vlan10
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
passive-interface Vlan14
passive-interface Vlan15
passive-interface Vlan16
passive-interface Vlan17
passive-interface Vlan18
passive-interface Vlan19
passive-interface Vlan20
passive-interface Vlan21
passive-interface Vlan22
passive-interface Vlan23
passive-interface Vlan28
network 172.18.0.0 0.0.15.255 area 1
network 172.18.16.0 0.0.7.255 area 1
network 172.18.28.0 0.0.0.255 area 1
network 172.18.253.48 0.0.0.7 area 1
network 172.18.254.48 0.0.0.7 area 1
network 192.16.1.0 0.0.0.255 area 1
.
access-list 115 permit ip any host 172.18.29.1
access-list 115 permit ip any host 172.18.29.2
access-list 115 permit ip any host 172.18.29.3
access-list 115 permit ip any host 172.18.29.7
access-list 115 permit ip any host 172.18.29.19
access-list 115 permit ip any host 172.18.29.26
access-list 115 permit ip any host 172.18.29.27
access-list 115 permit ip any host 172.18.29.40
access-list 115 permit ip any host 172.18.29.41
access-list 115 permit ip any host 172.18.29.42
access-list 115 permit ip any host 172.18.28.245
access-list 115 deny   ip any any
.
.
.

The intent is to restrict the 192.16.1.X segment so that it can only reach the IP addresses listed in ACL 115; every other address must be unreachable from 192.16.1.X. The other entries were removed by hand; for example, the original ACL contained the entry "access-list 115 permit ip any host 172.18.2.1", and that was deleted too.

Now I am seeing the following behaviour:
Hosts in 192.16.1.X can ping 172.18.2.1, with heavy packet loss; one packet gets through at regular intervals.
Hosts in 172.18.28.X can ping hosts in 192.16.1.X, with heavy packet loss; one packet gets through at regular intervals.

172.18.28.245 pinging hosts in 192.16.1.X: normal.
172.18.29.3 pinging hosts in 192.16.1.X: normal.

Test with ping and tracert run from 172.18.28.18:
C:\Documents and Settings\anan>ping 192.16.1.20 -t
Reply from 192.16.1.20: bytes=32 time=1ms TTL=127
Request timed out.
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Request timed out.
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Request timed out.
Request timed out.
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Request timed out.
Request timed out.


C:\Documents and Settings\anan>tracert -d 192.16.1.20

Tracing route to 192.16.1.20 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms     *     192.16.1.20
  3    <1 ms    <1 ms    <1 ms  192.16.1.20

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.20

Tracing route to 192.16.1.20 over a maximum of 30 hops

  1     9 ms    <1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms    <1 ms  192.16.1.20

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.20

Tracing route to 192.16.1.20 over a maximum of 30 hops

  1     9 ms     1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms    <1 ms  192.16.1.20

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.14

Tracing route to 192.16.1.14 over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms  172.18.28.254
  2     *            *         <1 ms  192.16.1.14

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.14

Tracing route to 192.16.1.14 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms    <1 ms  192.16.1.14

Trace complete.


Ping test run from 172.18.29.2:
$ ping 192.16.1.20
PING 192.16.1.20: (192.16.1.20): 56 data bytes
64 bytes from 192.16.1.20: icmp_seq=0 ttl=126 time=2 ms
64 bytes from 192.16.1.20: icmp_seq=1 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=2 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=3 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=4 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=5 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=6 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=7 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=8 ttl=126 time=0 ms
^C
----192.16.1.20 PING Statistics----
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 0/0/2 ms

Applying access control on one side's ACL should be enough to restrict access, yet there is this regular pattern of pings getting through. I really can't understand it and can't find the problem.

So I'd like to ask whether anyone has run into something similar.

[ Last edited by lxj821028 on 2008-12-24 15:04 ]

#2, posted 2008-12-24 19:48
Personally I think there is something off with your access list.

Your vlan16 appears to be assigned to the 192.16.1.0 segment.

You apply access list 115 in the in direction on the vlan16 SVI, but what it permits is any address to the hosts in the 172.18.29 segment...

If you only want to allow specific hosts to access the 192.16.1.0 segment, you could try:

! numbered ACLs take wildcard masks, so 0.0.0.255 rather than 255.255.255.0
access-list 115 permit ip host 172.18.29.1 192.16.1.0 0.0.0.255
access-list 115 permit ip host 172.18.29.2 192.16.1.0 0.0.0.255
... ...
access-list 115 deny ip any 192.16.1.0 0.0.0.255

#3, posted 2008-12-25 10:11
I tried the following:

(1) Removed ACL 115 with "no", rewrote the ACL under number 145, removed the application under vlan 16, and pushed the new ACL:

         access-list 145 permit ip any host 172.18.29.1
         access-list 145 permit ip any host 172.18.29.2
         access-list 145 permit ip any host 172.18.29.3
         access-list 145 permit ip any host 172.18.29.7
         access-list 145 permit ip any host 172.18.29.19
         access-list 145 permit ip any host 172.18.29.26
         access-list 145 permit ip any host 172.18.29.27
         access-list 145 permit ip any host 172.18.29.40
         access-list 145 permit ip any host 172.18.29.41
         access-list 145 permit ip any host 172.18.29.42
         access-list 145 permit ip any host 172.18.28.245
         access-list 145 deny   ip any any
        int vlan 16
           no ip access-group 115 in
           ip access-group 145 in


(2) Used a named extended IP ACL:
ip access-list extended hgyy
    permit ip any host 172.18.29.1
    permit ip any host 172.18.29.2
    permit ip any host 172.18.29.3
    permit ip any host 172.18.29.7
    permit ip any host 172.18.29.19
    permit ip any host 172.18.29.26
    permit ip any host 172.18.29.27
    permit ip any host 172.18.29.40
    permit ip any host 172.18.29.41
    permit ip any host 172.18.29.42
    permit ip any host 172.18.28.245
    deny   ip any any

int vlan 16
no ip access-group 115 in
ip access-group hgyy in

Tried both methods; the problem is still the same...

#4, posted 2008-12-25 22:29
The ACL in post #2 is written backwards! The OP's ACL is fine.
My analysis: when 172.18.29.2 pings 192.16.1.20, the ICMP packets reach 192.16.1.20 normally, and host 192.16.1.20 replies with ICMP. Whether that reply reaches 172.18.29.2 depends on how it is routed: if it enters through vlan16 it is filtered out; if it takes another path it may get through.
I suggest the OP print the routing tables of both the switch and the hosts, and check whether the 4506 could be sending ICMP redirects to host 192.16.1.20 that make it change its route.

#5, posted 2008-12-26 17:39
Backwards?

My understanding is this:

Access list 115 filters IP packets entering vlan16, and the hosts inside vlan16 are all in the 192.168.1.0 segment, so the restriction should be about how hosts in other segments access 192.168.1.0.

That is why I wrote it that way.

If my understanding is wrong, please correct me.

#6, posted 2008-12-26 22:53
Because the hosts inside vlan16 are all 192.168.1.0, the source address of every packet entering vlan16 is in 192.168.1.0; the OP wrote any, which covers all source addresses, so that is fine.


If you want to restrict hosts in other segments from accessing 192.168.1.0, the ACL you defined should be applied in the out direction, with the following commands:
int vlan16
ip access-group 115 out

Because packets sent from other segments must enter the switch through other vlan interfaces, be routed, and leave through vlan16 before they can reach the 192.168.1.0 hosts.

#7, posted 2008-12-27 14:09
Suggestion: check the routing table first, then trace the problematic segment and verify that the network path is unique.