
Switch VACL Test

Published: 2020-07-31 16:17:24  Source: web  Views: 628  Author: 碧云天  Column: Security Technology

1. Test topology:

R1------------SW1------------------(MAC:2.2.2)R2
               |
              R3

R1, R2 and R3 are all in VLAN 11. The R1 interface facing SW1 has its MAC address manually set to 1.1.1, and the R2 interface facing SW1 has its MAC address manually set to 2.2.2;

R1's interface IP address is 10.1.1.1;

R2's interface IP address is 10.1.1.2;

R3's interface IP address is 10.1.1.3.

2. First VACL configuration method on the switch:

mac access-list extended R2
permit host 0002.0002.0002 any   (only blocks non-IP packets, e.g. ARP packets)

access-list 100 permit ip host 10.1.1.3 any

vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11

Because SW1 drops the non-IP packets sent by R2 (R2's ARP replies are dropped), R1 and R3 never get an ARP entry for R2's interface address, so R1 cannot ping or telnet to R2. If R1 manually adds an ARP entry for R2's interface address, R1 can then ping and telnet to R2, and the reverse direction works as well.


A.R1 PING R3
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#
*Feb 12 11:19:41.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:43.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:45.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:47.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:49.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R1, no packets were seen arriving at R1.

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
With debug enabled on R2, no packets were seen arriving at R2.
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:05:21.700: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:23.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:25.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:27.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:29.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2

E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R3, no packets were seen arriving at R3.
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R2, no packets were seen arriving at R2.

3. Second VACL configuration method on the switch:

mac access-list extended R2
permit any host 0002.0002.0002  (only blocks non-IP packets, e.g. ARP packets)

access-list 100 permit ip  any host 10.1.1.3
vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11
Because SW1 drops non-IP packets destined to R2 (the ARP replies from R1 and R3 to R2 are dropped), R2 has no ARP entries for the interface addresses of R1 and R3, so R1 cannot ping or telnet to R2. If R2 manually adds an ARP entry for R1's interface address, R1 can then ping and telnet to R2, and the reverse direction works as well.
A.R1 PING R3
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R3, no packets were seen arriving at R3.
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:20:36.024: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:38.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:40.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:42.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:44.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R2#
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.994: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
With debug enabled on R3, no packets were seen arriving at R3.
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
*Jun 15 11:16:23.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:25.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:27.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:29.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3

4. Summary:

A. MAC address filtering in a VACL only filters non-IP traffic; it cannot filter IP traffic.

B. ICMP is an IP-layer protocol, so ICMP traffic is IP traffic.

C. ARP traffic is not IP traffic. MAC address filtering breaks ARP, and that is what makes the IP-layer protocols fail; if ARP entries are added manually, IP traffic passes normally.
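To make the summary concrete, here is an added example (not part of the original post) that models how the two access-maps above classify the frames exchanged in the test: sequences are tried in order, the first match decides, a "match ip address" entry is consulted only for IP packets and a "match mac address" entry only for non-IP frames such as ARP. R3's MAC address (0003.0003.0003) is an assumption, since the post does not state it.

```python
# Added example: a minimal model of Catalyst VACL evaluation for the two
# access-maps in this test. Assumption: MAC ACL entries never match IP traffic
# (the behaviour the test demonstrates); R3's MAC is a constructed placeholder.
from dataclasses import dataclass

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    proto: str            # "ip" or "arp"
    src_ip: str = ""
    dst_ip: str = ""

BCAST = "ffff.ffff.ffff"

def acl_match(entry, frame):
    """entry is ('ip', src, dst) or ('mac', src, dst); 'any' is a wildcard."""
    kind, src, dst = entry
    if kind == "ip":
        if frame.proto != "ip":
            return False
        return src in ("any", frame.src_ip) and dst in ("any", frame.dst_ip)
    if frame.proto == "ip":        # a MAC ACL inside a VACL never sees IP packets
        return False
    return src in ("any", frame.src_mac) and dst in ("any", frame.dst_mac)

def vacl(access_map, frame):
    """access_map: ordered list of (match_entry_or_None, action); None matches all."""
    for entry, action in access_map:
        if entry is None or acl_match(entry, frame):
            return action
    return "drop"                  # implicit deny when no sequence matches

# Method 1: drop IP sourced from 10.1.1.3, drop non-IP sourced from MAC 2.2.2
METHOD1 = [(("ip", "10.1.1.3", "any"), "drop"),
           (("mac", "0002.0002.0002", "any"), "drop"),
           (None, "forward")]
# Method 2: drop IP destined to 10.1.1.3, drop non-IP destined to MAC 2.2.2
METHOD2 = [(("ip", "any", "10.1.1.3"), "drop"),
           (("mac", "any", "0002.0002.0002"), "drop"),
           (None, "forward")]

# Constructed frames from the test scenario
ARP_REQ_R1 = Frame("0001.0001.0001", BCAST, "arp")                    # R1 asks for R2
ARP_REP_R2 = Frame("0002.0002.0002", "0001.0001.0001", "arp")         # R2 answers R1
ARP_REP_R1 = Frame("0001.0001.0001", "0002.0002.0002", "arp")         # R1 answers R2
ICMP_R2_R1 = Frame("0002.0002.0002", "0001.0001.0001", "ip", "10.1.1.2", "10.1.1.1")
ICMP_R3_R1 = Frame("0003.0003.0003", "0001.0001.0001", "ip", "10.1.1.3", "10.1.1.1")
ICMP_R1_R3 = Frame("0001.0001.0001", "0003.0003.0003", "ip", "10.1.1.1", "10.1.1.3")
```

Running `vacl(METHOD1, ICMP_R2_R1)` returns "forward" while `vacl(METHOD1, ARP_REP_R2)` returns "drop", which is exactly why R2's ICMP echoes reach R1 in test D yet R1 never learns R2's MAC address.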
