R1------------SW1------------------(MAC:2.2.2)R2

  |

 R3

R1，R2，R3都在VLAN11中，R1連接SW1的接口手工指定mac地址為1.1.1,R2連接SW1的接口手工指定mac地址為2.2.2;

R1接口的IP地址為10.1.1.1;

R2接口的IP地址為10.1.1.2;

R3接口的IP地址為10.1.1.3.

二.交換機(jī)VACL第一種配置方式：

mac access-list extended R2
permit host 0002.0002.0002 any  （只能屏蔽非IP包，比如arp包）

access-list 100 permit ip host 10.1.1.3 any

vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11

因?yàn)镾W1拒絕了R2發(fā)出的非IP包（arp回應(yīng)包被拒絕了），R1和R3沒有R2接口地址的ARP條目，導(dǎo)致R1無法ping和telnet R2，如果R1手工添加R2接口地址的ARP條目，R1則能pint和telnet R2，返回過來也可以。

A.R1 PING R3
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#
*Feb 12 11:19:41.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:43.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:45.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:47.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:49.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R1上開啟debug沒有看到數(shù)據(jù)包到達(dá)R1

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
在R2上開啟debug沒有看到數(shù)據(jù)包到達(dá)R2
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:05:21.700: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:23.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:25.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:27.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:29.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2

E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R3上開啟debug沒有看到數(shù)據(jù)包到達(dá)R3
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R2上開啟debug沒有看到數(shù)據(jù)包到達(dá)R2

三.交換機(jī)VACL第二種配置方式：

mac access-list extended R2
permit any host 0002.0002.0002  （只能屏蔽非IP包，比如arp包）

access-list 100 permit ip  any host 10.1.1.3
vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11
因?yàn)镾W1拒絕去往R2的非IP包（R1和R2給R2的arp回應(yīng)包被拒絕了），R2沒有R1和R3接口地址的ARP條目，導(dǎo)致R1無法ping和telnet R2，如果R2手工添加R1接口地址的ARP條目，R1則能pint和telnet R2，返回過來也可以。A.R1 PING R3
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R3上開啟debug沒有看到數(shù)據(jù)包到達(dá)R3
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:20:36.024: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:38.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:40.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:42.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:44.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R2#
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.994: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R3上開啟debug沒有看到數(shù)據(jù)包到達(dá)R3
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
*Jun 15 11:16:23.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:25.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:27.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:29.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3

四.總結(jié)：

A.mac地址過濾，只能過濾非IP流量，不能過濾IP流量

B.icmp屬于IP層的協(xié)議，icmp流量屬于ip流量

C.arp流量不屬于IP流量，mac地址過濾導(dǎo)致arp無法正常工作，才會導(dǎo)致ip層協(xié)議出現(xiàn)問題，如果手工添加ARP條目，就能是IP流量正常通行。

另外有需要云服務(wù)器可以了解下創(chuàng)新互聯(lián)scvps.cn，海內(nèi)外云服務(wù)器15元起步，三天無理由+7*72小時售后在線，公司持有idc許可證，提供“云服務(wù)器、裸金屬服務(wù)器、高防服務(wù)器、香港服務(wù)器、美國服務(wù)器、虛擬主機(jī)、免備案服務(wù)器”等云主機(jī)租用服務(wù)以及企業(yè)上云的綜合解決方案，具有“安全穩(wěn)定、簡單易用、服務(wù)可用性高、性價(jià)比高”等特點(diǎn)與優(yōu)勢，專為企業(yè)上云打造定制，能夠滿足用戶豐富、多元化的應(yīng)用場景需求。

當(dāng)前名稱：交換機(jī)的VACL測試-創(chuàng)新互聯(lián)
鏈接地址：http://chinadenli.net/article38/cdjesp.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供做網(wǎng)站、企業(yè)建站、網(wǎng)站設(shè)計(jì)、App設(shè)計(jì)、ChatGPT、品牌網(wǎng)站設(shè)計(jì)

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請盡快告知，我們將會在第一時間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場，如需處理請聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時需注明來源： 創(chuàng)新互聯(lián)