Help with an ACL problem (Replies: 0, Views: 59)
2008-04-26 11:22:12

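With the configuration below, why can IP packets from segment 2 (vlan4) be detected from within segment 7 (vlan10)? I have already used ACLs to restrict access between them. Why is that?
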
#
sysname Quidway
#
super password level 3 simple xxxxxxx
#
radius scheme system
 server-type huawei
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
radius scheme cams
 server-type portal
 key authentication huawei3com
 key accounting huawei3com
 user-name-format without-domain
domain system
 radius-scheme system
 access-limit disable
 state active
 vlan-assignment-mode integer
 idle-cut disable
 self-service-url disable
 messenger time disable
domain default enable cams
#
local-server nas-ip 127.0.0.1 key huawei
local-user xxxxxx
 password simple xxxxxxx
 service-type telnet level 3
#
temperature-limit 0 20 80
#
acl number 3001
 rule 0 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 2 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 3 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 4 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 6 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
 rule 7 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3002
 rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 1 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 2 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 3 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 4 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 6 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
 rule 7 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3003
 rule 0 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 1 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 3 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 4 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
 rule 6 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3004
 rule 0 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 1 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 3 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 4 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 5 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
 rule 6 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3005
 rule 0 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 1 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 3 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 4 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 5 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
 rule 6 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3006
 rule 0 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 1 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
acl number 3007
 rule 0 permit ip source 192.168.7.117 0 destination any
 rule 1 permit ip source any destination 192.168.7.117 0
 rule 2 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 3 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 4 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 5 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 6 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 7 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 rule 8 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
 rule 9 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3008
 rule 0 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 1 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 3 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 4 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 5 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 6 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3009
 rule 0 deny ip source 192.168.9.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 1 deny ip source 192.168.9.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip source 192.168.9.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 3 deny ip source 192.168.9.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 4 deny ip source 192.168.9.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 5 deny ip source 192.168.9.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 6 deny ip source 192.168.9.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
acl number 3010
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 2 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 3 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 rule 4 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
 rule 6 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
#
vlan 1
#
vlan 2
 description manager
#
vlan 3
 description yanfa_a
#
vlan 4
 description yanfa_b
#
vlan 5
 description server
#
vlan 6
 description caiwu
#
vlan 7
 description other
#
vlan 8
 description jingli
#
vlan 9
 description erp
#
vlan 10
 description test
#
vlan 11
 description xiaoting_a
#
vlan 12
 description xiaoting_b
#
interface Vlan-interface2
 ip address 192.168.11.1 255.255.255.0
#
interface Vlan-interface3
 ip address 192.168.0.1 255.255.255.0
#
interface Vlan-interface4
 ip address 192.168.2.1 255.255.255.0
#
interface Vlan-interface5
 ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface6
 ip address 192.168.3.1 255.255.255.0
#
interface Vlan-interface7
 ip address 192.168.4.1 255.255.255.0
#
interface Vlan-interface8
 ip address 192.168.5.1 255.255.255.0
#
interface Vlan-interface9
 ip address 192.168.6.1 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.7.1 255.255.255.0
#
interface Vlan-interface11
 ip address 192.168.8.1 255.255.255.0
#
interface Vlan-interface12
 ip address 192.168.9.1 255.255.255.0
#
interface Aux0/0
#
interface Ethernet0/1
 port access vlan 2
#
interface Ethernet0/2
 port link-type trunk
 port trunk permit vlan 3 to 4 12
 packet-filter inbound ip-group 3001 rule 0
 packet-filter inbound ip-group 3001 rule 1
 packet-filter inbound ip-group 3001 rule 2
 packet-filter inbound ip-group 3001 rule 3
 packet-filter inbound ip-group 3001 rule 5
 packet-filter inbound ip-group 3001 rule 6
 packet-filter inbound ip-group 3001 rule 7
 packet-filter inbound ip-group 3002 rule 0
 packet-filter inbound ip-group 3002 rule 1
 packet-filter inbound ip-group 3002 rule 2
 packet-filter inbound ip-group 3002 rule 3
 packet-filter inbound ip-group 3002 rule 4
 packet-filter inbound ip-group 3002 rule 5
 packet-filter inbound ip-group 3002 rule 6
 packet-filter inbound ip-group 3002 rule 7
 packet-filter inbound ip-group 3005 rule 0
 packet-filter inbound ip-group 3009 rule 1
 packet-filter inbound ip-group 3009 rule 2
 packet-filter inbound ip-group 3009 rule 3
 packet-filter inbound ip-group 3009 rule 4
 packet-filter inbound ip-group 3009 rule 5
 packet-filter inbound ip-group 3009 rule 6
#
interface Ethernet0/3
 port link-type trunk
 port trunk permit vlan 3 to 4 12
 packet-filter inbound ip-group 3001 rule 0
 packet-filter inbound ip-group 3001 rule 1
 packet-filter inbound ip-group 3001 rule 2
 packet-filter inbound ip-group 3001 rule 3
 packet-filter inbound ip-group 3001 rule 5
 packet-filter inbound ip-group 3001 rule 6
 packet-filter inbound ip-group 3001 rule 7
 packet-filter inbound ip-group 3002 rule 0
 packet-filter inbound ip-group 3002 rule 1
 packet-filter inbound ip-group 3002 rule 2
 packet-filter inbound ip-group 3002 rule 3
 packet-filter inbound ip-group 3002 rule 4
 packet-filter inbound ip-group 3002 rule 5
 packet-filter inbound ip-group 3002 rule 6
 packet-filter inbound ip-group 3002 rule 7
 packet-filter inbound ip-group 3009 rule 0
 packet-filter inbound ip-group 3009 rule 1
 packet-filter inbound ip-group 3009 rule 2
 packet-filter inbound ip-group 3009 rule 3
 packet-filter inbound ip-group 3009 rule 4
 packet-filter inbound ip-group 3009 rule 5
 packet-filter inbound ip-group 3009 rule 6
#
interface Ethernet0/4
 port link-type trunk
 port trunk permit vlan 3 to 4
 packet-filter inbound ip-group 3001 rule 0
 packet-filter inbound ip-group 3001 rule 1
 packet-filter inbound ip-group 3001 rule 2
 packet-filter inbound ip-group 3001 rule 3
 packet-filter inbound ip-group 3001 rule 5
 packet-filter inbound ip-group 3001 rule 6
 packet-filter inbound ip-group 3001 rule 7
 packet-filter inbound ip-group 3002 rule 0
 packet-filter inbound ip-group 3002 rule 1
 packet-filter inbound ip-group 3002 rule 2
 packet-filter inbound ip-group 3002 rule 3
 packet-filter inbound ip-group 3002 rule 4
 packet-filter inbound ip-group 3002 rule 5
 packet-filter inbound ip-group 3002 rule 6
 packet-filter inbound ip-group 3002 rule 7
#
interface Ethernet0/5
 port link-type trunk
 port trunk permit vlan 3 to 4
 packet-filter inbound ip-group 3001 rule 0
 packet-filter inbound ip-group 3001 rule 1
 packet-filter inbound ip-group 3001 rule 2
 packet-filter inbound ip-group 3001 rule 3
 packet-filter inbound ip-group 3001 rule 5
 packet-filter inbound ip-group 3001 rule 6
 packet-filter inbound ip-group 3001 rule 7
 packet-filter inbound ip-group 3002 rule 0
 packet-filter inbound ip-group 3002 rule 1
 packet-filter inbound ip-group 3002 rule 2
 packet-filter inbound ip-group 3002 rule 3
 packet-filter inbound ip-group 3002 rule 4
 packet-filter inbound ip-group 3002 rule 5
 packet-filter inbound ip-group 3002 rule 6
 packet-filter inbound ip-group 3002 rule 7
#
interface Ethernet0/6
 port access vlan 10
 packet-filter inbound ip-group 3007 rule 0
 packet-filter inbound ip-group 3007 rule 1
 packet-filter inbound ip-group 3007 rule 2
 packet-filter inbound ip-group 3007 rule 3
 packet-filter inbound ip-group 3007 rule 4
 packet-filter inbound ip-group 3007 rule 5
 packet-filter inbound ip-group 3007 rule 6
 packet-filter inbound ip-group 3007 rule 7
 packet-filter inbound ip-group 3007 rule 8
 packet-filter inbound ip-group 3007 rule 9
#
interface Ethernet0/7
 port access vlan 10
 packet-filter inbound ip-group 3007 rule 0
 packet-filter inbound ip-group 3007 rule 1
 packet-filter inbound ip-group 3007 rule 2
 packet-filter inbound ip-group 3007 rule 3
 packet-filter inbound ip-group 3007 rule 4
 packet-filter inbound ip-group 3007 rule 5
 packet-filter inbound ip-group 3007 rule 6
 packet-filter inbound ip-group 3007 rule 7
 packet-filter inbound ip-group 3007 rule 8
 packet-filter inbound ip-group 3007 rule 9
#
interface Ethernet0/8
 port access vlan 10
 packet-filter inbound ip-group 3007 rule 0
 packet-filter inbound ip-group 3007 rule 1
 packet-filter inbound ip-group 3007 rule 2
 packet-filter inbound ip-group 3007 rule 3
 packet-filter inbound ip-group 3007 rule 4
 packet-filter inbound ip-group 3007 rule 5
 packet-filter inbound ip-group 3007 rule 6
 packet-filter inbound ip-group 3007 rule 7
 packet-filter inbound ip-group 3007 rule 8
 packet-filter inbound ip-group 3007 rule 9
#
interface Ethernet0/9
 port link-type trunk
 port trunk permit vlan 4 7 to 8 10 11 12
 packet-filter inbound ip-group 3002 rule 0
 packet-filter inbound ip-group 3002 rule 1
 packet-filter inbound ip-group 3002 rule 2
 packet-filter inbound ip-group 3002 rule 3
 packet-filter inbound ip-group 3002 rule 4
 packet-filter inbound ip-group 3002 rule 5
 packet-filter inbound ip-group 3002 rule 6
 packet-filter inbound ip-group 3002 rule 7
 packet-filter inbound ip-group 3004 rule 0
 packet-filter inbound ip-group 3004 rule 1
 packet-filter inbound ip-group 3004 rule 2
 packet-filter inbound ip-group 3004 rule 3
 packet-filter inbound ip-group 3004 rule 4
 packet-filter inbound ip-group 3004 rule 5
 packet-filter inbound ip-group 3004 rule 6
 packet-filter inbound ip-group 3005 rule 0
 packet-filter inbound ip-group 3005 rule 1
 packet-filter inbound ip-group 3005 rule 2
 packet-filter inbound ip-group 3005 rule 3
 packet-filter inbound ip-group 3005 rule 4
 packet-filter inbound ip-group 3005 rule 5
 packet-filter inbound ip-group 3005 rule 6
 packet-filter inbound ip-group 3007 rule 0
 packet-filter inbound ip-group 3007 rule 1
 packet-filter inbound ip-group 3007 rule 2
 packet-filter inbound ip-group 3007 rule 3
 packet-filter inbound ip-group 3007 rule 4
 packet-filter inbound ip-group 3007 rule 5
 packet-filter inbound ip-group 3007 rule 6
 packet-filter inbound ip-group 3007 rule 7
 packet-filter inbound ip-group 3008 rule 0
 packet-filter inbound ip-group 3008 rule 1
 packet-filter inbound ip-group 3008 rule 2
 packet-filter inbound ip-group 3008 rule 3
 packet-filter inbound ip-group 3008 rule 4
 packet-filter inbound ip-group 3008 rule 5
 packet-filter inbound ip-group 3008 rule 6
 packet-filter inbound ip-group 3009 rule 0
 packet-filter inbound ip-group 3009 rule 1
 packet-filter inbound ip-group 3009 rule 2
 packet-filter inbound ip-group 3009 rule 3
 packet-filter inbound ip-group 3009 rule 4
 packet-filter inbound ip-group 3009 rule 5
 packet-filter inbound ip-group 3009 rule 6
#
interface Ethernet0/10
 port link-type trunk
 port trunk permit vlan 6 to 7
 packet-filter inbound ip-group 3003 rule 0
 packet-filter inbound ip-group 3003 rule 1
 packet-filter inbound ip-group 3003 rule 2
 packet-filter inbound ip-group 3003 rule 3
 packet-filter inbound ip-group 3003 rule 4
 packet-filter inbound ip-group 3003 rule 5
 packet-filter inbound ip-group 3003 rule 6
 packet-filter inbound ip-group 3004 rule 0
 packet-filter inbound ip-group 3004 rule 1
 packet-filter inbound ip-group 3004 rule 2
 packet-filter inbound ip-group 3004 rule 3
 packet-filter inbound ip-group 3004 rule 4
 packet-filter inbound ip-group 3004 rule 5
 packet-filter inbound ip-group 3004 rule 6
#
interface Ethernet0/11
 port access vlan 8
 packet-filter inbound ip-group 3005 rule 0
 packet-filter inbound ip-group 3005 rule 1
 packet-filter inbound ip-group 3005 rule 2
 packet-filter inbound ip-group 3005 rule 3
 packet-filter inbound ip-group 3005 rule 4
 packet-filter inbound ip-group 3005 rule 5
 packet-filter inbound ip-group 3005 rule 6
#
interface Ethernet0/12
 port access vlan 5
#
interface Ethernet0/13
 port access vlan 8
 packet-filter inbound ip-group 3005 rule 0
 packet-filter inbound ip-group 3005 rule 1
 packet-filter inbound ip-group 3005 rule 2
 packet-filter inbound ip-group 3005 rule 3
 packet-filter inbound ip-group 3005 rule 4
 packet-filter inbound ip-group 3005 rule 5
 packet-filter inbound ip-group 3005 rule 6
#
interface Ethernet0/14
 port access vlan 8
 packet-filter inbound ip-group 3005 rule 0
 packet-filter inbound ip-group 3005 rule 1
 packet-filter inbound ip-group 3005 rule 2
 packet-filter inbound ip-group 3005 rule 3
 packet-filter inbound ip-group 3005 rule 4
 packet-filter inbound ip-group 3005 rule 5
 packet-filter inbound ip-group 3005 rule 6
#
interface Ethernet0/15
 port access vlan 8
 packet-filter inbound ip-group 3005 rule 0
 packet-filter inbound ip-group 3005 rule 1
 packet-filter inbound ip-group 3005 rule 2
 packet-filter inbound ip-group 3005 rule 3
 packet-filter inbound ip-group 3005 rule 4
 packet-filter inbound ip-group 3005 rule 5
 packet-filter inbound ip-group 3005 rule 6
#
interface Ethernet0/16
 port access vlan 5
#
interface Ethernet0/17
 port access vlan 5
 packet-filter inbound ip-group 3010 rule 0
 packet-filter inbound ip-group 3010 rule 1
 packet-filter inbound ip-group 3010 rule 2
 packet-filter inbound ip-group 3010 rule 3
 packet-filter inbound ip-group 3010 rule 4
 packet-filter inbound ip-group 3010 rule 5
 packet-filter inbound ip-group 3010 rule 6
#
interface Ethernet0/18
 port access vlan 9
#
interface Ethernet0/19
 port access vlan 9
#
interface Ethernet0/20
 port access vlan 5
#
interface Ethernet0/21
 port access vlan 9
#
interface Ethernet0/22
 port access vlan 5
#
interface Ethernet0/23
 port access vlan 5
#
interface Ethernet0/24
 port access vlan 5
#
interface GigabitEthernet1/1
 port access vlan 9
#
interface GigabitEthernet1/2
 port access vlan 5
#
interface GigabitEthernet1/3
 port link-type trunk
 port trunk permit vlan 11 to 12
 packet-filter inbound ip-group 3008 rule 0
 packet-filter inbound ip-group 3008 rule 1
 packet-filter inbound ip-group 3008 rule 2
 packet-filter inbound ip-group 3008 rule 3
 packet-filter inbound ip-group 3008 rule 4
 packet-filter inbound ip-group 3008 rule 5
 packet-filter inbound ip-group 3008 rule 6
 packet-filter inbound ip-group 3009 rule 0
 packet-filter inbound ip-group 3009 rule 1
 packet-filter inbound ip-group 3009 rule 2
 packet-filter inbound ip-group 3009 rule 3
 packet-filter inbound ip-group 3009 rule 4
 packet-filter inbound ip-group 3009 rule 5
 packet-filter inbound ip-group 3009 rule 6
#
interface GigabitEthernet1/4
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.99 preference 60
#
user-interface aux 0
 screen-length 0
user-interface vty 0 4
#
return
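
An added example, not part of the original post: the configuration applies ACL rules to ports one `packet-filter` line at a time, so this Python check lists, for each ACL used on a port, the rules that are defined but not applied there. It does not determine the cause of the behaviour asked about; the function names and the rebuilt excerpt (`CONFIG`) are this example's own.

```python
import re

def acl(number, src, dests):
    """Rebuild one 'acl number N' section in the flattened form of the post."""
    return f"acl number {number} " + "".join(
        f"rule {i} deny ip source 192.168.{src}.0 0.0.0.255 "
        f"destination 192.168.{d}.0 0.0.0.255 " for i, d in enumerate(dests))

def bind(number, rules):
    """Rebuild the per-rule packet-filter commands of one interface."""
    return "".join(f"packet-filter inbound ip-group {number} rule {r} " for r in rules)

# Excerpt of the post's config (ACLs 3001/3002/3005/3009, ports E0/2 and E0/3).
TRUNK = "port link-type trunk port trunk permit vlan 3 to 4 12 "
CONFIG = (
    acl(3001, 0, range(2, 10)) + acl(3002, 2, [0, 3, 4, 5, 6, 7, 8, 9])
    + acl(3005, 5, [0, 2, 3, 4, 7, 8, 9]) + acl(3009, 9, [0, 2, 3, 4, 5, 7, 8])
    + "# interface Ethernet0/2 " + TRUNK
    + bind(3001, [0, 1, 2, 3, 5, 6, 7]) + bind(3002, range(8))
    + bind(3005, [0]) + bind(3009, range(1, 7))
    + "# interface Ethernet0/3 " + TRUNK
    + bind(3001, [0, 1, 2, 3, 5, 6, 7]) + bind(3002, range(8))
    + bind(3009, range(7)) + "# return"
)

def defined_rules(text):
    """Map ACL number -> set of rule ids defined in its 'acl number' section."""
    acls = {}
    for number, body in re.findall(r"acl number (\d+)(.*?)(?=acl number|#|$)", text, re.S):
        acls.setdefault(int(number), set()).update(
            int(r) for r in re.findall(r"\brule (\d+)", body))
    return acls

def bound_rules(text):
    """Map interface -> ACL -> rule ids applied inbound (skips 'user-interface')."""
    ports = {}
    for name, body in re.findall(r"(?<![-\w])interface (\S+)(.*?)(?=#|$)", text, re.S):
        per_acl = ports.setdefault(name, {})
        for number, rule in re.findall(r"packet-filter inbound ip-group (\d+) rule (\d+)", body):
            per_acl.setdefault(int(number), set()).add(int(rule))
    return ports

def unbound_rules(text):
    """For each ACL used on a port, list its defined rules not applied there."""
    acls, gaps = defined_rules(text), {}
    for port, per_acl in bound_rules(text).items():
        for number, applied in per_acl.items():
            missing = sorted(acls.get(number, set()) - applied)
            if missing:
                gaps[(port, number)] = missing
    return gaps

if __name__ == "__main__":
    for (port, number), missing in sorted(unbound_rules(CONFIG).items()):
        print(f"{port}: acl {number} rules {missing} defined but not applied")
```

The same three functions accept the full flattened configuration as one string in place of `CONFIG`.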