Not applicable.
Illegal destination port object group type.
The site needs an IPv6 ACL rule that references object groups to match the TCP destination port, but the configuration fails with an error:
[H3C-acl-ipv6-adv-3000]rule permit tcp destination object-group v6add destination-port object-group v6
Illegal destination port object group type.
[H3C-acl-ipv6-adv-3000]dis this
#
acl ipv6 advanced 3000
#
1. Check the related object-group configuration: the object group referenced for the destination port is of type service.
#
object-group ipv6 address v6add
0 network host address 1::1
10 network host address 1::2
20 network host address 1::3
30 network host address 1::4
#
object-group service v6
0 service tcp destination eq 443
#
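2. The object group we need to reference here is only used to match port numbers. The device has another object-group type, port, so create the following object group: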
#
object-group port v6port
0 port eq 443
10 port eq 444
#
3. Configure the rule again; this time it succeeds:
[H3C-acl-ipv6-adv-3000]rule permit tcp destination object-group v6add destination-port object-group v6port
[H3C-acl-ipv6-adv-3000]dis this
#
acl ipv6 advanced 3000
rule 0 permit tcp destination object-group v6add destination-port object-group v6port
#
When an ACL rule matches the destination port through an object group, the referenced object group must be of type "port", not "service".
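The type mismatch above can be caught in a saved configuration before it is pushed to the device. The following is an added example, not part of the original case or any H3C tool: the function names are hypothetical, the sample config is constructed from the commands shown above, and only the three object-group forms seen in this case are recognised.

```python
import re

# Constructed sample config assembled from the commands shown in this case.
SAMPLE_CONFIG = """\
object-group ipv6 address v6add
 0 network host address 1::1
#
object-group service v6
 0 service tcp destination eq 443
#
object-group port v6port
 0 port eq 443
#
acl ipv6 advanced 3000
 rule permit tcp destination object-group v6add destination-port object-group v6
 rule permit tcp destination object-group v6add destination-port object-group v6port
"""

# Rule keyword -> object-group type it has to reference, as established in this case.
EXPECTED = {"destination": "ipv6 address", "destination-port": "port"}

# Only the three object-group forms that appear in this case are recognised (assumption).
GROUP_RE = re.compile(r"^object-group\s+(ipv6 address|service|port)\s+(\S+)$")
REF_RE = re.compile(r"(?<![\w-])(destination-port|destination)\s+object-group\s+(\S+)")

def collect_groups(config):
    """Map each object-group name to its declared type."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m.group(2)] = m.group(1)
    return groups

def check_rules(config):
    """Return (line number, keyword, group name, actual type) for every mismatch."""
    groups = collect_groups(config)
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.strip().startswith("rule "):
            continue
        for keyword, name in REF_RE.findall(line):
            actual = groups.get(name, "undefined")
            if actual != EXPECTED[keyword]:
                findings.append((lineno, keyword, name, actual))
    return findings

if __name__ == "__main__":
    for lineno, keyword, name, actual in check_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {keyword} object-group {name} is '{actual}', "
              f"expected '{EXPECTED[keyword]}'")
```

A reference to an object group that is not defined anywhere in the file is reported with the type "undefined".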