sr 6608 v5.20
- 0关注
- 1收藏,2732浏览
问题描述:
H3C的SR 6608路由器版本为v5.20,在写acl的时候最后一条acl为deny ip logging,添加了logging关键字,
但是无法看到具体匹配了那个源地址跟目的地址的记录,请问有什么命令可以查看匹配了哪些具体流量?
- 2017-08-22提问
- 举报
-
(0)
logging表示对符合条件的报文可记录日志信息。该功能需要使用该ACL的模块支持日志记录功能,例如防火墙。您具体是怎么配置的呢?有没有和firewall功能配合使用,能提供一下配置及现象吗?
- 2017-08-22回答
- 评论(1)
- 举报
-
(0)
H3C Comware Platform Software Comware Software, Version 5.20.106, Release 3303P20 Copyright (c) 2004-2015 Hangzhou H3C Tech. Co., Ltd. All rights reserved. H3C SR6608 uptime is 39 weeks, 4 days, 16 hours, 42 minutes acl number 3107 name ACL-YLJJFM-IN rule 5 permit icmp rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023 rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161 rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 999 deny ip logging 使用命令查看dis acl all Advanced ACL 3107, named ACL-YLJJFM-IN, 8 rules, ACL's step is 5 rule 5 permit icmp (9 time(s) matched) rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023 (603 time(s) matched) rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (1991206 time(s) matched) rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (20350 time(s) matched) rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161 (3 time(s) matched) rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (262 time(s) matched) rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (6 time(s) matched) rule 999 deny ip logging (311 time(s) matched) 看到rule 999后面有匹配的条目,但是使用dis logbuffer看不到具体匹配了哪些条目,就是不知道匹配 了哪些具体地址的报文
H3C Comware Platform Software
Comware Software, Version 5.20.106, Release 3303P20
Copyright (c) 2004-2015 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C SR6608 uptime is 39 weeks, 4 days, 16 hours, 42 minutes
acl number 3107 name ACL-YLJJFM-IN
rule 5 permit icmp
rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023
rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161
rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 999 deny ip logging
使用命令查看dis acl all
Advanced ACL 3107, named ACL-YLJJFM-IN, 8 rules,
ACL's step is 5
rule 5 permit icmp (9 time(s) matched)
rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023 (603 time(s) matched)
rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (1991206 time(s) matched)
rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (20350 time(s) matched)
rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161 (3 time(s) matched)
rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (262 time(s) matched)
rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (6 time(s) matched)
rule 999 deny ip logging (311 time(s) matched)
看到rule 999后面有匹配的条目,但是使用dis logbuffer看不到具体匹配了哪些条目,就是不知道匹配
了哪些具体地址的报文
- 2017-08-22回答
- 评论(3)
- 举报
-
(0)
在路由器上没有这条命令吧,只有firewall enable这条命令,开启之后logbuffer里面也是看不到匹配了哪些报文
你这个需要配合firewall packet-filter acl 来进行测试,logbuffer里面应该就会出现哪些被匹配到
在路由器上没有这条命令吧,只有firewall enable这条命令,开启之后logbuffer里面也是看不到匹配了哪些报文
在路由器上没有这条命令吧,只有firewall enable这条命令,开启之后logbuffer里面也是看不到匹配了哪些报文
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
H3C Comware Platform Software Comware Software, Version 5.20.106, Release 3303P20 Copyright (c) 2004-2015 Hangzhou H3C Tech. Co., Ltd. All rights reserved. H3C SR6608 uptime is 39 weeks, 4 days, 16 hours, 42 minutes acl number 3107 name ACL-YLJJFM-IN rule 5 permit icmp rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023 rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161 rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 rule 999 deny ip logging 使用命令查看dis acl all Advanced ACL 3107, named ACL-YLJJFM-IN, 8 rules, ACL's step is 5 rule 5 permit icmp (9 time(s) matched) rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023 (603 time(s) matched) rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (1991206 time(s) matched) rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (20350 time(s) matched) rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161 (3 time(s) matched) rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (262 time(s) matched) rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (6 time(s) matched) rule 999 deny ip logging (311 time(s) matched) 看到rule 999后面有匹配的条目,但是使用dis logbuffer看不到具体匹配了哪些条目,就是不知道匹配 了哪些具体地址的报文