Our H3C SR 6608 router runs version v5.20. When writing an ACL, the last rule is deny ip logging, i.e. with the logging keyword added,
but I cannot see any record of which specific source and destination addresses were matched. Is there a command to view exactly which traffic matched?
logging means that log information can be recorded for packets matching the rule. This function requires that the module using the ACL supports logging, for example the firewall. How exactly have you configured it? Is it being used together with the firewall function? Could you provide the configuration and the observed behaviour?
H3C Comware Platform Software
Comware Software, Version 5.20.106, Release 3303P20
Copyright (c) 2004-2015 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C SR6608 uptime is 39 weeks, 4 days, 16 hours, 42 minutes
acl number 3107 name ACL-YLJJFM-IN
rule 5 permit icmp
rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023
rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161
rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
rule 999 deny ip logging
Viewed with the command dis acl all:
Advanced ACL 3107, named ACL-YLJJFM-IN, 8 rules,
ACL's step is 5
rule 5 permit icmp (9 time(s) matched)
rule 10 permit tcp source 11.131.250.8 0 source-port range ftp-data ftp destination 145.0.241.101 0 destination-port gt 1023 (603 time(s) matched)
rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (1991206 time(s) matched)
rule 16 permit tcp source 11.192.254.162 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (20350 time(s) matched)
rule 20 permit tcp source 144.131.254.238 0 source-port gt 1023 destination 15.60.6.18 0 destination-port eq 20161 (3 time(s) matched)
rule 25 permit tcp source 11.192.254.46 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (262 time(s) matched)
rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (6 time(s) matched)
rule 999 deny ip logging (311 time(s) matched)
I can see that rule 999 has matched entries, but dis logbuffer does not show which specific entries were matched, so I do not know which addresses the matched packets came from or went to.
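As an added helper (not posted in the thread), the following parses the display acl output shown above and diffs two snapshots, so that the rule-level counters can at least be tracked while the per-packet logging is sorted out; the second snapshot's counters are constructed, and the Basic/Advanced header and "(N time(s) matched)" suffix formats are assumed from the output quoted above.

```python
import re

# Constructed sample: two snapshots of "display acl all", modelled on the output
# quoted in the question (the second snapshot's counters are invented).
SNAPSHOT_BEFORE = """\
Advanced ACL 3107, named ACL-YLJJFM-IN, 8 rules,
ACL's step is 5
 rule 5 permit icmp (9 time(s) matched)
 rule 15 permit tcp source 11.192.254.161 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161 (1991206 time(s) matched)
 rule 30 permit tcp source 11.192.254.245 0 source-port gt 1023 destination 145.0.241.101 0 destination-port eq 20161
 rule 999 deny ip logging (311 time(s) matched)
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("(9 time", "(12 time").replace("(311 time", "(340 time")

ACL_HEADER = re.compile(r"^(?:Basic|Advanced) ACL (\d+)(?:, named (\S+))?,")
# A rule that has never matched may be printed without the "(N time(s) matched)" suffix.
RULE_LINE = re.compile(r"^\s*rule (\d+) (permit|deny) (.*?)(?: \((\d+) time\(s\) matched\))?$")

def parse_acl_counters(text):
    """Return {acl_number: {rule_id: {"action", "body", "logging", "matched"}}}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = acls.setdefault(int(m.group(1)), {})
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            rid, action, body, count = m.groups()
            current[int(rid)] = {"action": action, "body": body,
                                 "logging": body.split()[-1] == "logging",
                                 "matched": int(count or 0)}
    return acls

def counter_deltas(before, after):
    """Rules whose match counter grew between two snapshots, as (acl, rule, delta)."""
    deltas = []
    for acl, rules in after.items():
        for rid, rule in rules.items():
            prev = before.get(acl, {}).get(rid, {}).get("matched", 0)
            if rule["matched"] > prev:
                deltas.append((acl, rid, rule["matched"] - prev))
    return deltas

def deny_logging_hits(acls):
    """deny rules carrying the logging keyword that have fired at least once."""
    # The counter only proves the rule fired; per-packet addresses reach the log
    # buffer only when the module applying the ACL supports logging (firewall packet-filter here).
    return [(acl, rid) for acl, rules in acls.items() for rid, r in rules.items()
            if r["action"] == "deny" and r["logging"] and r["matched"] > 0]
```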
For this you need to test it together with firewall packet-filter acl; the logbuffer should then show which packets were matched.
There is no such command on the router, is there? There is only the firewall enable command, and after enabling it the logbuffer still does not show which packets were matched.