interface Vlan-interface1998
ip binding vpn-instance 712NWY23397985
ip address 172.16.1.1 255.255.255.0
#
interface Vlan-interface1999
ip binding vpn-instance 712NWY23397985
ip address 172.16.0.1 255.255.255.0
#
interface Vlan-interface3922
ip binding vpn-instance 712NWY23397985
ip address 172.16.2.1 255.255.255.0
#
traffic classifier 1 operator or
if-match acl 3000
#
traffic behavior 1
filter permit (also tried deny)
#
qos policy 1
classifier 1 behavior 1
#
acl advanced 3000
rule 5 deny ip vpn-instance 712NWY23397985 source 172.16.2.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
rule 10 deny ip vpn-instance 712NWY23397985 source 172.16.0.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
rule 1000 permit ip vpn-instance 712NWY23397985
#
qos vlan-policy 1 vlan 3922 inbound
qos vlan-policy 1 vlan 1999 inbound
I took an endpoint in VLAN 3922 and pinged the VLAN 1999 gateway address, and it still gets through. Why? Is something wrong with my configuration?
[YQLT-H3C-S5552F]disp version
H3C Comware Software, Version 7.1.070, Release 6126P20
Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.
H3C S5552F-EI-D uptime is 31 weeks, 3 days, 11 hours, 33 minutes
Last reboot reason : Cold reboot
Boot image: flash:/s5500sei_d-cmw710-boot-r6126p20.bin
Boot image version: 7.1.070, Release 6126P20
Compiled Apr 03 2018 11:00:00
System image: flash:/s5500sei_d-cmw710-system-r6126p20.bin
System image version: 7.1.070, Release 6126P20
Compiled Apr 03 2018 11:00:00
Slot 1:
Uptime is 31 weeks,3 days,11 hours,33 minutes
S5552F-EI-D with 1 Processor
BOARD TYPE: S5552F-EI-D
DRAM: 512M bytes
FLASH: 256M bytes
PCB 1 Version: VER.B
Bootrom Version: 121
CPLD 1 Version: 002
Release Version: H3C S5552F-EI-D-6126P20
Patch Version : None
Reboot Cause : ColdReboot
[SubSlot 0] 46SFP+2COMBO+4SFP Plus
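Wouldn't it work to just apply pa 3000 in directly on the Layer 3 interface?
Check the network topology and the configuration, then go through them carefully and analyze again.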
I tried that too, but for some reason I get this message:
packet-filter 3000 inbound
Failed to apply IPv4 ACL 3000 to the inbound direction of interface Vlan-interface3922 on slot 1.
disp packet-filter verbose interface vlan 3922 inbound
Interface: Vlan-interface3922
Inbound policy:
IPv4 ACL 3000 (Failed)
That is why I thought of trying inter-VLAN access control instead.
I changed the ACL to:
acl advanced 3000
rule 0 permit ip vpn-instance 712NWY23397985 source 172.16.2.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
rule 5 permit ip vpn-instance 712NWY23397985 source 172.16.0.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
#
traffic behavior 1
filter deny (changed to deny)
#
qos vlan-policy 1 vlan 1999 inbound
qos vlan-policy 1 vlan 3922 inbound
I tried it and that does not work either.