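A user applies packet filtering to intranet traffic and reports that on the V5-platform S7506E switch, "Display ACL" showed the number of packets matching each rule, but on the V7-platform S7506E switch, "Display ACL" does not show the number of packets matching each rule.
Investigation confirmed that the S7506E indeed does not support viewing rule match counts directly under the ACL, but the counts can be obtained by another method.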
<H3C> display acl 2001
Basic IPv4 ACL 2001, 1 rule, match-order is auto,
This is an IPv4 basic ACL.
ACL's step is 5, start ID is 0
rule 5 permit source 1.1.1.1 0
rule 5 comment This rule is used on Ten-GigabitEthernet1/0/1.
Solution:
1. When creating the ACL, append the counting parameter to each rule.
acl Advanced 3502
rule 0 deny ip source 9.4.1.255 0 destination 9.4.1.2 0 counting
rule 1 deny ip source 9.4.1.2 0 destination 9.4.1.255 0 counting
2. When applying the packet-filter policy on the port, add the hardware-count parameter.
interface GigabitEthernet1/4/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
packet-filter 3502 outbound hardware-count
3. Use the "dis packet-filter statistics" command to query the number of ACL matches.
[H3C]dis packet-filter statistics interface GigabitEthernet 1/4/0/1 outbound
Interface: GigabitEthernet1/4/0/1
Outbound policy:
IPv4 ACL 3502, Hardware-count
From 2019-06-26 03:24:16 to 2019-06-26 03:25:38
rule 0 deny ip source 9.4.1.255 0 destination 9.4.1.2 0 counting
rule 1 deny ip source 9.4.1.2 0 destination 9.4.1.255 0 counting (5 packets)
Totally 0 packets permitted, 5 packets denied
Totally 0% permitted, 100% denied