VACL Test of switch

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1. Test topology:

R1 (MAC 1.1.1) ---- SW1 ---- R2 (MAC 2.2.2)
                     |
                     R3

R1, R2 and R3 are all in VLAN 11. The R1 interface facing SW1 has its MAC address manually set to 1.1.1, and the R2 interface facing SW1 has its MAC address manually set to 2.2.2.

The IP address of the R1 interface is 10.1.1.1

The IP address of the R2 interface is 10.1.1.2

The IP address of the R3 interface is 10.1.1.3.

2. First switch VACL configuration:

mac access-list extended R2
 permit host 0002.0002.0002 any   (a MAC ACL in a VACL matches only non-IP traffic, such as ARP)
!
access-list 100 permit ip host 10.1.1.3 any
!
vlan access-map test 10
 match ip address 100
 action drop
vlan access-map test 20
 match mac address R2
 action drop
vlan access-map test 30
 action forward
!
vlan filter test vlan-list 11

Because SW1 drops the non-IP frames sent by R2 (its ARP replies are dropped), R1 and R3 never obtain an ARP entry for the R2 interface address, so R1 cannot ping or telnet to R2. If R1 manually adds an ARP entry for the R2 interface address, R1 can ping and telnet to R2, and the reverse direction works as well.

A. R1 pings R3

R1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#
*Feb 12 11:19:41.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:43.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:45.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:47.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:49.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1

B. R3 pings R1

R3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

With debugging enabled on R1, no packet is seen arriving at R1.

C. R1 pings R2

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

With debugging enabled on R2, no packet is seen arriving at R2.

D. R2 pings R1

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:05:21.700: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:23.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:25.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:27.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:29.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2

E. R2 pings R3

R2#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

With debugging enabled on R3, no packet is seen arriving at R3.

F. R3 pings R2

R3#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

With debugging enabled on R2, no packet is seen arriving at R2.

3. Second switch VACL configuration:

mac access-list extended R2
 permit any host 0002.0002.0002   (a MAC ACL in a VACL matches only non-IP traffic, such as ARP)
!
access-list 100 permit ip any host 10.1.1.3
!
vlan access-map test 10
 match ip address 100
 action drop
vlan access-map test 20
 match mac address R2
 action drop
vlan access-map test 30
 action forward
!
vlan filter test vlan-list 11

Because SW1 drops non-IP frames destined to R2 (the ARP replies from R1 and R3 to R2 are dropped), R2 has no ARP entry for the R1 or R3 interface addresses, so R1 cannot ping or telnet to R2. If R2 manually adds an ARP entry for the R1 interface address, R1 can ping and telnet to R2, and the reverse direction works as well.

A. R1 pings R3

R1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

With debugging enabled on R3, no packet is seen arriving at R3.

B. R3 pings R1

R3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:20:36.024: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:38.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:42.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:44.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3

C. R1 pings R2

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R2#
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.994: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1

D. R2 pings R1

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1#
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2

E. R2 pings R3

R2#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

With debugging enabled on R3, no packet is seen arriving at R3.

F. R3 pings R2

R3#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#
*Jun 15 11:16:23.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:25.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:27.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:29.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3

4. Summary:

A. MAC address filtering in a VACL can only filter non-IP traffic, not IP traffic.

B. ICMP is an IP-layer protocol, so ICMP traffic is IP traffic and is not affected by the MAC ACL.

C. ARP traffic is not IP traffic. MAC address filtering stops ARP from working, which in turn breaks the IP-layer protocols that depend on it. If ARP entries are added manually, IP traffic passes normally.
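As an added example (not part of the original test report and not Cisco code), the following constructed Python model replays tests A to F of both configurations through a simplified VACL: IP ACL entries match only IP packets, MAC ACL entries only non-IP frames, and each router keeps an ARP cache that is filled by the ARP replies it receives and, on the target side, by the ARP requests addressed to it. R3's MAC address, the broadcast address, the cache-learning behaviour and the fresh caches at the start of each run are assumptions; the results show at which stage each ping fails and how static ARP entries (the page's workaround) let IP traffic through again.

```python
# Constructed model (not IOS code) of the VACL in the two tests above: IP ACL entries match only
# IP packets, MAC ACL entries only non-IP frames (ARP here), first matching sequence decides.
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac proto src_ip dst_ip")
MAC = {"R1": "0001.0001.0001", "R2": "0002.0002.0002", "R3": "0003.0003.0003"}  # R3's MAC is assumed
IP = {"R1": "10.1.1.1", "R2": "10.1.1.2", "R3": "10.1.1.3"}
BCAST = "ffff.ffff.ffff"

def arp(a, b=None):  # broadcast ARP request from a, or unicast ARP reply a -> b
    return Frame(MAC[a], MAC[b] if b else BCAST, "arp", "", "")
def ipv4(a, b):  # ICMP echo request or reply a -> b, i.e. an IP packet
    return Frame(MAC[a], MAC[b], "ip", IP[a], IP[b])
def mac_ace(src, dst):  # "mac access-list extended R2" / "permit <src> <dst>": non-IP frames only
    return lambda f: f.proto != "ip" and src in ("any", f.src_mac) and dst in ("any", f.dst_mac)
def ip_ace(src, dst):  # "access-list 100 permit ip <src> <dst>": IP packets only
    return lambda f: f.proto == "ip" and src in ("any", f.src_ip) and dst in ("any", f.dst_ip)

def vacl(access_map, frame):  # sequences in order; a None match clause matches every frame
    for match, action in access_map:
        if match is None or match(frame):
            return action
    return "drop"  # nothing matched: implicit drop

CONFIG1 = [(ip_ace("10.1.1.3", "any"), "drop"), (mac_ace(MAC["R2"], "any"), "drop"), (None, "forward")]
CONFIG2 = [(ip_ace("any", "10.1.1.3"), "drop"), (mac_ace("any", MAC["R2"]), "drop"), (None, "forward")]
PINGS = [("R1", "R3"), ("R3", "R1"), ("R1", "R2"), ("R2", "R1"), ("R2", "R3"), ("R3", "R2")]  # tests A-F

def resolve(cfg, cache, a, b):  # a resolves b by ARP; the target b also learns a from the request
    if b not in cache[a] and vacl(cfg, arp(a)) == "forward":
        cache[b].add(a)
        if vacl(cfg, arp(b, a)) == "forward":
            cache[a].add(b)
    return b in cache[a]

def ping(cfg, cache, a, b):  # 'ok' or the first stage of the echo exchange that fails
    if not resolve(cfg, cache, a, b):
        return f"{a} has no ARP entry for {b}"
    if vacl(cfg, ipv4(a, b)) == "drop":
        return "echo request dropped"
    if not resolve(cfg, cache, b, a):
        return f"{b} has no ARP entry for {a}"  # b logs 'echo reply sent' but cannot encapsulate it
    return "echo reply dropped" if vacl(cfg, ipv4(b, a)) == "drop" else "ok"

def run(cfg, static_arp=()):  # replay A-F from empty caches, optionally seeded like 'arp <ip> <mac> arpa'
    cache = {r: set() for r in MAC}
    for a, b in static_arp:
        cache[a].add(b)
    return {f"{a}->{b}": ping(cfg, cache, a, b) for a, b in PINGS}
```

Running `run(CONFIG1)` and `run(CONFIG2)` reproduces the pass/fail pattern of the twelve tests above, including the cases where a router logs "echo reply sent" although the reply never reaches the pinging side.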
