S7706 ACL not taking effect

Problem description

1. S7706 V200R003C00SPC500. While translating the configuration of an earlier Ruijie device, we found that when traffic-filter inbound acl 3008 and traffic-policy PBR_SACG inbound were both configured on interface Vlanif102, the traffic-policy did not take effect; but when traffic-filter vlan 102 was configured in the system view instead, the traffic-policy took effect and the traffic-filter did not.

The configuration is as follows:

interface Vlanif102
 description CIC-NMS-USER
 ip address x.x.x.x 255.255.255.0
 vrrp vrid 102 virtual-ip x.x.x.x
 vrrp vrid 102 priority 150
 traffic-filter inbound acl 3008
 traffic-policy PBR_SACG inbound
#
traffic classifier PBR_SACG operator or precedence 5
 if-match acl 3002
#
traffic behavior PBR_SACG
 permit
 redirect ip-nexthop x.x.x.x track-nqa test nqa
#
traffic policy PBR_SACG match-order config
 classifier PBR_SACG behavior PBR_SACG
#
acl number 3002
 description extended PBR_CLT
 rule 10 permit ip source x.x.x.x 0.0.31.255
 rule 20 permit ip source x.x.x.x 0.0.31.255
 rule 30 permit ip source x.x.x.x 0.0.31.255
 rule 40 permit ip source x.x.x.x 0.0.31.255
 rule 370 permit ip source x.x.x.x 0.0.0.255
 rule 460 permit ip source x.x.x.x 0.0.0.255
 rule 470 permit ip source x.x.x.x 0.0.0.255
 rule 480 permit ip source x.x.x.x 0.0.0.255
 rule 481 permit ip source x.x.x.x 0.0.0.255
 rule 490 permit ip source x.x.x.x 0.0.0.255
 rule 500 permit ip source x.x.x.x 0.0.1.255
 rule 530 permit ip source x.x.x.x 0.0.3.255
!

acl number 3008
 description extended vlan102-in-acl
 rule 1 deny tcp destination-port eq 445
 rule 2 deny udp destination-port eq 445
 rule 3 deny tcp destination-port eq 135
 rule 4 deny udp destination-port eq 135
 rule 5 deny tcp destination-port range 137 139
 rule 6 deny udp destination-port range netbios-ns netbios-ssn
 rule 10 permit ip destination x.x.x.x 0.255.255.255
 rule 20 permit ip destination 0.0.0.0 255.255.31.255
 rule 30 permit icmp destination x.x.x.x 0.0.0.7
 rule 31 permit ip source x.x.x.x
 rule 32 permit ip source x.x.x.x 0
 rule 33 permit ip source x.x.x.x 0
 rule 40 deny ip source x.x.x.x 0.0.0.7 destination x.x.x.x 0.0.0.7
 rule 50 deny ip source x.x.x.x 0 destination x.x.x.x 0.0.0.7
 rule 60 deny ip source x.x.x.x 0 destination x.x.x.x 0.0.0.7
 rule 70 deny ip source x.x.x.x 0 destination x.x.x.x 0.0.0.7
 rule 71 permit ip source x.x.x.x 0 destination x.x.x.x 0
 rule 75 permit tcp source x.x.x.x 0 source-port eq 8000
 rule 76 permit tcp source x.x.x.x 0 source-port eq www
 rule 77 permit tcp source x.x.x.x 0 source-port eq 13389 destination x.x.x.x 0
 rule 80 deny tcp destination x.x.x.x 0.0.0.127 destination-port gt 1024
 rule 82 permit tcp source x.x.x.x 0.0.0.7 source-port eq 13389 destination x.x.x.x 0.0.31.255
 rule 84 deny tcp source x.x.x.x 0.0.0.7 source-port eq 13389
 rule 90 permit ip source x.x.x.x 0.0.0.7
 rule 100 permit ip source x.x.x.x 0
 rule 110 permit ip source x.x.x.x 0
 rule 120 permit ip source x.x.x.x 0
 rule 160 permit ip source x.x.x.x 0 destination x.x.x.x 0.0.0.255
 rule 190 permit ip source x.x.x.x 0 destination x.x.x.x 0
 rule 210 permit ip source x.x.x.x 0 destination x.x.x.x 0.0.0.255
 rule 220 permit tcp destination x.x.x.x 0 destination-port eq 1688
 rule 230 permit icmp
 rule 240 permit ip destination x.x.x.x 0.255.255.255
 rule 250 permit ip source x.x.x.x 0

Alarm information

Handling process

1. On S-series switches, when traffic hits an ACL rule it is marked with a flag; unless there are special circumstances, traffic matches an ACL only once, and subsequent ACLs are no longer hit. The order in which ACLs take effect on the switch is as follows:

View priority: interface > VLAN > global

Within the same view: simplified traffic policy (traffic-filter) > traffic policy (traffic-policy)

2. So when an ACL does not take effect, check the specific traffic to see whether it has already hit a higher-priority ACL rule, which prevents the subsequent rules from being hit.

Root cause

1. With traffic-filter inbound acl 3008 and traffic-policy PBR_SACG inbound both configured under the VLANIF interface, the traffic-policy does not take effect.

2. With traffic-policy PBR_SACG inbound configured under the VLANIF interface and traffic-filter vlan 102 in configured in the system view, the traffic-policy takes effect and the traffic-filter does not.

Solution

1. Swap the source and destination in the traffic-filter ACL and change traffic-filter inbound acl 3008 to outbound, because an ACL can be hit only once per direction.

Suggestions and summary

1. On S-series switches, when traffic hits an ACL rule it is marked with a flag; unless there are special circumstances, traffic matches an ACL only once, and subsequent ACLs are no longer hit. In this live-network scenario, a VLANIF interface has both a traffic-policy and a traffic-filter, and the same traffic is expected to hit both the traffic-filter's ACL and the traffic-policy's ACL; this cannot be achieved. The traffic-filter direction therefore has to be changed to outbound, with the source and destination in its ACL swapped. However, because of the chip design, fewer ACL resources are reserved for the outbound direction, and this cannot be adjusted by command. It is recommended to streamline the ACL or to do the filtering on other upstream or downstream devices.
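The three situations above (filter and policy both inbound on the VLANIF, policy on the VLANIF with the filter applied to the VLAN, and the fix with the filter moved outbound) can be reproduced with a small model of the "one ACL hit per direction" rule. The following Python code is an added example, not part of the original article and not Huawei code; the addresses, next hop and trimmed-down ACL contents are constructed placeholders (the page masks its real addresses as x.x.x.x), the view and kind precedence are taken from the handling process above, and the src/dst swap deliberately leaves port matches untouched as a simplification.

```python
"""Toy model of ACL matching order on an S-series switch (added example).

Rule described in the case: a flow that hits an ACL rule is flagged and later
ACLs in the same direction are not consulted.  Precedence from the article:
  view:       interface > VLAN > global
  same view:  traffic-filter (simplified policy) > traffic-policy
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

VIEW_RANK = {"interface": 0, "vlan": 1, "global": 2}
KIND_RANK = {"traffic-filter": 0, "traffic-policy": 1}

SACG_NEXTHOP = "192.0.2.1"   # constructed placeholder for "redirect ip-nexthop x.x.x.x"


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None = any destination port

    def matches(self, pkt) -> bool:
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class Binding:
    kind: str                        # "traffic-filter" or "traffic-policy"
    view: str                        # "interface", "vlan" or "global"
    direction: str                   # "inbound" or "outbound"
    rules: List[Rule]
    redirect: Optional[str] = None   # next hop of a PBR behaviour, if any


def first_hit(rules, pkt) -> Optional[Rule]:
    return next((r for r in rules if r.matches(pkt)), None)


def process(bindings, pkt, direction) -> dict:
    """Walk the bindings of one direction in precedence order; stop at the first ACL hit."""
    applicable = sorted((b for b in bindings if b.direction == direction),
                        key=lambda b: (VIEW_RANK[b.view], KIND_RANK[b.kind]))
    for b in applicable:
        hit = first_hit(b.rules, pkt)
        if hit is None:
            continue
        # The packet is now flagged: no later ACL in this direction is evaluated.
        redirect = b.redirect if b.kind == "traffic-policy" else None
        return {"hit": b.kind, "action": hit.action, "redirect": redirect}
    return {"hit": None, "action": "permit", "redirect": None}


def swap_src_dst(rules) -> List[Rule]:
    """Mirror an inbound ACL for the outbound direction (port matches left as-is)."""
    return [Rule(r.action, r.proto, src=r.dst, dst=r.src, dport=r.dport) for r in rules]


# Constructed stand-ins for the ACLs in the case.
ACL_3002 = [Rule("permit", src="10.0.0.0/19")]                     # PBR clients
ACL_3008_IN = [Rule("deny", proto="tcp", dport=445),               # vlan102-in-acl
               Rule("permit", dst="10.0.0.0/8")]

# Constructed packets: a client on VLAN 102 talking to an internal server, and the reply.
PKT_IN = {"proto": "tcp", "src": "10.0.1.5", "dst": "10.20.0.9", "dport": 80}
PKT_SMB = {"proto": "tcp", "src": "10.0.1.5", "dst": "10.20.0.9", "dport": 445}
PKT_RET = {"proto": "tcp", "src": "10.20.0.9", "dst": "10.0.1.5", "dport": 51000}


def case1_both_inbound_on_vlanif() -> dict:
    """Root cause 1: filter hits first on the interface, so the PBR policy never runs."""
    bindings = [Binding("traffic-filter", "interface", "inbound", ACL_3008_IN),
                Binding("traffic-policy", "interface", "inbound", ACL_3002, SACG_NEXTHOP)]
    return process(bindings, PKT_IN, "inbound")


def case2_policy_on_vlanif_filter_on_vlan() -> dict:
    """Root cause 2: interface view beats VLAN view, so even port 445 is not filtered."""
    bindings = [Binding("traffic-policy", "interface", "inbound", ACL_3002, SACG_NEXTHOP),
                Binding("traffic-filter", "vlan", "inbound", ACL_3008_IN)]
    return process(bindings, PKT_SMB, "inbound")


def case3_filter_moved_outbound():
    """Solution: policy alone inbound, mirrored filter outbound; each direction gets its hit."""
    bindings = [Binding("traffic-policy", "interface", "inbound", ACL_3002, SACG_NEXTHOP),
                Binding("traffic-filter", "interface", "outbound", swap_src_dst(ACL_3008_IN))]
    return process(bindings, PKT_IN, "inbound"), process(bindings, PKT_RET, "outbound")


if __name__ == "__main__":
    print("case 1:", case1_both_inbound_on_vlanif())
    print("case 2:", case2_policy_on_vlanif_filter_on_vlan())
    print("case 3:", case3_filter_moved_outbound())
```

Case 2 is the one to watch from a security standpoint: the SMB packet that ACL 3008 is meant to drop is permitted and redirected, because the interface-view policy consumed the single ACL hit before the VLAN-view filter was considered.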

https://support.huawei.com/enterprise/zh/knowledge/EKB1100057767

Copyright notice:
Author: SE_Gao
Link: https://www.cnesa.cn/1327.html
Source: CNESA
The copyright of this article belongs to the author; please do not reproduce it without permission.
