Why, after configuring an ACL on the S9300 V2R1 to control access between two network segments, can hosts still ping the VLANIF gateway address of the other segment?
2014/12/17 13:54:06
Problem description
After the following configuration, the restriction between PCs has taken effect and PCs in the two segments can no longer reach each other, but a user in VLAN 50 can still ping the interface IP of Vlanif51.
acl number 3000
 rule 5 deny ip destination 10.11.50.0 0.0.0.255
 rule 10 deny ip destination 10.11.51.0 0.0.0.255
traffic classifier a operator or precedence 5
 if-match acl 3000
#
traffic behavior a
 permit
#
traffic policy a
 classifier a behavior a
interface Vlanif50
 ip address 10.11.50.1 255.255.255.0
#
interface Vlanif51
 ip address 10.11.51.1 255.255.255.0
vlan 50
 traffic-policy a inbound
Solution
It was finally confirmed that pings to the device's own local addresses are handled by the CPU. On a chassis (modular) switch the CPU processing stage comes before the traffic-policy stage, so the local VLANIF interface addresses are not subject to the ACL.
On fixed (box) switches, except the 5720HI, which behaves like a chassis switch, the CPU processing stage comes after the traffic-policy stage.
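The following is an added illustration, not Huawei code and not part of the original answer. It models ACL 3000 and traffic policy a exactly as the question shows them (VRP wildcard matching, policy applied inbound on VLAN 50 only) and the two processing orders the answer describes: on a chassis switch the "addressed to me, punt to CPU" decision comes before the traffic-policy stage, on a box switch after it. The deny-means-discard behaviour is taken from the question itself (PC-to-PC traffic is blocked even though the behaviour is permit). Function names such as handle_packet and the platform labels "chassis" and "box" are assumptions made for the model.

```python
# Added example (not Huawei code): a small model of the packet-handling order
# described in the answer. ACL 3000 and traffic policy "a" are taken from the
# question; the two platform pipelines are modelled from the answer's text.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "deny" or "permit"
    dst_net: str       # destination network, e.g. "10.11.50.0"
    dst_wildcard: str  # VRP wildcard mask: a 1 bit means "don't care"


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr falls inside net/wildcard (VRP wildcard semantics)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# ACL 3000 exactly as shown in the question.
ACL_3000: List[Rule] = [
    Rule(5, "deny", "10.11.50.0", "0.0.0.255"),
    Rule(10, "deny", "10.11.51.0", "0.0.0.255"),
]

# Addresses the switch itself owns (the two Vlanif interfaces in the question).
LOCAL_ADDRESSES = {"10.11.50.1", "10.11.51.1"}

# traffic-policy a is applied inbound on VLAN 50 only.
POLICY_VLANS = {50}


def acl_lookup(rules: List[Rule], dst: str) -> Optional[Rule]:
    """First rule whose destination matches, or None when nothing matches."""
    for rule in rules:
        if wildcard_match(dst, rule.dst_net, rule.dst_wildcard):
            return rule
    return None


def traffic_policy(ingress_vlan: int, dst: str) -> str:
    """Verdict of traffic policy 'a' for a packet: 'drop' or 'pass'.

    The classifier matches ACL 3000 and the behaviour is permit; the question
    reports that PC-to-PC traffic is nevertheless blocked, i.e. hitting a deny
    rule in the matched ACL discards the packet. That observed behaviour is
    what is modelled here (a modelling assumption, not a VRP reference).
    """
    if ingress_vlan not in POLICY_VLANS:
        return "pass"
    rule = acl_lookup(ACL_3000, dst)
    if rule is not None and rule.action == "deny":
        return "drop"
    return "pass"


def handle_packet(platform: str, ingress_vlan: int, dst: str) -> str:
    """Return 'cpu', 'drop' or 'forward' for a packet arriving on ingress_vlan.

    platform is "chassis" (the S9300 and, per the answer, the 5720HI) or "box"
    (other fixed switches). The only difference is where the
    "is this addressed to me?" CPU punt sits relative to the policy stage.
    """
    if platform == "chassis":
        # CPU punt happens first: the policy never sees locally addressed packets.
        if dst in LOCAL_ADDRESSES:
            return "cpu"
        return "drop" if traffic_policy(ingress_vlan, dst) == "drop" else "forward"
    if platform == "box":
        # Policy runs first, so a deny rule also covers the Vlanif address.
        if traffic_policy(ingress_vlan, dst) == "drop":
            return "drop"
        return "cpu" if dst in LOCAL_ADDRESSES else "forward"
    raise ValueError(f"unknown platform {platform!r}")


if __name__ == "__main__":
    # Constructed sample destinations: a VLAN 51 host, both Vlanif addresses,
    # and an address outside both segments.
    for platform in ("chassis", "box"):
        for dst in ("10.11.51.20", "10.11.51.1", "10.11.50.1", "192.0.2.10"):
            verdict = handle_packet(platform, 50, dst)
            print(f"{platform:8} vlan50 -> {dst:12} {verdict}")
```

Running it shows the asymmetry the answer explains: on the "chassis" pipeline a VLAN 50 packet to 10.11.51.1 is punted to the CPU before the policy is consulted, while the same packet to a VLAN 51 host is dropped; on the "box" pipeline both are dropped. The practical check is therefore to test ACL-based segmentation against the gateway addresses themselves, not only host-to-host, and to treat interface-address reachability on chassis platforms as a control-plane matter rather than something the data-plane traffic policy will enforce.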