Strange behaviour after configuring an ACL

#1 Posted 2008-12-24 14:55
Center4506#show ver
Load for five secs: 13%/0%; one minute: 15%; five minutes: 15%
Time source is NTP, 14:23:59.682 UTC Wed Dec 24 2008
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 23-Sep-05 13:31 by ssearch
Image text-base: 0x10000000, data-base: 0x114DFF08

ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34

Center4506 uptime is 19 weeks, 3 days, 10 hours, 55 minutes
System returned to ROM by power-on
System restarted at 03:32:00 UTC Sun Aug 10 2008
System image file is "bootflash:"

cisco WS-C4506 (MPC8245) processor (revision 10) with 262144K bytes of memory.
Processor board ID FOX10200169
MPC8245 CPU at 266Mhz, Supervisor II+
Last reset from PowerUp
26 Virtual Ethernet interfaces
20 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2101



Center4506#show run
.
.
interface Vlan2
ip address 172.18.2.254 255.255.255.0
ip access-group 101 in
no ip redirects
!
.
interface Vlan16
ip address 192.16.1.254 255.255.255.0
ip access-group 115 in
no ip redirects
!
.
router ospf 100
log-adjacency-changes
area 1 range 172.18.0.0 255.255.240.0
area 1 range 172.18.16.0 255.255.248.0
passive-interface Vlan2
passive-interface Vlan3
passive-interface Vlan4
passive-interface Vlan5
passive-interface Vlan6
passive-interface Vlan7
passive-interface Vlan8
passive-interface Vlan9
passive-interface Vlan10
passive-interface Vlan11
passive-interface Vlan12
passive-interface Vlan13
passive-interface Vlan14
passive-interface Vlan15
passive-interface Vlan16
passive-interface Vlan17
passive-interface Vlan18
passive-interface Vlan19
passive-interface Vlan20
passive-interface Vlan21
passive-interface Vlan22
passive-interface Vlan23
passive-interface Vlan28
network 172.18.0.0 0.0.15.255 area 1
network 172.18.16.0 0.0.7.255 area 1
network 172.18.28.0 0.0.0.255 area 1
network 172.18.253.48 0.0.0.7 area 1
network 172.18.254.48 0.0.0.7 area 1
network 192.16.1.0 0.0.0.255 area 1
.
access-list 115 permit ip any host 172.18.29.1
access-list 115 permit ip any host 172.18.29.2
access-list 115 permit ip any host 172.18.29.3
access-list 115 permit ip any host 172.18.29.7
access-list 115 permit ip any host 172.18.29.19
access-list 115 permit ip any host 172.18.29.26
access-list 115 permit ip any host 172.18.29.27
access-list 115 permit ip any host 172.18.29.40
access-list 115 permit ip any host 172.18.29.41
access-list 115 permit ip any host 172.18.29.42
access-list 115 permit ip any host 172.18.28.245
access-list 115 deny   ip any any
.
.
.

The goal is to restrict the 192.16.1.X segment so that it can only reach the IP addresses listed in ACL 115; every other IP address must be unreachable from 192.16.1.X. The other entries have already been removed by hand; for example, the original ACL contained the entry "access-list 115 permit ip any host 172.18.2.1", and that was deleted too.

This is the behaviour I am now seeing:
Hosts in 192.16.1.X can ping 172.18.2.1, with heavy packet loss; one packet gets through at a regular interval.
Hosts in 172.18.28.X can ping hosts in 192.16.1.X, with heavy packet loss; one packet gets through at a regular interval.

172.18.28.245 pinging hosts in 192.16.1.X: normal.
172.18.29.3 pinging hosts in 192.16.1.X: normal.

Running ping and tracert on 172.18.28.18 to test:
C:\Documents and Settings\anan>ping 192.16.1.20 -t
Reply from 192.16.1.20: bytes=32 time=1ms TTL=127
Request timed out.
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Request timed out.
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Request timed out.
Request timed out.
Reply from 192.16.1.20: bytes=32 time<1ms TTL=127
Request timed out.
Request timed out.


C:\Documents and Settings\anan>tracert -d 192.16.1.20

Tracing route to 192.16.1.20 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms     *     192.16.1.20
  3    <1 ms    <1 ms    <1 ms  192.16.1.20

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.20

Tracing route to 192.16.1.20 over a maximum of 30 hops

  1     9 ms    <1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms    <1 ms  192.16.1.20

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.20

Tracing route to 192.16.1.20 over a maximum of 30 hops

  1     9 ms     1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms    <1 ms  192.16.1.20

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.14

Tracing route to 192.16.1.14 over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms  172.18.28.254
  2     *            *         <1 ms  192.16.1.14

Trace complete.

C:\Documents and Settings\anan>tracert -d 192.16.1.14

Tracing route to 192.16.1.14 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.18.28.254
  2    <1 ms    <1 ms    <1 ms  192.16.1.14

Trace complete.


Running a ping test on 172.18.29.2:
$ ping 192.16.1.20
PING 192.16.1.20: (192.16.1.20): 56 data bytes
64 bytes from 192.16.1.20: icmp_seq=0 ttl=126 time=2 ms
64 bytes from 192.16.1.20: icmp_seq=1 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=2 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=3 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=4 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=5 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=6 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=7 ttl=126 time=0 ms
64 bytes from 192.16.1.20: icmp_seq=8 ttl=126 time=0 ms
^C
----192.16.1.20 PING Statistics----
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 0/0/2 ms

Applying the access control on one side's ACL should be enough to restrict access, yet now there is this regular pattern of pings getting through. I really cannot work it out and cannot find the problem.

So I would like to ask whether anyone has run into a similar situation.

[ This post was last edited by lxj821028 on 2008-12-24 15:04 ]

#2 Posted 2008-12-24 19:48
Personally I think there is something off with your access list.

Your vlan16 looks like it is assigned to the 192.16.1.0 segment.

You apply access list 115 in the in direction on the vlan16 SVI, yet what it permits is any address to the hosts in 172.18.29 ...

If you only want to allow specific hosts to access the 192.16.1.0 segment, you could try:

access-list 115 permit ip host 172.18.29.1 192.16.1.0 0.0.0.255
access-list 115 permit ip host 172.18.29.2 192.16.1.0 0.0.0.255
... ...
access-list 115 deny ip any 192.16.1.0 0.0.0.255

#3 Posted 2008-12-25 10:11
Using these methods:

(1) Remove ACL 115 with no, rewrite the ACL under number 145, remove the application under vlan 16, and push the new ACL:

access-list 145 permit ip any host 172.18.29.1
access-list 145 permit ip any host 172.18.29.2
access-list 145 permit ip any host 172.18.29.3
access-list 145 permit ip any host 172.18.29.7
access-list 145 permit ip any host 172.18.29.19
access-list 145 permit ip any host 172.18.29.26
access-list 145 permit ip any host 172.18.29.27
access-list 145 permit ip any host 172.18.29.40
access-list 145 permit ip any host 172.18.29.41
access-list 145 permit ip any host 172.18.29.42
access-list 145 permit ip any host 172.18.28.245
access-list 145 deny   ip any any

int vlan 16
    no ip access-group 115 in
    ip access-group 145 in


(2) Use a named extended IP ACL:
ip access-list extended hgyy
    permit ip any host 172.18.29.1
    permit ip any host 172.18.29.2
    permit ip any host 172.18.29.3
    permit ip any host 172.18.29.7
    permit ip any host 172.18.29.19
    permit ip any host 172.18.29.26
    permit ip any host 172.18.29.27
    permit ip any host 172.18.29.40
    permit ip any host 172.18.29.41
    permit ip any host 172.18.29.42
    permit ip any host 172.18.28.245
    deny   ip any any

int vlan 16
no ip access-group 115 in
ip access-group hgyy in

Tried both methods; the problem is still the same...

#4 Posted 2008-12-25 22:29
The ACL in reply #2 is backwards! The OP's ACL is fine.
My analysis is as follows: when 172.18.29.2 runs ping 192.16.1.20, the ICMP packet reaches 192.16.1.20 normally, and host 192.16.1.20 also sends an ICMP reply. Whether that ICMP reply reaches 172.18.29.2 depends on how it is routed: if the packet enters vlan16 it is filtered out; if the packet takes some other path, it may get through.
I suggest the OP print out the routing tables of both the switch and the host, and check whether the 4506 could be sending ICMP redirect messages to host 192.16.1.20, making it change its route.

#5 Posted 2008-12-26 17:39
Backwards?

This is how I understand it:

Access list 115 filters IP packets entering vlan16, and the hosts inside vlan16 are all in the 192.168.1.0 segment, so the restriction should be on how hosts in the other segments access 192.168.1.0.

That is why I wrote it the way I did.

If there is something wrong with my understanding, please correct me.

#6 Posted 2008-12-26 22:53
Because the hosts in vlan16 are all in 192.168.1.0, the source address of every packet entering vlan16 is in 192.168.1.0; the OP wrote any, which covers all source addresses, so there is no problem there.


If you want to restrict hosts in other segments from accessing 192.168.1.0, the ACL you defined should be applied in the out direction, with these commands:
int vlan16
ip access-group 115 out

Because packets sent by the other segments must enter the switch through the other vlan interfaces, get routed, and leave through vlan16 before they can reach a host in 192.168.1.0.

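As an added illustration, not code from this thread: a small Python model of first-match Cisco ACL evaluation with wildcard masks, run over ACL 115 from the first post and over the list proposed in reply #2 (with its masks written as wildcards), checking each leg of a ping only where it crosses the Vlan16 SVI in the direction the ACL is applied, which is the point replies #4 and #6 make. It assumes no other filtering and that the echo reply takes the same path back, which is exactly the assumption reply #4 questions; the names acl_action and ping_outcome are mine.

```python
import ipaddress

# Hosts that ACL 115 in the original post permits as destinations (plus the explicit deny).
PERMITTED_DST = ["172.18.29.1", "172.18.29.2", "172.18.29.3", "172.18.29.7",
                 "172.18.29.19", "172.18.29.26", "172.18.29.27", "172.18.29.40",
                 "172.18.29.41", "172.18.29.42", "172.18.28.245"]
ACL_115 = [("permit", "any", f"host {h}") for h in PERMITTED_DST] + [("deny", "any", "any")]
# Reply #2's proposal, with 255.255.255.0 written as the wildcard mask 0.0.0.255.
ACL_REPLY2 = ([("permit", f"host {h}", "192.16.1.0 0.0.0.255") for h in PERMITTED_DST]
              + [("deny", "any", "192.16.1.0 0.0.0.255")])
VLAN16 = ipaddress.ip_network("192.16.1.0/24")  # subnet of interface Vlan16 in the post

def _match(spec, ip):
    """Cisco address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (W = wildcard mask)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (ip & care) == (base & care)

def acl_action(acl, src, dst):
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in acl:
        if _match(src_spec, s) and _match(dst_spec, d):
            return action
    return "deny"

def ping_outcome(src, dst, acl_in=ACL_115, acl_out=None):
    """Walk the echo request (src->dst) and the echo reply (dst->src) through the switch.
    An inbound ACL on Vlan16 sees packets whose source lives in Vlan16; an outbound ACL
    sees packets whose destination lives in Vlan16. Returns 'reply' or the dropped leg."""
    for leg, (a, b) in (("request", (src, dst)), ("reply", (dst, src))):
        if ipaddress.IPv4Address(a) in VLAN16 and acl_in and acl_action(acl_in, a, b) == "deny":
            return f"{leg} dropped by inbound ACL on Vlan16"
        if ipaddress.IPv4Address(b) in VLAN16 and acl_out and acl_action(acl_out, a, b) == "deny":
            return f"{leg} dropped by outbound ACL on Vlan16"
    return "reply"

if __name__ == "__main__":
    print(ping_outcome("172.18.28.18", "192.16.1.20"))  # reply dropped by inbound ACL on Vlan16
    # Reply #2's list inbound on Vlan16 never matches a 192.16.1.x source, so every reply dies;
    # the same list applied outbound (reply #6) does what reply #2 intended.
    print(ping_outcome("172.18.29.2", "192.16.1.20", acl_in=ACL_REPLY2))
    print(ping_outcome("172.18.28.18", "192.16.1.20", acl_in=None, acl_out=ACL_REPLY2))
```

Under this model the OP's ACL should block the 172.18.28.18 pings completely, so the packets that do get through must be taking a leg that never crosses Vlan16 inbound, which is what the routing-table check in replies #4 and #7 is meant to reveal.
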
#7 Posted 2008-12-27 14:09
Suggestion: check the routing table first, then trace the problematic segments and check whether the network path is unique.