Q:
Many people have posted anti-ARP ACLs here before, but the explanations were never very clear! So here I will explain it in detail!!

acl number 5000
rule 0 deny 0806 ffff 20 c0a801fe ffffffff 36
rule 1 permit 0806 ffff 20 000fe22306b4 ffffffffffff 30
acl number 5001
rule 0 deny 0806 ffff 20 c0a802fe ffffffff 36
rule 1 permit 0806 ffff 20 000fe22306b4 ffffffffffff 30

0806 needs no explanation!!!
FFFF needs no explanation either!
20 is the offset, i.e. offset 20. c0a801fe is the hexadecimal representation of the IP 192.168.1.254 / 000fe22306b4 is the MAC corresponding to 192.168.1.254. 36 is the IP offset on the 5600, and 30 is the MAC offset! Different products have different offsets! I got these by asking the product manager!

Also, please apply it on every port!!!

Netizen 1:
Use in an internet cafe
[h3c5624]dis cu
#
sysname h3c5624
#
super password level 3 cipher WX)LTDa_E"[Q=^Q`MAF4<1!!
#
vfs check check-method fix
#
web set-package flash:/http3.1.3-0060.web force
#
radius scheme system
#
domain system
#
local-user 3
local-user 520520520
password simple 520520520
service-type telnet
level 3
local-user 6287874
password simple 6287874
service-type telnet
level 3
local-user sswb-3928
#
acl number 5000
rule 0 deny 0806 ffff 24 b0a81001 ffffffff 40
rule 1 deny 0806 ffff 24 b0a81201 ffffffff 40
rule 2 deny 0806 ffff 24 b0a86401 ffffffff 40
rule 3 permit 0806 ffff 24 000fe213d039 ffffffffffff 34
#
vlan 1
#
vlan 16
#
vlan 18
#
vlan 100
#
interface Vlan-interface16
ip address 192.168.16.1 255.255.255.0
#
interface Vlan-interface18
ip address 192.168.18.1 255.255.255.0
#
interface Vlan-interface100
ip address 192.168.100.1 255.255.255.0
#
interface Aux1/0/0
#
interface GigabitEthernet1/0/1
duplex full
speed 100
port access vlan 100
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/2
duplex full
speed 100
port access vlan 100
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/3
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/4
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/5
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/6
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/7
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/8
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/9
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/10
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/11
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/12
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/13
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/14
port access vlan 16
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
#
interface GigabitEthernet1/0/15
port access vlan 18
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
mirroring-port both
#
interface GigabitEthernet1/0/16
port access vlan 18
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
mirroring-port both
#
interface GigabitEthernet1/0/17
port access vlan 18
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
packet-filter inbound user-group 5000 rule 2
packet-filter inbound user-group 5000 rule 3
mirroring-port both
#
interface GigabitEthernet1/0/18
port access vlan 18
packet-filter inbound user-group 5000 rule 0
packet-filter inbound user-group 5000 rule 1
[h3c5624]dis cpu
[h3c5624]dis cpu
Unit 1
Board 0 CPU busy status:
 10% in last 5 seconds
 8% in last 1 minute
 7% in last 5 minutes
[h3c5624]quit

Netizen 2:
This is how I do it
acl number 4001
rule 4 deny source 0017-31ed-3e66 ffff-ffff-ffff
In fact, when an ARP conflict happens, you can see the MAC of the forged IP on the switch console, like this:
%Apr 21 20:52:17:375 2000 zhongxin ARP/5/DUPIP:- 1 -IP address 192.168.9.80 collision detected, sourced by 0018-f337-a867 on Ethernet1/0/3 of VLAN102 and 0017-31ed-3e66 on Ethernet1/0/3 of VLAN102
Then apply the policy above to the conflicting port e0/0/3, and that is it.
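The following Python script is an added example, not code from the thread or from H3C, showing the arithmetic behind the user-defined rules in the question and in Netizen 1's config. In an ARP packet the sender hardware address sits 10 bytes after the Ethertype field and the sender protocol address 16 bytes after it, which is exactly the spacing in both posted configs (20/30/36 and 24/34/40). The script generates the two rules in the post's syntax from a gateway IP and MAC, then checks the same rules against constructed ARP frames using standard wire offsets (Ethertype at 12 in an untagged frame, at 16 with one 802.1Q tag); the post's origin of 20 or 24 is whatever the switch counts from, as the questioner says. The frame builder and rule evaluator are my own constructions and only report which rules a frame hits; which hit wins when the real gateway's own ARP matches both the deny and the permit rule is decided by the switch's rule ordering, which the thread does not describe. Sample addresses are taken from the posts or are constructed.

```python
"""Offset arithmetic behind the H3C-style user-defined ARP ACL rules (added example)."""
import struct

ARP_ETHERTYPE = 0x0806
# ARP layout after the Ethertype: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) ...
SENDER_MAC_FROM_ETHERTYPE = 10   # 2 (ethertype) + 8 (htype..oper)
SENDER_IP_FROM_ETHERTYPE = 16    # ... + 6 (sender MAC)


def ip_to_hex(ip: str) -> str:
    """'192.168.1.254' -> 'c0a801fe', the form the rule syntax expects."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return "".join(f"{o:02x}" for o in octets)


def mac_to_hex(mac: str) -> str:
    """'000f-e223-06b4' or '00:0f:e2:23:06:b4' -> '000fe22306b4'."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac}")
    return digits


def arp_rules(gateway_ip: str, gateway_mac: str, ethertype_offset: int) -> list:
    """Generate the two rules from the question for a given Ethertype offset.

    rule 0: deny ARP whose *sender IP* claims to be the gateway
    rule 1: permit ARP whose *sender MAC* is the real gateway
    The IP/MAC offsets are derived from the Ethertype offset, not typed by hand.
    """
    return [
        f"rule 0 deny 0806 ffff {ethertype_offset} {ip_to_hex(gateway_ip)} ffffffff "
        f"{ethertype_offset + SENDER_IP_FROM_ETHERTYPE}",
        f"rule 1 permit 0806 ffff {ethertype_offset} {mac_to_hex(gateway_mac)} ffffffffffff "
        f"{ethertype_offset + SENDER_MAC_FROM_ETHERTYPE}",
    ]


def parse_rule(rule: str):
    """'rule N deny|permit V1 M1 O1 V2 M2 O2' -> (action, [(value, mask, offset), ...])."""
    parts = rule.split()
    action, triples = parts[2], parts[3:]
    clauses = []
    for i in range(0, len(triples), 3):
        value, mask, offset = triples[i], triples[i + 1], int(triples[i + 2])
        clauses.append((bytes.fromhex(value), bytes.fromhex(mask), offset))
    return action, clauses


def rule_matches(frame: bytes, clauses) -> bool:
    """Every clause must match: (frame bytes at offset) & mask == value & mask."""
    for value, mask, offset in clauses:
        window = frame[offset:offset + len(value)]
        if len(window) < len(value):
            return False
        if any((w & m) != (v & m) for w, v, m in zip(window, value, mask)):
            return False
    return True


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str, vlan_id=None) -> bytes:
    """Constructed Ethernet II + ARP request, optionally with a single 802.1Q tag."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex(mac_to_hex(sender_mac))
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # Ethernet, IPv4, 6, 4, request
    arp += src + bytes.fromhex(ip_to_hex(sender_ip))   # sender MAC, sender IP
    arp += bytes(6) + bytes.fromhex(ip_to_hex(target_ip))  # target MAC (unknown), target IP
    return dst + src + tag + struct.pack("!H", ARP_ETHERTYPE) + arp


def matching_actions(frame: bytes, rules: list) -> list:
    """Actions of every rule the frame hits, in rule order (the switch decides which wins)."""
    hits = []
    for rule in rules:
        action, clauses = parse_rule(rule)
        if rule_matches(frame, clauses):
            hits.append(action)
    return hits


if __name__ == "__main__":
    # Offsets as in the question (origin 20) and in Netizen 1's config (origin 24).
    for line in arp_rules("192.168.1.254", "000f-e223-06b4", 20):
        print(line)
    for line in arp_rules("192.168.16.1", "000f-e213-d039", 24):
        print(line)
    # Evaluate against untagged wire frames, where the Ethertype is at offset 12.
    wire_rules = arp_rules("192.168.1.254", "000f-e223-06b4", 12)
    spoof = build_arp_request("0017-31ed-3e66", "192.168.1.254", "192.168.1.10")  # constructed
    print("spoofed gateway ARP hits:", matching_actions(spoof, wire_rules))
```

Running the script prints the question's two rules verbatim and Netizen 1's offsets 34 and 40, and classifies a constructed ARP that claims the gateway IP from a non-gateway MAC as hitting only the deny rule. Changing `vlan_id` on the frame and the origin to 16 shows the same two rules shifted by the four-byte tag.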