```
acl number 5000
rule 0 deny 0806 ffff 24 c0a801fe ffffffff 40
rule 1 deny 0806 ffff 24 c0a802fe ffffffff 40
rule 3 deny 0806 ffff 24 c0a803fe ffffffff 40
rule 4 deny 0806 ffff 24 c0a804fe ffffffff 40
rule 5 deny 0806 ffff 24 c0a805fe ffffffff 40
rule 6 deny 0806 ffff 24 c0a806fe ffffffff 40
rule 7 deny 0806 ffff 24 c0a807fe ffffffff 40
rule 8 deny 0806 ffff 24 c0a8fafe ffffffff 40
rule 9 deny 0806 ffff 24 c0a8fbfe ffffffff 40
rule 10 deny 0806 ffff 24 c0a8fcfe ffffffff 40
rule 11 deny 0806 ffff 24 0a000001 ffffffff 40
rule 13 deny 0806 ffff 24 c0a809fe ffffffff 40
rule 14 deny 0806 ffff 24 c0a80efe ffffffff 40
rule 15 deny 0806 ffff 24 c0a80ffe ffffffff 40
rule 16 deny 0806 ffff 24 c0a810fe ffffffff 40
rule 17 deny 0806 ffff 24 c0a811fe ffffffff 40
rule 18 deny 0806 ffff 24 c0a812fe ffffffff 40
rule 19 deny 0806 ffff 24 c0a813fe ffffffff 40
rule 20 deny 0806 ffff 24 c0a814fe ffffffff 40
rule 21 deny 0806 ffff 24 c0a815fe ffffffff 40
rule 22 deny 0806 ffff 24 c0a816fe ffffffff 40
rule 23 deny 0806 ffff 24 c0a817fe ffffffff 40
rule 24 deny 0806 ffff 24 c0a818fe ffffffff 40
rule 25 deny 0806 ffff 24 c0a819fe ffffffff 40
rule 26 deny 0806 ffff 24 c0a81afe ffffffff 40
rule 27 deny 0806 ffff 24 c0a81bfe ffffffff 40
rule 28 deny 0806 ffff 24 c0a81cfe ffffffff 40
rule 29 deny 0806 ffff 24 c0a81dfe ffffffff 40
rule 30 deny 0806 ffff 24 c0a81efe ffffffff 40
rule 31 deny 0806 ffff 24 c0a81ffe ffffffff 40
rule 32 deny 0806 ffff 24 c0a820fe ffffffff 40
```

```
ACL num 5000
rule 0 deny 0806 ffff 16 64010101 ffffffff 32
```

On the 39 the offset is 16, but on the 56 the offset is 20, so it should be changed to:

```
rule 0 deny 0806 ffff 20 64010101 ffffffff 36
```

Note: 64010101 is the hexadecimal representation of the gateway; users need to change it to match their own.

User 1:

I tried it

I tried it; the 95 simply does not support ACL 5000.

```
[s9512-1] acl num 5000
 ^
% Wrong parameter found at '^' position.
[s9512-1] acl num ?
 INTEGER<2000-2999> Specify a basic acl
 INTEGER<3000-3999> Specify an advanced acl
 INTEGER<4000-4999> Specify a link acl

[s9512-1] acl num 4000
[s9512-1-acl-link-4000]r5ule ?
 ^
% Unrecognized command found at '^' position.
[s9512-1-acl-link-4000]rule ?
 INTEGER<0-127> ID of the acl rule
 deny Specify packets from where to reject
 permit Specify packets from where to forward

[s9512-1-acl-link-4000]rule deny ?
 HEX<1-FFFF> Protocol type
 arp Protocol type (0x0806)
 c-tag-cos Specify custom tag 802.1p priority
 cos Specify 802.1p priority
 egress Specify packets' destination information
 exp Specify MPLS packet's EXP field
 ingress Specify packets' source information
 ip Protocol type (0x0800)
 ipv6 Protocol type (0x86DD)
 mac-type Specify mac-type field in the packet
 mpls Protocol type (0x8847)
 nbx Protocol type (0x8868)
 pppoe-control Protocol type (0x8863)
 pppoe-data Protocol type (0x8864)
 rarp Protocol type (0x8035)
 s-tag-vlan Service tag VLAN ID
 time-range Specify a special time
 <cr>

[s9512-1-acl-link-4000]rule deny 0806 ?
 c-tag-cos Specify custom tag 802.1p priority
 cos Specify 802.1p priority
 egress Specify packets' destination information
 exp Specify MPLS packet's EXP field
 ingress Specify packets' source information
 mac-type Specify mac-type field in the packet
 s-tag-vlan Service tag VLAN ID
 time-range Specify a special time
 <cr>

[s9512-1-acl-link-4000]rule deny 0806 ffff ?
 ^
% Too many parameters found at '^' position.
[s9512-1-acl-link-4000]q
[s9512-1]acl num ?
 INTEGER<2000-2999> Specify a basic acl
 INTEGER<3000-3999> Specify an advanced acl
 INTEGER<4000-4999> Specify a link acl

[s9512-1]acl num ?
 INTEGER<2000-2999> Specify a basic acl
 INTEGER<3000-3999> Specify an advanced acl
 INTEGER<4000-4999> Specify a link acl

[s9512-1]acl num 5000?
 ^
% Unrecognized command found at '^' position.
[s9512-1]acl num 5000 ?
 ^
% Wrong parameter found at '^' position.
[s9512-1]acl ?
 name Specify a named acl
 number Specify a numbered acl

[s9512-1]acl num ?
 INTEGER<2000-2999> Specify a basic acl
 INTEGER<3000-3999> Specify an advanced acl
 INTEGER<4000-4999> Specify a link acl

[s9512-1]acl num 4000
[s9512-1-acl-link-4000]rule deny ?
 HEX<1-FFFF> Protocol type
 arp Protocol type (0x0806)
 c-tag-cos Specify custom tag 802.1p priority
 cos Specify 802.1p priority
 egress Specify packets' destination information
 exp Specify MPLS packet's EXP field
 ingress Specify packets' source information
 ip Protocol type (0x0800)
 ipv6 Protocol type (0x86DD)
 mac-type Specify mac-type field in the packet
 mpls Protocol type (0x8847)
 nbx Protocol type (0x8868)
 pppoe-control Protocol type (0x8863)
 pppoe-data Protocol type (0x8864)
 rarp Protocol type (0x8035)
 s-tag-vlan Service tag VLAN ID
 time-range Specify a special time
 <cr>

[s9512-1-acl-link-4000]rule deny 0816 ?
 c-tag-cos Specify custom tag 802.1p priority
 cos Specify 802.1p priority
 egress Specify packets' destination information
 exp Specify MPLS packet's EXP field
 ingress Specify packets' source information
 mac-type Specify mac-type field in the packet
 s-tag-vlan Service tag VLAN ID
 time-range Specify a special time
 <cr>

[s9512-1-acl-link-4000]rule deny 0816 ffff?
 ^
% Unrecognized command found at '^' position.
[s9512-1-acl-link-4000]rule deny 0816 ffff ?
 ^
% Too many parameters found at '^' position.
[s9512-1-acl-link-4000]rule deny 0816 ffff
```

Did the original poster not actually try this?

User 2:

On the S95 you can enable anti-attack arp enable in system view; it helps somewhat in suppressing ARP attacks.

User 3:

About acl 5000: with this approach, I personally think applying it on the core is basically useless.
ARP broadcasts have already been forwarded at the access-layer switch, so PCs attached to the same access-layer switch can still learn incorrect ARP information.
The 95 now seems to have an ARP attack detection feature (roughly, I think it also means setting how often gratuitous ARP packets are sent), which should mitigate some ARP attacks.

User 4:

Anti-ARP is better done on the access-layer switches.

Low-end models don't support it.
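The first post's note that the hex value must be changed to the reader's own gateway, and that the offset differs per switch model, can be checked with a small helper; this is an added example, not code from the thread. It assumes each rule is two `<value> <mask> <offset>` triples (EtherType, then ARP sender IP 16 bytes later), which is the pattern all three rule variants in the post follow; `gateway_rule` and `audit` are hypothetical names.

```python
import ipaddress
import re

# Assumed layout, read off the thread's rules: <value> <mask> <offset>, twice.
# First triple matches the EtherType, second the ARP sender IP, which sits
# 16 bytes later (2 bytes EtherType + 14 bytes of ARP header and sender MAC).
ARP_ETHERTYPE = "0806"
SENDER_IP_GAP = 16
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(deny|permit)\s+([0-9a-f]{4})\s+([0-9a-f]{4})\s+(\d+)"
    r"\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\d+)$", re.I)

def gateway_rule(rule_id, gateway, ethertype_offset):
    """Build a deny rule for ARP frames whose sender IP is the gateway."""
    hex_ip = format(int(ipaddress.IPv4Address(gateway)), "08x")
    return (f"rule {rule_id} deny {ARP_ETHERTYPE} ffff {ethertype_offset} "
            f"{hex_ip} ffffffff {ethertype_offset + SENDER_IP_GAP}")

def audit(config):
    """Decode each rule to (id, dotted gateway IP, list of problems)."""
    results = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not a user-defined rule line, e.g. "acl number 5000"
        rid, _action, etype, _emask, eoff, value, vmask, voff = m.groups()
        problems = []
        if etype.lower() != ARP_ETHERTYPE:
            problems.append(f"EtherType {etype} is not ARP")
        if int(voff) - int(eoff) != SENDER_IP_GAP:
            problems.append(f"IP offset {voff} is not {int(eoff) + SENDER_IP_GAP}")
        if vmask.lower() != "ffffffff":
            problems.append("IP mask does not cover the full address")
        results.append((int(rid), str(ipaddress.IPv4Address(int(value, 16))), problems))
    return results

# Two rules copied from the thread plus one constructed bad rule (id 1).
SAMPLE = """\
acl number 5000
rule 0 deny 0806 ffff 24 c0a801fe ffffffff 40
rule 11 deny 0806 ffff 24 0a000001 ffffffff 40
rule 1 deny 0816 ffff 20 64010101 ffffffff 32
"""

if __name__ == "__main__":
    print(gateway_rule(0, "100.1.1.1", 20))
    for rid, ip, problems in audit(SAMPLE):
        print(rid, ip, problems or "ok")
```

Decoding the rules back to dotted addresses makes it easy to confirm that every gateway in the address plan is covered before the ACL is applied to user-facing ports.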