S5700: services interrupted after configuring a traffic policy for access control because the ACL rules did not permit traffic in both directions

Published: 2016-04-11  Views: 151  Downloads: 0
Problem description
Two S5700 switches running VRRP. After a traffic policy was configured for access control, terminals could only ping the virtual gateway address and could not ping any address in other network segments.
Handling process

1. Asked the customer to provide the device configuration. The relevant part is as follows:

#
acl number 3002
 rule 5 permit ip destination 10.32.244.80 0
 rule 10 permit ip destination 10.32.244.81 0
 rule 15 permit ip destination 10.32.244.82 0
 rule 20 permit ip destination 10.32.244.17 0
 rule 25 permit ip destination 10.32.244.18 0
 rule 30 permit ip destination 10.32.244.19 0
 rule 35 permit ip destination 10.32.244.55 0
 rule 40 permit ip destination 10.44.244.34 0
 rule 45 permit ip destination 10.44.244.57 0
 rule 60 deny ip
#
traffic classifier c2 operator and
 if-match acl 3002
#
traffic behavior b2
 permit
#
traffic policy p2
 classifier c2 behavior b2
#
vlan 2072
 traffic-policy p2 inbound
#

2. After confirming with the customer, we learned that they wanted to permit access only to some addresses in the 10.44.244.0 segment, as listed in ACL 3002, but after the configuration was applied none of them could be reached.

A careful analysis of the packet forwarding flow showed that only the packets going to these addresses (one direction) were permitted; the return packets from these hosts were not matched by any permit rule and fell through to "rule 60 deny ip". After the configuration was modified as described in the solution, the problem was resolved.

Root cause
The ACL rules were configured incorrectly: traffic was not permitted in both directions.
Solution

ACL 3002 was modified on both the master and backup devices. The result after modification is as follows (the newly added match rules, shown in red in the original, are the source-address rules 46 to 54):

#
acl number 3002
 rule 5 permit ip destination 10.32.244.80 0
 rule 10 permit ip destination 10.32.244.81 0
 rule 15 permit ip destination 10.32.244.82 0
 rule 20 permit ip destination 10.32.244.17 0
 rule 25 permit ip destination 10.32.244.18 0
 rule 30 permit ip destination 10.32.244.19 0
 rule 35 permit ip destination 10.32.244.55 0
 rule 40 permit ip destination 10.44.244.34 0
 rule 45 permit ip destination 10.44.244.57 0
 rule 46 permit ip source 10.32.244.80 0
 rule 47 permit ip source 10.32.244.81 0
 rule 48 permit ip source 10.32.244.82 0
 rule 49 permit ip source 10.32.244.17 0
 rule 50 permit ip source 10.32.244.18 0
 rule 51 permit ip source 10.32.244.19 0
 rule 52 permit ip source 10.32.244.55 0
 rule 53 permit ip source 10.44.244.34 0
 rule 54 permit ip source 10.44.244.57 0
 rule 60 deny ip
#
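As an added illustration (not part of the original case), the following Python script evaluates a constructed subset of ACL 3002 against both the forward and the return packet of one terminal-to-server flow, so the one-way permit that caused the outage can be reproduced offline. The terminal address 192.0.2.10 is constructed, and the traffic-policy semantics in `lookup` (a packet hitting a deny rule is dropped, a packet hitting no rule is forwarded) are stated assumptions.

```python
import ipaddress
# Constructed subset of the case's ACL 3002 before the fix: destination-only permits.
ACL_BEFORE = """\
rule 5 permit ip destination 10.32.244.80 0
rule 40 permit ip destination 10.44.244.34 0
rule 60 deny ip
"""

# The same subset after the fix: a source-address permit added for each host.
ACL_AFTER = """\
rule 5 permit ip destination 10.32.244.80 0
rule 40 permit ip destination 10.44.244.34 0
rule 46 permit ip source 10.32.244.80 0
rule 53 permit ip source 10.44.244.34 0
rule 60 deny ip
"""

def parse_acl(text):
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue
        rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
        for i in range(4, len(tok), 3):          # optional source/destination clauses
            rule[tok[i]] = (tok[i + 1], tok[i + 2])
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])  # default match order: ascending rule ID

def _matches(addr, spec):
    """Huawei wildcard match: wildcard bit 1 = don't care; a bare '0' = exact host."""
    if spec is None:
        return True
    base, wildcard = spec
    w = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return ((a ^ b) & (0xFFFFFFFF ^ w)) == 0

def lookup(rules, src, dst):
    """First match wins. Assumed policy semantics: deny hit = drop, no hit = forward."""
    for r in rules:
        if _matches(src, r["source"]) and _matches(dst, r["destination"]):
            return r["action"]
    return "permit"

def check_bidirectional(acl_text, terminal, server):
    """Return (forward verdict, return verdict) for a terminal <-> server flow."""
    rules = parse_acl(acl_text)
    return lookup(rules, terminal, server), lookup(rules, server, terminal)
```

With ACL_BEFORE, `check_bidirectional(ACL_BEFORE, "192.0.2.10", "10.44.244.34")` returns ('permit', 'deny'): the request is forwarded but the reply hits rule 60, which is the symptom in the case. With ACL_AFTER the same flow returns ('permit', 'permit'), while a server not listed in the ACL is denied in both directions.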

Suggestions and summary

When configuring access control rules, analyze the packet forwarding flow carefully (including the return path) before writing the rules, so that the configuration achieves the intended effect.
