Service interruption caused by ACL rules that did not permit traffic in both directions

Published: 2016-08-10  Views: 119  Downloads: 0
Problem description

Two S7712 switches running VRRP. After a traffic policy was configured for access control, terminals could only ping the virtual gateway address and could not ping any address in other network segments.

Alarm information
Handling process

1. The relevant device configuration is extracted below:

#
acl number 3000
 rule 0 permit ip destination 172.36.1.30 0
 rule 5 permit ip destination 172.36.1.31 0
 rule 10 permit ip destination 172.36.1.32 0
 rule 15 permit ip destination 172.32.5.17 0
 rule 20 permit ip destination 172.32.5.18 0
 rule 25 permit ip destination 172.32.5.19 0
 rule 30 permit ip destination 172.32.5.20 0
 rule 35 permit ip destination 10.30.100.34 0
 rule 40 permit ip destination 10.30.100.57 0
 rule 1000 deny ip
#
traffic classifier aaa operator and
 if-match acl 3000
#
traffic behavior bbb
 permit
#
traffic policy ccc
 classifier aaa behavior bbb
#
vlan 100
 traffic-policy ccc inbound
#

2. The requirement was to permit only access to the addresses listed in ACL 3000 (selected hosts in the 10.30.100.0 network segment), but after the configuration was applied none of them could be reached.

Careful analysis of the packet forwarding flow showed that only the packets going to these addresses were permitted, in one direction; the return packets from these hosts back to the terminals were not permitted. After the configuration was modified as described in the solution, the problem was resolved.

Root cause

The ACL rules were misconfigured: traffic was not permitted in both directions.

Solution

Modify ACL 3000 on both the master and backup devices. The result after modification is as follows (the newly added matching rules, highlighted in red on the original page, are rules 45 through 85, which permit the reverse direction by source address):

#
acl number 3000
 rule 0 permit ip destination 172.36.1.30 0
 rule 5 permit ip destination 172.36.1.31 0
 rule 10 permit ip destination 172.36.1.32 0
 rule 15 permit ip destination 172.32.5.17 0
 rule 20 permit ip destination 172.32.5.18 0
 rule 25 permit ip destination 172.32.5.19 0
 rule 30 permit ip destination 172.32.5.20 0
 rule 35 permit ip destination 10.30.100.34 0
 rule 40 permit ip destination 10.30.100.57 0
 rule 45 permit ip source 172.36.1.30 0
 rule 50 permit ip source 172.36.1.31 0
 rule 55 permit ip source 172.36.1.32 0
 rule 60 permit ip source 172.32.5.17 0
 rule 65 permit ip source 172.32.5.18 0
 rule 70 permit ip source 172.32.5.19 0
 rule 75 permit ip source 172.32.5.20 0
 rule 80 permit ip source 10.30.100.34 0
 rule 85 permit ip source 10.30.100.57 0
 rule 1000 deny ip
#
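As an added illustration that is not part of the original case: a small Python simulation of how the traffic policy's ACL evaluates the forward packet and its return packet, using an abridged copy of the ACL before and after the fix. The terminal address 172.36.1.100 and the abridgement to the two 10.30.100.0 hosts are assumptions made for the example.

```python
import ipaddress

# Constructed for this example: the case's original ACL, abridged to the two
# 10.30.100.0 hosts, and the corrected ACL with the reverse "source" rules added.
ACL_BEFORE = """\
acl number 3000
 rule 35 permit ip destination 10.30.100.34 0
 rule 40 permit ip destination 10.30.100.57 0
 rule 1000 deny ip
"""
ACL_AFTER = ACL_BEFORE.replace(" rule 1000 deny ip\n", """\
 rule 80 permit ip source 10.30.100.34 0
 rule 85 permit ip source 10.30.100.57 0
 rule 1000 deny ip
""")

def _addr(text):
    # Addresses are dotted quads; a Huawei wildcard may be a bare '0' (exact host).
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)

def parse_acl(text):
    """Return (rule_id, action, src, dst) sorted by rule number; src/dst are
    (address, wildcard) pairs, or None when the rule does not test that field."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule":
            continue
        # Optional "source A W" / "destination A W" groups follow "rule N action ip".
        fields = {tok[i]: (_addr(tok[i + 1]), _addr(tok[i + 2]))
                  for i in range(4, len(tok), 3)}
        rules.append((int(tok[1]), tok[2],
                      fields.get("source"), fields.get("destination")))
    return sorted(rules, key=lambda r: r[0])

def _matches(field, ip):
    # Wildcard bits set to 1 are ignored, as in the switch's ACL lookup.
    return field is None or (_addr(ip) & ~field[1]) == (field[0] & ~field[1])

def acl_action(rules, src_ip, dst_ip):
    # First match wins; a packet matching no rule is not classified by the
    # traffic policy and is forwarded normally, reported here as "permit".
    for _, action, src, dst in rules:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "permit"

def one_way_hosts(rules, terminal_ip, host_ips):
    """Hosts the terminal may send to, but whose replies the same ACL drops."""
    return [h for h in host_ips if acl_action(rules, terminal_ip, h) == "permit"
            and acl_action(rules, h, terminal_ip) != "permit"]
```

Running `one_way_hosts` against a candidate ACL before deploying it is a quick way to catch the asymmetry described in this case.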

Suggestions and summary

When configuring access control rules, analyse the packet forwarding flow in both directions carefully before writing the rules, so that the configuration actually achieves the intended effect.

END