一.測試拓撲：

成都創新互聯成立于2013年，先為盧龍等服務建站，盧龍等地企業，進行企業商務咨詢服務。為盧龍企業網站制作PC+手機+微官網三網同步一站式服務解決您的所有建站問題。

R1------------SW1------------------(MAC:2.2.2)R2

  |

 R3

R1，R2，R3都在VLAN11中，R1連接SW1的接口手工指定mac地址為1.1.1,R2連接SW1的接口手工指定mac地址為2.2.2;

R1接口的IP地址為10.1.1.1;

R2接口的IP地址為10.1.1.2;

R3接口的IP地址為10.1.1.3.

二.交換機VACL第一種配置方式：

mac access-list extended R2
permit host 0002.0002.0002 any  （只能屏蔽非IP包，比如arp包）

access-list 100 permit ip host 10.1.1.3 any

vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11

因為SW1拒絕了R2發出的非IP包（arp回應包被拒絕了），R1和R3沒有R2接口地址的ARP條目，導致R1無法ping和telnet R2，如果R1手工添加R2接口地址的ARP條目，R1則能pint和telnet R2，返回過來也可以。

A.R1 PING R3
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#
*Feb 12 11:19:41.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:43.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:45.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:47.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
*Feb 12 11:19:49.002: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.1
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R1上開啟debug沒有看到數據包到達R1

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
在R2上開啟debug沒有看到數據包到達R2
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:05:21.700: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:23.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:25.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:27.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:05:29.696: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2

E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R3上開啟debug沒有看到數據包到達R3
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R2上開啟debug沒有看到數據包到達R2

三.交換機VACL第二種配置方式：

mac access-list extended R2
permit any host 0002.0002.0002  （只能屏蔽非IP包，比如arp包）

access-list 100 permit ip  any host 10.1.1.3
vlan access-map test 10
match ip address 100
action drop
vlan access-map test 20
match mac address R2
action drop
vlan access-map test 30
action forward
!
vlan filter test vlan-list 11
因為SW1拒絕去往R2的非IP包（R1和R2給R2的arp回應包被拒絕了），R2沒有R1和R3接口地址的ARP條目，導致R1無法ping和telnet R2，如果R2手工添加R1接口地址的ARP條目，R1則能pint和telnet R2，返回過來也可以。A.R1 PING R3
R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R3上開啟debug沒有看到數據包到達R3
B.R3 PING R1
R3#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#
*May 23 00:20:36.024: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:38.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:40.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:42.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3
*May 23 00:20:44.020: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.3

C.R1 PING R2
R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R2#
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.990: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
*Jun 15 10:42:29.994: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.1
D.R2 PING R1
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
*May 23 00:23:03.836: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
E.R2 ping R3
R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
在R3上開啟debug沒有看到數據包到達R3
F.R3 ping R2
R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
*Jun 15 11:16:23.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:25.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:27.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3
*Jun 15 11:16:29.882: ICMP: echo reply sent, src 10.1.1.2, dst 10.1.1.3

四.總結：

A.mac地址過濾，只能過濾非IP流量，不能過濾IP流量

B.icmp屬于IP層的協議，icmp流量屬于ip流量

C.arp流量不屬于IP流量，mac地址過濾導致arp無法正常工作，才會導致ip層協議出現問題，如果手工添加ARP條目，就能是IP流量正常通行。

另外有需要云服務器可以了解下創新互聯scvps.cn，海內外云服務器15元起步，三天無理由+7*72小時售后在線，公司持有idc許可證，提供“云服務器、裸金屬服務器、高防服務器、香港服務器、美國服務器、虛擬主機、免備案服務器”等云主機租用服務以及企業上云的綜合解決方案，具有“安全穩定、簡單易用、服務可用性高、性價比高”等特點與優勢，專為企業上云打造定制，能夠滿足用戶豐富、多元化的應用場景需求。

當前名稱：交換機的VACL測試-創新互聯
鏈接地址：http://vcdvsql.cn/article38/cdjesp.html

成都網站建設公司_創新互聯，為您提供做網站、企業建站、網站設計、App設計、ChatGPT、品牌網站設計

廣告

聲明：本網站發布的內容（圖片、視頻和文字）以用戶投稿、用戶轉載內容為主，如果涉及侵權請盡快告知，我們將會在第一時間刪除。文章觀點不代表本網站立場，如需處理請聯系客服。電話：028-86922220；郵箱：631063699@qq.com。內容未經允許不得轉載，或轉載時需注明來源： 創新互聯