
HP ProCurve 5412 ACL

Network Engineering user
Asked on 2015-09-18 16:53:28
Answers: 3  Views: 1.2K  Followers: 0  Votes: 1

I am new to HP ProCurve, and I am having a problem with a VLAN that connects to the internet. I am not sure whether the ACL is blocking the internet traffic or whether there is some other configuration problem. I would like to temporarily disable the ACL without deleting all of the rules. Is there a command on this model that deactivates the ACL? I tried the "ip no-acl" command and got an "Invalid input: no-acl" error.

Core Switch config:
hostname "Prod-Core"
module 1 type j8702a
module 2 type j8702a
module 3 type j8702a
module 4 type j8702a
module 5 type j9309a
module 6 type j8702a
mirror 1 port A24
fault-finder broadcast-storm sensitivity high
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
power-over-ethernet pre-std-detect ports F1-F24
timesync sntp
sntp unicast
sntp 60
sntp server priority 1 10.100.12.33
sntp server priority 2 10.100.12.32
time daylight-time-rule continental-us-and-canada
time timezone -360
web-management idle-timeout 900
ip access-list extended "vlan68-DEVEL_ACL"
     10 remark "ACL Applied to the vlan 68 interface (in)"
     11 remark "-----------------------------------------"
     12 remark "Allow traffic to flow within the DEVEL vlan"
     13 permit ip 10.100.68.0 0.0.3.255 10.100.68.0 0.0.3.255
     22 remark "Allow 80, 443 for Exchange and KBOX"
     23 remark "-----------------------------------------"
     24 permit tcp 10.100.68.0 0.0.3.255 10.100.15.40 0.0.0.0 eq 80
     25 permit tcp 10.100.68.0 0.0.3.255 10.100.15.40 0.0.0.0 eq 443
     26 permit tcp 10.100.68.0 0.0.3.255 10.100.15.91 0.0.0.0 eq 80
     27 permit tcp 10.100.68.0 0.0.3.255 10.100.15.91 0.0.0.0 eq 443
     28 permit tcp 10.100.68.0 0.0.3.255 10.100.15.98 0.0.0.0 eq 80
     29 permit tcp 10.100.68.0 0.0.3.255 10.100.15.98 0.0.0.0 eq 443
     30 remark "Block 80, 443"
     31 remark "-----------------------------------------"
     32 deny tcp 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255 eq 80
     33 deny tcp 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255 eq 443
     80 remark "Allow Other Dev to Prod traffic"
     81 remark "-------------------------------"
     82 permit ip 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255
     90 remark "Allow Everything else (Internet)"
     91 remark "--------------------------------"
     92 permit ip 10.100.68.0 0.0.3.255 0.0.0.0 255.255.255.255
     100 remark "Allow return Internet traffic"
     101 remark "--------------------------------"
     102 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip authorized-managers 10.100.12.0 255.255.252.0 access manager
ip default-gateway 10.100.12.1
ip route 0.0.0.0 0.0.0.0 10.100.12.1
ip routing
..........
..........
..........
snmp-server community "public" unrestricted
snmp-server host 10.100.13.130 community "public" trap-level critical
snmp-server contact "Dave Guyton - 2463" location "HQ"
vlan 1
   name "DEFAULT_VLAN"
   no untagged D1-D3,D7,D9,D11,D14,D16,E1-E4,F1-F24
   untagged A1-A24,B1-B24,C1-C24,D4-D6,D8,D10,D12-D13,D15,D17-D24
   ip address 10.100.12.10 255.255.252.0
   ip local-proxy-arp
   forbid D14,D16
   exit
vlan 5
   name "CharterInternetHA"
   untagged D1-D3
   no ip address
   forbid A1-A24,B3-B24,C1-C24,D5-D24
   exit
vlan 6
   name "AT&TInternetHA"
   untagged D7,D9,D11
   no ip address
   forbid A1-A24,B3-B24,C1-C24,D1-D6,D8,D10,D12-D24
   exit
vlan 7
   name "iSCSI VLAN"
   untagged E1-E4,F1-F24
   no ip address
   forbid A1-A24,B1-B24,C1-C24,D1-D24
   exit
vlan 10
   name "DMZ-Guest-WLAN"
   tagged D14,D16,D20
   no ip address
   exit
vlan 68
   name "DEVEL-68"
   tagged A19,D23-D24
   ip access-group "vlan68-DEVEL_ACL" in
   ip address 10.100.68.1 255.255.252.0
   ip local-proxy-arp
   exit
vlan 72
   name "VOICE"
   tagged D23-D24
   ip address 10.100.72.1 255.255.255.0
   ip local-proxy-arp
   dhcp-server
   exit
no spanning-tree bpdu-throttle
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "vlan72-Voice"
   authoritative
   default-router "10.100.72.1"
   dns-server "10.100.12.33,10.100.12.32"
   domain-name "memco.local"
   lease 08:00:00
   network 10.100.72.0 255.255.255.0
   option 4 ip "10.100.12.33,10.100.12.32"
   option 42 ip "10.100.12.33,10.100.12.32"
   option 156 ascii "ftpservers=10.100.13.16, layer2tagging=1, vlanid=72"
   range 10.100.72.75 10.100.72.253
   exit
dhcp-server enable

 IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.100.12.1     1    static               1          1
  10.100.12.0/22     DEFAULT_VLAN    1    connected            1          0
  10.100.68.0/22     DEVEL-68        68   connected            1          0
  10.100.72.0/24     VOICE           72   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0

Dev Switch Config:
hostname "DEV-4th floor"
module 1 type j8702a
module 2 type j8702a
module 3 type j8702a
module 4 type j8702a
module 5 type j8702a
module 6 type j8702a
module 7 type j8702a
module 8 type j8702a
mirror 1 port A24
mirror 3 port A8
fault-finder broadcast-storm sensitivity high
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
power-over-ethernet pre-std-detect ports B13,B23,C19,F20,F22,F24,H1-H24
qos device-priority 10.100.13.116/0 priority 7
timesync sntp
sntp unicast
sntp 60
sntp server priority 1 10.100.12.33
sntp server priority 2 10.100.12.32
time daylight-time-rule continental-us-and-canada
time timezone -360
ip authorized-managers 10.100.12.0 255.255.252.0 access manager
ip default-gateway 10.100.12.1
ip timep manual 10.100.12.32
..........
..........
..........
snmp-server community "public" unrestricted
snmp-server host 10.100.12.45 community "public" trap-level not-info
no snmp-server enable traps link-change A4
snmp-server contact "Dave Guyton - 2463" location "HQ"
vlan 1
   name "DEFAULT_VLAN"
   no untagged G19,G21,G23,H1-H24
   untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G18,G20,G22,G24
   ip address 10.100.12.9 255.255.252.0
   forbid G19,G21,G23
   exit
vlan 10
   name "GuestVLAN"
   tagged G19,G21,G23
   no ip address
   exit
vlan 68
   name "DEVEL-68"
   untagged H1-H24
   tagged B19
   ip address 10.100.68.9 255.255.252.0
   exit
vlan 72
   name "VOICE"
   tagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F19,F21,F23,G1-G6,G8-G24,H1-H24
   ip address 10.100.72.9 255.255.255.0
   forbid F20,F22,F24,G7
   exit
no spanning-tree bpdu-throttle
no autorun
no dhcp config-file-update
no dhcp image-file-update

 IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.100.12.1     1    static               250        1
  10.100.12.0/22     DEFAULT_VLAN    1    connected            1          0
  10.100.68.0/22     DEVEL-68        68   connected            1          0
  10.100.72.0/24     VOICE           72   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0

3 Answers

Network Engineering user

Accepted answer

Posted on 2015-09-22 18:32:54

Thanks, the config makes it easier :)

When you look at the configuration file, every item (except for "module") is a configuration command you can issue on the CLI. Every command is negated by prefixing it with "no". So if you want to disable the ACL for a while, simply

no ip access-group "vlan68-DEVEL_ACL" in

This removes it from the interface without touching the rules. When you are done testing, issue

ip access-group "vlan68-DEVEL_ACL" in

and it is re-applied. Of course, since this is applied to a VLAN, you need to be in the VLAN configuration context, so this is what it actually looks like (with the prompts):

configure
vlan 68
no ip access-group "vlan68-DEVEL_ACL" in

This changes the running configuration. If you need the configuration without the ACL to survive a reboot, you need to issue

write memory

at the end to save it to the startup configuration. Even after that, you re-apply the ACL the same way; just don't forget the "write memory" ;-)

Votes: 1

Network Engineering user

Posted on 2015-09-18 19:01:55

If I understand you correctly, you could first remove the ACL application from the interface, edit or rewrite (copy and paste) your ACL, and re-apply it to the interface. If I got you right.

Votes: 0

Network Engineering user

Posted on 2015-09-23 18:47:43

This was solved by adding a return route to the 10.100.68.0 network on the firewall. Not sure it is the best solution, but the VLAN now has internet connectivity.

Votes: 0
The original content of this page was provided by Network Engineering. Translation supported by Tencent Cloud's IT-domain translation engine.
Original link:

https://networkengineering.stackexchange.com/questions/22626
