H3C router: preventing route discovery with traceroute

Principle: block ICMP ttl-exceeded packets (icmp icmp-type ttl-exceeded) coming back from the external network to the local network.

1. Define the ACLs

Define an ACL that matches icmp icmp-type ttl-exceeded and icmp icmp-type timestamp-reply:

acl num 3889
 rule 2 permit icmp icmp-type timestamp-reply
 rule 3 permit icmp icmp-type ttl-exceeded

Define the permitted destinations; this way specific destinations for which traceroute should still work can be added flexibly:

acl number 3888
 rule 0 permit ip destination 202.97.0.1 0

2. Define the classifiers

traffic classifier per-icmp operator and
 if-match acl 3888
traffic classifier deny-icmp operator and
 if-match acl 3889

3. Define the behaviors

traffic behavior per
 filter permit
traffic behavior deny
 filter deny

4. Define the QoS policy

qos policy icmp
 classifier per-icmp behavior per
 classifier deny-icmp behavior deny

5. Apply the policy under the interface

interface Tunnel222
 description shttbgp-gu-0423
 ip address 172.16.99.222 255.255.255.252
 source 10.127.29.1
 destination 172.16.99.201
 qos apply policy icmp inbound

Verifying that it works

Before applying the QoS policy:

[jinan5500-2]trace -a 111.xxx.x.160  101.227.13.208 
 traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
 1  10.100.10.2 3 ms 2 ms 1 ms
 2  172.16.99.221 21 ms 22 ms 22 ms
 3  10.100.222.13 25 ms 24 ms 25 ms
 4  222.44.86.129 23 ms 22 ms 22 ms
 5  172.16.30.1 22 ms 172.16.30.9 22 ms 172.16.30.1 22 ms
 6  222.44.1.33 23 ms 222.44.1.37 24 ms 222.44.1.33 22 ms
 7  61.237.0.238 22 ms 61.237.0.234 22 ms 61.237.0.238 32 ms
 8  202.97.15.77 27 ms 29 ms 27 ms
 9  202.97.48.209 27 ms 26 ms 27 ms
10  202.101.63.117 25 ms 26 ms 26 ms
11  * 101.95.207.18 28 ms *

After applying the QoS policy:

[jinan5500-2]trace -a 111.xxx.x.160  101.227.13.208
 traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
 1  10.100.10.2 8 ms 3 ms 2 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  101.227.13.208 31 ms 32 ms 30 ms
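To make the effect of steps 1 to 5 and the test output above easier to reason about, here is an added example (not from the original post and not H3C code) that models the ACL / classifier / behavior / QoS-policy chain in Python and runs constructed inbound packets through it. It assumes that the policy evaluates classifier-behavior pairs in the configured order with the first match deciding, that a packet matching no class is forwarded, and that traceroute uses UDP probes so the final destination answers with ICMP port unreachable; the inside source address 10.100.10.1 and the hop list are constructed sample values.

```python
# Added example: a model of the page's inbound QoS policy, not H3C code.
# Assumptions (not stated on the page): first matching class decides;
# no match means forward; traceroute probes are UDP (final hop answers
# with ICMP port unreachable). All packets below are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# ICMP (type, code) pairs from RFC 792 used to label the sample packets
ICMP_TTL_EXCEEDED = (11, 0)
ICMP_TIMESTAMP_REPLY = (14, 0)
ICMP_PORT_UNREACHABLE = (3, 3)
ICMP_ECHO_REPLY = (0, 0)


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "udp", "tcp"
    src: str
    dst: str
    icmp: Optional[Tuple[int, int]] = None   # (type, code) when proto == "icmp"


# ACL 3889: the two ICMP message types the page wants dropped
def acl_3889(p: Packet) -> bool:
    return p.proto == "icmp" and p.icmp in (ICMP_TIMESTAMP_REPLY, ICMP_TTL_EXCEEDED)


# ACL 3888: "rule 0 permit ip destination 202.97.0.1 0" (wildcard 0 = exact host)
WHITELIST_DST = ip_network("202.97.0.1/32")


def acl_3888(p: Packet) -> bool:
    return ip_address(p.dst) in WHITELIST_DST


# QoS policy "icmp": classifier -> behavior pairs in the page's order
POLICY_ICMP = [
    ("per-icmp", acl_3888, "permit"),   # traffic behavior per:  filter permit
    ("deny-icmp", acl_3889, "deny"),    # traffic behavior deny: filter deny
]


def apply_policy(policy, p: Packet):
    """Return (class_name, action) of the first matching class; (None, 'permit') if none."""
    for name, match, action in policy:
        if match(p):
            return name, action
    return None, "permit"


INSIDE_SRC = "10.100.10.1"   # constructed: host behind the router running traceroute


def traceroute_replies(hops, target):
    """Constructed inbound replies a UDP traceroute receives: one ttl-exceeded
    from every intermediate hop, then port unreachable from the target."""
    pkts = [Packet("icmp", h, INSIDE_SRC, ICMP_TTL_EXCEEDED) for h in hops]
    pkts.append(Packet("icmp", target, INSIDE_SRC, ICMP_PORT_UNREACHABLE))
    return pkts


def visible_hops(policy, hops, target):
    """Responders whose replies survive the inbound policy (what traceroute prints)."""
    return [p.src for p in traceroute_replies(hops, target)
            if apply_policy(policy, p)[1] == "permit"]


if __name__ == "__main__":
    samples = [
        Packet("icmp", "172.16.99.221", INSIDE_SRC, ICMP_TTL_EXCEEDED),
        Packet("icmp", "172.16.99.221", "202.97.0.1", ICMP_TTL_EXCEEDED),
        Packet("icmp", "10.100.222.13", INSIDE_SRC, ICMP_TIMESTAMP_REPLY),
        Packet("icmp", "101.227.13.208", INSIDE_SRC, ICMP_PORT_UNREACHABLE),
        Packet("icmp", "101.227.13.208", INSIDE_SRC, ICMP_ECHO_REPLY),
        Packet("udp", "101.227.13.208", INSIDE_SRC),
    ]
    for s in samples:
        print(f"{s.proto:4} {s.src:>15} -> {s.dst:<12} {s.icmp}  {apply_policy(POLICY_ICMP, s)}")
    # hops beyond the tunnel are constructed; the target is the one from the page's test
    print(visible_hops(POLICY_ICMP, ["172.16.99.221", "10.100.222.13"], "101.227.13.208"))
```

The model reproduces the shape of the test output: every ttl-exceeded reply that arrives inbound on the tunnel is dropped, so the intermediate hops print as `* * *`, while the destination's port-unreachable reply matches neither ACL and is forwarded, which is why the final hop still answers. Hop 1 stays visible because its reply is generated by the router on the near side of the tunnel and never crosses the tunnel inbound. Ping (echo reply) is also unaffected, so ordinary reachability checks keep working while the path itself is hidden.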

This article comes from the "lihongweibj" blog; please keep this attribution: http://lihongweibj.blog.51cto.com/6235038/1651692

