Blocking traceroute route probing on H3C routers
Principle: drop the icmp icmp-type ttl-exceeded packets that return from the external network to the local side, so the intermediate hops never show up in the trace.
1. Define the ACLs
Define an ACL that matches icmp icmp-type ttl-exceeded and icmp icmp-type timestamp-reply:
acl num 3889
rule 2 permit icmp icmp-type timestamp-reply
rule 3 permit icmp icmp-type ttl-exceeded
Define the permitted destinations; this makes it easy to add specific targets to which traceroute should still work:
acl number 3888
rule 0 permit ip destination 202.97.0.1 0
2. Define the classifiers
traffic classifier per-icmp operator and
 if-match acl 3888
traffic classifier deny-icmp operator and
 if-match acl 3889
3. Define the behaviors
traffic behavior per
 filter permit
traffic behavior deny
 filter deny
4. Define the QoS policy (the per-icmp class is listed first so that whitelisted destinations are permitted before the deny class is evaluated)
qos policy icmp
classifier per-icmp behavior per
classifier deny-icmp behavior deny
5. Apply the policy under the interface
interface Tunnel222
 description shttbgp-gu-0423
 ip address 172.16.99.222 255.255.255.252
 source 10.127.29.1
 destination 172.16.99.201
 qos apply policy icmp inbound
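To make the evaluation order of steps 1 to 5 concrete, here is an added Python model (not H3C code, and not from the original post) of the ACL, classifier and policy logic above, run over constructed ICMP packets; it assumes Comware applies the first matching classifier in the policy and lets unmatched traffic through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# ICMP type numbers (RFC 792) for the types the page's ACL 3889 matches
ICMP_ECHO_REPLY = 0
ICMP_TTL_EXCEEDED = 11      # "ttl-exceeded": what traceroute hops send back
ICMP_TIMESTAMP_REPLY = 14   # "timestamp-reply"


@dataclass(frozen=True)
class Packet:
    """Constructed packet: protocol, destination address, ICMP type if ICMP."""
    proto: str
    dst: str
    icmp_type: Optional[int] = None


# acl number 3888 / rule 0 permit ip destination 202.97.0.1 0  (whitelist)
ACL_3888 = [ip_network("202.97.0.1/32")]
# acl number 3889 / rules 2 and 3: the ICMP reply types to drop
ACL_3889 = {ICMP_TIMESTAMP_REPLY, ICMP_TTL_EXCEEDED}


def match_acl_3888(p: Packet) -> bool:
    return any(ip_address(p.dst) in net for net in ACL_3888)


def match_acl_3889(p: Packet) -> bool:
    return p.proto == "icmp" and p.icmp_type in ACL_3889


# qos policy icmp: (classifier, match function, behavior) in configured order
Policy = List[Tuple[str, Callable[[Packet], bool], str]]
POLICY_ICMP: Policy = [
    ("per-icmp", match_acl_3888, "permit"),   # classifier per-icmp behavior per
    ("deny-icmp", match_acl_3889, "deny"),    # classifier deny-icmp behavior deny
]


def apply_policy(policy: Policy, pkt: Packet, default: str = "permit") -> str:
    """First matching classifier decides (assumed Comware semantics); else pass."""
    for _name, match, action in policy:
        if match(pkt):
            return action
    return default


def reversed_policy(policy: Policy) -> Policy:
    """Same classes with deny-icmp first, to show why the order in step 4 matters."""
    return list(reversed(policy))
```

With the classes in the page's order, ttl-exceeded to 202.97.0.1 is permitted and all other ttl-exceeded or timestamp-reply packets are dropped, while the reversed order drops even the whitelisted destination. Because the filter is applied inbound on the tunnel, it hides hops from traces that originate on this side of the interface; it does not change what an outside host sees when tracing towards the router.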
Verifying that it works
Before the QoS policy is applied:
[jinan5500-2]trace -a 111.xxx.x.160 101.227.13.208
traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
10.100.10.2 3 ms 2 ms 1 ms
172.16.99.221 21 ms 22 ms 22 ms
10.100.222.13 25 ms 24 ms 25 ms
222.44.86.129 23 ms 22 ms 22 ms
172.16.30.1 22 ms 172.16.30.9 22 ms 172.16.30.1 22 ms
222.44.1.33 23 ms 222.44.1.37 24 ms 222.44.1.33 22 ms
61.237.0.238 22 ms 61.237.0.234 22 ms 61.237.0.238 32 ms
202.97.15.77 27 ms 29 ms 27 ms
202.97.48.209 27 ms 26 ms 27 ms
202.101.63.117 25 ms 26 ms 26 ms
* 101.95.207.18 28 ms *
After the QoS policy is applied (only the first hop, which replies before the tunnel, and the final destination are visible):
[jinan5500-2]trace -a 111.xxx.x.160 101.227.13.208
traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
10.100.10.2 8 ms 3 ms 2 ms
* * *
* * *
* * *
* * *
* * *
* * *
* * *
* * *
* * *
* * *
* * *
* * *
101.227.13.208 31 ms 32 ms 30 ms