rwrr322 posted on 2015-5-18 13:27:17

Blocking traceroute route probing on an H3C router

Principle: block the icmp icmp-type ttl-exceeded packets that come back from the external network to the local side

1. Define the ACLs
Define an ACL that matches icmp icmp-type ttl-exceeded and icmp icmp-type timestamp-reply
acl num 3889
rule 2 permit icmp icmp-type timestamp-reply
rule 3 permit icmp icmp-type ttl-exceeded
Define the permitted destinations; this makes it easy to add specific targets that may still be reached with traceroute
acl number 3888
rule 0 permit ip destination 202.97.0.1 0

2. Define the classifiers
traffic classifier per-icmp operator and
if-match acl 3888
traffic classifier deny-icmp operator and
if-match acl 3889
3. Define the behaviors
traffic behavior per
filter permit
traffic behavior deny
filter deny
4. Define the QoS policy
qos policy icmp
classifier per-icmp behavior per
classifier deny-icmp behavior deny


5. Apply it on the interface
interface Tunnel222
description shttbgp-gu-0423
ip address 172.16.99.222 255.255.255.252
source 10.127.29.1
destination 172.16.99.201
qos apply policy icmp inbound


Test whether it works

Before applying the QoS policy
trace -a 111.xxx.x.160 101.227.13.208
traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
1 10.100.10.2 3 ms 2 ms 1 ms
2 172.16.99.221 21 ms 22 ms 22 ms
3 10.100.222.13 25 ms 24 ms 25 ms
4 222.44.86.129 23 ms 22 ms 22 ms
5 172.16.30.1 22 ms 172.16.30.9 22 ms 172.16.30.1 22 ms
6 222.44.1.33 23 ms 222.44.1.37 24 ms 222.44.1.33 22 ms
7 61.237.0.238 22 ms 61.237.0.234 22 ms 61.237.0.238 32 ms
8 202.97.15.77 27 ms 29 ms 27 ms
9 202.97.48.209 27 ms 26 ms 27 ms
10 202.101.63.117 25 ms 26 ms 26 ms
11 * 101.95.207.18 28 ms *

After applying the QoS policy
trace -a 111.xxx.x.160 101.227.13.208
traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
1 10.100.10.2 8 ms 3 ms 2 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 101.227.13.208 31 ms 32 ms 30 ms
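The following is an added Python model of the policy configured above, not code from the original post or from H3C: it reproduces the ACL, classifier and behavior logic (names and the destination 202.97.0.1 taken from the configuration) to show why the permit classifier must be ordered before the deny classifier, and why the trace above still shows the final hop while every intermediate hop becomes `*`. It assumes first-match-wins evaluation of the classifiers, that every reply enters through the interface carrying the inbound policy, and UDP probes (so the destination answers with port-unreachable); the sample path is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp", "tcp", ...
    dst: str                         # destination address of the inbound packet
    icmp_type: Optional[str] = None  # "ttl-exceeded" (type 11), "timestamp-reply" (type 14), ...

# acl number 3888: destinations that may still be traced
# (rule 0 permit ip destination 202.97.0.1 0)
def acl_3888(p: Packet) -> bool:
    return p.dst == "202.97.0.1"

# acl number 3889: the ICMP replies a traceroute depends on
def acl_3889(p: Packet) -> bool:
    return p.proto == "icmp" and p.icmp_type in ("timestamp-reply", "ttl-exceeded")

# qos policy icmp: (classifier, ACL match, filter action) in configured order.
# Assumption: the first matching classifier decides, so the whitelist must precede the deny.
POLICY: List[Tuple[str, Callable[[Packet], bool], str]] = [
    ("per-icmp", acl_3888, "permit"),   # traffic behavior per  -> filter permit
    ("deny-icmp", acl_3889, "deny"),    # traffic behavior deny -> filter deny
]

def apply_policy(p: Packet, policy=POLICY) -> str:
    """Return the filter action the inbound policy applies to one packet."""
    for _name, match, action in policy:
        if match(p):
            return action
    return "permit"  # no classifier matched: forwarded as usual

def visible_hops(path: List[Tuple[str, str]], tracer_ip: str, policy=POLICY) -> List[str]:
    """Hops a traceroute run from tracer_ip would see behind the policy.

    path lists (router_ip, ICMP reply type): intermediate routers answer
    ttl-exceeded, the final destination answers port-unreachable (UDP probe),
    which ACL 3889 does not match, so the last hop stays visible.
    """
    seen = []
    for hop_ip, reply in path:
        # the reply is addressed to the tracing host, so that is the dst the ACL sees
        verdict = apply_policy(Packet("icmp", tracer_ip, reply), policy)
        seen.append(hop_ip if verdict == "permit" else "*")
    return seen
```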
