802.1x DACL, Per-User ACL, Filter-ID, and Device Tracking Behavior

Contents

Introduction
Theory of device tracking
Device tracking configuration
Device tracking tests
Debugs from version 12.2.33: IP device tracking updated by DHCP snooping
ARP snooping and probes
IP device tracking for version 12.2.55: hidden command
IP device tracking for version 12.2.55: static IP example
IP device tracking for version 15.x
IP device tracking for Cisco IOS XE
IP device tracking with 802.1x and DACL for version 12.2.55
IP device tracking with 802.1x and DACL for version 15.x
  Specific ACL entries: control direction
IP device tracking with 802.1x and per-user ACL for version 15.x
  Differences when compared with DACL
IP device tracking with 802.1x and Filter-ID ACL for version 15.x
IP device tracking: defaults and best practices
Interface ACL rewrite for version 15.x
Default ACL used for 802.1x
Open mode
When the interface ACL is mandatory for DACL on 4500/6500
MAC address state for 802.1x
Troubleshooting
Related information

Introduction

This document describes how the IP device tracking feature works, including what triggers the addition and the removal of a host. It also explains the impact of device tracking on the 802.1x downloadable access control list (DACL). The behavior changes between software versions and platforms.

The second part of the document focuses on the access control lists (ACLs) returned by the authentication, authorization, and accounting (AAA) server and applied to the 802.1x session. A comparison between DACL, per-user ACL, and Filter-ID ACL is presented, together with some caveats regarding ACL rewrite and the default ACL.

Theory of device tracking

Device tracking adds an entry when:

- It learns a new entry through DHCP snooping.
- It learns a new entry through an Address Resolution Protocol (ARP) request (it reads the sender MAC address and the sender IP address from the ARP packet). This function is sometimes called ARP inspection, but it is not the same as Dynamic ARP Inspection (DAI). It is enabled by default and cannot be disabled. It is also called ARP snooping, but the debugs do not show it even after "debug arp snooping" is enabled. ARP snooping is enabled by default and cannot be disabled or controlled.

Device tracking removes an entry when the device does not respond to the ARP request used as a probe (a probe is sent to every host in the tracking table, by default every 30 seconds).

Because the entry is taken from the sender fields of any ARP request, a host on the port populates or refreshes its own entry simply by sending ARP; the static IP example later in this document shows exactly that.

Device tracking configuration

ip dhcp excluded-address 192.168.0.1 192.168.0.240
ip dhcp pool POOL
 network 192.168.0.0 255.255.255.0
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip device tracking
!
interface Vlan1
 ip address 192.168.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.48.66.1
!
interface FastEthernet0/1
 description PC

Device tracking tests

BSNS-3560-1# show ip dhcp binding
IP address       Client-ID/          Lease expiration       Type
                 Hardware address
192.168.0.241    0100.5056.994e.a1   Mar 02 1993 02:31 AM   Automatic

BSNS-3560-1# show ip device tracking all
IP Device Tracking = Enabled
-----------------------------------------------------------------
  IP Address     MAC Address      Interface         STATE
-----------------------------------------------------------------
192.168.0.241    0050.5699.4ea1   FastEthernet0/1   ACTIVE

Debugs from version 12.2.33: IP device tracking updated by DHCP snooping

DHCP snooping populates the binding table:

BSNS-3560-1# show debugging
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on
DHCP server packet debugging is on.
DHCP server event debugging is on.
track:
  IP device-tracking redundancy events debugging is on
  IP device-tracking cache entry Creation debugging is on
  IP device-tracking cache entry Destroy debugging is on
  IP device-tracking cache events debugging is on

02:30:57: DHCP_SNOOPING: checking expired snoop binding entries
02:31:12: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/1 for pak. Was Vl1
02:31:12: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. Was Fa0/1
02:31:12: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/1 for pak. Was Vl1
02:31:12: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
02:31:12: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/1, MAC da: 001f.27e6.cfc0, MAC sa: 0050.5699.4ea1, IP da: 192.168.0.2, IP sa: 192.168.0.241, DHCP ciaddr: 192.168.0.241, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.5699.4ea1
02:31:12: DHCP_SNOOPING: add relay information option.
02:31:12: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
02:31:12: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
02:31:12: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x1 0x1 0x3 0x2 0x8 0x0 0x6 0x0 0x1F 0x27 0xE6 0xCF 0x80
02:31:12: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: 001F.27E6.CFC0, packet is flooded to ingress VLAN: (1)
02:31:12: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
02:31:12: DHCPD: DHCPREQUEST received from client 0100.5056.994e.a1.
02:31:12: DHCPD: Sending DHCPACK to client 0100.5056.994e.a1 (192.168.0.241).
02:31:12: DHCPD: unicasting BOOTREPLY to client 0050.5699.4ea1 (192.168.0.241).
02:31:12: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan1)
02:31:12: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl1, MAC da: 0050.5699.4ea1, MAC sa: 001f.27e6.cfc0, IP da: 192.168.0.241, IP sa: 192.168.0.2, DHCP ciaddr: 192.168.0.241, DHCP yiaddr: 192.168.0.241, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.5699.4ea1
02:31:12: DHCP_SNOOPING: add binding on port FastEthernet0/1.
02:31:12: DHCP_SNOOPING: added entry to table (index 189)
02:31:12: DHCP_SNOOPING: dump binding entry: Mac=00:50:56:99:4E:A1 Ip=192.168.0.241 Lease=86400 ld Type=dhcp-snooping Vlan=1 If=FastEthernet0/1
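The relay information option dumped above can be decoded by hand, but a small decoder makes the two Cisco sub-option formats named in the DHCP_SNOOPING_SW lines (circuit-ID in vlan-mod-port format, remote-ID in MAC address format) explicit. The following Python is an added example written for this page, not Cisco code and not part of the original document; the function names are its own, and the port byte is reported exactly as encoded because the page does not say how that index maps to an interface name on this platform.

```python
"""Decoder for the DHCP relay agent information option (option 82) that
DHCP snooping inserts, as seen in the page's binary dump.

Added example (not Cisco code). It handles the Cisco 'vlan-mod-port'
circuit-ID and 'MAC address' remote-ID sub-option formats named in the
debug output; the names used here are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

# Hex dump copied from the page's debug line ("length: 20 data").
PAGE_DUMP = ("0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x1 0x1 0x3 "
             "0x2 0x8 0x0 0x6 0x0 0x1F 0x27 0xE6 0xCF 0x80")


@dataclass
class RelayAgentInfo:
    vlan: Optional[int] = None
    module: Optional[int] = None
    port: Optional[int] = None        # index as encoded; interface-name mapping is platform specific
    remote_id_mac: Optional[str] = None


def dump_to_bytes(dump: str) -> bytes:
    """Turn the '0x52 0x12 ...' debug dump into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def mac_str(b: bytes) -> str:
    """Six bytes -> IOS dotted form, e.g. 001f.27e6.cf80."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def decode_option82(data: bytes) -> RelayAgentInfo:
    """Parse one option-82 TLV with strict length checks.

    Option 82 is attacker-influenced data when it arrives on an untrusted
    port, so every length is checked before it is used and malformed input
    raises ValueError instead of being read past its end."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("option length exceeds available data")
    info = RelayAgentInfo()
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        sub, sublen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + sublen]
        if len(val) != sublen:
            raise ValueError("sub-option length exceeds option body")
        i += 2 + sublen
        if sub == SUBOPT_CIRCUIT_ID:
            # Cisco vlan-mod-port: type 0, length 4, vlan(2) module(1) port(1)
            if sublen != 6 or val[0] != 0 or val[1] != 4:
                raise ValueError("circuit-id is not in vlan-mod-port format")
            info.vlan = int.from_bytes(val[2:4], "big")
            info.module, info.port = val[4], val[5]
        elif sub == SUBOPT_REMOTE_ID:
            # Cisco MAC address format: type 0, length 6, six MAC bytes
            if sublen != 8 or val[0] != 0 or val[1] != 6:
                raise ValueError("remote-id is not in MAC address format")
            info.remote_id_mac = mac_str(val[2:8])
        # any other sub-option is skipped, not rejected
    return info


def encode_option82(vlan: int, module: int, port: int, mac: str) -> bytes:
    """Inverse of decode_option82 for the two Cisco formats (round-trip check)."""
    cid = bytes([0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])
    rid = bytes([0, 6]) + bytes.fromhex(mac.replace(".", ""))
    body = (bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


if __name__ == "__main__":
    print(decode_option82(dump_to_bytes(PAGE_DUMP)))
```

Run against the page's dump this yields VLAN 1, module 1, port 3 and a remote-ID of 001f.27e6.cf80, an address in the same block as the switch MACs that appear elsewhere in these debugs (001f.27e6.cfc0 on Vlan1). The encoder reproduces the 20-byte dump exactly, which is a cheap way to confirm the field layout was read correctly.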

After the DHCP binding is added to the database, a device tracking notification is triggered:

02:31:12: sw_host_track-ev:host_track_notification: Add event for host 0050.5699.4ea1, 192.168.0.241 on interface FastEthernet0/1
02:31:12: sw_host_track-ev:Async Add event for host 0050.5699.4ea1, 192.168.0.241 on interface FastEthernet0/1
02:31:12: sw_host_track-ev:MSG = 2
02:31:12: DHCP_SNOOPING_SW no entry found for 0050.5699.4ea1 0.0.0.1 FastEthernet0/1
02:31:12: DHCP_SNOOPING_SW host tracking not found for update add dynamic (192.168.0.241, 0.0.0.0, 0050.5699.4ea1) vlan 1
02:31:12: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/1.
02:31:12: sw_host_track-ev:Add event: 0050.5699.4ea1, 192.168.0.241, FastEthernet0/1
02:31:12: sw_host_track-obj_create:0050.5699.4ea1(192.168.0.241) Cache entry created
02:31:12: sw_host_track-ev:Activating host 0050.5699.4ea1, 192.168.0.241 on interface FastEthernet0/1
02:31:12: sw_host_track-ev:0050.5699.4ea1 Starting cache timer: 30 seconds

By default, ARP probes are sent every 30 seconds:

02:41:12: sw_host_track-ev:0050.5699.4ea1 Stopping cache timer
02:41:12: sw_host_track-ev:0050.5699.4ea1: Send Host probe (0)
02:41:12: sw_host_track-ev:0050.5699.4ea1 Starting cache timer: 30 seconds
02:41:42: sw_host_track-ev:0050.5699.4ea1 Stopping cache timer
02:41:42: sw_host_track-ev:0050.5699.4ea1: Send Host probe (1)
02:41:42: sw_host_track-ev:0050.5699.4ea1 Starting cache timer: 30 seconds
02:42:12: sw_host_track-ev:0050.5699.4ea1 Stopping cache timer
02:42:12: sw_host_track-ev:0050.5699.4ea1: Send Host probe (2)
02:42:12: sw_host_track-ev:0050.5699.4ea1 Starting cache timer: 30 seconds
02:42:42: sw_host_track-ev:0050.5699.4ea1 Stopping cache timer
02:42:42: sw_host_track-obj_destroy:0050.5699.4ea1(192.168.0.241): Cache entry deleted
02:42:42: sw_host_track-ev:0050.5699.4ea1 Stopping cache timer

After the entry is removed from the device tracking table, the corresponding DHCP binding is still there:

BSNS-3560-1# show ip device tracking all
IP Device Tracking = Enabled
-----------------------------------------------------------------
  IP Address     MAC Address      Interface         STATE
-----------------------------------------------------------------

BSNS-3560-1# show ip dhcp binding
IP address       Client-ID/          Lease expiration       Type
                 Hardware address
192.168.0.241    0100.5056.994e.a1   Mar 02 1993 03:06 AM   Automatic
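The lifecycle in those debugs (entry created from the DHCP binding, a 30-second cache timer, an ARP probe at each expiry, deletion once the configured number of probes goes unanswered, and a DHCP binding that survives the deletion) can be stated as a small model. The following Python is an added example written for this page, not Cisco code; the class and method names are its own, the 30-second interval and the probe counts are taken from the show and debug output on this page, and it assumes, as the static IP example later on the page shows, that an ARP request or reply from the host refreshes the entry and resets the probe counter.

```python
"""Model of the IP device tracking (IPDT) cache lifecycle shown in the debugs.

Added example (not Cisco code): reproduces create -> probe every 30 s ->
delete after the configured probe count goes unanswered, and shows that
the DHCP snooping binding outlives the tracking entry. Names are this
example's own; PROBE_INTERVAL and the probe counts come from the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PROBE_INTERVAL = 30   # "IP Device Tracking Probe Interval = 30"


@dataclass
class TrackedHost:
    mac: str
    ip: str
    interface: str
    probes_sent: int = 0      # unanswered probes since the last refresh
    timer_expiry: int = 0


@dataclass
class Switch:
    probe_count: int = 3      # 15.x shows 3; the 12.2.55 output shows 2
    ipdt: Dict[Tuple[str, str], TrackedHost] = field(default_factory=dict)
    dhcp_bindings: Dict[str, str] = field(default_factory=dict)  # mac -> ip, owned by DHCP snooping
    log: List[str] = field(default_factory=list)

    def dhcp_binding_added(self, mac: str, ip: str, interface: str, now: int) -> None:
        """DHCP snooping installed a binding; IPDT receives an Add event (MSG = 2)."""
        self.dhcp_bindings[mac] = ip
        self._add_or_refresh(mac, ip, interface, now, "dhcp")

    def arp_seen(self, mac: str, ip: str, interface: str, now: int) -> None:
        """Sender MAC/IP of an ARP request, or a reply to our probe: add or refresh."""
        self._add_or_refresh(mac, ip, interface, now, "arp")

    def _add_or_refresh(self, mac, ip, interface, now, source) -> None:
        key = (mac, ip)
        host = self.ipdt.get(key)
        if host is None:
            host = self.ipdt[key] = TrackedHost(mac, ip, interface)
            self.log.append(f"{now}: {mac}({ip}) Cache entry created [{source}]")
        else:
            self.log.append(f"{now}: {mac}: Cache entry refreshed [{source}]")
        host.probes_sent = 0
        host.timer_expiry = now + PROBE_INTERVAL
        self.log.append(f"{now}: {mac} Starting cache timer: {PROBE_INTERVAL} seconds")

    def tick(self, now: int) -> List[Tuple[str, str]]:
        """Run expired cache timers; returns the hosts probed at this tick."""
        probed = []
        for key, host in list(self.ipdt.items()):
            if now < host.timer_expiry:
                continue
            if host.probes_sent >= self.probe_count:
                del self.ipdt[key]      # the DHCP binding is deliberately left alone
                self.log.append(f"{now}: {host.mac}({host.ip}): Cache entry deleted")
                continue
            self.log.append(f"{now}: {host.mac}: Send Host probe ({host.probes_sent})")
            host.probes_sent += 1
            host.timer_expiry = now + PROBE_INTERVAL
            probed.append(key)
        return probed


def simulate_host_going_silent(probe_count: int = 3, silent_after: int = 600,
                               horizon: int = 900) -> dict:
    """Host learned via DHCP at t=0 answers every probe until `silent_after`,
    then stops. Returns the unanswered probe times and the deletion time."""
    sw = Switch(probe_count=probe_count)
    mac, ip, intf = "0050.5699.4ea1", "192.168.0.241", "FastEthernet0/1"
    sw.dhcp_binding_added(mac, ip, intf, now=0)
    unanswered, deleted_at = [], None
    for t in range(PROBE_INTERVAL, horizon + 1, PROBE_INTERVAL):
        probed = sw.tick(t)
        if (mac, ip) not in sw.ipdt:
            deleted_at = t
            break
        if probed:
            if t <= silent_after:
                sw.arp_seen(mac, ip, intf, t)   # the reply refreshes the entry
            else:
                unanswered.append(t)
    return {"unanswered_probes": unanswered, "deleted_at": deleted_at,
            "dhcp_binding_kept": sw.dhcp_bindings.get(mac) == ip,
            "entries_left": len(sw.ipdt), "log": sw.log}


if __name__ == "__main__":
    print("\n".join(simulate_host_going_silent()["log"][-8:]))
```

With probe_count=3 the model sends probes 30 seconds apart once the host stops answering and deletes the entry at the fourth expiry, the same +0/+30/+60/deleted-at-+90 pattern as the 02:41:12 to 02:42:42 lines above; with probe_count=2 (the value the 12.2.55 output later shows) the deletion comes one interval earlier. The DHCP snooping binding is untouched in both cases, which is why `show ip dhcp binding` still lists the host after the tracking entry is gone.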

There is a problem when an ARP response is received but the device tracking entry is deleted anyway. The bug appears to be present in the 12.2.33 software and does not appear in 12.2.55 or 15.x. There are also some differences between the handling of L2 ports (access ports) and L3 ports (no switchport).

ARP snooping and probes

Device tracking with the ARP snooping function:

BSNS-3560-1# show debugging
ARP:
  ARP packet debugging is on
Arp Snoop:
  Arp Snooping debugging is on

03:43:36: sw_host_track-ev:0050.5699.4ea1 Stopping cache timer
03:43:36: sw_host_track-ev:0050.5699.4ea1: Send Host probe (0)
03:43:36: IP ARP: sent req src 0.0.0.0 001f.27e6.cf83, dst 192.168.0.241 0050.5699.4ea1 FastEthernet0/1
03:43:36: sw_host_track-ev:0050.5699.4ea1 Starting cache timer: 30 seconds
03:43:36: IP ARP: rcvd rep src 192.168.0.241 0050.5699.4ea1, dst 0.0.0.0 Vlan1

Note that the probe is a unicast ARP request sent to the host's MAC address with a sender IP address of 0.0.0.0, and that the reply arrives on Vlan1.

IP device tracking for version 12.2.55: hidden command

For version 12.2 it might be necessary to use a hidden command in order to activate tracking on an interface:

BSNS-3560-1# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 2
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address      Vlan   Interface          STATE
-----------------------------------------------------------------------
192.168.0.244    0050.5699.4ea1   55     FastEthernet0/1    ACTIVE
Total number interfaces enabled: 1
Enabled interfaces:
  Fa0/1

BSNS-3560-1# ip device tracking interface fa0/48
BSNS-3560-1# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 2
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address      Vlan   Interface          STATE
-----------------------------------------------------------------------
10.48.67.87      000c.2978.825d   1006   FastEthernet0/48   ACTIVE
10.48.67.31      020a.dada.dada   1006   FastEthernet0/48   ACTIVE
10.48.66.245     acf2.c5ed.8171   1006   FastEthernet0/48   ACTIVE
192.168.0.244    0050.5699.4ea1   55     FastEthernet0/1    ACTIVE
10.48.66.193     000c.2997.4ca1   1006   FastEthernet0/48   ACTIVE
10.48.66.186     0050.5699.3431   1006   FastEthernet0/48   ACTIVE
Total number interfaces enabled: 2
Enabled interfaces:
  Fa0/1, Fa0/48

IP device tracking for version 12.2.55: static IP example

In this example the PC is configured with a static IP address. The debugs show that after the ARP response is received (MSG = 2) the device tracking entry is refreshed:

01:03:16: sw_host_track-ev:0050.5699.4ea1 Stopping cache timer
01:03:16: sw_host_track-ev:0050.5699.4ea1: Send Host probe (0)
01:03:16: sw_host_track-ev:0050.5699.4ea1 Starting cache timer: 30 seconds
01:03:16: sw_host_track-ev:host_track_notification: Add event for host 0050.5699.4ea1, 192.168.0.241 on interface FastEthernet0/1, vlan 1
01:03:16: sw_host_track-ev:Async Add event for host 0050.5699.4ea1, 192.168.0.241 on interface FastEthernet0/1
01:03:16: sw_host_track-ev:MSG = 2
01:03:16: sw_host_track-ev:Add event: 0050.5699.4ea1, 192.168.0.241, FastEthernet0/1
01:03:16: sw_host_track-ev:0050.5699.4ea1: Cache entry refreshed
01:03:16: sw_host_track-ev:Activating host 0050.5699.4ea1, 192.168.0.241 on interface FastEthernet0/1
01:03:16: sw_host_track-ev:0050.5699.4ea1 Starting cache timer: 30 seconds

So every ARP request from the PC updates the device tracking table (the sender MAC address and sender IP address are read from the ARP packet).

IP device tracking for version 15.x

Remember that the LAN Lite version does not support some features, such as DACL for 802.1x (be careful: Cisco Feature Navigator does not always show the correct information). The hidden command from version 12.2 can be executed, but it has no effect. In software version 15.x, IP device tracking (IPDT) is enabled by default only on interfaces that have 802.1x enabled:

bsns-3750-5# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
--------------------------------------------------------------------------
  IP Address     MAC Address      Vlan   Interface              STATE
--------------------------------------------------------------------------
192.168.10.12    0007.5032.6941   100    GigabitEthernet1/0/1   ACTIVE
192.168.2.200    000c.29d7.0617   1      GigabitEthernet1/0/1   ACTIVE
Total number interfaces enabled: 2
Enabled interfaces:
  Gi1/0/1, Gi1/0/2

bsns-3750-5# show run int g1/0/3
Building configuration...

Current configuration : 38 bytes
!
interface GigabitEthernet1/0/3
end

bsns-3750-5(config)# int g1/0/3
bsns-3750-5(config-if)# switchport mode access
bsns-3750-5(config-if)# authentication port-control auto
bsns-3750-5(config-if)# do show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
--------------------------------------------------------------------------
  IP Address     MAC Address      Vlan   Interface              STATE
--------------------------------------------------------------------------
192.168.10.12    0007.5032.6941   100    GigabitEthernet1/0/1   ACTIVE
192.168.2.200    000c.29d7.0617   1      GigabitEthernet1/0/1   ACTIVE
Total number interfaces enabled: 3
Enabled interfaces:
  Gi1/0/1, Gi1/0/2, Gi1/0/3

After the 802.1x configuration is removed from the port, IPDT is removed from that port as well. The port state may be DOWN, so both "switchport mode access" and "authentication port-control auto" are required in order to have IP device tracking activated on that port. The maximum number of devices per interface is limited to 10:

bsns-3750-5(config-if)# ip device tracking maximum ?
  <1-10>  Maximum devices

IP device tracking for Cisco IOS XE

Again, the behavior changes in Cisco IOS XE 3.3 when compared with Cisco IOS version 15.x. The hidden command from version 12.2 is obsolete, and this error is now returned:

3850-1# no ip device tracking int g1/0/48
% Command accepted but obsolete, unreleased or unsupported; see documentation.

In Cisco IOS XE, device tracking is activated on all interfaces, including those without 802.1x configured:

3850-1# show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
---------------------------------------------------------------------------------------------------------
  IP Address     MAC Address      Vlan   Interface               Probe-Timeout   State      Source
---------------------------------------------------------------------------------------------------------
10.48.39.29      000c.29bd.3cfa   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.28      0016.9dca.e4a7   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.76.117     0021.a0ff.5540   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.21      00c0.9f87.7471   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.16      0050.5699.1093   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.76.191.247    0024.9769.58cf   20     GigabitEthernet1/0/48   30              ACTIVE     ARP
192.168.99.4     d48c.b52f.4a1e   99     GigabitEthernet1/0/12   30              INACTIVE   ARP
10.48.39.13      000c.296e.8dbc   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.15      0050.5699.128d   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.9       0012.da20.8c00   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.8       6c20.560e.1b64   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.11      000c.29e9.db25   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.5       0014.f15f.f7ca   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.4       000c.2972.57bc   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.7       5475.d029.74cf   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.76.108     001c.58de.9340   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.1       0006.f62a.c4a3   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.3       0050.5699.1bee   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.76.84      0015.58c5.e8b7   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.56      0015.fa13.9a40   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.59      0050.5699.1bf4   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
10.48.39.58      000c.2957.c7ad   1      GigabitEthernet1/0/48   30              ACTIVE     ARP
Total number interfaces enabled: 57
Enabled interfaces:
  Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7,
  Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14,
  Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21,
  Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28,
  Gi1/0/29, Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/35,
  Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42,
  Gi1/0/43, Gi1/0/44, Gi1/0/45, Gi1/0/46, Gi1/0/47, Gi1/0/48, Gi1/1/1,
  Gi1/1/2, Gi1/1/3, Gi1/1/4, Te1/1/1, Te1/1/2, Te1/1/3, Te1/1/4

3850-1# sh run int g1/0/48
Building configuration...

Current configuration : 39 bytes
!
interface GigabitEthernet1/0/48
end

3850-1(config-if)# ip device tracking maximum ?
  Maximum devices (0 means disabled)

Also, there is no limit on the maximum number of entries per port (0 means disabled).
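The three output layouts shown so far (12.2.33 without a Vlan column, 12.2.55 and 15.x with Vlan, IOS XE with Probe-Timeout, State and Source columns) differ enough that a script keyed to one of them breaks on the next. The following Python is an added example written for this page, not Cisco code and not a tool the page mentions: it parses all three layouts by reading the column header instead of assuming positions, normalizes interface names to the short form used in the "Enabled interfaces" list, and reports interfaces on which tracking is enabled but no ACTIVE host exists, which on an 802.1x port authorized with a DACL is the condition where the switch has no tracked IP to put into the ACL. The sample outputs are shortened copies of the ones on this page; nothing here talks to a switch.

```python
"""Parser for 'show ip device tracking all' across the IOS and IOS XE
layouts shown on this page (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi",
          "FastEthernet": "Fa", "Vlan": "Vl"}


def short_name(ifname: str) -> str:
    """'GigabitEthernet1/0/48' -> 'Gi1/0/48'; already-short names pass through."""
    for long, short in _SHORT.items():
        if ifname.startswith(long):
            return short + ifname[len(long):]
    return ifname


@dataclass
class TrackingEntry:
    ip: str
    mac: str
    interface: str                     # always short form
    state: str                         # ACTIVE / INACTIVE
    vlan: Optional[int] = None         # absent in the 12.2.33 layout
    probe_timeout: Optional[int] = None  # IOS XE only
    source: Optional[str] = None       # IOS XE only (ARP, DHCP, ...)


@dataclass
class TrackingTable:
    probe_count: Optional[int] = None
    probe_interval: Optional[int] = None
    entries: List[TrackingEntry] = field(default_factory=list)
    enabled_interfaces: List[str] = field(default_factory=list)


def parse_show_ip_device_tracking(text: str) -> TrackingTable:
    table, columns, in_enabled = TrackingTable(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue
        m = re.match(r"(?:Global )?IP Device Tracking Probe (Count|Interval) = (\d+)", line)
        if m:
            attr = "probe_count" if m.group(1) == "Count" else "probe_interval"
            setattr(table, attr, int(m.group(2)))
            continue
        if line.startswith("Enabled interfaces"):
            in_enabled = True          # the list follows and may wrap over several lines
            continue
        if in_enabled:
            table.enabled_interfaces += [n.strip() for n in line.split(",") if n.strip()]
            continue
        if "IP Address" in line and "MAC Address" in line:
            # Column header: glue the two-word names so one split token equals one column.
            columns = re.sub(r"(IP|MAC) Address", r"\1Address", line).lower().split()
            continue
        if columns is None or line.startswith("Total number"):
            continue
        fields = line.split()
        if len(fields) != len(columns):
            continue                    # not an entry row
        rec = dict(zip(columns, fields))
        table.entries.append(TrackingEntry(
            ip=rec["ipaddress"], mac=rec["macaddress"],
            interface=short_name(rec["interface"]), state=rec["state"].upper(),
            vlan=int(rec["vlan"]) if "vlan" in rec else None,
            probe_timeout=int(rec["probe-timeout"]) if "probe-timeout" in rec else None,
            source=rec.get("source")))
    return table


def enabled_without_active_host(table: TrackingTable) -> List[str]:
    """Interfaces with IPDT enabled but no ACTIVE entry: on an 802.1x port
    authorized with a DACL, the switch has no tracked IP to populate it with."""
    active = {e.interface for e in table.entries if e.state == "ACTIVE"}
    return [i for i in table.enabled_interfaces if i not in active]


# Shortened copies of this page's outputs (constructed samples).
SAMPLE_12_2_55 = """
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 2
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address      Vlan   Interface          STATE
-----------------------------------------------------------------------
192.168.0.244    0050.5699.4ea1   55     FastEthernet0/1    ACTIVE
10.48.67.87      000c.2978.825d   1006   FastEthernet0/48   ACTIVE
Total number interfaces enabled: 2
Enabled interfaces:
  Fa0/1, Fa0/48
"""
SAMPLE_IOS_XE = """
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
----------------------------------------------------------------------------------------------
  IP Address   MAC Address      Vlan  Interface               Probe-Timeout  State     Source
----------------------------------------------------------------------------------------------
10.48.39.29    000c.29bd.3cfa   1     GigabitEthernet1/0/48   30             ACTIVE    ARP
192.168.99.4   d48c.b52f.4a1e   99    GigabitEthernet1/0/12   30             INACTIVE  ARP
Total number interfaces enabled: 4
Enabled interfaces:
  Gi1/0/1, Gi1/0/2, Gi1/0/12,
  Gi1/0/48
"""

if __name__ == "__main__":
    for sample in (SAMPLE_12_2_55, SAMPLE_IOS_XE):
        t = parse_show_ip_device_tracking(sample)
        print(len(t.entries), "entries;", "no active host on:", enabled_without_active_host(t))
```

On the IOS XE sample the check returns Gi1/0/1, Gi1/0/2 and Gi1/0/12: the first two have tracking enabled with no entry at all, and Gi1/0/12 only has an INACTIVE one. On a Catalyst running 15.x, where tracking is enabled only on 802.1x ports, the same list is exactly the set of authenticating ports whose DACL could not be populated with a client IP.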

IP device tracking with 802.1x and DACL for version 12.2.55

If 802.1x is configured with a DACL, the device tracking entry is used to populate the device's IP address. This example shows device tracking working for a statically configured IP:

BSNS-3560-1# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 2
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address      Vlan   Interface          STATE
-----------------------------------------------------------------------
192.168.0.244    0050.5699.4ea1   2      FastEthernet0/1    ACTIVE
Total number interfaces enabled: 1
Enabled interfaces:
  Fa0/1

This is the 802.1x session built with a "permit icmp any any" DACL:

BSNS-3560-1# sh authentication sessions interface fa0/1
            Interface:  FastEthernet0/1
          MAC Address:  0050.5699.4ea1
           IP Address:  192.168.0.244
            User-Name:  cisco
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:
