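XS3700 SNMP Config Question

My XS3700 configuration file contains the following four SNMP-related lines, and I'm not sure what they are for. Could you explain them? Thank you.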

classifier "snmp securityip" destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp 

classifier "snmp securityip24" destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp 

policy snmpsecurityip classifier "snmp securityip" egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward 

policy snmpsecurityip24 classifier "snmp securityip24" egress-port 24 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward

In addition, there are these two DHCP relay lines:

dhcp relay 1 helper-address 163.19.149.38  

dhcp relay 1 source-address 120.104.77.254

All Replies

  • Zyxel_Derrick Zyxel Official Agent Posts: 51  mod
    edited January 30, 2020 3:20PM

    Hi KBWang


    The settings you mentioned are ACL settings.

    One classifier paired with one policy rule equals one ACL.

    Taking your configuration as an example, from the classifier name "snmp securityip" we can tell that

    classifier "snmp securityip" destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp

    is paired with

    policy snmpsecurityip classifier "snmp securityip" egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward 

    Whenever an incoming packet hits the classifier settings, that is, matches your configured "destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp", the switch checks what the configured policy is, namely egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward, and takes the next action accordingly. The same applies to the other pair.

    dhcp relay 1 helper-address 163.19.149.38 means that when the client and server are in different domains, DHCP packets are relayed to the server at this IP.

    dhcp relay 1 source-address 120.104.77.254 means that when there are multiple IP interfaces, DHCP packets are sent from this IP to request an IP address.


    Best regards

    Zyxel_Derrick

  • Zyxel_Derrick Zyxel Official Agent Posts: 51  mod
    edited January 30, 2020 5:42PM

    A supplementary note:

    Taking the first set of config mentioned above as an example

    classifier "snmp securityip" destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp 

    policy snmpsecurityip classifier "snmp securityip" egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward 

    If an incoming packet matches destination socket 161, a source IP in the IPv6 range 2001:288:0000::1 prefix-length 128, and ipv6-next-header udp, the policy "Send the packet to the egress port" is applied to that packet; according to your configuration, the packet is sent to port 1.


    Taking the second set of config as an example

    classifier "snmp securityip24" destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp 

    policy snmpsecurityip24 classifier "snmp securityip24" egress-port 24 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward

    If an incoming packet matches destination socket 161, a source IP in the IPv6 range 2001:288:0000::1 prefix-length 128, and ipv6-next-header udp, the policy "Send the packet to the egress port" is applied to that packet; according to your configuration, the packet is sent to port 24.


    Because the two classifiers have identical conditions, only the one with the longer name is executed, that is, the second set of config is executed. Therefore, packets that match the conditions are sent to port 24.


    Best regards,

    Zyxel_Derrick
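
The following is an added example, not part of the thread and not Zyxel code: a small Python audit that parses the classifier/policy lines quoted above, reports classifiers whose match conditions are identical (so one rule shadows the other), and resolves a sample packet. It assumes the "longer name wins" tie-break exactly as stated in the reply; the function names and the packet tuple layout are hypothetical.

```python
import ipaddress
import shlex

# Constructed input: the classifier/policy lines quoted in the thread.
CONFIG = """\
classifier "snmp securityip" destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp
classifier "snmp securityip24" destination-socket 161 ipv6-source-ip 2001:288:0000::1 prefix-length 128 ipv6-next-header udp
policy snmpsecurityip classifier "snmp securityip" egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward
policy snmpsecurityip24 classifier "snmp securityip24" egress-port 24 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action forward outgoing-eport out-of-profile-action forward
"""

def parse(config):
    """Return ({classifier: (dst_port, src_net, next_header)}, {classifier: egress_port})."""
    classifiers, policies = {}, {}
    for line in config.splitlines():
        t = shlex.split(line)  # keeps quoted names such as "snmp securityip" intact
        if not t:
            continue
        if t[0] == "classifier":
            kv = dict(zip(t[2::2], t[3::2]))  # classifier options are key/value pairs
            net = ipaddress.ip_network(
                f'{kv["ipv6-source-ip"]}/{kv["prefix-length"]}', strict=False)
            classifiers[t[1]] = (int(kv["destination-socket"]), net, kv["ipv6-next-header"])
        elif t[0] == "policy":
            # Policy lines contain a valueless flag (outgoing-eport), so look up by keyword.
            policies[t[t.index("classifier") + 1]] = int(t[t.index("egress-port") + 1])
    return classifiers, policies

def shadowed(classifiers):
    """Groups of classifier names that share exactly the same match conditions."""
    groups = {}
    for name, cond in classifiers.items():
        groups.setdefault(cond, []).append(name)
    return [names for names in groups.values() if len(names) > 1]

def egress_port(pkt, classifiers, policies):
    """pkt = (src_ip, next_header, dst_port). Tie-break by longest name (assumption from the reply)."""
    src = ipaddress.ip_address(pkt[0])
    hits = [n for n, (port, net, proto) in classifiers.items()
            if n in policies and pkt[2] == port and pkt[1] == proto and src in net]
    return policies[max(hits, key=len)] if hits else None

if __name__ == "__main__":
    cls, pol = parse(CONFIG)
    print("identical match conditions:", shadowed(cls))
    print("egress port:", egress_port(("2001:288::1", "udp", 161), cls, pol))
```
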
