原理:禁止从外网回到本地的 icmp icmp-type ttl-exceeded 数据包
1、定义ACL
定义ACL抓取 icmp icmp-type ttl-exceeded 和icmp icmp-type timestamp-reply
acl num 3889
rule 2 permit icmp icmp-type timestamp-reply
rule 3 permit icmp icmp-type ttl-exceeded
定义允许的目标,这样可以灵活增加某些目标可以实现traceroute
acl number 3888
rule 0 permit ip destination 202.97.0.1 0
2、定义classifier
traffic classifier per-icmp operator and
if-match acl 3888
traffic classifier deny-icmp operator and
if-match acl 3889
3、定义behavior
traffic behavior per
filter permit
traffic behavior deny
filter deny
4、定义qos policy
qos policy icmp
classifier per-icmp behavior per
classifier deny-icmp behavior deny
5、在接口下应用
interface Tunnel222
description shttbgp-gu-0423
ip address 172.16.99.222 255.255.255.252
source 10.127.29.1
destination 172.16.99.201
qos apply policy icmp inbound
测试是否成功
未应用QOS前
[jinan5500-2]trace -a 111.xxx.x.160 101.227.13.208
traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
1 10.100.10.2 3 ms 2 ms 1 ms
2 172.16.99.221 21 ms 22 ms 22 ms
3 10.100.222.13 25 ms 24 ms 25 ms
4 222.44.86.129 23 ms 22 ms 22 ms
5 172.16.30.1 22 ms 172.16.30.9 22 ms 172.16.30.1 22 ms
6 222.44.1.33 23 ms 222.44.1.37 24 ms 222.44.1.33 22 ms
7 61.237.0.238 22 ms 61.237.0.234 22 ms 61.237.0.238 32 ms
8 202.97.15.77 27 ms 29 ms 27 ms
9 202.97.48.209 27 ms 26 ms 27 ms
10 202.101.63.117 25 ms 26 ms 26 ms
11 * 101.95.207.18 28 ms *
应用QOS后
[jinan5500-2]trace -a 111.xxx.x.160 101.227.13.208
traceroute to 101.227.13.208(101.227.13.208) 30 hops max,40 bytes packet, press CTRL_C to break
1 10.100.10.2 8 ms 3 ms 2 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 101.227.13.208 31 ms 32 ms 30 ms