Jason
Share your feedback through our survey, make your voice heard, and win a
WiFi 7 AP! https://bit.ly/2024_Survey_Community
GS2210: restricting a port to allow only time synchronization (NTP)
I configured two classifiers and policy rules as follows:
classifier match-order manual
classifier AI-NTP weight 32700 source-port 31 ip-protocol udp source-ip 172.32.24.0 mask-bits 24 source-socket 123 destination-ip 172.32.22.1 mask-bits 32 count
classifier AI-Other weight 30000 source-port 31 count
policy AI-Deny-Other classifier AI-Other vlan 1 egress-port 1 priority 0 bandwidth 0 forward-action drop
policy AI-NTP classifier AI-NTP vlan 1 egress-port 1 priority 0 bandwidth 0
Looking at the classifier status, only classifier AI-Other has a count; the count for classifier AI-NTP is always 0.
But I clearly configured classifier match-order manual and gave classifier AI-NTP a weight greater than AI-Other's. Could the experts here tell me what is wrong with the commands above?
All Replies
Hi @ysfan,
Welcome to Zyxel community!
classifier AI-NTP weight 32700 source-port 31 ip-protocol udp source-ip 172.32.24.0 mask-bits 24 source-socket 123 destination-ip 172.32.22.1 mask-bits 32 count
This entry appears to set source-socket=123; please change it to destination-socket=123 and try again,
because NTP packets sent from the client should have destination socket=123.
The final configuration should look like this:
classifier AI-NTP weight 32700 source-port 31 ip-protocol udp source-ip 172.32.24.0 mask-bits 24 destination-ip 172.32.22.1 mask-bits 32 destination-socket 123 count
Hope it helps.
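To make the point about match order and socket direction concrete, here is an added example (my own Python model, not Zyxel firmware code) that evaluates the two classifiers from the question by descending weight against a constructed client NTP request; the packet fields and the "highest weight first, first hit wins" evaluation model are assumptions.

```python
# Added example (not Zyxel's code): a model of manual match-order evaluation,
# highest weight first, first hit wins. It shows why `source-socket 123` misses
# a client NTP request (ephemeral source port, destination port 123) while
# `destination-socket 123` matches it. Packet values are constructed.
import ipaddress

def parse_classifier(line):
    # Parse the thread's `classifier NAME weight W key value ... count` syntax.
    tok = line.split()
    c, i, prev = {"name": tok[1]}, 2, None
    while i < len(tok):
        key = tok[i]
        if key == "count":           # counter flag, takes no value
            i += 1
            continue
        if key == "mask-bits":       # belongs to the preceding *-ip key
            c[prev + "-mask"] = int(tok[i + 1])
        else:
            c[key], prev = tok[i + 1], key
        i += 2
    return c

def in_net(addr, net, bits):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{bits}", strict=False)

def matches(c, pkt):
    # True only if every criterion present in classifier c matches the packet.
    checks = {
        "source-port": lambda v: pkt["in_port"] == int(v),
        "ip-protocol": lambda v: pkt["proto"] == v,
        "source-socket": lambda v: pkt["sport"] == int(v),
        "destination-socket": lambda v: pkt["dport"] == int(v),
        "source-ip": lambda v: in_net(pkt["src"], v, c.get("source-ip-mask", 32)),
        "destination-ip": lambda v: in_net(pkt["dst"], v, c.get("destination-ip-mask", 32)),
    }
    return all(chk(c[k]) for k, chk in checks.items() if k in c)

def first_match(classifiers, pkt):
    # Manual match order: try classifiers by descending weight, return the first hit.
    for c in sorted(classifiers, key=lambda c: -int(c["weight"])):
        if matches(c, pkt):
            return c["name"]
    return None

# Constructed NTP request as a client on port 31 would emit it (sport is ephemeral).
NTP_REQ = {"in_port": 31, "proto": "udp", "src": "172.32.24.10", "sport": 51234,
           "dst": "172.32.22.1", "dport": 123}
OTHER = "classifier AI-Other weight 30000 source-port 31 count"
AS_POSTED = [parse_classifier("classifier AI-NTP weight 32700 source-port 31 ip-protocol udp "
             "source-ip 172.32.24.0 mask-bits 24 source-socket 123 destination-ip 172.32.22.1 "
             "mask-bits 32 count"), parse_classifier(OTHER)]
CORRECTED = [parse_classifier("classifier AI-NTP weight 32700 source-port 31 ip-protocol udp "
             "source-ip 172.32.24.0 mask-bits 24 destination-ip 172.32.22.1 mask-bits 32 "
             "destination-socket 123 count"), parse_classifier(OTHER)]
```

With the posted rules the request falls through to AI-Other (the drop policy); with the corrected rule it hits AI-NTP first.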
Actually I have tried both destination-socket 123 and source-socket 123, and neither works. I ran w32tm /resync on the device on port 31, but the count for classifier AI-NTP stays at 0.
Besides the weight, what other factors determine the order in which the classifiers above are executed? If I set the policy rule that applies AI-Other to inactive, the AI-NTP match count gets a value, which shows that even though AI-NTP's weight is higher than AI-Other's, AI-Other is still executed first. What is the reason? Any advice would be appreciated, thanks!
Hi @ysfan,
Please double-check which NTP server IP is configured on the device on port 31. Is it 172.32.22.1?
If the device on port 31 is a PC, the Windows default NTP server should be time.windows.com,
whose IP is 20.189.79.72.
Then set this IP as the classifier's destination IP.
If your PC is domain-joined and managed by the company, I suggest installing Wireshark to capture packets on the PC
and checking the actual destination IP in the packets the PC sends when running w32tm /resync.
Another option is to not set a destination IP (=Any), i.e. not restrict the NTP server and directly allow all NTP packets.
The configuration would look like this:
classifier AI-NTP weight 32700 source-port 24 ip-protocol udp source-ip 172.32.24.0 mask-bits 24 destination-socket 123 count
Hope it helps.
Jason
Hi Jason
Thank you for your reply. I have already used w32tm /config /update /manualpeerlist to specify 172.31.22.1, and resync works while the deny rule is inactive, but as soon as the deny policy is active it can no longer resync. I also tested your method 2, and it still fails without specifying a destination IP. So I suspect the GS2210 may not execute the policy rules in order of weight (or that the weight is ineffective under some condition).
Hi @ysfan,
I tested the configuration you posted above on a GS2210 I have on hand,
but I did not see the problem you describe
(my AI-NTP count increases normally).
I will send you a private message to ask for the complete GS2210 config and your NTP packets, and test again on my side.
Thanks.
Jason
Hi @ysfan,
Thanks, I have received your private message.
Regarding the Wireshark operation, I have listed the steps for you below:
1. Open Wireshark, select the network interface and start capturing
2. Type "ntp" in the filter bar at the top to filter
3. Run the NTP resync on the PC
4. Once you see the NTP packets, click the stop button in the upper-left corner to stop capturing
5. Select the NTP packet (it should be highlighted), then go to File > Export Specific packet
Below is a video I found online for your reference:
How to export a specific Packet on Wireshark - YouTube
Hope this helps!
Jason
Hi @Jason:
I have followed your instructions and sent you the captured packet file.