Perform the following steps on the ESX host to troubleshoot NSX DFW (Distributed Firewall) data path problems.
Get the list of VMs and their associated filter names on the ESXi host
This lists every VM on the ESXi host. Note the value of the "name:" field for the VM you are investigating and pass it to the subsequent commands to get the output relevant to that VM.
[root@esxcomp-2a:~] summarize-dvfilter | grep -A 3 vmm
world 1371516 vmm0:PROD-MRS-DB-01 vcUuid:'50 20 92 e1 11 b7 10 d3-56 c5 e0 da 46 87 b5 d2'
 port 67108881 PROD-MRS-DB-01.eth0
  vNic slot 2
   name: nic-1371516-eth0-vmware-sfw.2
--
world 1622816 vmm0:DEV-MRS-DB-01 vcUuid:'50 2d f3 a3 96 a4 f4 94-6e 55 84 85 c1 bd 05 2c'
 port 67108883 DEV-MRS-DB-01.eth0
  vNic slot 2
   name: nic-1622816-eth0-vmware-sfw.2
--
world 7014985 vmm0:PROD-MRS-APP-01 vcUuid:'50 20 9b 5f cd b7 43 de-ab bb 8d 0e f5 bb ca 99'
 port 67108895 PROD-MRS-APP-01.eth0
  vNic slot 2
   name: nic-7014985-eth0-vmware-sfw.2
--
world 7022287 vmm0:PROD-MRS-APP-02 vcUuid:'50 20 4a 44 17 fb 21 cf-fb 62 1e a3 d0 3c 7d cf'
 port 67108896 PROD-MRS-APP-02.eth0
  vNic slot 2
   name: nic-7022287-eth0-vmware-sfw.2
[root@esxcomp-2a:~]
Get the firewall rules applied to a VM
Use the filter name associated with the VM in the output above to get every firewall rule applied to that VM's vNIC.
[root@esxcomp-2a:~] vsipioctl getrules -f nic-7014985-eth0-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # PRE_FILTER rules
  rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
  rule 5133 at 2 inout protocol any from any to any accept with log tag 'ipv6-app-deny-default';
  rule 5132 at 3 inout inet protocol icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5132 at 4 inout inet protocol tcp strict from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 port 22 accept with log tag 'icmp-test';
  rule 5132 at 5 inout inet protocol ipv6-icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5130 at 6 inout inet protocol icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  rule 5130 at 7 inout inet protocol ipv6-icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  # FILTER (APP Category) rules
  rule 5102 at 1 inout protocol any from addrset rsrc5102 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5126 at 2 in protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5127 at 3 out protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5128 at 4 out protocol any from addrset rsrc5128 to addrset rdst5128 accept;
  rule 5129 at 5 in protocol any from addrset rsrc5128 to addrset 98abd76f-351b-4a4a-857f-1d91416b0798 accept;
  rule 5103 at 6 in protocol any from addrset rsrc5128 to addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 accept;
  rule 5135 at 7 inout protocol any from any to any with attribute profile acf76e7d-400b-438b-966f-8d5c10bebbda accept;
  rule 5135 at 8 inout protocol any from any to any with attribute profile 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 accept;
  rule 5124 at 9 inout protocol any from any to any with attribute profile 8774c654-0f9e-43ad-a803-4aa720e590cf accept;
  rule 5123 at 10 inout protocol any from any to any with attribute profile 13e599b5-dd2d-420f-8473-9d45f0d324ac accept;
  rule 5125 at 11 inout protocol any from any to any with attribute profile e4be8d7e-e4ab-4466-8f2e-998445ead95d accept;
  rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
}
ruleset mainrs_L2 {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # FILTER rules
  rule 1 at 1 inout ethertype any stateless from any to any accept;
}
[root@esxcomp-2a:~]
Get per-rule firewall statistics for a VM vNIC
Add "-s" to the command above to get the firewall statistics associated with the VM's firewall rules.
[root@esxcomp-2a:~] vsipioctl getrules -f nic-7014985-eth0-vmware-sfw.2 -s
ruleset mainrs {
  # PRE_FILTER rules
  rule 5134 at 1, 68 evals, 68 hits, 68 sessions, in 1120 out 1120 pkts, in 113952 out 114184 bytes
  rule 5133 at 2, 24 evals, 24 hits, 24 sessions, in 16 out 8 pkts, in 896 out 768 bytes
  rule 5132 at 3, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5132 at 4, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5132 at 5, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5130 at 6, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5130 at 7, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  # FILTER (APP Category) rules
  rule 5102 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5126 at 2, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5127 at 3, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5128 at 4, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5129 at 5, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5103 at 6, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5135 at 7, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5135 at 8, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5124 at 9, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5123 at 10, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5125 at 11, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 2 at 12, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
ruleset mainrs_L2 {
  # FILTER rules
  rule 1 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
[root@esxcomp-2a:~]
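When a host has many filters, reading these counters by eye is slow. The following Python is an added example (not part of this page and not VMware code) that parses a saved copy of the "getrules -s" output and answers the usual troubleshooting questions: which rules actually matched traffic, which were evaluated but never matched (so traffic fell through past them), and whether any traffic reached a given section. The sample text is a constructed, shortened copy of the output above; run the script against a file captured on the host with the same command.

```python
import re

# Constructed sample: a shortened copy of the "vsipioctl getrules -f <filter> -s"
# output shown above (same line format, fewer rules).
SAMPLE_STATS = """\
ruleset mainrs {
  # PRE_FILTER rules
  rule 5134 at 1, 68 evals, 68 hits, 68 sessions, in 1120 out 1120 pkts, in 113952 out 114184 bytes
  rule 5133 at 2, 24 evals, 24 hits, 24 sessions, in 16 out 8 pkts, in 896 out 768 bytes
  rule 5132 at 3, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  # FILTER (APP Category) rules
  rule 5102 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 5135 at 7, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  rule 2 at 12, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
ruleset mainrs_L2 {
  # FILTER rules
  rule 1 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
"""

# One stats line:
# "rule <id> at <pos>, <n> evals, <n> hits, <n> sessions, in <n> out <n> pkts, in <n> out <n> bytes"
STAT_RE = re.compile(
    r"rule (?P<rule>\d+) at (?P<pos>\d+), (?P<evals>\d+) evals, (?P<hits>\d+) hits, "
    r"(?P<sessions>\d+) sessions, in (?P<pkts_in>\d+) out (?P<pkts_out>\d+) pkts, "
    r"in (?P<bytes_in>\d+) out (?P<bytes_out>\d+) bytes"
)


def parse_rule_stats(text):
    """Return one dict per rule line, tagged with the ruleset and section it sits in."""
    rows = []
    ruleset = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ruleset "):
            ruleset = line.split()[1]
            section = None
        elif line.startswith("#"):
            # "# PRE_FILTER rules" -> "PRE_FILTER"
            section = line.lstrip("# ")
            if section.endswith(" rules"):
                section = section[: -len(" rules")]
        else:
            m = STAT_RE.match(line)
            if m:
                row = {k: int(v) for k, v in m.groupdict().items()}
                row.update(ruleset=ruleset, section=section)
                rows.append(row)
    return rows


def matched_rules(rows):
    """(ruleset, rule, pos, hits) for rules that matched traffic, busiest first."""
    hit = [r for r in rows if r["hits"] > 0]
    hit.sort(key=lambda r: r["hits"], reverse=True)
    return [(r["ruleset"], r["rule"], r["pos"], r["hits"]) for r in hit]


def evaluated_but_never_matched(rows):
    """Rules that were compared against traffic (evals > 0) but never matched it."""
    return [(r["ruleset"], r["rule"], r["pos"]) for r in rows
            if r["evals"] > 0 and r["hits"] == 0]


def section_totals(rows):
    """Sum hits and bytes per (ruleset, section), e.g. to see whether any traffic
    was ever accounted to the FILTER category at all."""
    totals = {}
    for r in rows:
        key = (r["ruleset"], r["section"])
        t = totals.setdefault(key, {"hits": 0, "bytes": 0})
        t["hits"] += r["hits"]
        t["bytes"] += r["bytes_in"] + r["bytes_out"]
    return totals


if __name__ == "__main__":
    rows = parse_rule_stats(SAMPLE_STATS)
    print("matched:", matched_rules(rows))
    print("evaluated, never matched:", evaluated_but_never_matched(rows))
    print("per section:", section_totals(rows))
```

To use it on a real capture, replace SAMPLE_STATS with the contents of a file written by "vsipioctl getrules -f <filter> -s > stats.txt" on the host; the regex only depends on the line format shown above, so rule IDs and positions from other filters parse the same way.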
Get the addrsets/groups used in a VM's firewall rules
Firewall rules use groups (addrsets) as their source or destination. This output lists every addrset used by the rules, as realized from the grouping configuration.
[root@esxcomp-2a:~] vsipioctl getaddrset -f nic-1371516-eth0-vmware-sfw.2
addrset is shared for this filter
global addrset
addrset 98abd76f-351b-4a4a-857f-1d91416b0798 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 10.2.0.2,
ip 10.114.217.26,
ip 172.16.202.2,
ip 172.16.202.22,
ip 192.168.202.2,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:0e:25,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:2d:c0,
mac 00:50:56:a0:8d:90,
}
addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d {
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rdst5128 {
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset rdst5130 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 100.100.100.100,
}
addrset rsrc5102 {
ip 1.1.1.1,
ip 1.1.1.2,
}
addrset rsrc5127 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset rsrc5128 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
local addrset
No address sets.
[root@esxcomp-2a:~]
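The question that usually follows this output is "which addrsets is this VM's address actually in, and do two groups overlap so that a rule I did not expect can match?". The following Python is an added example (not from this page or from VMware) that parses a saved copy of the getaddrset output and answers both. The sample text is a constructed subset of the output above; IP entries are stored as /32 or /128 networks so that CIDR members, if a group contains any, are handled by the same membership test.

```python
import ipaddress

# Constructed sample: a subset of the "vsipioctl getaddrset -f <filter>" output
# shown above, in the same layout.
SAMPLE_ADDRSETS = """\
addrset is shared for this filter
global addrset
addrset 98abd76f-351b-4a4a-857f-1d91416b0798 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rsrc5128 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 7.7.7.7,
ip 8.8.8.8,
}
local addrset
No address sets.
"""


def parse_addrsets(text):
    """Map addrset name -> {"scope": "global"|"local", "ip": [networks], "mac": [macs]}."""
    sets, scope, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" addrset") and not line.startswith("addrset "):
            scope = line.split()[0]          # "global addrset" / "local addrset"
        elif line.startswith("addrset ") and line.endswith("{"):
            current = line.split()[1]
            sets[current] = {"scope": scope, "ip": [], "mac": []}
        elif line == "}":
            current = None
        elif current is not None and line.endswith(","):
            kind, value = line[:-1].split(None, 1)
            if kind == "ip":
                # a single address becomes a /32 or /128 network; CIDR stays as-is
                sets[current]["ip"].append(ipaddress.ip_network(value, strict=False))
            elif kind == "mac":
                sets[current]["mac"].append(value.lower())
    return sets


def addrsets_containing(sets, needle):
    """Names of addrsets whose members cover the given IP (v4/v6) or MAC address."""
    try:
        addr, mac = ipaddress.ip_address(needle), None
    except ValueError:
        addr, mac = None, needle.lower()
    hits = []
    for name, s in sets.items():
        if addr is not None and any(addr in net for net in s["ip"]):
            hits.append(name)
        elif mac is not None and mac in s["mac"]:
            hits.append(name)
    return sorted(hits)


def overlapping_addrsets(sets):
    """Pairs of addrsets sharing at least one IP member or overlapping range:
    a VM in both can match rules written for either group."""
    names = sorted(sets)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(na.overlaps(nb) for na in sets[a]["ip"] for nb in sets[b]["ip"]):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    sets = parse_addrsets(SAMPLE_ADDRSETS)
    print("172.16.202.2 is in:", addrsets_containing(sets, "172.16.202.2"))
    print("overlapping groups:", overlapping_addrsets(sets))
```

Membership is checked with the standard ipaddress module, so a v4 address is never reported as a member of a v6-only set; MAC comparison is case-insensitive because the host prints lowercase while many inventories store uppercase.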
Get the active firewall flows per VM
NSX DFW keeps a table of active flows per vNIC. This output lists every active flow for the given vNIC.
[root@esxcomp-2a:~] vsipioctl getflows -f nic-7014985-eth0-vmware-sfw.2
Count retrieved from kernel active=6, inactive=0, drop=0
ecbd448200000001 Active ipv6-icmp 86dd IN 5134 0 0 2001::172:16:202:22 -> 2001::172:16:202:2 128 0 1039376 1039376 9994 9994 tmo 9
ecbd4482000000b9 Active tcp 0800 OUT 5134* 0 0 (est) 172.16.202.2:Unknown(39914) -> 172.16.202.22:ssh(22) 305 EST:EST rtt 21020 retrans 0/0 4409 3725 23 25 tmo 43195
ecbd4482000000ba Active ipv6-icmp 86dd OUT 5134* 0 0 fe80::250:56ff:fea0:8d90 -> 2001::172:16:202:22 135 0 64 72 1 1
ecbd4482000000bb Active igmp 0800 IN 5133* 0 0 (D) 0.0.0.0 -> 224.0.0.1 36 0 1 0 tmo 51
ecbd4482000000bc Active ipv6-icmp 86dd IN 5133* 0 0 (D) fe80::ffff:ffff:ffff:ffff -> ff02::1 130 0 76 0 1 0 tmo 11
ecbd4482000000bd Active ipv6-icmp 86dd OUT 5133* 0 0 (D) fe80::250:56ff:fea0:8d90 -> ff02::16 143 0 0 96 0 1 tmo 11
[root@esxcomp-2a:~]
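The flow table is the fastest way to confirm which rule a live connection was matched against. The following Python is an added example (not from this page or from VMware) that parses a saved copy of the getflows output into structured records, counts flows per rule, and lets you search by protocol and destination port; it also cross-checks the kernel's "active=" count against the lines actually parsed. The sample is a constructed copy of the six flow lines above. The parser only relies on the fixed leading fields of each line (flow id, state, protocol, ethertype, direction, rule, optional parenthesised flag, src -> dst); the trailing per-protocol counters are kept as raw text, since their layout differs between TCP and ICMP entries.

```python
import re
from collections import Counter

# Constructed sample: the flow lines from the "vsipioctl getflows" output above.
SAMPLE_FLOWS = """\
Count retrieved from kernel active=6, inactive=0, drop=0
ecbd448200000001 Active ipv6-icmp 86dd IN 5134 0 0 2001::172:16:202:22 -> 2001::172:16:202:2 128 0 1039376 1039376 9994 9994 tmo 9
ecbd4482000000b9 Active tcp 0800 OUT 5134* 0 0 (est) 172.16.202.2:Unknown(39914) -> 172.16.202.22:ssh(22) 305 EST:EST rtt 21020 retrans 0/0 4409 3725 23 25 tmo 43195
ecbd4482000000ba Active ipv6-icmp 86dd OUT 5134* 0 0 fe80::250:56ff:fea0:8d90 -> 2001::172:16:202:22 135 0 64 72 1 1
ecbd4482000000bb Active igmp 0800 IN 5133* 0 0 (D) 0.0.0.0 -> 224.0.0.1 36 0 1 0 tmo 51
ecbd4482000000bc Active ipv6-icmp 86dd IN 5133* 0 0 (D) fe80::ffff:ffff:ffff:ffff -> ff02::1 130 0 76 0 1 0 tmo 11
ecbd4482000000bd Active ipv6-icmp 86dd OUT 5133* 0 0 (D) fe80::250:56ff:fea0:8d90 -> ff02::16 143 0 0 96 0 1 tmo 11
"""

HEADER_RE = re.compile(r"active=(\d+), inactive=(\d+), drop=(\d+)")
FLOW_RE = re.compile(
    r"^(?P<id>[0-9a-f]{16}) (?P<state>\S+) (?P<proto>\S+) (?P<ethertype>[0-9a-f]{4}) "
    r"(?P<dir>IN|OUT) (?P<rule>\d+)(?P<star>\*?) \d+ \d+ (?:\((?P<flag>[^)]*)\) )?"
    r"(?P<src>\S+) -> (?P<dst>\S+)(?P<rest>.*)$"
)
# "172.16.202.22:ssh(22)" -> host and numeric port; bare addresses have no port
ENDPOINT_RE = re.compile(r"^(?P<host>.+):[^:()]+\((?P<port>\d+)\)$")


def split_endpoint(token):
    m = ENDPOINT_RE.match(token)
    if m:
        return m.group("host"), int(m.group("port"))
    return token, None


def parse_flows(text):
    """Return (kernel counts dict, list of flow dicts) from a getflows capture."""
    counts, flows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.search(line)
        if h:
            counts = dict(zip(("active", "inactive", "drop"), map(int, h.groups())))
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        tmo = re.search(r"\btmo (\d+)", m.group("rest"))
        flows.append({
            "id": m.group("id"), "state": m.group("state"), "proto": m.group("proto"),
            "dir": m.group("dir"), "rule": int(m.group("rule")),
            "rule_starred": m.group("star") == "*", "flag": m.group("flag"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "timeout": int(tmo.group(1)) if tmo else None,
            "rest": m.group("rest").strip(),
        })
    return counts, flows


def flows_per_rule(flows):
    """How many live flows each rule id accounts for."""
    return Counter(f["rule"] for f in flows)


def find_flows(flows, proto=None, dport=None, rule=None):
    """Filter flows by protocol name, destination port and/or matched rule id."""
    return [f for f in flows
            if (proto is None or f["proto"] == proto)
            and (dport is None or f["dport"] == dport)
            and (rule is None or f["rule"] == rule)]


def counts_consistent(counts, flows):
    """The kernel's active count should equal the number of Active lines parsed."""
    return counts is not None and counts["active"] == sum(
        1 for f in flows if f["state"] == "Active")


if __name__ == "__main__":
    counts, flows = parse_flows(SAMPLE_FLOWS)
    print("kernel counts:", counts, "consistent:", counts_consistent(counts, flows))
    print("flows per rule:", dict(flows_per_rule(flows)))
    for f in find_flows(flows, proto="tcp", dport=22):
        print("ssh flow:", f["src"], "->", f["dst"], "rule", f["rule"], "tmo", f["timeout"])
```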
Get the full active firewall configuration per VM
This output provides the complete firewall configuration realized for a vNIC: the rules in use, the addrsets they reference, and the profiles (containers).
[root@esxcomp-2a:~] vsipioctl getfwconfig -f nic-7014985-eth0-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # PRE_FILTER rules
  rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
  rule 5133 at 2 inout protocol any from any to any accept with log tag 'ipv6-app-deny-default';
  rule 5132 at 3 inout inet protocol icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5132 at 4 inout inet protocol tcp strict from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 port 22 accept with log tag 'icmp-test';
  rule 5132 at 5 inout inet protocol ipv6-icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5130 at 6 inout inet protocol icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  rule 5130 at 7 inout inet protocol ipv6-icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  # FILTER (APP Category) rules
  rule 5102 at 1 inout protocol any from addrset rsrc5102 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5126 at 2 in protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5127 at 3 out protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5128 at 4 out protocol any from addrset rsrc5128 to addrset rdst5128 accept;
  rule 5129 at 5 in protocol any from addrset rsrc5128 to addrset 98abd76f-351b-4a4a-857f-1d91416b0798 accept;
  rule 5103 at 6 in protocol any from addrset rsrc5128 to addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 accept;
  rule 5135 at 7 inout protocol any from any to any with attribute profile acf76e7d-400b-438b-966f-8d5c10bebbda accept;
  rule 5135 at 8 inout protocol any from any to any with attribute profile 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 accept;
  rule 5124 at 9 inout protocol any from any to any with attribute profile 8774c654-0f9e-43ad-a803-4aa720e590cf accept;
  rule 5123 at 10 inout protocol any from any to any with attribute profile 13e599b5-dd2d-420f-8473-9d45f0d324ac accept;
  rule 5125 at 11 inout protocol any from any to any with attribute profile e4be8d7e-e4ab-4466-8f2e-998445ead95d accept;
  rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
}
ruleset mainrs_L2 {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # FILTER rules
  rule 1 at 1 inout ethertype any stateless from any to any accept;
}
addrset is shared for this filter
global addrset
addrset 98abd76f-351b-4a4a-857f-1d91416b0798 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 10.2.0.2,
ip 10.114.217.26,
ip 172.16.202.2,
ip 172.16.202.22,
ip 192.168.202.2,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
ip fe80::250:56ff:fea0:26dc,
ip fe80::250:56ff:fea0:8d90,
mac 00:50:56:a0:0e:25,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:2d:c0,
mac 00:50:56:a0:8d:90,
}
addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d {
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
ip fe80::250:56ff:fea0:26dc,
ip fe80::250:56ff:fea0:8d90,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rdst5128 {
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset rdst5130 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 100.100.100.100,
}
addrset rsrc5102 {
ip 1.1.1.1,
ip 1.1.1.2,
}
addrset rsrc5127 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset rsrc5128 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
local addrset
No address sets.
containers are shared for this filter
global containers
container 13e599b5-dd2d-420f-8473-9d45f0d324ac {
  # generation number: 21208
  # realization time : 2020-12-16T23:41:30
  FQDN : login\.microsoft\.com(3940c0d7-cbfc-abbb-35b4-786fc4199684),
}
container 8774c654-0f9e-43ad-a803-4aa720e590cf {
  # generation number: 21208
  # realization time : 2020-12-16T23:41:30
  FQDN : outlook\.office365\.com(6e465c1d-7d81-9672-00e1-76ddfc280b8b),
}
container 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 {
  # generation number: 21208
  # realization time : 2020-12-16T23:41:30
  APP_ID : APP_360ANTIV,
}
container acf76e7d-400b-438b-966f-8d5c10bebbda {
  # generation number: 21208
  # realization time : 2020-12-16T23:41:30
  APP_ID : APP_ACTIVDIR,
}
container e4be8d7e-e4ab-4466-8f2e-998445ead95d {
  # generation number: 21208
  # realization time : 2020-12-16T23:41:30
  FQDN : play\.google\.com(c44ef0fc-a922-eb1b-f155-4f0625271198),
}
local containers
No containers.
[root@esxcomp-2a:~]
Other outputs for firewall troubleshooting
In addition to the command options above, NSX provides further options for debugging the NSX firewall data path on ESX. Use the help output as shown below.
[root@esxcomp-2a:~] vsipioctl -h
Usage: help <cmd> <options>
below is a list of available cmd:
  getfilters          : get list of filters
  getfwconfig         : get rules, addrsets and containers of a filter
  getrules            : get rules of a filter
  getaddrsets         : get addrsets of a filter
  getcontainers       : get containers of a filter
  getspoofguard       : get spoofguard setting of a filter
  getflows            : get flows of a filter
  getconncount        : get active connection count
  getconnections      : get active connections
  getsisvmstats       : get service insertion service VM stats
  getsisvctable       : dump service insertion service table
  getsinshtable       : display service insertion nsh table
  getsiproxytable     : display service insertion proxy table
  getsifailedspis     : get service insertion failed spi table
  getsiflowprogtable  : get service insertion flow programming table
  getsislotid         : get service insertion slot id
  getsilbenablestatus : get service insertion load balance enable status
  getmeminfo          : get meminfo data
  initvsiplogging     : init vsip logger
  getfqdnentries      : get fqdn entries
  getdnsconfigprofile : get dns config profile for a filter
  getfilterstat       : get statistics of a filter
  gettimeout          : get connection timeout setting of a filter
  getfloodstat        : get flood protection status
  getsidcache         : get sid cache of a filter
  help                : this help message
run `vsipioctl <cmd> -h' to find out available options of a cmd.
[root@esxcomp-2a:~]
NSX CLI for firewall troubleshooting
On ESXi, type "nsxcli" to use the NSX CLI as an alternative to the ESXi shell commands above; the "get firewall" command tree returns output similar to the above.
[root@esxcomp-2a:~] nsxcli
esxcomp-2a.dg.vsphere.local>
esxcomp-2a.dg.vsphere.local> get firewall
% Command not found: get firewall
Possible alternatives:
  get firewall <vifuuid> addrsets
  get firewall <vifuuid> profile
  get firewall <vifuuid> ruleset rules
  get firewall exclusion
  get firewall ipfix-containers
  get firewall ipfix-filters
  get firewall ipfix-profiles
  get firewall ipfix-stats
  get firewall packetlog
  get firewall packetlog last <lines>
  get firewall rule-stats
  get firewall rule-stats total
  get firewall status
  get firewall thresholds
  get firewall vifs
esxcomp-2a.dg.vsphere.local> get firewall packetlog last 10
Wed Dec 16 2020 UTC 23:53:55.693
2020-12-16T23:53:23.878Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:23.878Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:29.234Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:29.234Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z fd2e9266 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z 5f46e9b1 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.239Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.241Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:51.876Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
2020-12-16T23:53:51.876Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
esxcomp-2a.dg.vsphere.local> get firewall exclusion
Wed Dec 16 2020 UTC 23:53:57.731
Firewall Exclusion
----------------------------------------------------------------------
Exclusion count: 7
00894e3c-8948-4b6b-a4cd-acd3a2c21205
15f077e9-4492-4391-9f63-a99b6c978003
2936443e-128c-4b6d-9fcf-3b2fad778b08
3602f84a-8333-44f3-a3c2-e04fbf5e848f
8149b7ec-553d-48e1-af04-1ee2f5ae266e
d615679c-092e-4bfe-8c17-803fe8b3315d
da619e9d-48a0-4c82-a831-bf580d3bec05
esxcomp-2a.dg.vsphere.local> get firewall thresholds
Wed Dec 16 2020 UTC 23:53:59.905
Firewall Threshold Monitors
-------------------------------------------------------------------------------------------
#  Name          Raised  Threshold  CurrValue  CurrSize  MaxSize   PeakEver  EverTime(ago)
1  dfw-cpu       False   60         0          --        --        0         --:--:--
2  vsip-attr     False   60         3          4 MB      128 MB    3         4d 23:35:06
3  vsip-flow     False   60         0          0 MB      312 MB    0         --:--:--
4  vsip-fprules  False   60         0          0 MB      128 MB    0         --:--:--
5  vsip-fqdn     False   60         0          0 MB      128 MB    0         --:--:--
6  vsip-module   False   60         15         153 MB    1024 MB   15        4d 23:35:06
7  vsip-rules    False   60         0          0 MB      512 MB    0         --:--:--
8  vsip-si       False   60         0          0 MB      128 MB    0         --:--:--
9  vsip-state    False   60         0          0 MB      384 MB    0         --:--:--
esxcomp-2a.dg.vsphere.local>
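The packet log is the output a defender cares about most, because it records the verdict ("match PASS" or another action) per rule and per direction, plus "TERM" records with packet and byte counters when a logged flow ends. The following Python is an added example (not from this page or from VMware) that parses a saved copy of "get firewall packetlog" output into records, tallies verdicts per rule, isolates anything that was not passed, and sums the bytes reported in TERM records per rule. The sample is a constructed copy of the ten lines shown above, all of which carry the rule's log tag as the last token; the parser treats a trailing token after the counters as that tag.

```python
from collections import Counter

# Constructed sample: the ten records of the "get firewall packetlog last 10"
# output shown above (four "match" records and six "TERM" records).
SAMPLE_PACKETLOG = """\
2020-12-16T23:53:23.878Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:23.878Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:29.234Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:29.234Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z fd2e9266 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z 5f46e9b1 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.239Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.241Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:51.876Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
2020-12-16T23:53:51.876Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
"""


def parse_packetlog(text):
    """Parse "match" and "TERM" records into dicts; lines in neither shape
    (the timestamp banner, CLI prompts) are skipped."""
    records = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 8 or tok[3] not in ("match", "TERM"):
            continue
        arrow = next((i for i, t in enumerate(tok) if "->" in t), None)
        if arrow is None:
            continue
        src, dst = tok[arrow].split("->", 1)
        rec = {"ts": tok[0], "filter": tok[1], "family": tok[2], "kind": tok[3],
               "src": src, "dst": dst}
        if tok[3] == "match":
            # match <ACTION> <rule> <dir> <len> <proto> src->dst [tag]
            rec.update(action=tok[4], rule=int(tok[5]), dir=tok[6],
                       length=int(tok[7]), proto=tok[8])
            rec["tag"] = tok[arrow + 1] if len(tok) > arrow + 1 else None
        else:
            # TERM <rule> <dir> <proto> <extra ...> src->dst <n/n pkts> <n/n bytes> [tag]
            pkts = tuple(int(x) for x in tok[arrow + 1].split("/"))
            byts = tuple(int(x) for x in tok[arrow + 2].split("/"))
            rec.update(action="TERM", rule=int(tok[4]), dir=tok[5], proto=tok[6],
                       extra=tok[7:arrow], pkts=pkts, bytes=byts)
            rec["tag"] = tok[arrow + 3] if len(tok) > arrow + 3 else None
        records.append(rec)
    return records


def verdicts_by_rule(records):
    """Counter of (action, rule) over match records: which rules pass or block what."""
    return Counter((r["action"], r["rule"]) for r in records if r["kind"] == "match")


def not_passed(records):
    """Match records whose verdict was anything other than PASS."""
    return [r for r in records if r["kind"] == "match" and r["action"] != "PASS"]


def bytes_by_rule(records):
    """Sum of both byte counters printed in TERM records, per rule."""
    totals = Counter()
    for r in records:
        if r["kind"] == "TERM":
            totals[r["rule"]] += sum(r["bytes"])
    return totals


if __name__ == "__main__":
    recs = parse_packetlog(SAMPLE_PACKETLOG)
    print("verdicts:", dict(verdicts_by_rule(recs)))
    print("not passed:", len(not_passed(recs)))
    print("bytes per rule (TERM):", dict(bytes_by_rule(recs)))
```

Feed it the output of "get firewall packetlog last <lines>" saved from nsxcli; because the prompt and date banner are skipped by the token check, the whole session transcript can be pasted in unchanged.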
Unknown MAC address shown in DFW L2 rules
After you configure a Layer 2 firewall rule that uses one MAC set as the source and another MAC set as the destination, running the getrules command on the host shows the destination MAC set as 01:00:00:00:00:00/01:00:00:00:00:00. For example:
[root@host1:~] vsipioctl getrules -f nic-1000052822-eth1-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2018-07-26T12:42:28
  rule 1039 at 1 inout protocol tcp from any to any port 1521 accept as oracle;
  # internal # rule 1039 at 2 inout protocol tcp from any to any port 1521 accept;
  rule 1039 at 3 inout protocol icmp from any to any accept;
  rule 2 at 4 inout protocol any from any to any accept with log;
}
ruleset mainrs_L2 {
  # generation number: 0
  # realization time : 2018-07-26T12:42:28
  rule 1040 at 1 inout ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
  # internal # rule 1040 at 2 in ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
  # internal # rule 1040 at 3 out ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to mac 01:00:00:00:00:00/01:00:00:00:00:00 accept;
  rule 1 at 4 inout ethertype any stateless from any to any accept;
}
The internal "out" rule with the address 01:00:00:00:00:00/01:00:00:00:00:00 is generated by default to handle outbound broadcast packets and does not indicate a problem. The firewall rules work as configured.