zoukankan      html  css  js  c++  java
  • 华为设备acl配置

    拓扑图:

    需求:

    1、-vlan10内所有的主机,只能通过http访问vlan30-server的服务器;不能访问vlan40-server服务器
    2、-vlan20-pc1主机,可以访问vlan40-server服务器,不能访问vlan30-server服务器
    3、-vlan30-pc1主机,不能访问vlan20-server服务器,可以访问vlan40-server服务器
    4、-PublicServer服务器对vlan10和vlan20 仅仅提供ftp服务
    5、-PublicServer服务器对vlan30-server和vlan40-server仅仅提供http服务
    6、-PublicServer服务器对所有pc提供dns服务
    7、-所有节点和主机均能够ping通


    配置:

     三层交换机SW1-left

    sw-left:
    [sw1]sys sw-left
    [sw-left]vlan batch 10 20 50
    [sw-left]port-group group-member g0/0/1 g0/0/2
    [sw-left-port-group]port link-type access
    [sw-left-GigabitEthernet0/0/1]port link-type access
    [sw-left-GigabitEthernet0/0/2]port link-type access
    [sw-left-port-group]port default vlan 10
    [sw-left-GigabitEthernet0/0/1]port default vlan 10
    [sw-left-GigabitEthernet0/0/2]port default vlan 10
    [sw-left-port-group]q
    [sw-left]port-group group-member g0/0/3 g0/0/4
    [sw-left-port-group]port link-type access
    [sw-left-GigabitEthernet0/0/3]port link-type access
    [sw-left-GigabitEthernet0/0/4]port link-type access
    [sw-left-port-group]port default vlan 20
    [sw-left-GigabitEthernet0/0/3]port default vlan 20
    [sw-left-GigabitEthernet0/0/4]port default vlan 20
    [sw-left-port-group]q
    [sw-left]int g0/0/10
    [sw-left-GigabitEthernet0/0/10]port link-type access
    [sw-left-GigabitEthernet0/0/10]port default vlan 50
    [sw-left-GigabitEthernet0/0/10]q
    [sw-left]int vlanif 10
    [sw-left-Vlanif10]ip add 192.168.10.1 24
    [sw-left-Vlanif10]int vlanif 20
    [sw-left-Vlanif20]ip add 192.168.20.1 24
    [sw-left-Vlanif20]int vlanif 50
    [sw-left-Vlanif50]ip add 192.168.50.2 24
    [sw-left-Vlanif50]q
    [sw-left]rip
    [sw-left-rip-1]version 2
    [sw-left-rip-1]undo summary
    [sw-left-rip-1]network 192.168.10.0
    [sw-left-rip-1]network 192.168.20.0
    [sw-left-rip-1]network 192.168.50.0

    [sw-left-rip-1]

    路由器: R1

    <Huawei>sys
    [Huawei]sys R1
    [R1]int g0/0/1
    [R1-GigabitEthernet0/0/1]ip add 192.168.60.1 24
    [R1-GigabitEthernet0/0/1]int g0/0/2
    [R1-GigabitEthernet0/0/2]ip add 192.168.100.1 24
    [R1-GigabitEthernet0/0/2]int g0/0/0
    [R1-GigabitEthernet0/0/0]ip add 192.168.50.1 24
    [R1-GigabitEthernet0/0/0]q
    [R1]rip
    [R1-rip-1]version 2
    [R1-rip-1]undo summary
    [R1-rip-1]network 192.168.50.0
    [R1-rip-1]network 192.168.60.0
    [R1-rip-1]network 192.168.100.0
    [R1-rip-1]

    交换机: SW2-right

    <Huawei>sys
    [Huawei]sys sw-right
    [sw-right]vlan batch 30 40 60
    [sw-right]port-group group-member g0/0/1 g0/0/2
    [sw-right-port-group]port link-type access
    [sw-right-GigabitEthernet0/0/1]port link-type access
    [sw-right-GigabitEthernet0/0/2]port link-type access
    [sw-right-GigabitEthernet0/0/1]port default vlan 30
    [sw-right-GigabitEthernet0/0/2]port default vlan 30
    [sw-right-port-group]q
    [sw-right]port-group group-member g0/0/3 g0/0/4
    [sw-right-port-group]port link-type access
    [sw-right-GigabitEthernet0/0/3]port link-type access
    [sw-right-GigabitEthernet0/0/4]port link-type access
    [sw-right-port-group]port default vlan 40
    [sw-right-GigabitEthernet0/0/3]port default vlan 40
    [sw-right-GigabitEthernet0/0/4]port default vlan 40
    [sw-right-port-group]q
    [sw-right]int g0/0/10
    [sw-right-GigabitEthernet0/0/10]port link-type access
    [sw-right-GigabitEthernet0/0/10]port default vlan 60
    [sw-right-GigabitEthernet0/0/10]q
    [sw-right]int vlanif 30
    [sw-right-Vlanif30]ip add 192.168.30.1 24
    [sw-right-Vlanif30]int vlanif 40
    [sw-right-Vlanif40]ip add 192.168.40.1 24
    [sw-right-Vlanif40]int vlanif 60
    [sw-right-Vlanif60]ip add 192.168.60.2 24
    [sw-right-Vlanif60]q
    [sw-right]rip
    [sw-right-rip-1]version 2
    [sw-right-rip-1]undo summary
    [sw-right-rip-1]network 192.168.30.0
    [sw-right-rip-1]network 192.168.40.0
    [sw-right-rip-1]network 192.168.60.0

    [sw-right-rip-1]

    测试所有终端设备全部ping通后继续ing...

    分析规则: 

    1、-vlan10内所有的主机,只能通过http访问vlan30-server的服务器;不能访问vlan40-server服务器

    192.168.10.0 0.0.0.255 网段要带掩码, 192.168.30.200 0 ip 掩码可简写为 0
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
    rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
    返回规则
    rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255

    2、-vlan20-pc1主机,可以访问vlan40-server服务器,不能访问vlan30-server服务器
    rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
    rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
    返回规则
    rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0

    3、-vlan30-pc1主机,不能访问vlan20-server服务器,可以访问vlan40-server服务器
    rule deny ip source 192.168.30.100 0 destination 192.168.20.200 0
    vlan30 和vlan40 不跨路由器规则 无需设置规则
    返回规则

    4、-PublicServer服务器对vlan10和vlan20 仅仅提供ftp服务
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    返回规则
    rule permit ip source 192.168.100.200 0 destination 192.168.10.0 0.0.0.255
    rule permit ip source 192.168.100.200 0 destination 192.168.20.0 0.0.0.255

    5、-PublicServer服务器对vlan30和vlan40-server仅仅提供http服务
    rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
    rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
    返回规则
    rule permit ip source 192.168.100.200 0 destination 192.168.30.0 0.0.0.255
    rule permit ip source 192.168.100.200 0 destination 192.168.40.0 0.0.0.255

    6、-PublicServer服务器对所有pc提供dns服务
    rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
    返回规则
    rule permit ip source 192.168.100.200 0 destination any

    7、-所有节点和主机均能够ping通
    rule permit icmp source any destination any

    以上规则在三个路由接口的outbound(出站)总结为:

    int g0/0/1: acl3000

    即是:vlan10,vlan20及PublicServer服务器,在int g0/0/1的outbound规则
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
    rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
    rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
    rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
    rule permit icmp source any destination any
    rule deny ip source any destination any


    int g0/0/0: acl3001

    即是:vlan30,vlan40及PublicServer服务器,在int g0/0/0的outbound规则
    rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
    rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
    rule permit ip source 192.168.100.200 0 destination any
    rule permit icmp source any destination any
    rule deny ip source any destination any


    int g0/0/2 acl3002

    即是:vlan10,vlan20,vlan30,vlan40,在int g0/0/2的outbound规则
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
    rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
    rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
    rule permit icmp source any destination any
    rule deny ip source any destination any

     在路由器R1上分别是创建并应用acl规则

    [R1]acl 3000
    [R1-acl-adv-3000]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.1
    68.30.200 0 destination-port eq 80
    [R1-acl-adv-3000]
    [R1-acl-adv-3000]rule permit ip source 192.168.20.100 0 destination 192.168.40.2
    00 0
    [R1-acl-adv-3000]
    [R1-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.
    40.200 0.0.0.0
    [R1-acl-adv-3000]
    [R1-acl-adv-3000]rule deny ip source 192.168.20.100 0 destination 192.168.30.200
    0
    [R1-acl-adv-3000]
    [R1-acl-adv-3000]rule permit icmp source any destination any
    [R1-acl-adv-3000]
    [R1-acl-adv-3000]rule deny ip source any destination any
    [R1-acl-adv-3000]acl 3001
    [R1-acl-adv-3001]rule permit ip source 192.168.30.200 0 destination 192.168.10.0
    0.0.0.255
    [R1-acl-adv-3001]
    [R1-acl-adv-3001]rule permit ip source 192.168.40.200 0 destination 192.168.20.1
    00 0
    [R1-acl-adv-3001]
    [R1-acl-adv-3001]rule permit ip source 192.168.100.200 0 destination any
    [R1-acl-adv-3001]
    [R1-acl-adv-3001]rule permit icmp source any destination any
    [R1-acl-adv-3001]
    [R1-acl-adv-3001]rule deny ip source any destination any
    [R1-acl-adv-3001]acl 3002
    [R1-acl-adv-3002]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.1
    68.100.200 0 destination-port eq 21
    [R1-acl-adv-3002]
    [R1-acl-adv-3002]rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.1
    68.100.200 0 destination-port eq 21
    [R1-acl-adv-3002]
    [R1-acl-adv-3002]rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.1
    68.100.200 0 destination-port eq 80
    [R1-acl-adv-3002]
    [R1-acl-adv-3002]rule permit tcp source 192.168.40.200 0 destination 192.168.100
    .200 0 destination-port eq 80
    [R1-acl-adv-3002]
    [R1-acl-adv-3002]rule permit udp source any destination 192.168.100.200 0 destin
    ation-port eq 53
    [R1-acl-adv-3002]
    [R1-acl-adv-3002]rule permit icmp source any destination any
    [R1-acl-adv-3002]
    [R1-acl-adv-3002]rule deny ip source any destination any
    [R1-acl-adv-3002]q
    [R1]int g0/0/1
    [R1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
    [R1-GigabitEthernet0/0/1]int g0/0/0
    [R1-GigabitEthernet0/0/0]traffic-filter outbound acl 3001
    [R1-GigabitEthernet0/0/0]int g0/0/2
    [R1-GigabitEthernet0/0/2]traffic-filter outbound acl 3002
    [R1-GigabitEthernet0/0/2]

     测试:

    1、-vlan10内所有的主机,只能通过http访问vlan30-server的服务器;不能访问vlan40-server服务器

    vlan10 只能通过http访问vlan30-server服务器

    vlan10 访问vlan30-server的http正常

    6、-PublicServer服务器对所有pc提供dns服务

    当pc通过域名解析访问服务器时,必须满足其它规则里也不冲突.

    1、-vlan10内所有的主机,只能通过http访问vlan30-server的服务器;不能访问vlan40-server服务器

  • 相关阅读:
    给文章生成二维码
    用HTML5 Canvas做一个画图板
    失败多少次不要紧,人们只会记住你成功的那一次
    关于读大学的意义
    卸载Anaconda
    Anaconda基本命令
    plt.imshow()
    matplotlib不显示图片
    在Anaconda环境下使用Jupyter Notebook
    join()
  • 原文地址:https://www.cnblogs.com/xccjmpc/p/11029528.html
Copyright © 2011-2022 走看看