Huawei device ACL configuration

    Topology diagram:

    Requirements:

    1. All hosts in vlan10 may access the vlan30-server only over HTTP; they may not access the vlan40-server.
    2. The vlan20-pc1 host may access the vlan40-server but not the vlan30-server.
    3. The vlan30-pc1 host may not access the vlan20-server; it may access the vlan40-server.
    4. PublicServer provides only FTP service to vlan10 and vlan20.
    5. PublicServer provides only HTTP service to vlan30-server and vlan40-server.
    6. PublicServer provides DNS service to all PCs.
    7. All nodes and hosts must be able to ping each other.


    Configuration:

    Layer-3 switch SW1-left

    sw-left:
    [sw1]sys sw-left
    [sw-left]vlan batch 10 20 50
    [sw-left]port-group group-member g0/0/1 g0/0/2
    [sw-left-port-group]port link-type access
    [sw-left-GigabitEthernet0/0/1]port link-type access
    [sw-left-GigabitEthernet0/0/2]port link-type access
    [sw-left-port-group]port default vlan 10
    [sw-left-GigabitEthernet0/0/1]port default vlan 10
    [sw-left-GigabitEthernet0/0/2]port default vlan 10
    [sw-left-port-group]q
    [sw-left]port-group group-member g0/0/3 g0/0/4
    [sw-left-port-group]port link-type access
    [sw-left-GigabitEthernet0/0/3]port link-type access
    [sw-left-GigabitEthernet0/0/4]port link-type access
    [sw-left-port-group]port default vlan 20
    [sw-left-GigabitEthernet0/0/3]port default vlan 20
    [sw-left-GigabitEthernet0/0/4]port default vlan 20
    [sw-left-port-group]q
    [sw-left]int g0/0/10
    [sw-left-GigabitEthernet0/0/10]port link-type access
    [sw-left-GigabitEthernet0/0/10]port default vlan 50
    [sw-left-GigabitEthernet0/0/10]q
    [sw-left]int vlanif 10
    [sw-left-Vlanif10]ip add 192.168.10.1 24
    [sw-left-Vlanif10]int vlanif 20
    [sw-left-Vlanif20]ip add 192.168.20.1 24
    [sw-left-Vlanif20]int vlanif 50
    [sw-left-Vlanif50]ip add 192.168.50.2 24
    [sw-left-Vlanif50]q
    [sw-left]rip
    [sw-left-rip-1]version 2
    [sw-left-rip-1]undo summary
    [sw-left-rip-1]network 192.168.10.0
    [sw-left-rip-1]network 192.168.20.0
    [sw-left-rip-1]network 192.168.50.0

    [sw-left-rip-1]

    Router: R1

    <Huawei>sys
    [Huawei]sys R1
    [R1]int g0/0/1
    [R1-GigabitEthernet0/0/1]ip add 192.168.60.1 24
    [R1-GigabitEthernet0/0/1]int g0/0/2
    [R1-GigabitEthernet0/0/2]ip add 192.168.100.1 24
    [R1-GigabitEthernet0/0/2]int g0/0/0
    [R1-GigabitEthernet0/0/0]ip add 192.168.50.1 24
    [R1-GigabitEthernet0/0/0]q
    [R1]rip
    [R1-rip-1]version 2
    [R1-rip-1]undo summary
    [R1-rip-1]network 192.168.50.0
    [R1-rip-1]network 192.168.60.0
    [R1-rip-1]network 192.168.100.0
    [R1-rip-1]

    Switch: SW2-right

    <Huawei>sys
    [Huawei]sys sw-right
    [sw-right]vlan batch 30 40 60
    [sw-right]port-group group-member g0/0/1 g0/0/2
    [sw-right-port-group]port link-type access
    [sw-right-GigabitEthernet0/0/1]port link-type access
    [sw-right-GigabitEthernet0/0/2]port link-type access
    [sw-right-GigabitEthernet0/0/1]port default vlan 30
    [sw-right-GigabitEthernet0/0/2]port default vlan 30
    [sw-right-port-group]q
    [sw-right]port-group group-member g0/0/3 g0/0/4
    [sw-right-port-group]port link-type access
    [sw-right-GigabitEthernet0/0/3]port link-type access
    [sw-right-GigabitEthernet0/0/4]port link-type access
    [sw-right-port-group]port default vlan 40
    [sw-right-GigabitEthernet0/0/3]port default vlan 40
    [sw-right-GigabitEthernet0/0/4]port default vlan 40
    [sw-right-port-group]q
    [sw-right]int g0/0/10
    [sw-right-GigabitEthernet0/0/10]port link-type access
    [sw-right-GigabitEthernet0/0/10]port default vlan 60
    [sw-right-GigabitEthernet0/0/10]q
    [sw-right]int vlanif 30
    [sw-right-Vlanif30]ip add 192.168.30.1 24
    [sw-right-Vlanif30]int vlanif 40
    [sw-right-Vlanif40]ip add 192.168.40.1 24
    [sw-right-Vlanif40]int vlanif 60
    [sw-right-Vlanif60]ip add 192.168.60.2 24
    [sw-right-Vlanif60]q
    [sw-right]rip
    [sw-right-rip-1]version 2
    [sw-right-rip-1]undo summary
    [sw-right-rip-1]network 192.168.30.0
    [sw-right-rip-1]network 192.168.40.0
    [sw-right-rip-1]network 192.168.60.0

    [sw-right-rip-1]

    After verifying that every end device can ping every other one, continue...

    Rule analysis:

    1. All hosts in vlan10 may access the vlan30-server only over HTTP; they may not access the vlan40-server.

    A subnet such as 192.168.10.0 0.0.0.255 must carry its wildcard mask; for a single host such as 192.168.30.200 0, the wildcard mask can be abbreviated to 0.
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
    rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
    Return-traffic rule:
    rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255

    2. The vlan20-pc1 host may access the vlan40-server but not the vlan30-server.
    rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
    rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
    Return-traffic rule:
    rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0

    3. The vlan30-pc1 host may not access the vlan20-server; it may access the vlan40-server.
    rule deny ip source 192.168.30.100 0 destination 192.168.20.200 0
    Traffic between vlan30 and vlan40 does not cross the router, so no rule is needed for that pair.
    Return-traffic rule:

    4. PublicServer provides only FTP service to vlan10 and vlan20.
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    Return-traffic rules:
    rule permit ip source 192.168.100.200 0 destination 192.168.10.0 0.0.0.255
    rule permit ip source 192.168.100.200 0 destination 192.168.20.0 0.0.0.255

    5. PublicServer provides only HTTP service to vlan30 and vlan40-server.
    rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
    rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
    Return-traffic rules:
    rule permit ip source 192.168.100.200 0 destination 192.168.30.0 0.0.0.255
    rule permit ip source 192.168.100.200 0 destination 192.168.40.0 0.0.0.255

    6. PublicServer provides DNS service to all PCs.
    rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
    Return-traffic rule:
    rule permit ip source 192.168.100.200 0 destination any

    7. All nodes and hosts must be able to ping each other.
    rule permit icmp source any destination any

    The rules above, grouped as outbound ACLs on the three router interfaces:

    int g0/0/1: acl3000

    That is, the outbound rules on int g0/0/1 for traffic from vlan10, vlan20 and PublicServer:
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
    rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
    rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
    rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
    rule permit icmp source any destination any
    rule deny ip source any destination any


    int g0/0/0: acl3001

    That is, the outbound rules on int g0/0/0 for traffic from vlan30, vlan40 and PublicServer:
    rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
    rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
    rule permit ip source 192.168.100.200 0 destination any
    rule permit icmp source any destination any
    rule deny ip source any destination any


    int g0/0/2: acl3002

    That is, the outbound rules on int g0/0/2 for traffic from vlan10, vlan20, vlan30 and vlan40:
    rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
    rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
    rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
    rule permit icmp source any destination any
    rule deny ip source any destination any
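    To check the rule analysis above before applying it on the router, the following Python script is an added example; it is not code from the original post. It reproduces the three ACLs exactly as summarised, implements Huawei's wildcard-mask matching (including the bare `0` shorthand explained under rule 1), evaluates rules first-match with the traffic-filter default of forwarding unmatched packets (the reason every ACL here ends in `rule deny ip source any destination any`), picks R1's egress interface from the page's addressing, and reports the verdict for probes derived from the seven requirements. The vlan10 host address 192.168.10.100 and the tcp/22 and tcp/445 probe ports are assumptions; every other address comes from the page.

```python
"""Offline model of R1's three outbound ACLs (added example; not code from the original post).
Huawei VRP checks advanced-ACL rules top to bottom: the first match decides, and a packet that
matches no rule of a traffic-filter is forwarded, hence the trailing 'deny ip any any' rules."""
from __future__ import annotations
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst dport")   # src/dst: (base, wildcard) or None for 'any'
Packet = namedtuple("Packet", "src dst proto dport", defaults=(None,))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard: 0 bits must match, 1 bits are don't-care; a bare '0' means 0.0.0.0."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_rule(line: str) -> Rule:
    """Parse one 'rule ...' line in the exact syntax the page uses."""
    tok, ends, dport, i = line.split(), {}, None, 3
    while i < len(tok):
        if tok[i] in ("source", "destination") and tok[i + 1] == "any":
            ends[tok[i]], i = None, i + 2
        elif tok[i] in ("source", "destination"):
            ends[tok[i]], i = (tok[i + 1], tok[i + 2]), i + 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            dport, i = int(tok[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
    return Rule(tok[1], tok[2], ends.get("source"), ends.get("destination"), dport)

def parse_acls(text: str) -> dict[int, list[Rule]]:
    """Split 'acl N' sections into numbered rule lists."""
    acls = {}
    for block in text.strip().split("acl ")[1:]:
        num, *rules = block.strip().splitlines()
        acls[int(num)] = [parse_rule(r) for r in rules]
    return acls

def rule_matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)            # 'ip' covers tcp, udp and icmp
            and (r.src is None or wildcard_match(p.src, *r.src))
            and (r.dst is None or wildcard_match(p.dst, *r.dst))
            and (r.dport is None or r.dport == p.dport))

def evaluate(acl: list[Rule], p: Packet) -> str:
    """First matching rule wins; no match means 'permit' (the traffic-filter default)."""
    return next((r.action for r in acl if rule_matches(r, p)), "permit")

# The three ACLs exactly as summarised on the page.
ACLS = parse_acls("""
acl 3000
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
rule permit icmp source any destination any
rule deny ip source any destination any
acl 3001
rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
rule permit ip source 192.168.100.200 0 destination any
rule permit icmp source any destination any
rule deny ip source any destination any
acl 3002
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
rule permit icmp source any destination any
rule deny ip source any destination any
""")
# R1's egress interface per destination network (page addressing) and the ACL bound to it outbound.
ROUTES = {"192.168.10.0/24": "g0/0/0", "192.168.20.0/24": "g0/0/0",    # toward sw-left
          "192.168.30.0/24": "g0/0/1", "192.168.40.0/24": "g0/0/1",    # toward sw-right
          "192.168.100.0/24": "g0/0/2"}                                  # PublicServer
OUTBOUND = {"g0/0/1": ACLS[3000], "g0/0/0": ACLS[3001], "g0/0/2": ACLS[3002]}

def forward(p: Packet) -> str:
    """Verdict for a packet leaving R1: pick the egress interface, apply its outbound ACL."""
    for net, ifname in ROUTES.items():
        if ipaddress.IPv4Address(p.dst) in ipaddress.IPv4Network(net):
            return evaluate(OUTBOUND[ifname], p)
    raise ValueError(f"no route for {p.dst}")

def check_requirements() -> dict[str, str]:
    """Verdicts for probes derived from the seven requirements. The vlan10 host 192.168.10.100 and
    the tcp/22 and tcp/445 probe ports are assumptions; every other address is from the page."""
    pc10 = "192.168.10.100"
    probes = {
        "1 vlan10 -> vlan30-server tcp/80": Packet(pc10, "192.168.30.200", "tcp", 80),
        "1 vlan10 -> vlan30-server tcp/22": Packet(pc10, "192.168.30.200", "tcp", 22),
        "1 vlan10 -> vlan40-server tcp/80": Packet(pc10, "192.168.40.200", "tcp", 80),
        "2 vlan20-pc1 -> vlan40-server tcp/80": Packet("192.168.20.100", "192.168.40.200", "tcp", 80),
        "2 vlan20-pc1 -> vlan30-server tcp/80": Packet("192.168.20.100", "192.168.30.200", "tcp", 80),
        "4 vlan10 -> PublicServer tcp/21": Packet(pc10, "192.168.100.200", "tcp", 21),
        "5 vlan40-server -> PublicServer tcp/80": Packet("192.168.40.200", "192.168.100.200", "tcp", 80),
        "6 vlan30-pc1 -> PublicServer udp/53": Packet("192.168.30.100", "192.168.100.200", "udp", 53),
        "7 vlan40-server -> vlan10 icmp": Packet("192.168.40.200", pc10, "icmp"),
        "7 vlan10 -> vlan40-server icmp": Packet(pc10, "192.168.40.200", "icmp"),
        "return vlan30-server -> vlan10 tcp/445": Packet("192.168.30.200", pc10, "tcp", 445),
    }
    return {name: forward(p) for name, p in probes.items()}

if __name__ == "__main__":
    print("\n".join(f"{v:6} {k}" for k, v in check_requirements().items()))
```

    Two of the verdicts are worth confirming against the requirements before applying the ACLs. Because `ip` matches every IP protocol and the two `deny ip` rules in acl 3000 sit above `rule permit icmp`, pings from vlan10 to vlan40-server (and from vlan20-pc1 to vlan30-server) are dropped; requirement 7 therefore holds only for the other pairs unless the ICMP permit is placed above those denies, which is a deliberate choice to make rather than an accident of rule order. And because the ACLs are stateless, the return rules in acl 3001 are broad: vlan30-server may open any connection into vlan10 (the tcp/445 probe is permitted), not merely answer HTTP requests; restricting return rules to established TCP sessions (Huawei advanced ACLs can match TCP flags with the `tcp-flag` keyword) narrows that exposure.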

    Creating and applying the ACL rules on router R1:

    [R1]acl 3000
    [R1-acl-adv-3000]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
    [R1-acl-adv-3000]rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
    [R1-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
    [R1-acl-adv-3000]rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
    [R1-acl-adv-3000]rule permit icmp source any destination any
    [R1-acl-adv-3000]rule deny ip source any destination any
    [R1-acl-adv-3000]acl 3001
    [R1-acl-adv-3001]rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
    [R1-acl-adv-3001]rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
    [R1-acl-adv-3001]rule permit ip source 192.168.100.200 0 destination any
    [R1-acl-adv-3001]rule permit icmp source any destination any
    [R1-acl-adv-3001]rule deny ip source any destination any
    [R1-acl-adv-3001]acl 3002
    [R1-acl-adv-3002]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    [R1-acl-adv-3002]rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
    [R1-acl-adv-3002]rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
    [R1-acl-adv-3002]rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
    [R1-acl-adv-3002]rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
    [R1-acl-adv-3002]rule permit icmp source any destination any
    [R1-acl-adv-3002]rule deny ip source any destination any
    [R1-acl-adv-3002]q
    [R1]int g0/0/1
    [R1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
    [R1-GigabitEthernet0/0/1]int g0/0/0
    [R1-GigabitEthernet0/0/0]traffic-filter outbound acl 3001
    [R1-GigabitEthernet0/0/0]int g0/0/2
    [R1-GigabitEthernet0/0/2]traffic-filter outbound acl 3002
    [R1-GigabitEthernet0/0/2]

    Testing:

    1. All hosts in vlan10 may access the vlan30-server only over HTTP; they may not access the vlan40-server.

    vlan10 can reach the vlan30-server only over HTTP.

    HTTP from vlan10 to the vlan30-server works normally.

    6. PublicServer provides DNS service to all PCs.

    When a PC reaches a server by resolving its domain name, the other rules must not conflict with that access either.

    1. All hosts in vlan10 may access the vlan30-server only over HTTP; they may not access the vlan40-server.

    Original post: https://www.cnblogs.com/xccjmpc/p/11029528.html