Topology diagram:
Requirements:
1. All hosts in vlan10 may access vlan30-server only over HTTP, and must not access vlan40-server
2. vlan20-pc1 may access vlan40-server, but must not access vlan30-server
3. vlan30-pc1 must not access vlan20-server, but may access vlan40-server
4. PublicServer provides only FTP to vlan10 and vlan20
5. PublicServer provides only HTTP to vlan30-server and vlan40-server
6. PublicServer provides DNS to all PCs
7. All nodes and hosts can ping each other
Configuration:
Layer 3 switch SW1-left
sw-left:
[sw1]sys sw-left
[sw-left]vlan batch 10 20 50
[sw-left]port-group group-member g0/0/1 g0/0/2
[sw-left-port-group]port link-type access
[sw-left-GigabitEthernet0/0/1]port link-type access
[sw-left-GigabitEthernet0/0/2]port link-type access
[sw-left-port-group]port default vlan 10
[sw-left-GigabitEthernet0/0/1]port default vlan 10
[sw-left-GigabitEthernet0/0/2]port default vlan 10
[sw-left-port-group]q
[sw-left]port-group group-member g0/0/3 g0/0/4
[sw-left-port-group]port link-type access
[sw-left-GigabitEthernet0/0/3]port link-type access
[sw-left-GigabitEthernet0/0/4]port link-type access
[sw-left-port-group]port default vlan 20
[sw-left-GigabitEthernet0/0/3]port default vlan 20
[sw-left-GigabitEthernet0/0/4]port default vlan 20
[sw-left-port-group]q
[sw-left]int g0/0/10
[sw-left-GigabitEthernet0/0/10]port link-type access
[sw-left-GigabitEthernet0/0/10]port default vlan 50
[sw-left-GigabitEthernet0/0/10]q
[sw-left]int vlanif 10
[sw-left-Vlanif10]ip add 192.168.10.1 24
[sw-left-Vlanif10]int vlanif 20
[sw-left-Vlanif20]ip add 192.168.20.1 24
[sw-left-Vlanif20]int vlanif 50
[sw-left-Vlanif50]ip add 192.168.50.2 24
[sw-left-Vlanif50]q
[sw-left]rip
[sw-left-rip-1]version 2
[sw-left-rip-1]undo summary
[sw-left-rip-1]network 192.168.10.0
[sw-left-rip-1]network 192.168.20.0
[sw-left-rip-1]network 192.168.50.0
[sw-left-rip-1]
Router: R1
<Huawei>sys
[Huawei]sys R1
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.60.1 24
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.100.1 24
[R1-GigabitEthernet0/0/2]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.50.1 24
[R1-GigabitEthernet0/0/0]q
[R1]rip
[R1-rip-1]version 2
[R1-rip-1]undo summary
[R1-rip-1]network 192.168.50.0
[R1-rip-1]network 192.168.60.0
[R1-rip-1]network 192.168.100.0
[R1-rip-1]
Switch: SW2-right
<Huawei>sys
[Huawei]sys sw-right
[sw-right]vlan batch 30 40 60
[sw-right]port-group group-member g0/0/1 g0/0/2
[sw-right-port-group]port link-type access
[sw-right-GigabitEthernet0/0/1]port link-type access
[sw-right-GigabitEthernet0/0/2]port link-type access
[sw-right-GigabitEthernet0/0/1]port default vlan 30
[sw-right-GigabitEthernet0/0/2]port default vlan 30
[sw-right-port-group]q
[sw-right]port-group group-member g0/0/3 g0/0/4
[sw-right-port-group]port link-type access
[sw-right-GigabitEthernet0/0/3]port link-type access
[sw-right-GigabitEthernet0/0/4]port link-type access
[sw-right-port-group]port default vlan 40
[sw-right-GigabitEthernet0/0/3]port default vlan 40
[sw-right-GigabitEthernet0/0/4]port default vlan 40
[sw-right-port-group]q
[sw-right]int g0/0/10
[sw-right-GigabitEthernet0/0/10]port link-type access
[sw-right-GigabitEthernet0/0/10]port default vlan 60
[sw-right-GigabitEthernet0/0/10]q
[sw-right]int vlanif 30
[sw-right-Vlanif30]ip add 192.168.30.1 24
[sw-right-Vlanif30]int vlanif 40
[sw-right-Vlanif40]ip add 192.168.40.1 24
[sw-right-Vlanif40]int vlanif 60
[sw-right-Vlanif60]ip add 192.168.60.2 24
[sw-right-Vlanif60]q
[sw-right]rip
[sw-right-rip-1]version 2
[sw-right-rip-1]undo summary
[sw-right-rip-1]network 192.168.30.0
[sw-right-rip-1]network 192.168.40.0
[sw-right-rip-1]network 192.168.60.0
[sw-right-rip-1]
Verify that every end device can ping every other before continuing...
Rule analysis:
1. All hosts in vlan10 may access vlan30-server only over HTTP, and must not access vlan40-server
A subnet such as 192.168.10.0 0.0.0.255 must carry its wildcard mask; for a single host such as 192.168.30.200 the wildcard 0.0.0.0 can be abbreviated to 0.
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
Return-traffic rule:
rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
2. vlan20-pc1 may access vlan40-server, but must not access vlan30-server
rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
Return-traffic rule:
rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
3. vlan30-pc1 must not access vlan20-server, but may access vlan40-server
rule deny ip source 192.168.30.100 0 destination 192.168.20.200 0
Traffic between vlan30 and vlan40 does not cross the router, so no rule is needed for it.
Return-traffic rule:
None
4. PublicServer provides only FTP to vlan10 and vlan20
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
Return-traffic rules:
rule permit ip source 192.168.100.200 0 destination 192.168.10.0 0.0.0.255
rule permit ip source 192.168.100.200 0 destination 192.168.20.0 0.0.0.255
5. PublicServer provides only HTTP to vlan30 and vlan40-server
rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
Return-traffic rules:
rule permit ip source 192.168.100.200 0 destination 192.168.30.0 0.0.0.255
rule permit ip source 192.168.100.200 0 destination 192.168.40.0 0.0.0.255
6. PublicServer provides DNS to all PCs
rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
Return-traffic rule:
rule permit ip source 192.168.100.200 0 destination any
7. All nodes and hosts can ping each other
rule permit icmp source any destination any
Grouped as outbound rules on the three router interfaces, the rules above become:
int g0/0/1: acl3000
i.e. the outbound rules on int g0/0/1 for traffic from vlan10, vlan20 and PublicServer
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
rule permit icmp source any destination any
rule deny ip source any destination any
int g0/0/0: acl3001
i.e. the outbound rules on int g0/0/0 for traffic from vlan30, vlan40 and PublicServer
rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
rule permit ip source 192.168.100.200 0 destination any
rule permit icmp source any destination any
rule deny ip source any destination any
int g0/0/2: acl3002
i.e. the outbound rules on int g0/0/2 for traffic from vlan10, vlan20, vlan30 and vlan40
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
rule permit icmp source any destination any
rule deny ip source any destination any
On router R1, create the ACLs and apply them:
[R1]acl 3000
[R1-acl-adv-3000]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
[R1-acl-adv-3000]rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
[R1-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
[R1-acl-adv-3000]rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
[R1-acl-adv-3000]rule permit icmp source any destination any
[R1-acl-adv-3000]rule deny ip source any destination any
[R1-acl-adv-3000]acl 3001
[R1-acl-adv-3001]rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
[R1-acl-adv-3001]rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
[R1-acl-adv-3001]rule permit ip source 192.168.100.200 0 destination any
[R1-acl-adv-3001]rule permit icmp source any destination any
[R1-acl-adv-3001]rule deny ip source any destination any
[R1-acl-adv-3001]acl 3002
[R1-acl-adv-3002]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
[R1-acl-adv-3002]rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
[R1-acl-adv-3002]rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
[R1-acl-adv-3002]rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
[R1-acl-adv-3002]rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
[R1-acl-adv-3002]rule permit icmp source any destination any
[R1-acl-adv-3002]rule deny ip source any destination any
[R1-acl-adv-3002]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter outbound acl 3001
[R1-GigabitEthernet0/0/0]int g0/0/2
[R1-GigabitEthernet0/0/2]traffic-filter outbound acl 3002
[R1-GigabitEthernet0/0/2]
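To check the rule analysis against the requirements before applying it to the router, here is an added Python simulation of first-match ACL evaluation with Huawei wildcard masks (example code, not from the original lab page). It carries a constructed copy of acl 3000 and assumes that a traffic-filter forwards packets that match no rule.

```python
import ipaddress

# Constructed copy of the page's acl 3000 (applied outbound on R1 g0/0/1), in configured order.
ACL3000 = [
    "rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80",
    "rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0",
    "rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0",
    "rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0",
    "rule permit icmp source any destination any",
    "rule deny ip source any destination any",
]

def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard is 'don't care'; '0' abbreviates 0.0.0.0."""
    if base == "any":
        return True
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & ~w) == (b & ~w)

def parse_rule(line):
    """Parse 'rule <permit|deny> <proto> source X [wc] destination Y [wc] [destination-port eq N]'."""
    t = line.split()
    r = {"action": t[1], "proto": t[2], "dport": None}
    for key in ("source", "destination"):
        i = t.index(key) + 1
        r[key] = t[i]
        r[key + "_wc"] = None if t[i] == "any" else t[i + 1]
    if "destination-port" in t:
        r["dport"] = int(t[t.index("destination-port") + 2])
    return r

def evaluate(acl, proto, src, dst, dport=None):
    """First matching rule wins, in configured order; a 'rule ... ip' matches every IP protocol.
    Assumption: packets matching no rule are forwarded, hence the explicit final deny on the page."""
    for r in map(parse_rule, acl):
        if r["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, r["source"], r["source_wc"]):
            continue
        if not wildcard_match(dst, r["destination"], r["destination_wc"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "permit"

if __name__ == "__main__":
    # Requirement 1 vs rule order: the vlan10 -> vlan40-server deny sits above the ICMP permit.
    print(evaluate(ACL3000, "tcp", "192.168.10.100", "192.168.30.200", 80))  # permit
    print(evaluate(ACL3000, "icmp", "192.168.10.100", "192.168.40.200"))  # deny
```

Running it shows that rule order decides the overlapping cases: ICMP from vlan10 to vlan40-server is caught by the deny that precedes the ICMP permit, which is worth checking against requirement 7 when ordering the rules.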
Test:
1. All hosts in vlan10 may access vlan30-server only over HTTP, and must not access vlan40-server
vlan10 can access vlan30-server only over HTTP
HTTP access from vlan10 to vlan30-server works
6. PublicServer provides DNS to all PCs
When a PC reaches a server by resolving its domain name, the other rules must also allow that traffic without conflict.
1. All hosts in vlan10 may access vlan30-server only over HTTP, and must not access vlan40-server