Huawei device ACL configuration

Topology:

Requirements:

1. All hosts in VLAN 10 may access vlan30-server only over HTTP and may not access vlan40-server
2. Host vlan20-pc1 may access vlan40-server but may not access vlan30-server
3. Host vlan30-pc1 may not access vlan20-server but may access vlan40-server
4. PublicServer provides only FTP to VLAN 10 and VLAN 20
5. PublicServer provides only HTTP to vlan30-server and vlan40-server
6. PublicServer provides DNS to all PCs
7. All nodes and hosts can ping each other

Configuration:

Layer 3 switch SW1-left

sw-left:
[sw1]sys sw-left
[sw-left]vlan batch 10 20 50
[sw-left]port-group group-member g0/0/1 g0/0/2
[sw-left-port-group]port link-type access
[sw-left-GigabitEthernet0/0/1]port link-type access
[sw-left-GigabitEthernet0/0/2]port link-type access
[sw-left-port-group]port default vlan 10
[sw-left-GigabitEthernet0/0/1]port default vlan 10
[sw-left-GigabitEthernet0/0/2]port default vlan 10
[sw-left-port-group]q
[sw-left]port-group group-member g0/0/3 g0/0/4
[sw-left-port-group]port link-type access
[sw-left-GigabitEthernet0/0/3]port link-type access
[sw-left-GigabitEthernet0/0/4]port link-type access
[sw-left-port-group]port default vlan 20
[sw-left-GigabitEthernet0/0/3]port default vlan 20
[sw-left-GigabitEthernet0/0/4]port default vlan 20
[sw-left-port-group]q
[sw-left]int g0/0/10
[sw-left-GigabitEthernet0/0/10]port link-type access
[sw-left-GigabitEthernet0/0/10]port default vlan 50
[sw-left-GigabitEthernet0/0/10]q
[sw-left]int vlanif 10
[sw-left-Vlanif10]ip add 192.168.10.1 24
[sw-left-Vlanif10]int vlanif 20
[sw-left-Vlanif20]ip add 192.168.20.1 24
[sw-left-Vlanif20]int vlanif 50
[sw-left-Vlanif50]ip add 192.168.50.2 24
[sw-left-Vlanif50]q
[sw-left]rip
[sw-left-rip-1]version 2
[sw-left-rip-1]undo summary
[sw-left-rip-1]network 192.168.10.0
[sw-left-rip-1]network 192.168.20.0
[sw-left-rip-1]network 192.168.50.0

[sw-left-rip-1]

Router: R1

<Huawei>sys
[Huawei]sys R1
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.60.1 24
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.100.1 24
[R1-GigabitEthernet0/0/2]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.50.1 24
[R1-GigabitEthernet0/0/0]q
[R1]rip
[R1-rip-1]version 2
[R1-rip-1]undo summary
[R1-rip-1]network 192.168.50.0
[R1-rip-1]network 192.168.60.0
[R1-rip-1]network 192.168.100.0
[R1-rip-1]

Switch: SW2-right

<Huawei>sys
[Huawei]sys sw-right
[sw-right]vlan batch 30 40 60
[sw-right]port-group group-member g0/0/1 g0/0/2
[sw-right-port-group]port link-type access
[sw-right-GigabitEthernet0/0/1]port link-type access
[sw-right-GigabitEthernet0/0/2]port link-type access
[sw-right-GigabitEthernet0/0/1]port default vlan 30
[sw-right-GigabitEthernet0/0/2]port default vlan 30
[sw-right-port-group]q
[sw-right]port-group group-member g0/0/3 g0/0/4
[sw-right-port-group]port link-type access
[sw-right-GigabitEthernet0/0/3]port link-type access
[sw-right-GigabitEthernet0/0/4]port link-type access
[sw-right-port-group]port default vlan 40
[sw-right-GigabitEthernet0/0/3]port default vlan 40
[sw-right-GigabitEthernet0/0/4]port default vlan 40
[sw-right-port-group]q
[sw-right]int g0/0/10
[sw-right-GigabitEthernet0/0/10]port link-type access
[sw-right-GigabitEthernet0/0/10]port default vlan 60
[sw-right-GigabitEthernet0/0/10]q
[sw-right]int vlanif 30
[sw-right-Vlanif30]ip add 192.168.30.1 24
[sw-right-Vlanif30]int vlanif 40
[sw-right-Vlanif40]ip add 192.168.40.1 24
[sw-right-Vlanif40]int vlanif 60
[sw-right-Vlanif60]ip add 192.168.60.2 24
[sw-right-Vlanif60]q
[sw-right]rip
[sw-right-rip-1]version 2
[sw-right-rip-1]undo summary
[sw-right-rip-1]network 192.168.30.0
[sw-right-rip-1]network 192.168.40.0
[sw-right-rip-1]network 192.168.60.0

[sw-right-rip-1]

After confirming that every terminal device can ping every other one, continue...

Rule analysis:

1. All hosts in VLAN 10 may access vlan30-server only over HTTP and may not access vlan40-server
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
Return-traffic rules:
rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255

2. Host vlan20-pc1 may access vlan40-server but may not access vlan30-server
rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
Return-traffic rules:
rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0

3. Host vlan30-pc1 may not access vlan20-server but may access vlan40-server
rule deny ip source 192.168.30.100 0 destination 192.168.20.200 0
VLAN 30 and VLAN 40 traffic does not cross the router, so no rule is needed for it
Return-traffic rules:

4. PublicServer provides only FTP to VLAN 10 and VLAN 20
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
Return-traffic rules:
rule permit ip source 192.168.100.200 0 destination 192.168.10.0 0.0.0.255
rule permit ip source 192.168.100.200 0 destination 192.168.20.0 0.0.0.255

5. PublicServer provides only HTTP to VLAN 30 and vlan40-server
rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
Return-traffic rules:
rule permit ip source 192.168.100.200 0 destination 192.168.30.0 0.0.0.255
rule permit ip source 192.168.100.200 0 destination 192.168.40.0 0.0.0.255

6. PublicServer provides DNS to all PCs
rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
Return-traffic rules:
rule permit ip source 192.168.100.200 0 destination any

7. All nodes and hosts can ping each other
rule permit icmp source any destination any

Summarized as outbound ACLs on R1's three routed interfaces, the rules above become:

int g0/0/1: acl 3000

That is, traffic from VLAN 10, VLAN 20 and PublicServer, filtered outbound on int g0/0/1:
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
rule permit icmp source any destination any
rule deny ip source any destination any

int g0/0/0: acl 3001

That is, traffic from VLAN 30, VLAN 40 and PublicServer, filtered outbound on int g0/0/0:
rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
rule permit ip source 192.168.100.200 0 destination any
rule permit icmp source any destination any
rule deny ip source any destination any

int g0/0/2: acl 3002

That is, traffic from VLAN 10, VLAN 20, VLAN 30 and VLAN 40, filtered outbound on int g0/0/2:
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
rule permit icmp source any destination any
rule deny ip source any destination any

Creating and applying the ACLs on router R1:

[R1]acl 3000
[R1-acl-adv-3000]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
[R1-acl-adv-3000]rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
[R1-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
[R1-acl-adv-3000]rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
[R1-acl-adv-3000]rule permit icmp source any destination any
[R1-acl-adv-3000]rule deny ip source any destination any
[R1-acl-adv-3000]acl 3001
[R1-acl-adv-3001]rule permit ip source 192.168.30.200 0 destination 192.168.10.0 0.0.0.255
[R1-acl-adv-3001]rule permit ip source 192.168.40.200 0 destination 192.168.20.100 0
[R1-acl-adv-3001]rule permit ip source 192.168.100.200 0 destination any
[R1-acl-adv-3001]rule permit icmp source any destination any
[R1-acl-adv-3001]rule deny ip source any destination any
[R1-acl-adv-3001]acl 3002
[R1-acl-adv-3002]rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
[R1-acl-adv-3002]rule permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 21
[R1-acl-adv-3002]rule permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.100.200 0 destination-port eq 80
[R1-acl-adv-3002]rule permit tcp source 192.168.40.200 0 destination 192.168.100.200 0 destination-port eq 80
[R1-acl-adv-3002]rule permit udp source any destination 192.168.100.200 0 destination-port eq 53
[R1-acl-adv-3002]rule permit icmp source any destination any
[R1-acl-adv-3002]rule deny ip source any destination any
[R1-acl-adv-3002]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter outbound acl 3001
[R1-GigabitEthernet0/0/0]int g0/0/2
[R1-GigabitEthernet0/0/2]traffic-filter outbound acl 3002
[R1-GigabitEthernet0/0/2]
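As an added check that is not part of the original post, the Python below evaluates the page's ACL 3000 with Huawei advanced-ACL semantics (first matching rule wins, wildcard mask bits set to 1 are "don't care") so that each requirement's forward and return flows can be verified offline before the ACL is applied; running it shows, for instance, that the HTTP reply from PublicServer to a VLAN 30 host is dropped by ACL 3000 because none of its rules permit source 192.168.100.200, and that ICMP from VLAN 10 to vlan40-server hits the deny ip rule before permit icmp. The test packets are constructed, and the forward-if-unmatched default is an assumption noted in the code; ACL 3001 and 3002 can be pasted in the same way.

```python
import ipaddress

def to_int(s):  # Huawei accepts a bare "0" as shorthand for the wildcard 0.0.0.0
    return int(s) if s.isdigit() else int(ipaddress.IPv4Address(s))
def parse_rule(text):
    # Parses one "rule permit|deny <proto> source ... destination ..." line
    t, i = text.split(), 3
    r = {"action": t[1], "proto": t[2], "src": None, "dst": None, "dport": None}
    while i < len(t):
        if t[i] in ("source", "destination"):
            key = "src" if t[i] == "source" else "dst"
            if t[i + 1] == "any":
                i += 2                  # stays None: matches any address
            else:                       # (base address, wildcard mask) as integers
                r[key], i = (to_int(t[i + 1]), to_int(t[i + 2])), i + 3
        elif t[i] == "destination-port":  # only "eq <port>" is used on this page
            r["dport"], i = int(t[i + 2]), i + 3
        else:
            i += 1
    return r
def addr_match(spec, ip):
    # Wildcard semantics: a 1 bit means "don't care", so only the 0 bits must agree
    if spec is None:
        return True
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) ^ base) & (~wild & 0xFFFFFFFF) == 0

def rule_match(r, pkt):
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:  # "ip" covers every protocol
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    return addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
def acl_action(rules, pkt):
    # First match wins. Assumption: a packet matching no rule is forwarded, as with
    # traffic-filter on Huawei devices; moot here because every ACL ends in deny any.
    for r in rules:
        if rule_match(r, pkt):
            return r["action"]
    return "permit"

# ACL 3000 exactly as the page applies it outbound on R1 g0/0/1 (towards VLAN 30/40)
ACL3000 = [parse_rule(l) for l in """\
rule permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.200 0 destination-port eq 80
rule permit ip source 192.168.20.100 0 destination 192.168.40.200 0
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.200 0.0.0.0
rule deny ip source 192.168.20.100 0 destination 192.168.30.200 0
rule permit icmp source any destination any
rule deny ip source any destination any""".splitlines()]
```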

Tests:

1. All hosts in VLAN 10 may access vlan30-server only over HTTP and may not access vlan40-server

VLAN 10 can reach vlan30-server only over HTTP

HTTP from VLAN 10 to vlan30-server works normally

6. PublicServer provides DNS to all PCs

When a PC reaches a server by resolving its domain name, the access must also not conflict with any of the other rules.

1. All hosts in VLAN 10 may access vlan30-server only over HTTP and may not access vlan40-server

Original article: https://www.cnblogs.com/xccjmpc/p/11029528.html

Date: 2024-11-09 02:43:32
