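1. Requirements

1) R1 accepts logins only from WG; WG can ping Server1 and Client1.
2) YF and CW cannot reach each other, but both can reach WG.
3) YF can access Client1.
4) CW cannot access Client1.
5) YF and CW can access only the WWW service on Server1.
6) Only WG can access all services on Server1.

2. Topology

[Topology diagram]

3. Configuration

WG: IP 192.168.1.1/24, gateway 192.168.1.254
YF: IP 192.168.2.1/24, gateway 192.168.2.254
CW: IP 192.168.3.1/24, gateway 192.168.3.254
Server1: IP 192.168.4.1/24, gateway 192.168.4.254
Client1: IP 192.168.10.1/24, gateway 192.168.10.254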

WG:

    system-view
    sysname wg
    interface GigabitEthernet 0/0/0
    ip address 192.168.1.1 24
    quit
    ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

R1:

    system-view
    sysname r1
    interface GigabitEthernet 0/0/0
    ip address 192.168.20.254 24
    quit
    interface GigabitEthernet 0/0/1
    ip address 192.168.30.254 24
    quit
    interface GigabitEthernet 0/0/2
    ip address 192.168.10.254 24
    quit

R2:

    system-view
    sysname r2
    interface GigabitEthernet 0/0/0
    ip address 192.168.30.1 24
    quit
    interface GigabitEthernet 0/0/1
    ip address 192.168.1.254 24
    quit
    interface GigabitEthernet 0/0/2
    ip address 192.168.2.254 24
    quit

R3:

    system-view
    sysname r3
    interface GigabitEthernet 0/0/0
    ip address 192.168.20.1 24
    quit
    interface GigabitEthernet 0/0/1
    ip address 192.168.3.254 24
    quit
    interface GigabitEthernet 0/0/2
    ip address 192.168.4.254 24
    quit

R1 static routes:

    ip route-static 192.168.1.0 24 192.168.30.1
    ip route-static 192.168.2.0 24 192.168.30.1
    ip route-static 192.168.3.0 24 192.168.20.1
    ip route-static 192.168.4.0 24 192.168.20.1

R2 static routes:

    ip route-static 192.168.10.0 24 192.168.30.254
    ip route-static 192.168.3.0 24 192.168.30.254
    ip route-static 192.168.4.0 24 192.168.30.254

R3 static routes:

    ip route-static 192.168.10.0 24 192.168.20.254
    ip route-static 192.168.1.0 24 192.168.20.254
    ip route-static 192.168.2.0 24 192.168.20.254

R1 login restriction (basic ACL 2000 applied to the VTY lines, AAA local user for Telnet):

    acl 2000
    rule 5 permit source 192.168.1.1 0.0.0.0
    rule 10 deny source any
    quit
    user-interface vty 0 4
    acl 2000 inbound
    user privilege level 3
    authentication-mode aaa
    quit
    aaa
    local-user jing password cipher 123
    local-user jing service-type telnet
    quit

R2 (advanced ACL 3000, applied inbound on the YF-facing interface):

    acl 3000
    rule 5 permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
    rule 10 permit tcp source 192.168.2.1 0.0.0.0 destination 192.168.4.1 0.0.0.0 destination-port eq 80
    rule 15 permit ip source 192.168.2.1 0.0.0.0 destination 192.168.10.1 0.0.0.0
    rule 20 deny ip source any
    quit
    interface GigabitEthernet 0/0/2
    traffic-filter inbound acl 3000

R3 (advanced ACL 3000, applied inbound on the CW-facing interface):

    acl 3000
    rule 5 permit ip source 192.168.3.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
    rule 10 permit tcp source 192.168.3.1 0.0.0.0 destination 192.168.4.1 0.0.0.0 destination-port eq 80
    rule 20 deny ip source any
    quit
    interface GigabitEthernet 0/0/1
    traffic-filter inbound acl 3000

4. Verification

YF accesses the WWW service on Server1: success
YF pings Server1: fails
YF pings Client1: success
YF pings WG: success
YF pings CW: fails
CW pings WG: success
CW pings YF: fails
CW pings Server1: fails

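An ACL (access control list) matches the traffic of interest, and a companion tool then acts on the matched traffic. In this lab the ACL is used together with traffic-filter to restrict or permit the corresponding traffic.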
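The rule matching that the verification section checks by hand can be replayed offline. The following Python sketch is an added example, not part of the original post: it transcribes the two ACL 3000 rule sets from the page and evaluates flows against them in ascending rule-id order. The function names and tuple layout are assumptions of this sketch, and it models rule matching only, not routing or return traffic.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard of all ones = any address

def host(addr):
    return (addr, "0.0.0.0")           # wildcard 0.0.0.0 = exactly this address

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # Wildcard mask semantics: 0 bits must match, 1 bits are ignored.
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

# Tuple layout (hypothetical): (rule id, action, protocol, source, destination, dst port)
R2_ACL_3000 = [   # applied inbound on R2 g0/0/2 (YF side)
    (5, "permit", "ip", host("192.168.2.1"), host("192.168.1.1"), None),
    (10, "permit", "tcp", host("192.168.2.1"), host("192.168.4.1"), 80),
    (15, "permit", "ip", host("192.168.2.1"), host("192.168.10.1"), None),
    (20, "deny", "ip", ANY, ANY, None),
]
R3_ACL_3000 = [   # applied inbound on R3 g0/0/1 (CW side)
    (5, "permit", "ip", host("192.168.3.1"), host("192.168.1.1"), None),
    (10, "permit", "tcp", host("192.168.3.1"), host("192.168.4.1"), 80),
    (20, "deny", "ip", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (rule id, action) of the first rule hit, lowest rule id first."""
    for rid, action, r_proto, r_src, r_dst, r_port in sorted(acl):
        if r_proto not in ("ip", proto):
            continue   # "ip" covers every protocol; otherwise it must be equal
        if not (wildcard_match(src, *r_src) and wildcard_match(dst, *r_dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return rid, action
    return None, "no-match"

if __name__ == "__main__":
    # Constructed test flows mirroring the verification list above.
    flows = [
        ("YF -> Server1 tcp/80", R2_ACL_3000, ("tcp", "192.168.2.1", "192.168.4.1", 80)),
        ("YF -> Server1 ping", R2_ACL_3000, ("icmp", "192.168.2.1", "192.168.4.1")),
        ("CW -> Client1 ping", R3_ACL_3000, ("icmp", "192.168.3.1", "192.168.10.1")),
    ]
    for name, acl, flow in flows:
        print(name, evaluate(acl, *flow))
```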