在企业当中需要实现对流量的过滤,ACL就是必须要使用的,
本文为大家详细介绍华为acl的综合应用。
实验要去如下:
1.R1只允许IT登录; 2.YF和CW之间不能互通,但都可以与IT互通; 3.IT和YF可以访问Client1; 4.CW不能访问Client1; 5.YF和CW只能访问Server1的WWW服务; 6.只有IT才能访问Server1的所有服务。
实验分析如下:
CW 1.YF和CW之间不能互通,但都可以与IT互通; 2.CW不能访问Client1; 3.CW只能访问Server1的WWW服务; YF 1.YF和CW之间不能互通,但都可以与IT互通; 2.YF可以访问Client1; 3.YF只能访问Server1的WWW服务; IT 1.R1只允许IT登录; 2.IT可以访问Client1; 3.只有IT才能访问Server1的所有服务。
基本网络配置如下:
R1 sysname R1 interface GigabitEthernet0/0/0 ip address 1.1.1.254 255.255.255.0 interface GigabitEthernet0/0/1 ip address 192.168.12.1 255.255.255.0 interface GigabitEthernet0/0/2 ip address 192.168.13.1 255.255.255.0 ip route-static 192.168.10.0 255.255.255.0 192.168.12.2 ip route-static 192.168.20.0 255.255.255.0 192.168.12.2 ip route-static 192.168.30.0 255.255.255.0 192.168.13.2 ip route-static 192.168.40.0 255.255.255.0 192.168.13.2 R2 sysname R2 interface GigabitEthernet0/0/0 ip address 192.168.12.2 255.255.255.0 interface GigabitEthernet0/0/1 ip address 192.168.10.254 255.255.255.0 interface GigabitEthernet0/0/2 ip address 192.168.20.254 255.255.255.0 traffic-filter inbound acl 3000 ip route-static 0.0.0.0 0.0.0.0 192.168.12.1 R3 sysname R3 interface GigabitEthernet0/0/0 ip address 192.168.13.2 255.255.255.0 interface GigabitEthernet0/0/1 ip address 192.168.30.254 255.255.255.0 traffic-filter inbound acl 3000 interface GigabitEthernet0/0/2 ip address 192.168.40.254 255.255.255.0 ip route-static 0.0.0.0 0.0.0.0 192.168.13.1
ACL配置如下:
财务部ACL设置
R3
acl name cw
rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
rule 20 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 30 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www
rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0
interface GigabitEthernet0/0/1
traffic-filter inbound acl name cw
研发部ACL设置
R2
acl name yf
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 20 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www
rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
interface GigabitEthernet0/0/2
traffic-filter inbound acl 3name yf
IT部ACL设置
R1
acl number 2000
rule 10 permit source 192.168.10.0 0.0.0.255
user-interface vty 0 4
acl 2000 inbound
authentication-mode password
123
acl number 3000
rule 10 permit tcp source 1.1.1.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 destination-port eq www
rule 20 deny ip source 1.1.1.0 0.0.0.255 destination 192.168.40.1 0
interface GigabitEthernet0/0/0
traffic-filter inbound acl 200
最后进行验证即可!!!!!!