Configuring an ACL on a Layer 3 Switch

1. Project Requirements

VLAN 1 can access the Internet
VLAN 2 and VLAN 3 cannot access the Internet or VLAN 1
VLAN 2 and VLAN 3 can access each other

2. Configuration Environment

[Image: configuration environment diagram (image-20250606152622916)]

AR1

<Huawei>sys
[Huawei]user-interface console 0
[Huawei-ui-console0]authentication-mode aaa
[Huawei-ui-console0]aaa

[Huawei-aaa]local-user zhao password cipher 123456
[Huawei-aaa]local-user zhao privilege level 3
[Huawei-aaa]local-user wong password cipher 123456
[Huawei-aaa]local-user wong privilege level 3
[Huawei-aaa]local-user wong service-type ssh
[Huawei-aaa]quit

[Huawei]ssh user wong authentication-type password
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]protocol inbound ssh
[Huawei-ui-vty0-4]quit
[Huawei]stelnet server enable

[Huawei]interface GigabitEthernet 0/0/0    
[Huawei-GigabitEthernet0/0/0]ip address 192.168.4.1 24
[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 137.107.0.1 24
[Huawei-GigabitEthernet0/0/1]quit

[Huawei]ip route-static 0.0.0.0 0 192.168.4.2

LSW1

<Huawei>sys

[Huawei]vlan batch 1 2 3

[Huawei]undo info-center enable

[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 1
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]interface vlanif 1
[Huawei-Vlanif1]ip address 192.168.1.1 24
[Huawei-Vlanif1]quit

[Huawei]interface GigabitEthernet 0/0/2    
[Huawei-GigabitEthernet0/0/2]port link-type access 
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]quit
[Huawei]interface Vlanif 2
[Huawei-Vlanif2]ip address 192.168.2.1 24
[Huawei-Vlanif2]quit

[Huawei]interface GigabitEthernet 0/0/3    
[Huawei-GigabitEthernet0/0/3]port link-type access 
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]quit

[Huawei]interface vlanif 3
[Huawei-Vlanif3]ip address 192.168.3.1 24
[Huawei-Vlanif3]quit

[Huawei]vlan 4
[Huawei-vlan4]quit
[Huawei]interface GigabitEthernet 0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 4
[Huawei-GigabitEthernet0/0/4]quit
[Huawei]interface Vlanif 4
[Huawei-Vlanif4]ip address 192.168.4.2 24
[Huawei-Vlanif4]quit

[Huawei]ip route-static 137.107.0.0 16 192.168.4.1

3. Configuring the ACL

# Set up the ACL rules
<Huawei>sys
[Huawei]acl 3001

[Huawei-acl-adv-3001]rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3001]rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[Huawei-acl-adv-3001]rule 15 permit ip source 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3001]rule 20 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[Huawei-acl-adv-3001]rule 30 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[Huawei-acl-adv-3001]rule 40 deny ip

# Display the ACL rules
[Huawei-acl-adv-3001]display acl all
 Total quantity of nonempty ACL number is 1 

Advanced ACL 3001, 6 rules
Acl's step is 5
 rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 
 rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 
 rule 15 permit ip source 192.168.1.0 0.0.0.255 
 rule 20 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 
 rule 30 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 
 rule 40 deny ip 
 
# Bind the ACL to the VLANs (inbound)
[Huawei]traffic-filter vlan 1 inbound acl 3001
[Huawei]traffic-filter vlan 2 inbound acl 3001
[Huawei]traffic-filter vlan 3 inbound acl 3001
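To check that the rule set above actually implements the three requirements from section 1, here is an added Python model of ACL 3001 (example code, not part of the original post). It reproduces Huawei wildcard matching (set bits in the mask are ignored) and first-match evaluation in rule-number order, runs the rules over constructed sample hosts in each VLAN (with 137.107.0.5 standing in for an Internet host behind AR1), and reports every flow whose verdict differs from the policy. It assumes that a packet matching no rule is permitted by traffic-filter, which is why the closing `rule 40 deny ip` matters; the model shows which requirements break when that rule is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of advanced ACL 3001 from the page.  Huawei wildcard masks
# are inverted netmasks: a set bit means "ignore this bit", so 0.0.0.255 matches
# a /24 and an omitted source/destination matches any address.

Match = Tuple[str, str]  # (network, wildcard)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                          # "permit" or "deny"
    source: Optional[Match] = None       # None means "any"
    destination: Optional[Match] = None  # None means "any"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Return True if addr matches network under a Huawei wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must match
    return (a & care) == (n & care)


def evaluate(acl: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation in ascending rule-number order.

    Returns (action, rule_number).  If no rule matches, traffic-filter is
    assumed to let the packet through, so an ACL without an explicit final
    deny is effectively "permit anything not listed".
    """
    for rule in sorted(acl, key=lambda r: r.number):
        if rule.source and not wildcard_match(src, *rule.source):
            continue
        if rule.destination and not wildcard_match(dst, *rule.destination):
            continue
        return rule.action, rule.number
    return "permit", None


V1 = ("192.168.1.0", "0.0.0.255")
V2 = ("192.168.2.0", "0.0.0.255")
V3 = ("192.168.3.0", "0.0.0.255")

# The six rules exactly as configured on LSW1.
ACL_3001 = [
    Rule(5,  "deny",   V1, V2),
    Rule(10, "deny",   V1, V3),
    Rule(15, "permit", V1),
    Rule(20, "permit", V2, V3),
    Rule(30, "permit", V3, V2),
    Rule(40, "deny"),
]

# The project requirements as expected verdicts for constructed sample hosts.
POLICY: Dict[Tuple[str, str], str] = {
    ("192.168.1.10", "137.107.0.5"):  "permit",  # VLAN 1 -> Internet
    ("192.168.2.10", "137.107.0.5"):  "deny",    # VLAN 2 -> Internet
    ("192.168.3.10", "137.107.0.5"):  "deny",    # VLAN 3 -> Internet
    ("192.168.2.10", "192.168.1.10"): "deny",    # VLAN 2 -> VLAN 1
    ("192.168.3.10", "192.168.1.10"): "deny",    # VLAN 3 -> VLAN 1
    ("192.168.1.10", "192.168.2.10"): "deny",    # VLAN 1 -> VLAN 2 (rule 5)
    ("192.168.2.10", "192.168.3.10"): "permit",  # VLAN 2 <-> VLAN 3
    ("192.168.3.10", "192.168.2.10"): "permit",
}


def policy_violations(acl: List[Rule], policy: Dict[Tuple[str, str], str] = POLICY) -> List[str]:
    """Describe every flow whose ACL verdict differs from the intended policy."""
    out = []
    for (src, dst), expected in policy.items():
        action, num = evaluate(acl, src, dst)
        if action != expected:
            out.append(f"{src} -> {dst}: expected {expected}, got {action} (rule {num})")
    return out


def without_rule(acl: List[Rule], number: int) -> List[Rule]:
    """Copy of the ACL with one rule removed, to test what a single rule contributes."""
    return [r for r in acl if r.number != number]


if __name__ == "__main__":
    print("violations with the full ACL:", policy_violations(ACL_3001))
    print("violations without rule 40:", policy_violations(without_rule(ACL_3001, 40)))
```

With the full ACL the violation list is empty. Without rule 40, the four flows from VLAN 2 and VLAN 3 toward the Internet and VLAN 1 are permitted, because rules 5 and 10 are the only explicit denies and both match only traffic sourced from VLAN 1; everything the rules do not mention falls through to the default. The model is stateless, like the ACL itself, so it says nothing about return traffic; the page's design works because replies from the Internet enter on VLAN 4, which carries no filter.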

4. Testing

[Image: test results (image-20250606154942553)]

[Image: test results (image-20250606155028262)]
