华为交换机使用高级ACL限制不同网段的用户互访案例

华为交换机使用高级ACL限制不同网段的用户互访案例

引用

CSDN

1.

https://m.blog.csdn.net/zqyqdn2021/article/details/143688858

本文通过一个具体的组网需求场景，详细介绍了如何使用华为交换机的高级ACL（访问控制列表）来限制不同网段用户之间的互访。文章内容专业且具有很强的实用性，适合网络工程师或相关技术人员阅读。

组网需求

某公司通过交换机LSW1实现各部门之间的互连。为方便管理网络，管理员为公司的研发部和市场部规划了两个网段的IP地址。同时为了隔离广播域，又将两个部门划分在不同VLAN之中。现要求LSW1既能够限制两个网段之间互访，又不影响两个部门访问外网。

配置思路

按如下思路在上图中的S5700交换机上进行配置：

1. 配置高级ACL
2. 配置基于ACL的流分类，对研发部与市场部互访的报文进行过滤。
3. 配置流行为，拒绝匹配上ACL的报文通过。
4. 配置并应用流策略，使ACL和流行为生效。

配置步骤

交换机LSW1配置

<Huawei>system-view
[Huawei]sysname LSW1
[LSW1]un in en //关闭信息显示
[LSW1]vlan batch 10 20 //新建VLAN
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 10
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 20
[LSW1-GigabitEthernet0/0/2]quit
[LSW1]int vlanif 10
[LSW1-Vlanif10]ip address 10.1.1.1 24
[LSW1-Vlanif10]int vlanif 20
[LSW1-Vlanif20]ip add 10.1.2.1 24
[LSW1-Vlanif20]q
[LSW1]acl 3001 //配置ACL
[LSW1-acl-adv-3001]rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[LSW1-acl-adv-3001]rule 10 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[LSW1-acl-adv-3001]q
[LSW1]traffic classifier mycon3001 //配置流分类
[LSW1-classifier-mycon3001]if-match acl 3001
[LSW1-classifier-mycon3001]q
[LSW1]traffic behavior mybh3001 //配置流行为，拒绝报文通过
[LSW1-behavior-mybh3001]deny
[LSW1-behavior-mybh3001]q
[LSW1]traffic policy mypo3001 //配置流策略，关联流分类和流行为
[LSW1-trafficpolicy-mypo3001]classifier mycon3001 behavior mybh3001
[LSW1-trafficpolicy-mypo3001]q
[LSW1]int g0/0/1 //应用流策略
[LSW1-GigabitEthernet0/0/1]traffic-policy mypo3001 inbound
[LSW1-GigabitEthernet0/0/1]q
[LSW1]int g0/0/2 //应用流策略
[LSW1-GigabitEthernet0/0/2]traffic-policy mypo3001 inbound
[LSW1-GigabitEthernet0/0/2]q
[LSW1]vlan batch 100
[LSW1]int g0/0/24
[LSW1-GigabitEthernet0/0/24]port link-type access
[LSW1-GigabitEthernet0/0/24]port default vlan 100
[LSW1-GigabitEthernet0/0/24]int vlanif100
[LSW1-Vlanif100]ip add 10.1.100.254 24
[LSW1-Vlanif100]q
[LSW1]q
<LSW1>save

路由R1配置

<Huawei>sys
[Huawei]sys R1
[R1]un in en
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.1.100.1 24
[R1-GigabitEthernet0/0/1]q
[R1]ip route-static 0.0.0.0 0.0.0.0 10.1.100.254 //配置静态路由
[R1]q
<R1>sa

结果验证

PC1 ping PC2

PC>ping 10.1.2.10
Ping 10.1.2.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 10.1.2.10 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

PC1 ping出口路由网关地址

PC>ping 10.1.100.1
Ping 10.1.100.1: 32 data bytes, Press Ctrl_C to break
From 10.1.100.1: bytes=32 seq=1 ttl=254 time=109 ms
From 10.1.100.1: bytes=32 seq=2 ttl=254 time=46 ms
From 10.1.100.1: bytes=32 seq=3 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=4 ttl=254 time=32 ms
From 10.1.100.1: bytes=32 seq=5 ttl=254 time=47 ms
--- 10.1.100.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/53/109 ms

PC2 ping PC1

PC>ping 10.1.1.10
Ping 10.1.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 10.1.1.10 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

PC2 ping出口路由网关地址

PC>ping 10.1.100.1
Ping 10.1.100.1: 32 data bytes, Press Ctrl_C to break
From 10.1.100.1: bytes=32 seq=1 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=2 ttl=254 time=63 ms
From 10.1.100.1: bytes=32 seq=3 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=4 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=5 ttl=254 time=32 ms
--- 10.1.100.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/37/63 ms

通过上述配置和验证结果可以看出，研发部和市场部之间的互访被成功限制，但两个部门仍然可以正常访问外网。