Huawei switch ACL configuration example: Huawei switch ACLs explained

Author: YD166, 2022-11-01 12:37:07

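Lab objective

Build a lab topology with Huawei S5700 series switches to test and verify port-based ACL configuration. The main devices used are the LSW2 switch and the test hosts PC1, PC2 and PC5. The IP address and VLAN plan is shown in the figure.

Lab topology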


Figure: Port-based ACL configuration on a Huawei switch

Configuration steps

[LSW2]acl 2000
[LSW2-acl-basic-2000]rule 10 deny source 192.168.20.20 0 logging
[LSW2-acl-basic-2000]rule 20 permit source any
[LSW2-acl-basic-2000]int g0/0/4
[LSW2-GigabitEthernet0/0/4]traffic-filter inbound acl 2000
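
The match logic of the ACL configured above, as an added example that is not part of the original article: it parses the rule lines, evaluates source addresses in ascending rule-ID order (the default VRP `config` match order is assumed), and flags rules that an earlier rule makes unreachable. The function names and the misordered ACL are constructed for illustration.

```python
import ipaddress
import re

# ACL 2000 as it appears in the page's `dis cur` output.
ACL_2000 = "rule 10 deny source 192.168.20.20 0 logging\nrule 20 permit\n"
# Constructed counter-example: same rules, but the permit has the lower rule ID.
ACL_MISORDERED = "rule 5 permit\nrule 10 deny source 192.168.20.20 0\n"

RULE_RE = re.compile(r"rule (\d+) (permit|deny)(?: source (?:any|(\S+) (\S+)))?")
ALL = 0xFFFFFFFF

def to_int(text):
    """Dotted quad to int; VRP also accepts a bare 0 as the 0.0.0.0 wildcard."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_basic_acl(text):
    """Return [(rule_id, action, address, wildcard)] sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule_id, action, src, wc = m.groups()
            # No source clause (or "source any") matches every address.
            addr, wild = (to_int(src), to_int(wc)) if src else (0, ALL)
            rules.append((int(rule_id), action, addr, wild))
    return sorted(rules)

def evaluate(rules, src_ip):
    """Rules are tried in ascending rule ID; the first match decides."""
    ip = to_int(src_ip)
    for rule_id, action, addr, wild in rules:
        care = ~wild & ALL            # bits that are 0 in the wildcard must be equal
        if (ip & care) == (addr & care):
            return rule_id, action
    return None, "no-match"           # outcome then depends on the feature using the ACL

def shadowed(rules):
    """IDs of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, (rid, _, addr, wild) in enumerate(rules):
        for _, _, e_addr, e_wild in rules[:i]:
            care = ~e_wild & ALL
            if (e_wild | wild) == e_wild and (e_addr & care) == (addr & care):
                dead.append(rid)
                break
    return dead
```

With the page's rule order, the host 192.168.20.20 hits rule 10 and is denied; in the misordered variant the same host is permitted by rule 5 and the deny rule is reported as unreachable.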

Complete configuration commands

Full configuration of LSW2:

[LSW2]dis cur
#
sysname LSW2
#
router id 1.1.1.1
#
vlan batch 10 20 30 100
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
acl number 2000
 rule 10 deny source 192.168.20.20 0 logging
 rule 20 permit
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.254 255.255.255.0
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 traffic-filter inbound acl 2000
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.10.1 0.0.0.0
  network 192.168.20.1 0.0.0.0
  network 192.168.30.254 0.0.0.0
#
user-interface con 0
user-interface vty 0 4
#
return

Test and verification

Before the ACL is configured, test whether PC1 and PC5 can reach each other:


Figure: Ping test between PC1 and PC5

Before the ACL is configured, test whether PC2 and PC5 can reach each other:


Figure: Ping test between PC2 and PC5

After the ACL is configured, test whether PC1, PC2 and PC5 can reach each other:
