Ribbons

高级ACL典型组网配置案例

组网及说明

组网说明:

 本案例采用H3C HCL模拟器来模拟高级ACL典型组网配置。服务器在网络拓扑图中已有明确的标识。要求VLAN 10仅能访问server1,VLAN 20仅能访问server2。R1与SW1运行OSPF路由协议。

 配置步骤

1、按照网络拓扑图正确配置IP地址

2、SW1与R1运行OSPF路由协议

3、在SW1配置高级ACL,VLAN 10仅能访问server1,VLAN 20仅能访问server2。 

配置关键点

第一阶段调试(基础网络配置):

SW1:

SW1:

sys

System View: return to User View with Ctrl+Z.

[H3C]sysname SW1

[SW1]int loopback 0

[SW1-LoopBack0]ip address 1.1.1.1 32

[SW1-LoopBack0]quit

[SW1]router id 1.1.1.1

[SW1]vlan 10

[SW1-vlan10]quit

[SW1]vlan 20

[SW1-vlan20]quit

[SW1]int vlan 10

[SW1-Vlan-interface10]ip address 172.16.10.1 24

[SW1-Vlan-interface10]quit

[SW1]int vlan 20

[SW1-Vlan-interface20]ip address 172.16.20.1 24

[SW1-Vlan-interface20]quit

[SW1]int gi 1/0/2

[SW1-GigabitEthernet1/0/2]port link-type access

[SW1-GigabitEthernet1/0/2]port access vlan 10

[SW1-GigabitEthernet1/0/2]quit

[SW1]int gi 1/0/3

[SW1-GigabitEthernet1/0/3]port link-type access

[SW1-GigabitEthernet1/0/3]port access vlan 20

[SW1-GigabitEthernet1/0/3]quit

[SW1]int gi 1/0/1

[SW1-GigabitEthernet1/0/1]port link-mode route

[SW1-GigabitEthernet1/0/1]des

[SW1-GigabitEthernet1/0/1]ip address 10.0.0.1 30

[SW1-GigabitEthernet1/0/1]quit

[SW1]ospf 1 router-id 1.1.1.1

[SW1-ospf-1]area 0.0.0.0

[SW1-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0

[SW1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0

[SW1-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255

[SW1-ospf-1-area-0.0.0.0]network 172.16.20.0 0.0.0.255

[SW1-ospf-1-area-0.0.0.0]quit

[SW1-ospf-1]quit

[SW1]

 

R1:

sys

System View: return to User View with Ctrl+Z.

[H3C]sysname R1

[R1]int gi 0/0

[R1-GigabitEthernet0/0]des

[R1-GigabitEthernet0/0]ip address 10.0.0.2 30

[R1-GigabitEthernet0/0]quit

[R1]int gi 0/1

[R1-GigabitEthernet0/1]ip address 192.168.1.1 24

[R1-GigabitEthernet0/1]quit

[R1]int gi 0/2

[R1-GigabitEthernet0/2]ip address 192.168.2.1 24

[R1-GigabitEthernet0/2]quit

[R1]int loopback 0

[R1-LoopBack0]ip address 2.2.2.2 32

[R1-LoopBack0]quit

[R1]router id 2.2.2.2

[R1]ospf 1 router-id 2.2.2.2

[R1-ospf-1]area 0.0.0.0

[R1-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0

[R1-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0

[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255

[R1-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255

[R1-ospf-1-area-0.0.0.0]quit

[R1-ospf-1]quit

第一阶段测试:

所有PC都填写IP地址,且都能互通:

 

 

 

 

 

 

 

 第二阶段调试(高级ACL关键配置点):

SW1:

[SW1]acl advanced 3000

[SW1-acl-ipv4-adv-3000]rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[SW1-acl-ipv4-adv-3000]rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[SW1-acl-ipv4-adv-3000]rule 3 deny ip source 172.16.10.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[SW1-acl-ipv4-adv-3000]rule 4 deny ip source 172.16.20.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[SW1-acl-ipv4-adv-3000]quit

[SW1]int gi 1/0/1

[SW1-GigabitEthernet1/0/1]packet-filter 3000 outbound

[SW1-GigabitEthernet1/0/1]quit

第二阶段测试: 

VLAN 10的终端能PING通server1,无法Ping通server2: 

 Vlan 20的终端能PING通server2,PING不通server1: 

 Server1能PING通VLAN 10的终端,PING不通VLAN 20的终端:

 Server2能PING通VLAN 20的终端,PING不通VLAN 10的终端:

 查看ACL的匹配情况:

 至此,高级ACL典型组网配置案例已完成!

posted @ 2022-11-19 12:37  爱学习滴小朋友  阅读(482)  评论(0编辑  收藏  举报