h3c acl配置一列

1. acl number 3004 
2. rule 0 permit ip source 10.2.1.4 0 
3. rule 1 deny ip source 192.168.1.91 0 
4. rule 2 deny ip source 192.168.9.6 0 
5. rule 3 deny ip source 192.168.1.94 0 
6. rule 4 deny ip source 10.1.3.240 0 
7. rule 5 permit ip source 10.2.1.40 0 
8. rule 7 deny ip source 10.2.12.8 0 
9. rule 8 deny ip source 192.168.2.69 0 
10. rule 9 deny ip source 10.1.1.20 0 
11. rule 15 deny ip source 10.2.1.0 0.0.0.255 
12. rule 20 deny ip source 10.2.17.0 0.0.0.255 
13. rule 25 deny ip source 10.2.18.0 0.0.0.255 
14. rule 30 deny ip source 10.2.19.0 0.0.0.255 
15. rule 35 deny ip source 10.2.16.0 0.0.0.255 
16. rule 36 deny ip source 192.168.9.2 0 
17. rule 100 deny ip source 192.168.19.6 0 
18. rule 200 deny ip source 192.168.9.99 0 
19. rule 250 deny ip source 192.168.19.5 0 
20. rule 260 deny ip source 192.168.9.1 0 
21. # 
22. acl number 3005 
23. rule 50 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.9.0 0.0.0.255 
24. rule 60 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.1.91 0 
25. rule 70 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.1.90 0 
26. rule 80 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.1.92 0 
27. rule 90 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.1.95 0 
28. rule 100 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.1.7 0 
29. rule 110 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.19.6 0 
30. rule 120 deny ip source 10.1.0.0 0.0.255.255 destination 192.168.19.5 0 

 

1. interface Vlan-interface999 
2. ip address 10.20.20.254 255.255.255.0 
3. packet-filter 3005 inbound 
4. # 
5. interface Vlan-interface1000 
6. ip address 10.10.10.254 255.255.255.0 
7. packet-filter 3004 outbound 

关于怎么区分inbound 与 outbound ,:都看成网关, 出网关的是outbound，source ip 是内部ip

inbound是进网关，source ip是来源ip

 

注意2层协议时inbound,outbound刚好相反

 

-------------------

 

老的S5600 只支持网口做 inboud包过滤，下面是只允许指定电脑进行远程桌面