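Configuring an Access Control List (ACL) with Huawei Commands
Simulated scenario
Server: 192.168.3.100
Sales department: 192.168.1.1
Development department: 192.168.2.1
Simulated Internet: 1.1.1.1
Requirement 1: The sales department must not access the server
Requirement 2: The development department may access the server
Requirement 3: The Internet must not access the server
Topology diagram
Router configuration
Enter the system view
Change the router's device name to router
Assign a gateway for each department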
<Huawei> system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]
[Huawei]
[Huawei]sysname router
[router]interface gigabitethernet 0/0/0
[router-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[router-GigabitEthernet0/0/0]interface gigabitethernet 0/0/1
[router-GigabitEthernet0/0/1]ip address 192.168.2.254 24
[router-GigabitEthernet0/0/1]interface gigabitethernet 0/0/2
[router-GigabitEthernet0/0/2]ip address 1.1.1.254 24
[router-GigabitEthernet0/0/2]interface ethernet 0/0/0
[router-Ethernet0/0/0]ip address 192.168.3.254 24
[router-Ethernet0/0/0]
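Simulated Internet router configuration
Enter the system view
Enter interface g0/0/0
Set the gateway address
Add a default static route so that traffic can be forwarded to 1.1.1.254; at this point all devices can access the Internet.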
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 1.1.1.1 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0 0 1.1.1.254
^
Error: Wrong parameter found at '^' position.
[Huawei]ip route-static 0.0.0.0 0 1.1.1.254
[Huawei]
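ACL configuration
Create 3 ACL rules
1. Deny the sales department access to 192.168.3.100
2. Permit the development department access to 192.168.3.100
3. Deny the Internet access to 192.168.3.100
Finally, apply ACL 3000 on the router's e0/0/0 interface.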
<router>
<router>sys
Enter system view, return user view with Ctrl+Z.
[router]acl 3000
[router-acl-adv-3000]rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.100 0.0.0.0
[router-acl-adv-3000]rule 2 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.100 0.0.0.0
[router-acl-adv-3000]rule 3 deny ip souce any destination 192.168.3.100 0.0.0.0
^
Error:Too many parameters found at '^' position.
[router-acl-adv-3000]rule 3 deny ip source any destination 192.168.3.100 0.0.0.0
[router-acl-adv-3000]q
[router]interface ethernet 0/0/0
[router-Ethernet0/0/0]traffic-filter outbound acl 3000
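
The following Python sketch is an added example, not part of the original post: it models ACL 3000 as a first-match list evaluated in ascending rule-ID order with wildcard-mask matching, and checks the three requirements using the addresses from the scenario. The function names are hypothetical, and traffic that matches no rule is reported as no-match because the page does not state how the router handles it.

```python
import ipaddress

# ACL 3000 as entered above: (rule id, action, source, source wildcard,
# destination, destination wildcard). "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_3000 = [
    (1, "deny",   "192.168.1.0", "0.0.0.255",       "192.168.3.100", "0.0.0.0"),
    (2, "permit", "192.168.2.0", "0.0.0.255",       "192.168.3.100", "0.0.0.0"),
    (3, "deny",   "0.0.0.0",     "255.255.255.255", "192.168.3.100", "0.0.0.0"),
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 0 must match; bits set to 1 are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def evaluate(acl, src, dst):
    """Return (rule_id, action) of the first matching rule in ascending
    rule-ID order, or (None, "no-match") when no rule applies."""
    for rule_id, action, s, sw, d, dw in sorted(acl):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return rule_id, action
    return None, "no-match"

def check_requirements(acl):
    """Evaluate the three requirements from the scenario against an ACL."""
    server = "192.168.3.100"
    return {
        "sales": evaluate(acl, "192.168.1.1", server),
        "development": evaluate(acl, "192.168.2.1", server),
        "internet": evaluate(acl, "1.1.1.1", server),
    }

if __name__ == "__main__":
    for who, (rule_id, action) in check_requirements(ACL_3000).items():
        print(f"{who:12s} -> server: {action} (rule {rule_id})")
    # Constructed variation: a catch-all deny numbered below the permit
    # would block the development department as well.
    reordered = [(1, *ACL_3000[2][1:]), (2, *ACL_3000[1][1:])]
    print("reordered:", evaluate(reordered, "192.168.2.1", "192.168.3.100"))
    # Another host on the server subnet (constructed address) matches no rule.
    print("other host:", evaluate(ACL_3000, "192.168.1.1", "192.168.3.50"))
```

Because rule 3 matches any source, rule order matters: the permit for the development subnet has to carry a lower rule ID than the catch-all deny, and destinations other than 192.168.3.100 are not covered by this ACL at all.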