Huawei configuration commands
Suppose a company has a Finance department, an R&D department, the President's Office, and an external network, and the Finance department has only one host. Use an ACL so that only the President's Office can access the Finance department; nothing else has permission.

1. The topology is as follows:

2. First, on AR3, configure each gateway and the default static route (so that the external Internet can reach the internal hosts):

    <Huawei>system-view
    [Huawei]sysname Router
    [Router]interface g0/0/0
    [Router-GigabitEthernet0/0/0]ip address 192.168.1.254 24
    [Router-GigabitEthernet0/0/0]interface g0/0/1
    [Router-GigabitEthernet0/0/1]ip address 192.168.2.254 24
    [Router-GigabitEthernet0/0/1]interface g2/0/0
    [Router-GigabitEthernet2/0/0]ip address 1.1.1.254 24
    [Router-GigabitEthernet2/0/0]interface g1/0/0
    [Router-GigabitEthernet1/0/0]ip address 192.168.3.254 24

3. Configure R5 as follows:

    <Huawei>system-view
    [Huawei]sysname Internet
    [Internet]interface g0/0/0
    [Internet-GigabitEthernet0/0/0]ip address 1.1.1.1 24
    [Internet-GigabitEthernet0/0/0]quit
    [Internet]ip route-static 0.0.0.0 0 1.1.1.254   // set the static default route
    [Internet]ping 192.168.3.100   // the internal network can be pinged
      PING 192.168.3.100: 56  data bytes, press CTRL_C to break
        Reply from 192.168.3.100: bytes=56 Sequence=1 ttl=254 time=20 ms
        Reply from 192.168.3.100: bytes=56 Sequence=2 ttl=254 time=20 ms
        Reply from 192.168.3.100: bytes=56 Sequence=3 ttl=254 time=20 ms
        Reply from 192.168.3.100: bytes=56 Sequence=4 ttl=254 time=20 ms
        Reply from 192.168.3.100: bytes=56 Sequence=5 ttl=254 time=30 ms

4. On R3, configure the ACL and apply it to port g1/0/0:

    [Router]acl 3000
    [Router-acl-adv-3000]rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.100 0
    [Router-acl-adv-3000]rule 20 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.100 0
    [Router-acl-adv-3000]rule 30 deny ip source any destination 192.168.3.100 0
    [Router-acl-adv-3000]interface g1/0/0
    [Router-GigabitEthernet1/0/0]traffic-filter outbound acl 3000
    [Router-GigabitEthernet1/0/0]

5. Test from each network segment: only the President's Office can ping through, so the configuration is successful.

Recorded here as notes on ACLs.
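The effect of acl 3000 from step 4 can be checked offline before it is applied to an interface. The following is an added example, not part of the original page: it parses the three rules and evaluates them first-match in ascending rule ID order using wildcard masks. The source host addresses in the demo are constructed, and forwarding of traffic that matches no rule is an assumption about how traffic-filter treats unmatched packets.

```python
import ipaddress
import re

# Rules copied from the page's acl 3000 (CLI prompts stripped).
ACL_3000 = """\
rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.100 0
rule 20 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.100 0
rule 30 deny ip source any destination 192.168.3.100 0
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip source (any|\S+ \S+) destination (any|\S+ \S+)")

def _to_int(text):
    # A bare "0" is shorthand for wildcard 0.0.0.0 (exact host match).
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))

def _parse_match(field):
    if field == "any":
        return (0, 0xFFFFFFFF)             # every bit is "don't care"
    addr, wildcard = field.split()
    return (_to_int(addr), _to_int(wildcard))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule_id, action, src, dst = m.groups()
            rules.append((int(rule_id), action, _parse_match(src), _parse_match(dst)))
    return sorted(rules)                    # evaluated in ascending rule ID

def _hit(ip, match):
    base, wildcard = match
    care = ~wildcard & 0xFFFFFFFF           # wildcard 1-bits are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(rules, src, dst):
    """Return (action, rule_id) of the first rule matching src and dst."""
    for rule_id, action, src_m, dst_m in rules:
        if _hit(src, src_m) and _hit(dst, dst_m):
            return action, rule_id
    return "permit", None                   # assumption: no match -> forwarded

RULES = parse_acl(ACL_3000)

if __name__ == "__main__":
    # Constructed source hosts: one per internal subnet plus R5's address.
    for src in ("192.168.1.10", "192.168.2.10", "1.1.1.1"):
        print(src, "->", evaluate(RULES, src, "192.168.3.100"))
```

Evaluating the same sources with rule 10 removed shows that 192.168.1.0/24 is still denied by rule 30, so rule 10 only makes the intent explicit.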