一、組網(wǎng)需求:
1.通過(guò)配置基本訪問(wèn)控制列表,實(shí)現(xiàn)在每天8:00~18:00時(shí)間段內(nèi)對(duì)源IP為10.1.1.2主機(jī)發(fā)出報(bào)文的過(guò)濾; m.survivalescaperooms.com
2.要求配置高級(jí)訪問(wèn)控制列表,禁止研發(fā)部門與技術(shù)支援部門之間互訪,并限制研發(fā)部門在上班時(shí)間8:00至18:00訪問(wèn)工資查詢服務(wù)器;
3.通過(guò)二層訪問(wèn)控制列表,實(shí)現(xiàn)在每天8:00~18:00時(shí)間段內(nèi)對(duì)源MAC為00e0-fc01-0101的報(bào)文進(jìn)行過(guò)濾。
二、組網(wǎng)圖:
三、配置步驟:
H3C 3600 5600 5100系列交換機(jī)典型訪問(wèn)控制列表配置
共用配置
1.根據(jù)組網(wǎng)圖,創(chuàng)建四個(gè)vlan,對(duì)應(yīng)加入各個(gè)端口
<H3C>system-view
[H3C]vlan 10
[H3C-vlan10]port GigabitEthernet 1/0/1
[H3C-vlan10]vlan 20
[H3C-vlan20]port GigabitEthernet 1/0/2
[H3C-vlan20]vlan 30
[H3C-vlan30]port GigabitEthernet 1/0/3
[H3C-vlan30]vlan 40
[H3C-vlan40]port GigabitEthernet 1/0/4
[H3C-vlan40]quit
2.配置各VLAN虛接口地址
[H3C]interface vlan 10
[H3C-Vlan-interface10]ip address 10.1.1.1 24
[H3C-Vlan-interface10]quit
[H3C]interface vlan 20
[H3C-Vlan-interface20]ip address 10.1.2.1 24
[H3C-Vlan-interface20]quit
[H3C]interface vlan 30
[H3C-Vlan-interface30]ip address 10.1.3.1 24
[H3C-Vlan-interface30]quit
[H3C]interface vlan 40
[H3C-Vlan-interface40]ip address 10.1.4.1 24
[H3C-Vlan-interface40]quit
3.定義時(shí)間段
[H3C] time-range huawei 8:00 to 18:00 working-day
需求1配置(基本ACL配置)
1.進(jìn)入2000號(hào)的基本訪問(wèn)控制列表視圖
[H3C-GigabitEthernet1/0/1] acl number 2000
2.定義訪問(wèn)規(guī)則過(guò)濾10.1.1.2主機(jī)發(fā)出的報(bào)文
[H3C-acl-basic-2000] rule 1 deny source 10.1.1.2 0 time-range Huawei
3.在接口上應(yīng)用2000號(hào)ACL
[H3C-acl-basic-2000] interface GigabitEthernet1/0/1
[H3C-GigabitEthernet1/0/1] packet-filter inbound ip-group 2000
[H3C-GigabitEthernet1/0/1] quit
需求2配置(高級(jí)ACL配置)
1.進(jìn)入3000號(hào)的高級(jí)訪問(wèn)控制列表視圖
[H3C] acl number 3000
2.定義訪問(wèn)規(guī)則禁止研發(fā)部門與技術(shù)支援部門之間互訪
[H3C-acl-adv-3000]rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
3.定義訪問(wèn)規(guī)則禁止研發(fā)部門在上班時(shí)間8:00至18:00訪問(wèn)工資查詢服務(wù)器
[H3C-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range Huawei
[H3C-acl-adv-3000] quit
4.在接口上用3000號(hào)ACL
[H3C-acl-adv-3000] interface GigabitEthernet1/0/2
[H3C-GigabitEthernet1/0/2] packet-filter inbound ip-group 3000
需求3配置(二層ACL配置)
1.進(jìn)入4000號(hào)的二層訪問(wèn)控制列表視圖
[H3C] acl number 4000
2.定義訪問(wèn)規(guī)則過(guò)濾源MAC為00e0-fc01-0101的報(bào)文
[H3C-acl-ethernetframe-4000] rule 1 deny source 00e0-fc01-0101 ffff-ffff-ffff time-range Huawei
3.在接口上應(yīng)用4000號(hào)ACL
[H3C-acl-ethernetframe-4000] interface GigabitEthernet1/0/4
[H3C-GigabitEthernet1/0/4] packet-filter inbound link-group 4000
2 H3C 5500-SI 3610 5510系列交換機(jī)典型訪問(wèn)控制列表配置
需求2配置
1.進(jìn)入3000號(hào)的高級(jí)訪問(wèn)控制列表視圖
[H3C] acl number 3000
2.定義訪問(wèn)規(guī)則禁止研發(fā)部門與技術(shù)支援部門之間互訪
[H3C-acl-adv-3000]rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
3.定義訪問(wèn)規(guī)則禁止研發(fā)部門在上班時(shí)間8:00至18:00訪問(wèn)工資查詢服務(wù)器
[H3C-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range Huawei
[H3C-acl-adv-3000] quit
4.定義流分類
[H3C] traffic classifier abc
[H3C-classifier-abc]if-match acl 3000
[H3C-classifier-abc]quit
5.定義流行為,確定禁止符合流分類的報(bào)文
[H3C] traffic behavior abc
[H3C-behavior-abc] filter deny
[H3C-behavior-abc] quit
6.定義Qos策略,將流分類和流行為進(jìn)行關(guān)聯(lián)
[H3C]qos policy abc
[H3C-qospolicy-abc] classifier abc behavior abc
[H3C-qospolicy-abc] quit
7.在端口下發(fā)Qos policy
[H3C] interface g1/1/2
[H3C-GigabitEthernet1/1/2] qos apply policy abc inbound
8.補(bǔ)充說(shuō)明:
l acl只是用來(lái)區(qū)分?jǐn)?shù)據(jù)流,permit與deny由filter確定;
l 如果一個(gè)端口同時(shí)有permit和deny的數(shù)據(jù)流,需要分別定義流分類和流行為,并在同一QoS策略中進(jìn)行關(guān)聯(lián);
l QoS策略會(huì)按照配置順序?qū)?bào)文和classifier相匹配,當(dāng)報(bào)文和某一個(gè)classifier匹配后,執(zhí)行該classifier所對(duì)應(yīng)的behavior,然后策略執(zhí)行就結(jié)束了,不會(huì)再匹配剩下的classifier;
l 將QoS策略應(yīng)用到端口后,系統(tǒng)不允許對(duì)應(yīng)修改義流分類、流行為以及QoS策略,直至取消下發(fā)。
四、配置關(guān)鍵點(diǎn):
1.time-name 可以自由定義;
2.設(shè)置訪問(wèn)控制規(guī)則以后,一定要把規(guī)則應(yīng)用到相應(yīng)接口上,應(yīng)用時(shí)注意inbound方向應(yīng)與rule中source和destination對(duì)應(yīng);
3.S5600系列交換機(jī)只支持inbound方向的規(guī)則,所以要注意應(yīng)用接口的選擇;
