【eNSP实战】三层交换机使用ACL实现网络安全
拓图
要求:
- vlan1可以访问Internet
- vlan2和vlan3不能访问Internet和vlan1
- vlan2和vlan3之间可以互相访问
- PC配置如图所示,这里不展示
LSW1接口vlan配置
vlan batch 10 20 30
#
interface Vlanif1
ip address 192.168.40.2 255.255.255.0
#
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 192.168.40.1
AR1接口配置
interface GigabitEthernet0/0/0
ip address 92.168.40.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.40.2
下面开始配置三层交换机ACL
LSW1配置ACL:
[LSW1]acl 3000
[LSW1-acl-adv-3000]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 15 permit ip source 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[LSW1-acl-adv-3000]rule 25 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[LSW1-acl-adv-3000]rule 30 deny ip
[LSW1-acl-adv-3000]quit
把配置好的ACL策略应用到vlan上
[LSW1]traffic-filter vlan 10 inbound acl 3000
[LSW1]traffic-filter vlan 20 inbound acl 3000
[LSW1]traffic-filter vlan 30 inbound acl 3000
至此ACL配置完成,下面测试PC2与Internet互联测试
PC2与PC3互联测试
