华为ACL配置
需求:
公司保证财务部数据安全,禁止研发部门和互联网访问财务服务器,但总裁办不受影响
R1:
<Huawei>sys
[Huawei]sys Router1
[Router1]undo info-center enable
[Router1]int g1/0/0
[Router1-GigabitEthernet1/0/0]ip add 20.20.20.254 24
[Router1-GigabitEthernet1/0/0]int g2/0/0
[Router1GigabitEthernet2/0/0]ip add 30.30.30.254 24
[Router1-GigabitEthernet2/0/0]int g0/0/0
[Router1-GigabitEthernet0/0/0]ip add 172.16.1.254 24
[Router1-GigabitEthernet2/0/0]int g0/0/1
[Router1-GigabitEthernet0/0/1]ip add 10.10.10.254 24
[Router1-GigabitEthernet0/0/1]quit
//配置静态路由
[Router1]ip route-static 192.168.1.0 24 172.16.1.254
//2000-2999初级ACL,3000-3999高级ACL
[Router1]acl 3000
//允许20.20.20.0网段的地址访问30.30.30.3主机(反掩码中0表示精准匹配,1表示模糊匹配)
[Router1-acl-adv-3000]rule 10 permit ip source 20.20.20.0 0.0.0.255 destination 30.30.30.3 0.0.0.0
//禁止10.10.10.0网段的地址访问30.30.30.3主机(0.0.0.0可以简写成0)
[Router1-acl-adv-3000]rule 20 deny ip source 10.10.10.0 0.0.0.255 destination 30.30.30.3 0
//拒绝所有网段访问30.30.30.3主机(规则顺序很重要,从小到大匹配)
[Router1-acl-adv-3000]rule 30 deny ip source any destination 30.30.30.3 0
[Router1-acl-adv-3000]int g2/0/0
//g2/0/0出口应用acl(数据包从这个口出来)
[Router1-GigabitEthernet2/0/0]traffic-filter outbound acl 3000R2:
[Huawei]sys Router2
[Router2]int g0/0/0
[Router2-GigabitEthernet0/0/0]ip add 172.16.1.1 24
[Router2-GigabitEthernet0/0/0]quit
//配置默认路由
[Router2]ip route-static 0.0.0.0 0 172.16.1.254总裁办访问财务部
研发部访问财务部
互联网访问财务部
