Lab requirements
1. Use an ACL so that PC1 cannot access PC3
Lab topology
Lab steps
Basic environment configuration: PC-to-PC connectivity
1. Configure IP addresses and gateways on PC1, PC2 and PC3
2. On LSW2, create three VLANs; set g0/0/2, g0/0/3 and g0/0/4 to link type Access and add each to one of the three VLANs; set g0/0/1 to trunk and allow all VLANs through
3. On LSW1, set g0/0/1 to trunk and allow all VLANs through; create the same three VLANs and configure an IP address (VLANIF) for each
<Huawei>system-view
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/1]q
[Huawei]vlan batch 10 20 30
[Huawei-vlan20]int vlan 20
[Huawei-Vlanif20]ip address 192.168.20.254 255.255.255.0
[Huawei-Vlanif20]int vlan 30
[Huawei-Vlanif30]ip address 192.168.30.254 255.255.255.0
[Huawei-Vlanif30]int vlan 10
[Huawei-Vlanif10]ip address 192.168.10.254 255.255.255.0
ACL configuration: LSW1
Create an ACL named test
Add two rules: deny traffic from the source subnet 192.168.10.0/24 to the destination subnet 192.168.30.0/24
Permit all other subnets to communicate normally
Enter the port to be restricted, g0/0/1, and apply the ACL there
[Huawei]acl name test advance
[Huawei-acl-adv-test]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Huawei-acl-adv-test]rule permit ip source any destination any
[Huawei-acl-adv-test]dis this
#
acl name test 3999
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 permit ip
#
return
[Huawei-acl-adv-test]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl name test
[Huawei-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
traffic-filter inbound acl name test
#
return
[Huawei-GigabitEthernet0/0/1]
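A way to check the rule logic offline before testing on the switch, as an added example that is not part of the original lab note: a small Python model of Huawei wildcard-mask matching and first-match rule ordering, fed the two rules exactly as `dis this` prints them above. The PC addresses 192.168.10.1, 192.168.20.1 and 192.168.30.1 are constructed for the example (the note only lists the .254 gateways), and a packet matching no rule is modelled as permitted, which is an assumption about traffic-filter behaviour rather than something the note states.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei wildcard-mask match (the inverse of a subnet mask):
    a 0 bit in the wildcard must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # the defaults mean "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (wildcard_match(src_ip, self.src, self.src_wc)
                and wildcard_match(dst_ip, self.dst, self.dst_wc))


def parse_rule(line: str) -> Rule:
    """Parse one 'rule N permit|deny ip [source A WC|any] [destination B WC|any]'
    line in the form `display this` / `display acl` prints it. An absent
    source or destination, or the keyword any, matches every address."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[3] != "ip":
        raise ValueError(f"not an advanced ip rule: {line!r}")
    rule = Rule(int(tok[1]), tok[2])
    i = 4
    while i < len(tok):
        key = tok[i]
        if key not in ("source", "destination"):
            raise ValueError(f"unexpected token {key!r} in {line!r}")
        if tok[i + 1] == "any":
            i += 2
            continue
        addr, wc = tok[i + 1], tok[i + 2]
        if key == "source":
            rule.src, rule.src_wc = addr, wc
        else:
            rule.dst, rule.dst_wc = addr, wc
        i += 3
    return rule


# The two rules exactly as `dis this` shows them in the lab note.
DISPLAYED_ACL = """
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 permit ip
"""
ACL_TEST = [parse_rule(l) for l in DISPLAYED_ACL.splitlines() if l.strip()]


def evaluate(acl, src_ip: str, dst_ip: str):
    """First match wins, in ascending rule-number order. Returns (action, rule number).
    A packet matching no rule is modelled as permitted (an assumption about the
    traffic-filter default; the lab ACL's rule 10 means it is never reached)."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.number
    return "permit", None


def ping_succeeds(acl, src_ip: str, dst_ip: str) -> bool:
    """A ping needs both the echo request and the echo reply to pass the
    inbound filter on LSW1 g0/0/1, because every PC-originated packet
    enters LSW1 through that trunk port."""
    request, _ = evaluate(acl, src_ip, dst_ip)
    reply, _ = evaluate(acl, dst_ip, src_ip)
    return request == "permit" and reply == "permit"


if __name__ == "__main__":
    # Constructed host addresses (the note only gives the .254 gateways).
    pcs = {"PC1": "192.168.10.1", "PC2": "192.168.20.1", "PC3": "192.168.30.1"}
    for a, ip_a in pcs.items():
        for b, ip_b in pcs.items():
            if a != b:
                action, num = evaluate(ACL_TEST, ip_a, ip_b)
                ok = ping_succeeds(ACL_TEST, ip_a, ip_b)
                print(f"{a}->{b}: rule {num} {action}, ping ok: {ok}")
```

The ping check evaluates both directions through the inbound filter on g0/0/1. That is why PC3 pinging PC1 also fails in this topology: rule 10 permits PC3's echo request, but PC1's echo reply is dropped by rule 5. It is the check to run when an ACL written for one direction appears to block more than intended.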
Test
Lab objectives
1. Learn ACLs
Related commands
View VLANs
View the interface list
...
dis acl all