How to configure ACLs on a Huawei 3928-SI to isolate VLANs
Using ACLs on a Huawei 3928-SI to implement VLAN isolation.
I have one 3928; its software version is as follows:
<HG-B502>display ver
Huawei-3Com Versatile Routing Platform Software
VRP (R) Software, Version 3.10, RELEASE 0013A
Copyright (c) 1998-2006 Hangzhou Huawei-3Com Tech. Co.,Ltd. All rights reserved.
Quidway S3928P-SI uptime is 2 weeks,0 day,18 hours,33 minutes
Quidway S3928P-SI with 1 MIPS Processor
64M bytes DRAM
8196K bytes Flash Memory
Config Register points to FLASH
Hardware Version is SI_REV.C
CPLD Version is CPLD 001
Bootrom Version is 226
[Subslot 0] 24 FE Hardware Version is REV.C
[Subslot 1] 4 GE Hardware Version is REV.C
I now need to configure a customer VLAN (address range 10.1.113.0/24) that must not be able to reach the internal LAN (address range 10.1.119.0/24);
it may only obtain an IP address from the DHCP server and use the internal DNS service (the DHCP server and the DNS server are both 10.1.119.1),
and it may go directly to the INTERNET. The current configuration is as follows:
1. Configure the ACL
<HG-B502>disp acl all
Advanced ACL 3000, 8 rules
custom-acl
Acl's step is 1
rule 10 permit udp destination-port eq bootpc // so that an IP address can be obtained from the DHCP server
rule 20 permit udp destination-port eq bootps // so that an IP address can be obtained from the DHCP server
rule 30 permit udp destination-port eq dns // so that the internal DNS service can be used
rule 40 deny tcp destination 10.1.119.0 0.0.0.255 // no access to the internal LAN (address range 10.1.119.0/24)
rule 50 deny udp destination 10.1.119.0 0.0.0.255 // no access to the internal LAN (address range 10.1.119.0/24)
rule 60 permit tcp // direct INTERNET access
rule 70 permit udp
rule 80 permit icmp
2. Apply it to the port
#
interface Ethernet1/0/2
port access vlan 70
packet-filter outbound ip-group 3000 rule 10
packet-filter outbound ip-group 3000 rule 20
packet-filter outbound ip-group 3000 rule 30
packet-filter outbound ip-group 3000 rule 40
packet-filter outbound ip-group 3000 rule 50
packet-filter outbound ip-group 3000 rule 60
packet-filter outbound ip-group 3000 rule 70
packet-filter outbound ip-group 3000 rule 80
The current result is:
1. A DHCP address is obtained
2. The INTERNET can be reached
3. The internal intranet can also be reached.
Why is the isolation from the internal network not working??
Previously I had always used , and with a 3550 SI this was very easy to achieve. I don't know how to set it up on the Huawei??
Please advise. Thanks!!
Reply 1:
The ACL you are using is actually far too much. What you want is access control between the Layer 3 VLAN virtual interfaces inside a Layer 3 switch, that is, although you are using a Layer 3 switch, you do not want certain VLANs to talk to each other. Is that right?
If so, you only need to write in ACL 3000: deny source address (10.1.113.0/24) destination address (10.1.119.0/24). Then apply it on the relevant interface with the packet-filter outbound ip-group command. But note that this way you may no longer be able to communicate with the DHCP server, so add a separate ACL rule just for DHCP. Note.... when writing the ACL, be sure to choose AUTO mode (depth-first matching) rather than "CONFIG" mode.
<TuSuGuan-S3928TP-SI>
%Apr 3 12:37:14:795 2000 TuSuGuan-S3928TP-SI SHELL/5/LOGIN:- 1 - VTY(192.168.1.1) in unit1 login
<TuSuGuan-S3928TP-SI>
<TuSuGuan-S3928TP-SI>sys
System View: return to User View with Ctrl+Z.
[TuSuGuan-S3928TP-SI]dis cu
#
local-server nas-ip 127.0.0.1 key huawei
#
domain default enable system
#
queue-scheduler wrr 1 2 3 4 5 9 13 15
#
radius scheme system
#
domain system
#
acl number 3000
rule 0 deny ip source 192.168.12.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 2 deny ip source 192.168.13.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 4 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 5 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
rule 6 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
rule 7 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.12.0 0.0.0.255
rule 8 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.13.0 0.0.0.255
rule 9 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.13.0 0.0.0.255
rule 10 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.12.0 0.0.0.255
rule 11 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
#
vlan 1
#
vlan 2
description 2
#
vlan 5
description chaxunji
#
vlan 6
description dakaji
#
vlan 11
description 201jifang
#
vlan 12
#
vlan 13
description 410jifang
#
vlan 100
#
interface Vlan-interface1
ip address 192.168.1.254 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.254 255.255.255.0
#
interface Vlan-interface5
ip address 192.168.5.1 255.255.255.0
#
interface Vlan-interface6
ip address 192.168.6.1 255.255.255.0
#
interface Vlan-interface11
ip address 192.168.11.254 255.255.255.0
#
interface Vlan-interface13
ip address 192.168.13.254 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
port access vlan 2
#
interface Ethernet1/0/2
port access vlan 2
#
interface Ethernet1/0/3
port access vlan 2
#
interface Ethernet1/0/4
port access vlan 2
#
interface Ethernet1/0/5
port access vlan 2
#
interface Ethernet1/0/6
port access vlan 2
#
interface Ethernet1/0/7
port access vlan 2
#
interface Ethernet1/0/8
port access vlan 2
#
interface Ethernet1/0/9
port access vlan 2
#
interface Ethernet1/0/10
port access vlan 2
#
interface Ethernet1/0/11
port access vlan 2
#
interface Ethernet1/0/12
port access vlan 2
#
interface Ethernet1/0/13
port access vlan 2
#
interface Ethernet1/0/14
port access vlan 2
#
interface Ethernet1/0/15
port access vlan 2
#
interface Ethernet1/0/16
port access vlan 2
#
interface Ethernet1/0/17
port access vlan 2
#
interface Ethernet1/0/18
port access vlan 2
#
interface Ethernet1/0/19
port access vlan 2
#
interface Ethernet1/0/20
port access vlan 2
#
interface Ethernet1/0/21
description 305-to-410
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3000 rule 0
packet-filter inbound ip-group 3000 rule 1
packet-filter inbound ip-group 3000 rule 2
packet-filter inbound ip-group 3000 rule 3
packet-filter inbound ip-group 3000 rule 4
packet-filter inbound ip-group 3000 rule 5
packet-filter inbound ip-group 3000 rule 6
packet-filter inbound ip-group 3000 rule 7
packet-filter inbound ip-group 3000 rule 8
packet-filter inbound ip-group 3000 rule 9
packet-filter inbound ip-group 3000 rule 10
packet-filter inbound ip-group 3000 rule 11
#
interface Ethernet1/0/22
description 3900-to-jifang201
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3000 rule 0
packet-filter inbound ip-group 3000 rule 1
packet-filter inbound ip-group 3000 rule 2
packet-filter inbound ip-group 3000 rule 3
packet-filter inbound ip-group 3000 rule 4
packet-filter inbound ip-group 3000 rule 5
packet-filter inbound ip-group 3000 rule 6
packet-filter inbound ip-group 3000 rule 7
packet-filter inbound ip-group 3000 rule 8
packet-filter inbound ip-group 3000 rule 9
packet-filter inbound ip-group 3000 rule 10
packet-filter inbound ip-group 3000 rule 11
#
interface Ethernet1/0/23
description 3900-to-3500
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3000 rule 0
packet-filter inbound ip-group 3000 rule 1
packet-filter inbound ip-group 3000 rule 2
packet-filter inbound ip-group 3000 rule 3
packet-filter inbound ip-group 3000 rule 4
packet-filter inbound ip-group 3000 rule 5
packet-filter inbound ip-group 3000 rule 6
packet-filter inbound ip-group 3000 rule 7
packet-filter inbound ip-group 3000 rule 8
packet-filter inbound ip-group 3000 rule 9
packet-filter inbound ip-group 3000 rule 10
packet-filter inbound ip-group 3000 rule 11
#
interface Ethernet1/0/24
description 3900-to-2100
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3000 rule 0
packet-filter inbound ip-group 3000 rule 1
packet-filter inbound ip-group 3000 rule 2
packet-filter inbound ip-group 3000 rule 3
packet-filter inbound ip-group 3000 rule 4
packet-filter inbound ip-group 3000 rule 5
packet-filter inbound ip-group 3000 rule 6
packet-filter inbound ip-group 3000 rule 7
packet-filter inbound ip-group 3000 rule 8
packet-filter inbound ip-group 3000 rule 9
packet-filter inbound ip-group 3000 rule 10
packet-filter inbound ip-group 3000 rule 11
#
interface GigabitEthernet1/1/1
#
interface GigabitEthernet1/1/2
#
interface GigabitEthernet1/1/3
#
interface GigabitEthernet1/1/4
#
sysname TuSuGuan-S3928TP-SI
undo irf-fabric authentication-mode
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 preference 60
#
user-interface aux 0 7
user-interface vty 0 4
user privilege level 3
set authentication password simple huawei
#
return
[TuSuGuan-S3928TP-SI]
[TuSuGuan-S3928TP-SI]dis ver
Huawei-3Com Versatile Routing Platform Software
VRP (R) Software, Version 3.10, RELEASE 0013A
Copyright (c) 1998-2006 Hangzhou Huawei-3Com Tech. Co.,Ltd. All rights reserved.
Quidway S3928TP-SI uptime is 0 week,1 day,12 hours,44 minutes
Quidway S3928TP-SI with 1 MIPS Processor
64M bytes DRAM
8196K bytes Flash Memory
Config Register points to FLASH
Hardware Version is SI_REV.B
CPLD Version is CPLD 003
Bootrom Version is 226
[Subslot 0] 24 FE Hardware Version is REV.B
[Subslot 1] 4 GE Hardware Version is REV.B
[TuSuGuan-S3928TP-SI]
Reply 2:
In theory, applying it on a trunk port as I did and applying it on an access port as you did are the same. If you use the 3928 as a Layer 3 switch you must have several VLAN virtual interfaces up, and that should have nothing to do with the state of the actual physical interfaces.
Reply 3:
I actually implemented one today too. The 3928-SI switch has two VLAN interfaces up: vlan1: 192.168.1.9 255.255.255.0, vlan30: 192.168.2.30 255.255.255.0
I used acl 3000 with
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
On the interface I applied packet-filter inbound ip-group 3000 rule 0
If you ping from HyperTerminal on the switch's CON port it will always succeed; do the actual test on a switch port. At first I also pinged from the terminal; later, using a PC on the interface where the policy was applied, pinging from the .1 network to the .2 network failed. Very simple.
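The following is an added example, written for this page and not posted by anyone in the thread: a small Python model of how a Comware v3 advanced ACL is evaluated on a port, used to replay the original poster's ACL 3000 in both the outbound direction they configured and the inbound direction Reply 3 uses, and in both CONFIG order and the AUTO (depth-first) order Reply 1 recommends. Assumptions that are mine rather than the page's: the depth-first order is approximated as most-specific-first (protocol, then source range, then destination range, then port), a packet-filter with no matching rule forwards the packet, the client port is modelled as a two-port switch (the client access port plus one "uplink"), and the HARDENED rule set and all test packets (including the 203.0.113.10 Internet address and the 10.1.119.10/.22 intranet hosts) are constructed for the demonstration.

```python
# Added example (mine, not from the thread): a simplified simulator of Comware v3
# advanced-ACL matching, used to check the rule sets posted above.
# Assumptions: "config" order tries rules as written; "auto" is approximated as
# most-specific-first (protocol, then source range, then destination range,
# then port); a packet-filter with no matching rule forwards the packet.
import ipaddress
from dataclasses import dataclass
from typing import Optional

CLIENT_PORT = "Ethernet1/0/2"                    # access port in VLAN 70 (from the question)
CLIENT_NET = ipaddress.ip_network("10.1.113.0/24")


@dataclass
class Rule:
    rid: int
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip" (any), "tcp", "udp" or "icmp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None                  # tcp/udp destination port, None = any

    def matches(self, p: dict) -> bool:
        if self.proto != "ip" and self.proto != p["proto"]:
            return False
        if ipaddress.ip_address(p["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.get("dport")


def depth_key(r: Rule) -> tuple:
    """Approximation of depth-first (AUTO) ordering: more specific rules first."""
    return (r.proto != "ip", ipaddress.ip_network(r.src).prefixlen,
            ipaddress.ip_network(r.dst).prefixlen, r.dport is not None)


def evaluate(rules: list, p: dict, order: str = "config") -> str:
    """First matching rule decides; no match means the packet is forwarded."""
    ordered = rules if order == "config" else sorted(rules, key=depth_key, reverse=True)
    for r in ordered:
        if r.matches(p):
            return r.action
    return "permit"


def egress_port(p: dict) -> str:
    """Two-port model: hosts of CLIENT_NET hang off CLIENT_PORT, everything else is 'uplink'."""
    return CLIENT_PORT if ipaddress.ip_address(p["dst"]) in CLIENT_NET else "uplink"


def port_filter(rules: list, direction: str, port: str, p: dict, order: str = "config") -> str:
    """packet-filter inbound sees frames entering the switch on `port`; outbound sees
    frames leaving the switch through `port` toward the hosts behind it. A packet
    that never crosses the port in that direction is reported as 'unfiltered'."""
    seen = p["in_port"] == port if direction == "inbound" else egress_port(p) == port
    return evaluate(rules, p, order) if seen else "unfiltered"


# ACL 3000 as posted in the question (bootpc = 68, bootps = 67, dns = 53).
POSTED = [
    Rule(10, "permit", "udp", dport=68),
    Rule(20, "permit", "udp", dport=67),
    Rule(30, "permit", "udp", dport=53),
    Rule(40, "deny", "tcp", dst="10.1.119.0/24"),
    Rule(50, "deny", "udp", dst="10.1.119.0/24"),
    Rule(60, "permit", "tcp"),
    Rule(70, "permit", "udp"),
    Rule(80, "permit", "icmp"),
]

# Hardened rule set (my proposal, not from the thread): only DHCP and DNS to the
# 10.1.119.1 server may enter the intranet, anything else to 10.1.119.0/24 is
# dropped regardless of protocol, and the rest (Internet, DHCP broadcast) passes.
HARDENED = [
    Rule(10, "permit", "udp", dst="10.1.119.1/32", dport=67),
    Rule(20, "permit", "udp", dst="10.1.119.1/32", dport=53),
    Rule(30, "deny", "ip", dst="10.1.119.0/24"),
    Rule(40, "permit", "ip"),
]


def pkt(proto, src, dst, dport=None, in_port=CLIENT_PORT) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "in_port": in_port}


# Constructed test traffic; the last packet is an intranet reply arriving on the uplink.
PACKETS = {
    "web_to_intranet": pkt("tcp", "10.1.113.5", "10.1.119.10", 80),
    "ping_intranet": pkt("icmp", "10.1.113.5", "10.1.119.10"),
    "dns_to_server": pkt("udp", "10.1.113.5", "10.1.119.1", 53),
    "udp53_other_host": pkt("udp", "10.1.113.5", "10.1.119.22", 53),
    "dhcp_discover": pkt("udp", "0.0.0.0", "255.255.255.255", 67),
    "https_internet": pkt("tcp", "10.1.113.5", "203.0.113.10", 443),
    "intranet_reply": pkt("tcp", "10.1.119.10", "10.1.113.5", 40000, in_port="uplink"),
}


def run(rules: list, direction: str, order: str = "config") -> dict:
    """Verdict of every test packet for one ACL applied in one direction on the client port."""
    return {name: port_filter(rules, direction, CLIENT_PORT, p, order) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules, direction, order in [
        ("posted, outbound, config", POSTED, "outbound", "config"),
        ("posted, inbound, config", POSTED, "inbound", "config"),
        ("posted, inbound, auto", POSTED, "inbound", "auto"),
        ("hardened, inbound, config", HARDENED, "inbound", "config"),
        ("hardened, inbound, auto", HARDENED, "inbound", "auto"),
    ]:
        print(label, run(rules, direction, order))
```

What the replay shows: with the posted ACL applied outbound on Ethernet1/0/2, the only packets the filter ever sees are those delivered to the client, so `deny ... destination 10.1.119.0 0.0.0.255` can never match and every client-sourced packet is forwarded unfiltered, which is the symptom in the question. Applied inbound, as in Reply 3, the same rules block TCP and UDP to the intranet, but rule 80 still permits ping into 10.1.119.0/24 and rule 30 permits UDP/53 to every intranet host, not just the 10.1.119.1 resolver. Under the depth-first order the destination-specific deny rules sort ahead of the port-only permits, so DNS to 10.1.119.1 is dropped; that is the breakage Reply 1 warns about and why a dedicated rule for the server is needed. The HARDENED set returns the same verdicts in either order; in the switch's own syntax as shown on this page it would be `rule 10 permit udp destination 10.1.119.1 0 destination-port eq bootps`, `rule 20 permit udp destination 10.1.119.1 0 destination-port eq dns`, `rule 30 deny ip destination 10.1.119.0 0.0.0.255`, `rule 40 permit ip`, applied with `packet-filter inbound`. Two further caveats a practitioner should keep in mind: a port packet-filter is stateless, so a deny written for one direction only (as in Reply 1's trunk-port rules, which deny the 5/6/11/12/13 to 2 direction but not the reverse) drops the replies and breaks TCP sessions yet still lets one-way UDP reach those hosts; and, as Reply 3 observes, traffic originated by the switch itself from the console is not subject to the port filter, so testing must be done from a host behind the filtered port.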