Configuring ACL rules on a Huawei switch

1. Lab topology
[Figure 1: lab topology]

2. Device IP configuration
[Figure 2: device IP configuration]

3. Basic network configuration
Log in to the core switch (jigui-sw):
system-view
[Huawei]sysname jigui-sw
[jigui-sw]vlan batch 10 20 30
[jigui-sw]interface GigabitEthernet 0/0/1
[jigui-sw-GigabitEthernet0/0/1]port link-type access
[jigui-sw-GigabitEthernet0/0/1]port default vlan 10
[jigui-sw-GigabitEthernet0/0/1]quit
[jigui-sw]interface GigabitEthernet 0/0/2
[jigui-sw-GigabitEthernet0/0/2]port link-type access
[jigui-sw-GigabitEthernet0/0/2]port default vlan 20
[jigui-sw-GigabitEthernet0/0/2]quit
[jigui-sw]interface GigabitEthernet 0/0/3
[jigui-sw-GigabitEthernet0/0/3]port link-type access
[jigui-sw-GigabitEthernet0/0/3]port default vlan 30
[jigui-sw-GigabitEthernet0/0/3]quit
[jigui-sw]interface GigabitEthernet 0/0/24
[jigui-sw-GigabitEthernet0/0/24]port link-type trunk
[jigui-sw-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 20 30 40
[jigui-sw-GigabitEthernet0/0/24]quit

Log in to the core switch (hexin):
system-view
[Huawei]sysname hexin
[hexin]vlan 40
[hexin]interface GigabitEthernet 0/0/1
[hexin-GigabitEthernet0/0/1]port link-type access
[hexin-GigabitEthernet0/0/1]port default vlan 40
[hexin-GigabitEthernet0/0/1]quit
[hexin]interface GigabitEthernet 0/0/24
[hexin-GigabitEthernet0/0/24]port link-type trunk
[hexin-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 20 30 40
[hexin-GigabitEthernet0/0/24]quit

Log in to the 7508E:
system-view
[Huawei]sysname 7508E
[7508E]vlan batch 10 20 30 40
[7508E]interface Vlanif 10
[7508E-Vlanif10]ip address 192.168.1.1 24
[7508E-Vlanif10]quit
[7508E]interface Vlanif 20
[7508E-Vlanif20]ip address 192.168.2.1 24
[7508E-Vlanif20]quit
[7508E]interface Vlanif 30
[7508E-Vlanif30]ip address 192.168.3.1 24
[7508E-Vlanif30]quit
[7508E]interface Vlanif 40
[7508E-Vlanif40]ip address 192.168.4.1 24
[7508E-Vlanif40]quit
[7508E]interface GigabitEthernet 0/0/23
[7508E-GigabitEthernet0/0/23]port link-type trunk
[7508E-GigabitEthernet0/0/23]port trunk allow-pass vlan 10 20 30 40
[7508E-GigabitEthernet0/0/23]quit

[7508E]interface GigabitEthernet 0/0/24
[7508E-GigabitEthernet0/0/24]port link-type trunk
[7508E-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 20 30 40
[7508E-GigabitEthernet0/0/24]quit

Ping PC-1, PC-2 and PC-3 from PC-4

4. Configure the ACL so that only PC-2 can connect to PC-4; no other IP can access PC-4
Configure this on the 7508E:
[7508E]acl number 3001
[7508E-acl-adv-3001]rule 5 permit ip source 192.168.4.2 0 destination 192.168.2.2 0
[7508E-acl-adv-3001]rule 100 deny ip
[7508E-acl-adv-3001]quit
[7508E]interface GigabitEthernet 0/0/24
[7508E-GigabitEthernet0/0/24]traffic-filter outbound acl 3001
Verification
Ping PC-2 from PC-4

Ping PC-4 from PC-3 and PC-1
Now only PC-4 can reach PC-2; it cannot connect to PC-3 or PC-1.
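
The first-match evaluation of ACL 3001 above, as an added example that is not part of the original post: it models the two rules with wildcard-mask matching and checks constructed packets against them. The PC-1 and PC-3 addresses (192.168.1.2, 192.168.3.2) and the mapping of PC-4 and PC-2 to the addresses in rule 5 are assumptions, because the topology figure is missing; the code judges packets only and says nothing about which port they cross.

```python
import ipaddress

# ACL 3001 from the page: (rule-id, action, source, src-wildcard, destination, dst-wildcard).
# A wildcard of "0" on the CLI is 0.0.0.0 (exact host); "deny ip" with no addresses matches any.
ACL_3001 = [
    (5, "permit", "192.168.4.2", "0.0.0.0", "192.168.2.2", "0.0.0.0"),
    (100, "deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """Return (rule_id, action) of the first match in ascending rule-id order, or None."""
    for rule_id, action, s, s_wc, d, d_wc in sorted(acl):
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return rule_id, action
    return None  # no rule matched; rule 100 on the page makes the deny explicit

# Constructed packets (assumed addresses for PC-1 and PC-3, see lead-in).
FLOWS = {
    "PC-4 -> PC-2": ("192.168.4.2", "192.168.2.2"),
    "PC-4 -> PC-1": ("192.168.4.2", "192.168.1.2"),
    "PC-4 -> PC-3": ("192.168.4.2", "192.168.3.2"),
    # Rule 5 is directional: the reverse packet does not match it.
    "PC-2 -> PC-4": ("192.168.2.2", "192.168.4.2"),
    # Traffic unrelated to PC-4 is also caught by rule 100.
    "PC-1 -> PC-3": ("192.168.1.2", "192.168.3.2"),
}

def report(acl=ACL_3001, flows=FLOWS):
    """Map each flow name to the rule that decides it."""
    return {name: evaluate(acl, src, dst) for name, (src, dst) in flows.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:14} {verdict}")
```

Rule 100 denies every IP packet that rule 5 does not permit, so any other routed traffic leaving the filtered port is dropped too, not only traffic involving PC-4.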
