H3C 5500-SI Vlan间TCP单向访问配置

Vlan 1 人事行政  192.168.1.0/24
Vlan 2 IT管理    192.168.2.0/24
Vlan 3 财务部门  192.168.3.0/24
Vlan 4 业务部门  192.168.4.0/24
Vlan 5 业务部门  192.168.5.0/24

要求:各部门之间不能互访
Vlan1 单向访问Vlan2、4、5
Vlan3 单向访问Vlan2、4、5

配置过程:
1、建立规则(不允许互访)
[H3C5500-SI] acl number 3001
[H3C -acl-adv-3001] rule 0 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
[H3C -acl-adv-3001] rule 2 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3001] rule 3 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3001] rule 4 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
[H3C -acl-adv-3001] rule 5 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3001] rule 6 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3001] rule 7 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3001] rule 8 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3001]quit

2、建立规则(不允许TCP)

[H3C5500-SI] acl number 3002
[H3C -acl-adv-3002] rule 0 permit tcp source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3002] rule 1 permit tcp source 192.168.1.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3002] rule 2 permit tcp source 192.168.1.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3002] rule 3 permit tcp source 192.168.3.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3002] rule 4 permit tcp source 192.168.3.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3002] rule 5 permit tcp source 192.168.3.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3002]quit

3、建立规则(单向TCP)

[H3C5500-SI] acl number 3003
[H3C -acl-adv-3003] rule 0 permit established tcp source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3003] rule 1 permit established tcp source 192.168.1.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3003] rule 2 permit established tcp source 192.168.1.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3003] rule 3 permit established tcp source 192.168.3.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3003] rule 4 permit established tcp source 192.168.3.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3003] rule 5 permit established tcp source 192.168.3.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3003]quit

4、配置流分类

[H3C] traffic classifier denyip
[H3C-classifier-denyip] if-match acl 3001
[H3C-classifier-denyip] quit


[H3C] traffic classifier denytcp
[H3C-classifier-denytcp] if-match acl 3002
[H3C-classifier-denytcp] quit

[H3C] traffic classifier permitTCPest
[H3C-classifier-permitTCPest] if-match acl 3003
[H3C-classifier-permitTCPest] quit

5、定义的流分类的行为

[H3C] traffic behavior  denyip
[H3C- behavior -denyip] filter deny
[H3C- behavior -denyip] quit


[H3C] traffic behavior  denytcp
[H3C- behavior -denytcp] filter deny
[H3C- behavior -denytcp] quit

[H3C] traffic behavior  permitTCPest
[H3C- behavior - permitTCPest] filter permit
[H3C- behavior - permitTCPest] quit

6、应用到QOS

[H3C] qos policy 1
[H3C-qospolicy-1] classifier denyip behavior denyip
[H3C-qospolicy-1] classifier denytcp behavior denytcp
[H3C-qospolicy-1] classifier permitTCPest behavior permitTCPest
[H3C-qospolicy-1] quit

7、在接口上应用QOS策略policy 1

[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] qos apply policy 1 inbound
[H3C-GigabitEthernet1/0/1] quit

8、在Vlan上应用Qos策略

[H3C] qos vlan-policy 1 Vlan 1 2 3 4 5 inbound
 
 
http://www.itfarmer.cn/post/131

你可能感兴趣的:(tcp,职场,访问,VLAN,休闲)