[Huawei]vlan batch 100 200 300
#
[Huawei]interface Vlanif 100
[Huawei-Vlanif100]ip address 192.168.1.1 255.255.255.0
#
[Huawei]interface Vlanif 200
[Huawei-Vlanif200]ip address 192.168.2.1 255.255.255.0
#
[Huawei]interface Vlanif 300
[Huawei-Vlanif300]ip address 192.168.3.1 255.255.255.0
#
[Huawei]acl number 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2000]rule 6 permit source 192.168.2.1 0
[Huawei-acl-basic-2000]rule 7 permit source 192.168.3.1 0
[Huawei-acl-basic-2000]rule 50 deny
#
[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 100
#
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 200
[Huawei-GigabitEthernet0/0/2]traffic-filter outbound acl 2000
#
[Huawei]interface GigabitEthernet 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 300
[Huawei-GigabitEthernet0/0/3]traffic-filter outbound acl 2000

Sure enough, with this configuration 192.168.2.0/24 cannot reach 192.168.3.0/24, but the reverse is broken too: 192.168.3.0/24 can no longer ping 192.168.2.0/24 either. A basic ACL matches on source address only and has no notion of which side started the conversation. Communication is two-way: ICMP expects an echo reply and TCP expects the SYN-ACK of the three-way handshake, so a filter that drops one side's packets kills the exchange in both directions.

Below is an ACL that implements precise one-way control.

On switch software V100R005 and later, one-way access for ICMP and TCP packets can be configured with the following method.

Here is a switch example for the requirement "A cannot access B, but B can access A":
Assume 192.168.10.0/24 is A's address range (in VLAN 10) and 192.168.20.0/24 is B's address range (in VLAN 20).

  1. Create the ACL and define the access control rules (traffic that matches no rule is permitted by default)
    acl 3000 
    rule 5 deny icmp source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 icmp-type echo   //ICMP one-way rule: "echo" is the echo request, the first packet of a ping, so only requests from 10 to 20 are denied; requests from 20 and the echo replies 10 sends back still pass
    rule 10 deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 tcp-flag syn       //TCP one-way rule: SYN is the first step of the three-way handshake, so connection attempts from 10 to 20 are denied before they start
    quit 
  2. Configure a traffic classifier that matches the ACL
    traffic classifier c1 
    if-match acl 3000 
    quit 
  3. Configure a traffic behavior (no action is needed here: packets that hit a deny rule in the ACL are dropped regardless of the behavior)
    traffic behavior b1 
    quit
  4. Configure a traffic policy that binds the classifier to the behavior
    traffic policy p1 
    classifier c1 behavior b1 
    quit 
  5. Apply the traffic policy inbound where A's traffic enters the switch, since the rules match A as the source
    On an interface (A's access port)
    interface gigabitethernet 1/0/1 
    traffic-policy p1 inbound

    or on the VLAN

    vlan 10 
    traffic-policy p1 inbound

    or globally

    traffic-policy p1 global inbound

After applying it, check both directions: a ping or TCP connection from A to B should fail, and a TCP connection from B to A should complete, which confirms that A's SYN-ACK replies are not caught by rule 10 on the platform in use. Keep in mind that these two rules cover only ICMP and TCP; UDP and other IP protocols are not matched and remain open in both directions.
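To see the mechanism instead of taking it on faith, here is a small stateless ACL simulator in Python. It is an added example, not code from the original post or from Huawei. It encodes ACL 2000 and ACL 3000 as first-match rule lists with a default permit, binds each to the point where it is applied (an outbound traffic-filter on an access port only sees packets heading into that port's VLAN; a global inbound traffic-policy sees everything), and runs constructed pings, TCP handshakes and UDP exchanges through them. The host addresses (192.168.2.10, 192.168.10.5 and so on) are made up, and the way the model treats tcp-flag syn as matching a bare SYN but not a SYN-ACK is an assumption that has to be verified on the actual platform.

```python
"""Stateless ACL simulator for the two Huawei configurations shown above. Added example, not
code from the original post or from Huawei: it models first-match, default-permit ACL
evaluation and pushes constructed pings, TCP handshakes and UDP exchanges through each filter
point. How "tcp-flag syn" treats a SYN-ACK is a model assumption (see Rule.matches); the
host addresses are made up."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "icmp", "tcp" or "udp"
    icmp_type: str = ""                 # "echo" (request) or "echo-reply"
    tcp_flags: frozenset = frozenset()  # e.g. {"syn"}, {"syn", "ack"}, {"ack"}


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Huawei wildcard: a 1 bit means don't care. The CLI host form 'x.x.x.x 0' is '0.0.0.0' here."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: tuple[str, str] | None = None  # (network, wildcard); None = any
    dst: tuple[str, str] | None = None
    proto: str | None = None            # None = any IP protocol (basic ACL)
    icmp_type: str | None = None
    tcp_flags: frozenset | None = None

    def matches(self, pkt: Packet) -> bool:
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want and not wildcard_match(have, *want):
                return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.icmp_type and pkt.icmp_type != self.icmp_type:
            return False
        if self.tcp_flags is not None:
            # Model assumption: "tcp-flag syn" matches a bare SYN (first packet of the
            # handshake) but not the SYN-ACK reply. Verify this on your platform.
            if not self.tcp_flags <= pkt.tcp_flags or "ack" in pkt.tcp_flags - self.tcp_flags:
                return False
        return True


def verdict(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; traffic that matches no rule is permitted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "permit"


# A filter point is (rules, applies); applies() selects the packets that actually traverse it.
# Configuration 1: basic ACL 2000, traffic-filter outbound on the VLAN 200 and VLAN 300 ports.
ACL_2000 = [
    Rule("permit", src=("192.168.1.0", "0.0.0.255")),  # rule 5
    Rule("permit", src=("192.168.2.1", "0.0.0.0")),    # rule 6 (CLI: "192.168.2.1 0")
    Rule("permit", src=("192.168.3.1", "0.0.0.0")),    # rule 7
    Rule("deny"),                                       # rule 50 deny
]
both_ports = (ACL_2000, lambda p: any(wildcard_match(p.dst, n, "0.0.0.255")
                                      for n in ("192.168.2.0", "192.168.3.0")))
# Variant: the same filter on GE0/0/3 only. VLAN 300 -> VLAN 200 still breaks, because the
# replies coming back into VLAN 300 are what gets dropped.
one_port = (ACL_2000, lambda p: wildcard_match(p.dst, "192.168.3.0", "0.0.0.255"))

# Configuration 2: advanced ACL 3000 applied through traffic-policy p1 global inbound.
A, B = ("192.168.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255")
ACL_3000 = [
    Rule("deny", src=A, dst=B, proto="icmp", icmp_type="echo"),             # rule 5
    Rule("deny", src=A, dst=B, proto="tcp", tcp_flags=frozenset({"syn"})),  # rule 10
]
one_way = (ACL_3000, lambda p: True)


def works(fp, client: str, server: str, proto: str) -> bool:
    """True if every packet of a minimal client->server exchange gets through filter point fp:
    echo request + reply for icmp; SYN, SYN-ACK, ACK for tcp (losing any leg kills the
    connection); one datagram each way for udp."""
    rules, applies = fp
    f = frozenset
    legs = {
        "icmp": [Packet(client, server, "icmp", icmp_type="echo"),
                 Packet(server, client, "icmp", icmp_type="echo-reply")],
        "tcp": [Packet(client, server, "tcp", tcp_flags=f({"syn"})),
                Packet(server, client, "tcp", tcp_flags=f({"syn", "ack"})),
                Packet(client, server, "tcp", tcp_flags=f({"ack"}))],
        "udp": [Packet(client, server, "udp"), Packet(server, client, "udp")],
    }[proto]
    return all(not applies(p) or verdict(rules, p) == "permit" for p in legs)


if __name__ == "__main__":
    print("cfg1, GE0/0/3 only, 192.168.3.10 ping 192.168.2.10:",
          works(one_port, "192.168.3.10", "192.168.2.10", "icmp"))
    print("cfg2, A -> B tcp:", works(one_way, "192.168.10.5", "192.168.20.5", "tcp"))
    print("cfg2, B -> A tcp:", works(one_way, "192.168.20.5", "192.168.10.5", "tcp"))
```

Running it shows the first configuration blocking VLAN 200 and VLAN 300 in both directions, and still blocking them when the filter sits on GE0/0/3 alone, because what gets dropped is the reply; the second configuration lets B ping and connect to A while A cannot start either exchange toward B. Calling works(one_way, ..., "udp") shows the caveat: ACL 3000 never mentions UDP, so anything UDP-based from A to B passes untouched.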