Configuring Layer 3 Isolation Between VLANs on Huawei Devices with Traffic Policies

1. Configure the VLANs and add each interface to its VLAN, so that the PCs and the server are isolated at Layer 2

    [LSW2]vlan 10
    [LSW2-GigabitEthernet0/0/2]port link-type access
    [LSW2-GigabitEthernet0/0/2]port default vlan 10
    [LSW2-GigabitEthernet0/0/1]port link-type trunk
    [LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10

    [LSW3]vlan 20
    [LSW3-GigabitEthernet0/0/2]port link-type access
    [LSW3-GigabitEthernet0/0/2]port default vlan 20
    [LSW3-GigabitEthernet0/0/3]port link-type access
    [LSW3-GigabitEthernet0/0/3]port default vlan 20
    [LSW3-GigabitEthernet0/0/1]port link-type trunk
    [LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 20

    [LSW4]vlan 30
    [LSW4-GigabitEthernet0/0/2]port link-type access
    [LSW4-GigabitEthernet0/0/2]port default vlan 30
    [LSW4-GigabitEthernet0/0/1]port link-type trunk
    [LSW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 30

    [LSW1]vlan batch 10 20 30 100
    [LSW1-GigabitEthernet0/0/2]port link-type trunk
    [LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
    [LSW1-GigabitEthernet0/0/3]port link-type trunk
    [LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 20
    [LSW1-GigabitEthernet0/0/4]port link-type trunk
    [LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 30
    [LSW1-GigabitEthernet0/0/1]port link-type trunk
    [LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
    [LSW1-GigabitEthernet0/0/1]port trunk pvid vlan 100

2. Configure the VLANIF interfaces and their IP addresses, so that the PCs and the server can reach each other at Layer 3

    [LSW1]int Vlanif 10
    [LSW1-Vlanif10]ip add 10.1.1.1 24
    [LSW1-Vlanif10]int Vlanif 20
    [LSW1-Vlanif20]ip add 10.1.2.1 24
    [LSW1-Vlanif20]int Vlanif 30
    [LSW1-Vlanif30]ip add 10.1.3.1 24
    [LSW1-Vlanif30]int Vlanif 100
    [LSW1-Vlanif100]ip add 10.1.100.1 24

3. Configure the upstream route, so that the PCs and the server can all reach the Internet through LSW1

    [LSW1]ospf 1
    [LSW1-ospf-1]area 0
    [LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
    [LSW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
    [LSW1-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
    [LSW1-ospf-1-area-0.0.0.0]network 10.1.100.0 0.0.0.255

4. Configure AR1

    [AR1-GigabitEthernet0/0/0]ip add 10.1.100.2 24
    [AR1]ospf 1
    [AR1-ospf-1]area 0
    [AR1-ospf-1-area-0.0.0.0]network 10.1.100.0 0.0.0.255

5. Configure the PCs and the server

6. Configure and apply the traffic policies to control access between the PCs and the server

(1) Define each flow with an ACL

    [LSW1]acl 3000  //deny access to PC2, PC3 and the server
    [LSW1-acl-adv-3000]rule deny ip destination 10.1.2.0 0.0.0.255
    [LSW1-acl-adv-3000]rule deny ip destination 10.1.3.0 0.0.0.255
    [LSW1]acl 3001  //allow PC2 to access all resources on the server; other PCs can access only port 21 on the server
    [LSW1-acl-adv-3001]rule permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
    [LSW1-acl-adv-3001]rule permit tcp destination 10.1.3.2 0 destination-port eq 21
    [LSW1-acl-adv-3001]rule deny ip destination 10.1.3.0 0.0.0.255

(2) Configure traffic classifiers to distinguish the flows

    [LSW1]traffic classifier c1
    [LSW1-classifier-c1]if-match acl 3000
    [LSW1-classifier-c1]traffic classifier c2
    [LSW1-classifier-c2]if-match acl 3001

(3) Configure the traffic behavior, setting the action to permit

    [LSW1]traffic behavior b1
    [LSW1-behavior-b1]permit

(4) Configure the traffic policies, associating the traffic classifiers with the traffic behavior

    [LSW1]traffic policy p1
    [LSW1-trafficpolicy-p1]classifier c1 behavior b1
    [LSW1]traffic policy p2
    [LSW1-trafficpolicy-p2]classifier c2 behavior b1

(5) Apply the traffic policies to implement access control between the PCs and the server

    [LSW1]vlan 10
    [LSW1-vlan10]traffic-policy p1 inbound
    [LSW1]vlan 20
    [LSW1-vlan20]traffic-policy p2 inbound

7. Verify the configuration
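The access matrix these policies produce can be checked offline before verifying on the switch. The following Python model is an added example, not part of the original page or of any Huawei tooling; it evaluates ACL 3000 and ACL 3001 first-match in configured order and assumes that traffic matching no rule is forwarded normally. The host addresses 10.1.1.2 (a PC in VLAN 10) and 10.1.2.3 (a second PC in VLAN 20) are assumptions, since the page does not list them.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
# Rules transcribed in order from the page: (action, protocol, source, destination, dest port)
ACLS = {
    3000: [("deny", "ip", ANY, ("10.1.2.0", "0.0.0.255"), None),
           ("deny", "ip", ANY, ("10.1.3.0", "0.0.0.255"), None)],
    3001: [("permit", "ip", ("10.1.2.2", "0.0.0.0"), ("10.1.3.0", "0.0.0.255"), None),
           ("permit", "tcp", ANY, ("10.1.3.2", "0.0.0.0"), 21),
           ("deny", "ip", ANY, ("10.1.3.0", "0.0.0.255"), None)],
}
# Step 6(5): p1 (c1 -> ACL 3000) inbound on VLAN 10, p2 (c2 -> ACL 3001) inbound on VLAN 20.
VLAN_ACL = {10: 3000, 20: 3001}

def wildcard_match(addr, base, wildcard):
    """Wildcard mask comparison: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(vlan, src, dst, proto="ip", dport=None):
    """Verdict for a packet entering `vlan`; behavior b1 is permit, so the ACL action decides."""
    for action, rproto, s, d, rport in ACLS.get(VLAN_ACL.get(vlan), []):
        if rproto != "ip" and rproto != proto:
            continue                      # protocol-specific rule, different protocol
        if rport is not None and rport != dport:
            continue                      # destination port does not match
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action                 # first matching rule wins
    return "permit"                       # assumption: unmatched traffic is forwarded normally

if __name__ == "__main__":
    # Constructed test flows: (ingress VLAN, source, destination, protocol, dest port)
    flows = [
        (10, "10.1.1.2", "10.1.3.2", "tcp", 21),   # VLAN 10 PC -> server FTP control
        (20, "10.1.2.2", "10.1.3.2", "tcp", 80),   # PC2 -> server, any service
        (20, "10.1.2.3", "10.1.3.2", "tcp", 21),   # other VLAN 20 PC -> server port 21
        (20, "10.1.2.3", "10.1.3.2", "tcp", 80),   # other VLAN 20 PC -> server port 80
        (30, "10.1.3.2", "10.1.1.2", "tcp", 80),   # server -> VLAN 10 (no policy on VLAN 30)
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```

The model shows that a VLAN 10 host cannot reach port 21 on the server, because p1 drops everything destined to 10.1.3.0/24 and p2 is bound only to VLAN 20; the "port 21 only" allowance therefore applies to VLAN 20 hosts other than PC2. It also shows that VLAN 30 has no inbound policy, so blocking in that direction relies on the reply traffic being dropped at VLAN 10 or VLAN 20.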
