Server2
IP: 192.168.40.2
Mask: 255.255.255.0
Gateway: 192.168.40.254
1.5 Test
PC1 reaches both server1 and server2.
PC2 reaches both server1 and server2.
2. ACL policy configuration
2.1 Requirements
2.1.1 Configure ACLs so that the 192.168.20.0/24 and 192.168.30.0/24 subnets cannot reach each other;
2.1.2 Both subnets may reach 192.168.40.1 (server1, web) but must not reach 192.168.40.2 (server2, ftp). The addresses follow the server and VLAN addressing used in the configuration below; anything not covered by a rule (for example traffic to the gateway) is forwarded as before, because a traffic policy has no implicit deny.
2.2 Configure the ACLs
2.2.1 Define the permit rules (advanced ACL 3001; a wildcard of 0 means an exact host match)
[sw1]acl number 3001
[sw1-acl-adv-3001]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0
[sw1-acl-adv-3001]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0
2.2.2 Define the deny rules (advanced ACL 3002: the two subnets towards each other, and both subnets towards server2)
[sw1]acl number 3002
[sw1-acl-adv-3002]rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[sw1-acl-adv-3002]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[sw1-acl-adv-3002]rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.2 0
[sw1-acl-adv-3002]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.2 0
2.2.3 Define the traffic classifiers (each one matches on its ACL)
[sw1]traffic classifier tc1 operator and
[sw1-classifier-tc1]if-match acl 3001
[sw1]traffic classifier tc2 operator and
[sw1-classifier-tc2]if-match acl 3002
2.2.4 Define the traffic behaviors; this is where the permit-or-drop decision is actually made for traffic matched by a classifier
[sw1]traffic behavior tb1
[sw1-behavior-tb1]permit
[sw1]traffic behavior tb2
[sw1-behavior-tb2]deny
2.2.5 Define the traffic policy (bind the classifiers in the right order: they are evaluated in the order bound and the first match wins, so the permit classifier goes before the deny classifier)
[sw1]traffic policy tp
[sw1-trafficpolicy-tp]classifier tc1 behavior tb1
[sw1-trafficpolicy-tp]classifier tc2 behavior tb2
2.2.6 Apply the policy inbound on the side closest to the sources (the downlink side), here VLAN 20 and VLAN 30
[sw1]vlan 20
[sw1-vlan20]traffic-policy tp inbound
[sw1-vlan20]vlan 30
[sw1-vlan30]traffic-policy tp inbound
2.3 Test
PC1 reaches server1 but not server2.
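Before loading a policy like this onto a switch it is worth checking its intent offline. The following script is an added example, not part of the original page: it parses the advanced-ACL rules configured above, matches addresses with Huawei-style wildcard masks (a wildcard bit of 1 means "don't care", and a bare `0` is an exact host match), walks the traffic policy in the order the classifiers are bound, and reports the verdict for the host pairs the page tests. The server and gateway addresses come from the page; the PC1 and PC2 addresses (one host in VLAN 20, one in VLAN 30) and the rule that a packet hitting a `deny` ACL rule is dropped regardless of the behaviour are assumptions. It also shows what a one-digit typo in a deny rule (192.138 instead of 192.168) does: that direction silently falls through to normal forwarding.

```python
"""Offline check of the ACL / traffic-policy intent from this page (added example)."""
import ipaddress
import re

# Rules as configured on sw1 above, with the wildcard masks spelled out.
ACL_CONFIG = """
acl number 3001
 rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0
 rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0
acl number 3002
 rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.2 0
 rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.2 0
"""

# traffic policy tp: classifier tc1 -> behavior permit, then tc2 -> behavior deny
POLICY = [("tc1", 3001, "permit"), ("tc2", 3002, "deny")]

HOSTS = {
    "PC1": "192.168.20.1",        # assumed: some host in VLAN 20
    "PC2": "192.168.30.1",        # assumed: some host in VLAN 30
    "server1": "192.168.40.1",    # from the page (web)
    "server2": "192.168.40.2",    # from the page (ftp)
    "gateway": "192.168.40.254",  # from the page
}

RULE_RE = re.compile(
    r"rule\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def _wild(token):
    """Huawei writes a bare '0' for an exact host match (wildcard 0.0.0.0)."""
    return ipaddress.IPv4Address("0.0.0.0" if token == "0" else token)


def parse_acls(text):
    """Return {acl_number: [(action, src, src_wild, dst, dst_wild), ...]} in config order."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"acl number (\d+)", line)
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            action, src, sw, dst, dw = rule.groups()
            acls[current].append((action, ipaddress.IPv4Address(src), _wild(sw),
                                  ipaddress.IPv4Address(dst), _wild(dw)))
    return acls


def wildcard_match(addr, base, wild):
    """Compare only the bits that are 0 in the wildcard mask."""
    care = 0xFFFFFFFF ^ int(wild)
    return (int(addr) & care) == (int(base) & care)


def acl_lookup(rules, src, dst):
    """First matching rule wins; None when no rule in the ACL matches."""
    for action, base_s, w_s, base_d, w_d in rules:
        if wildcard_match(src, base_s, w_s) and wildcard_match(dst, base_d, w_d):
            return action
    return None


def policy_verdict(acls, src, dst):
    """Walk the policy in classifier order. Assumption: a hit on a deny rule drops the
    packet whatever the behaviour; a hit on a permit rule takes the behaviour's action.
    Traffic matching no classifier is forwarded normally (no implicit deny)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for _name, acl_no, behavior in POLICY:
        hit = acl_lookup(acls.get(acl_no, []), src, dst)
        if hit is not None:
            return "deny" if hit == "deny" else behavior
    return "forward"


PAIRS = [("PC1", "server1"), ("PC1", "server2"), ("PC2", "server1"), ("PC2", "server2"),
         ("PC1", "PC2"), ("PC2", "PC1"), ("PC1", "gateway")]


def page_test_matrix(config_text=ACL_CONFIG):
    """Verdict for every (source, destination) pair in PAIRS under the given ACL text."""
    acls = parse_acls(config_text)
    return {(s, d): policy_verdict(acls, HOSTS[s], HOSTS[d]) for s, d in PAIRS}


def typo_variant():
    """Same policy, but the PC2->PC1 deny rule carries the typo 192.138.30.0: that
    direction matches nothing and falls through to plain forwarding."""
    broken = ACL_CONFIG.replace("source 192.168.30.0 0.0.0.255 destination 192.168.20.0",
                                "source 192.138.30.0 0.0.0.255 destination 192.168.20.0")
    return page_test_matrix(broken)[("PC2", "PC1")]


if __name__ == "__main__":
    for (s, d), verdict in page_test_matrix().items():
        print(f"{s:8} -> {d:8}: {verdict}")
    print("with the 192.138 typo, PC2 -> PC1:", typo_variant())
```

Run it before and after editing the rules: the first matrix should reproduce the page's 2.3 result (PC1 and PC2 reach server1, are denied server2 and each other, and still reach the gateway), and the typo case shows why a deny rule that never matches is worse than an obviously broken one.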