H3C 5500-SI inter-VLAN one-way TCP access configuration
2010-04-26 14:29
Vlan 1 HR and administration 192.168.1.0/24
Vlan 2 IT management 192.168.2.0/24
Vlan 3 Finance 192.168.3.0/24
Vlan 4 Business 192.168.4.0/24
Vlan 5 Business 192.168.5.0/24
Requirements: the departments must not access each other
Vlan1 has one-way access to Vlan2, 4 and 5
Vlan3 has one-way access to Vlan2, 4 and 5
Configuration procedure:
1. Create rules (no mutual access)
[H3C5500-SI] acl number 3001
[H3C -acl-adv-3001] rule 0 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
[H3C -acl-adv-3001] rule 2 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3001] rule 3 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3001] rule 4 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
[H3C -acl-adv-3001] rule 5 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3001] rule 6 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3001] rule 7 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3001] rule 8 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3001]quit
2. Create rules (no TCP)
[H3C5500-SI] acl number 3002
[H3C -acl-adv-3002] rule 0 permit tcp source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3002] rule 1 permit tcp source 192.168.1.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3002] rule 2 permit tcp source 192.168.1.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3002] rule 3 permit tcp source 192.168.3.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3002] rule 4 permit tcp source 192.168.3.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3002] rule 5 permit tcp source 192.168.3.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3002]quit
3. Create rules (one-way TCP)
[H3C5500-SI] acl number 3003
[H3C -acl-adv-3003] rule 0 permit established tcp source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3003] rule 1 permit established tcp source 192.168.1.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3003] rule 2 permit established tcp source 192.168.1.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3003] rule 3 permit established tcp source 192.168.3.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[H3C -acl-adv-3003] rule 4 permit established tcp source 192.168.3.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
[H3C -acl-adv-3003] rule 5 permit established tcp source 192.168.3.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
[H3C -acl-adv-3003]quit
4. Configure the traffic classifiers
[H3C] traffic classifier denyip
[H3C-classifier-denyip] if-match acl 3001
[H3C-classifier-denyip] quit
[H3C] traffic classifier denytcp
[H3C-classifier-denytcp] if-match acl 3002
[H3C-classifier-denytcp] quit
[H3C] traffic classifier permitTCPest
[H3C-classifier-permitTCPest] if-match acl 3003
[H3C-classifier-permitTCPest] quit
5. Define the behaviors for the traffic classifiers
[H3C] traffic behavior denyip
[H3C- behavior -denyip] filter deny
[H3C- behavior -denyip] quit
[H3C] traffic behavior denytcp
[H3C- behavior -denytcp] filter deny
[H3C- behavior -denytcp] quit
[H3C] traffic behavior permitTCPest
[H3C- behavior - permitTCPest] filter permit
[H3C- behavior - permitTCPest] quit
6. Bind them in a QoS policy
[H3C] qos policy 1
[H3C-qospolicy-1] classifier denyip behavior denyip
[H3C-qospolicy-1] classifier denytcp behavior denytcp
[H3C-qospolicy-1] classifier permitTCPest behavior permitTCPest
[H3C-qospolicy-1] quit
7. Apply QoS policy 1 on the interface
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] qos apply policy 1 inbound
[H3C-GigabitEthernet1/0/1] quit
8. Apply the QoS policy on the VLANs
[H3C] qos vlan-policy 1 Vlan 1 2 3 4 5 inbound
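A small audit script, added here and not part of the original post, that parses the ACL 3001 rules shown above (H3C address/wildcard syntax) and lists every ordered VLAN pair that none of those rules matches. It only reports what ACL 3001 leaves unmatched; it does not model how the switch orders classifier matching or what the default action is for unmatched traffic. The VLAN subnets are the ones listed at the top of the post.

```python
import ipaddress
import re

# Constructed copy of the nine ACL 3001 rules from the post (prompts stripped).
ACL_3001 = """
rule 0 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
rule 1 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
rule 2 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
rule 3 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
rule 4 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
rule 5 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
rule 6 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
rule 7 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.4.0 0.0.0.255
rule 8 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.5.0 0.0.0.255
"""

# VLAN-to-subnet mapping as given in the post.
VLANS = {1: "192.168.1.0/24", 2: "192.168.2.0/24", 3: "192.168.3.0/24",
         4: "192.168.4.0/24", 5: "192.168.5.0/24"}

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) (\S+) source (\S+) (\S+) dest (\S+) (\S+)")

def wildcard_to_network(addr, wildcard):
    """Turn 'address wildcard' (wildcard = inverted mask) into an ip_network."""
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(mask_int)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_rules(text):
    """Parse rule lines into (number, action, protocol, src_net, dst_net)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        num, action, proto, sa, sw, da, dw = m.groups()
        rules.append((int(num), action, proto,
                      wildcard_to_network(sa, sw), wildcard_to_network(da, dw)))
    return rules

def uncovered_pairs(rules, vlans):
    """Ordered (src_vlan, dst_vlan) pairs whose whole subnets no rule matches."""
    nets = {v: ipaddress.ip_network(n) for v, n in vlans.items()}
    return [(s, d) for s, snet in nets.items() for d, dnet in nets.items()
            if s != d and not any(snet.subnet_of(r[3]) and dnet.subnet_of(r[4])
                                  for r in rules)]

if __name__ == "__main__":
    for src, dst in uncovered_pairs(parse_rules(ACL_3001), VLANS):
        print(f"no ACL 3001 rule matches Vlan{src} -> Vlan{dst}")
```

Running it shows that ACL 3001 only names nine of the twenty ordered VLAN pairs, so the reverse directions (for example Vlan2 to Vlan1, and anything sourced in Vlan4 or Vlan5) are never matched by this ACL and depend entirely on the rest of the policy.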
http://www.itfarmer.cn/post/131