华为交换机上ACL的应用

client 1  192.168.10.10/24     gateway  192.168.10.254

client 2 192.168.20.20/24      gateway 192.168.20.254

client3  192.168.30.30/24      gateway 192.168.30.254

client     192.168.40.40/24     gateway   192.168.40.254

[Huawei]dis cu

#

sysname Huawei

#

vlan batch 10 20 30 40          //批量创建vlan 10 ，vlan 20 ，vlan 30，vlan 40

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

diffserv domain default

#

acl number 3000    

 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.40.40 0

 rule 30 permit ip destination 192.168.40.40 0

 rule 35 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255

 rule 40 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255

//定义一个acl高级规则3000 

#

traffic classifier k1 operator and       //定义流分类K1 其实这里的命令是traffic classifier                                             k1

 if-match acl 3000                       //如果匹配acl 3000

#

traffic behavior k2                      //配置流行为K2

 permit                                  //流行为动作为permit

#

traffic policy k3                        //配置流策略K3

 classifier k1 behavior k2               //将流分类与流行为相关联

#

drop-profile default

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password simple admin

 local-user admin service-type http

#

interface Vlanif1

#

interface Vlanif10                                  \\各vlan网关

 ip address 192.168.10.254 255.255.255.0

#

interface Vlanif20

 ip address 192.168.20.254 255.255.255.0

#

interface Vlanif30

 ip address 192.168.30.254 255.255.255.0

#

interface Vlanif40

 ip address 192.168.40.254 255.255.255.0

#

interface MEth0/0/1

#

interface GigabitEthernet0/0/1                     \\

 port hybrid pvid vlan 10                          \\端口模式为hybrid，并且端口的PVID为10

 port hybrid untagged vlan 10 40                   \\发送vlan 10 40 的数据不带标签

 traffic-policy k3 inbound                         \\应用流策略K3在入方向

#

interface GigabitEthernet0/0/2

 port hybrid pvid vlan 20

 port hybrid untagged vlan 20 40

#

interface GigabitEthernet0/0/3

 port hybrid pvid vlan 30

 port hybrid untagged vlan 30 40

#

interface GigabitEthernet0/0/4

 port hybrid pvid vlan 40

 port hybrid untagged vlan 10 40

#

interface GigabitEthernet0/0/5

#

interface GigabitEthernet0/0/6

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface GigabitEthernet0/0/9

#

interface GigabitEthernet0/0/10

#

interface GigabitEthernet0/0/11

#

interface GigabitEthernet0/0/12

#

interface GigabitEthernet0/0/13

#

interface GigabitEthernet0/0/14

#

interface GigabitEthernet0/0/15

#

interface GigabitEthernet0/0/16

#

interface GigabitEthernet0/0/17

#

interface GigabitEthernet0/0/18

#

interface GigabitEthernet0/0/19

#

interface Gigabi#

interface Gigabi#

interface GigabitEthernet0/0/22

#

interface GigabitEthernet0/0/23

#

interface GigabitEthernet0/0/24

#

interface NULL0

#

user-interface con 0

user-interface vty 0 4

#

Return

 下面是结果在client1上ping cilent3

下面是在client1上ping模拟服务器

华为交换机上ACL的应用