Configuring an S7500E series switch to apply an ACL that restricts access to specific server ports
I. Network requirements:
Two servers are each connected to a port on an S7506E. Each server must be able to reach only a specific port range on the other, for example TCP 20 through 25 (ftp-data through smtp); every other port must be unreachable.
II. Network diagram:
(The original figure is not reproduced in this page. From the policy-to-port bindings in the configuration below it follows that the server 10.1.1.1 is attached to GigabitEthernet2/0/5 and the server 10.1.1.2 to GigabitEthernet2/0/3.)
III. Configuration steps:
# Define ACLs that match, respectively, the requests a server initiates and the replies it returns to the peer's requests; a separate ACL containing only a deny-any rule filters every other packet.
# ACL 3000: traffic destined for 10.1.1.2, i.e. what 10.1.1.1 sends (applied inbound on 10.1.1.1's port)
[S7500E] acl number 3000
# rule 0: new requests toward 10.1.1.2, destination TCP port 20 (ftp-data) through 25 (smtp)
[S7500E-acl-adv-3000] rule 0 permit tcp destination 10.1.1.2 0 destination-port range ftp-data smtp
# rule 5: replies sent from local ports 20-25 back to 10.1.1.2 (note: any destination port, any TCP flags)
[S7500E-acl-adv-3000] rule 5 permit tcp source-port range ftp-data smtp destination 10.1.1.2 0
# ACL 3002: the mirror image for traffic destined for 10.1.1.1, i.e. what 10.1.1.2 sends
[S7500E-acl-adv-3000] acl number 3002
[S7500E-acl-adv-3002] rule 0 permit tcp destination 10.1.1.1 0 destination-port range ftp-data smtp
[S7500E-acl-adv-3002] rule 5 permit tcp source-port range ftp-data smtp destination 10.1.1.1 0
# ACL 3001: catch-all referenced by the denyall classifier
[S7500E-acl-adv-3002] acl number 3001
[S7500E-acl-adv-3001] rule 0 deny ip
# Build the QoS policies to be applied on the server-facing interfaces from the ACLs above: one classifier per ACL, a permit and a deny behavior, and a per-port policy that lists the permit classifier before the deny-all classifier (classifiers are evaluated in configuration order).
[S7500E] traffic classifier right-permit operator and
[S7500E-classifier-right-permit] if-match acl 3000
[S7500E-classifier-right-permit] traffic classifier denyall operator and
[S7500E-classifier-denyall] if-match acl 3001
[S7500E-classifier-denyall] traffic classifier left-permit operator and
[S7500E-classifier-left-permit] if-match acl 3002
[S7500E-classifier-left-permit] traffic behavior permit
[S7500E-behavior-permit] filter permit
[S7500E-behavior-permit] traffic behavior deny
[S7500E-behavior-deny] filter deny
[S7500E-behavior-deny] qos policy right-policy
[S7500E-qospolicy-right-policy] classifier right-permit behavior permit
[S7500E-qospolicy-right-policy] classifier denyall behavior deny
[S7500E-qospolicy-right-policy] qos policy left-policy
[S7500E-qospolicy-left-policy] classifier left-permit behavior permit
[S7500E-qospolicy-left-policy] classifier denyall behavior deny
# The denyall policy is defined here but is not applied to any interface below.
[S7500E-qospolicy-left-policy] qos policy denyall
[S7500E-qospolicy-denyall] classifier denyall behavior deny
# Apply the resulting QoS policies inbound on the two server-facing ports to realize the requirement above.
[S7500E] interface GigabitEthernet2/0/3
[S7500E-GigabitEthernet2/0/3] qos apply policy left-policy inbound
[S7500E-GigabitEthernet2/0/3] interface GigabitEthernet2/0/5
[S7500E-GigabitEthernet2/0/5] qos apply policy right-policy inbound
IV. Configuration key points:
1. The policies are applied inbound, so each ACL filters the traffic the attached server sends. ACL 3000 (destination 10.1.1.2) is bound to GigabitEthernet2/0/5, so that port must connect the server 10.1.1.1; ACL 3002 (destination 10.1.1.1) is bound to GigabitEthernet2/0/3, which must connect 10.1.1.2.
2. The port names ftp-data and smtp resolve to 20 and 25, so `range ftp-data smtp` is the same as `range 20 25`. That range also covers 21 (ftp), 22 (ssh) and 23 (telnet); confirm that this is really the intended exposure.
3. These ACLs are stateless. rule 5 permits any TCP segment whose source port lies in 20-25 and whose destination is the peer, regardless of destination port or TCP flags, so a process on the server that binds a local port in that range can open a connection to any port on the peer. Neither rule constrains the source address. To tighten the filter, add `established` (matches only segments with the ACK or RST flag set) to the reply rule and a `source <peer-ip> 0` condition to both rules, and verify on the S7500E that these match options are supported in an ACL referenced by a QoS policy.
4. The policy `denyall` is created but never applied to an interface; it plays no part in the result.
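To see exactly which packets the page's ACLs admit, the following is an added Python model of right-policy (ACL 3000 followed by ACL 3001, evaluated inbound on the port where 10.1.1.1 is attached), run against constructed sample packets. It is example code written for this page, not H3C's implementation and not switch configuration. It goes beyond the page by adding a hardened variant that pins the source host and uses the Comware `established` keyword on the reply rule; the hardened policy, the sample flows and the address 10.1.1.9 are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the page's configuration.
FTP_DATA, SMTP = 20, 25                     # port names "ftp-data" and "smtp"
SERVER_A, SERVER_B = "10.1.1.1", "10.1.1.2"


@dataclass(frozen=True)
class Pkt:
    """A packet as seen inbound on a server-facing port (sample data, constructed here)."""
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag: False on the SYN that opens a connection
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    """One advanced-ACL rule; None means the keyword was omitted, i.e. match any."""
    action: str                                     # "permit" or "deny"
    proto: str = "ip"                               # "ip" matches every protocol (`deny ip`)
    src: Optional[str] = None                       # `source <ip> 0`  (exact host)
    dst: Optional[str] = None                       # `destination <ip> 0`
    sport_range: Optional[Tuple[int, int]] = None   # `source-port range lo hi`
    dport_range: Optional[Tuple[int, int]] = None   # `destination-port range lo hi`
    established: bool = False                       # `established`: ACK or RST must be set

    def matches(self, p: Pkt) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.sport_range and not (self.sport_range[0] <= p.sport <= self.sport_range[1]):
            return False
        if self.dport_range and not (self.dport_range[0] <= p.dport <= self.dport_range[1]):
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


def filter_action(rules: List[Rule], p: Pkt) -> str:
    """Evaluate a policy the way the switch does: classifiers in configuration order,
    the first matching ACL rule decides (permit classifier first, denyall second)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "permit"   # unmatched traffic is forwarded; unreachable here because of `deny ip`


# right-policy as on the page (ACL 3000 then ACL 3001), inbound where 10.1.1.1 is attached.
PAGE_RIGHT_POLICY = [
    Rule("permit", "tcp", dst=SERVER_B, dport_range=(FTP_DATA, SMTP)),  # acl 3000 rule 0
    Rule("permit", "tcp", dst=SERVER_B, sport_range=(FTP_DATA, SMTP)),  # acl 3000 rule 5
    Rule("deny"),                                                        # acl 3001 rule 0
]

# Hardened variant (an assumption of this example, not on the page): pin the source host
# and require `established` on the reply rule, so a segment that merely carries a source
# port in 20-25 cannot open a new connection to an arbitrary destination port.
HARDENED_RIGHT_POLICY = [
    Rule("permit", "tcp", src=SERVER_A, dst=SERVER_B, dport_range=(FTP_DATA, SMTP)),
    Rule("permit", "tcp", src=SERVER_A, dst=SERVER_B, sport_range=(FTP_DATA, SMTP), established=True),
    Rule("deny"),
]

# Constructed sample traffic arriving inbound on 10.1.1.1's port.
SAMPLES = {
    "ftp_ctrl_syn":   Pkt(SERVER_A, SERVER_B, sport=40000, dport=21),              # wanted
    "http_syn":       Pkt(SERVER_A, SERVER_B, sport=40001, dport=80),              # unwanted
    "smtp_reply":     Pkt(SERVER_A, SERVER_B, sport=SMTP, dport=51000, ack=True),  # wanted
    "srcport_bypass": Pkt(SERVER_A, SERVER_B, sport=SMTP, dport=3389),             # SYN from port 25
    "icmp_echo":      Pkt(SERVER_A, SERVER_B, proto="icmp"),
    "spoofed_src":    Pkt("10.1.1.9", SERVER_B, sport=FTP_DATA, dport=445, ack=True),
}


def check_flows(policy: List[Rule]) -> dict:
    """Map each sample flow name to the action the given policy takes on it."""
    return {name: filter_action(policy, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, pol in (("page", PAGE_RIGHT_POLICY), ("hardened", HARDENED_RIGHT_POLICY)):
        print(label)
        for name, action in check_flows(pol).items():
            print(f"  {name:15} {action}")
```

Running it shows the page's policy permitting `srcport_bypass` (a SYN from source port 25 to port 3389) and `spoofed_src`, while the wanted FTP and SMTP flows are permitted and HTTP and ICMP are denied; the hardened policy keeps the wanted flows and denies both probes.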