问题描述:
网络架构:s5560是内部网络的三层核心。s5500是接入外部网络的三层,s5500上接了一台服务器, s5560上的内部网络需要访问服务器 ,但不能访问外网。
怎样设置不让s5560访问外网,
下面附件是s5560的配置信息,现在vlan99可以上外网。 有哪些合理的优化,感谢!
组网及组网描述:
设置列表
- 有序列表
- 无序列表
对齐方式
- 靠左
- 居中
- 靠右
- 2020-11-20提问
- 举报
-
(0)
version 7.1.070, Release 6318P01
#
sysname S-P-1-201-A
#
clock timezone beijing add 08:00:00
clock protocol none
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dhcp enable
dhcp server forbidden-ip 172.24.0.2 172.24.0.30
dhcp server forbidden-ip 172.24.1.2 172.24.1.30
dhcp server forbidden-ip 172.24.2.2 172.24.2.30
dhcp server forbidden-ip 172.24.3.2 172.24.3.30
dhcp server forbidden-ip 172.24.4.2 172.24.4.30
dhcp server forbidden-ip 172.24.5.2 172.24.5.30
dhcp server forbidden-ip 172.24.6.2 172.24.6.30
dhcp server forbidden-ip 172.24.14.2 172.24.14.30
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 30
#
vlan 98 to 104
#
vlan 112
#
stp global enable
#
dhcp server ip-pool vlan98
gateway-list 172.24.0.1
network 172.24.0.0 mask 255.255.255.0
dns-list 202.102.224.68 202.102.227.68
#
dhcp server ip-pool vlan99
gateway-list 172.24.1.1
network 172.24.1.0 mask 255.255.255.0
dns-list 202.102.227.68 202.102.224.68
#
dhcp server ip-pool vlan100
gateway-list 172.24.2.1
network 172.24.2.0 mask 255.255.255.0
#
dhcp server ip-pool vlan101
gateway-list 172.24.3.1
network 172.24.3.0 mask 255.255.255.0
#
dhcp server ip-pool vlan102
gateway-list 172.24.4.1
network 172.24.4.0 mask 255.255.255.0
#
dhcp server ip-pool vlan103
gateway-list 172.24.5.1
network 172.24.5.0 mask 255.255.255.0
#
dhcp server ip-pool vlan104
gateway-list 172.24.6.1
network 172.24.6.0 mask 255.255.255.0
#
dhcp server ip-pool vlan112
gateway-list 172.24.14.1
network 172.24.14.0 mask 255.255.255.0
#
dhcp server ip-pool vlan1112
#
interface NULL0
#
interface Vlan-interface1
ip address dhcp-alloc
dhcp client identifier ascii 689320a73923-VLAN0001
#
interface Vlan-interface30
description 设备管理
ip address 172.24.15.1 255.255.255.0
#
interface Vlan-interface98
description bangongshi-shiyong
ip address 172.24.0.1 255.255.255.0
#
interface Vlan-interface99
description yanfalou
ip address 172.24.1.1 255.255.255.0
#
interface Vlan-interface100
description cangku
ip address 172.24.2.1 255.255.255.0
#
interface Vlan-interface101
description 1车间
ip address 172.24.3.1 255.255.255.0
#
interface Vlan-interface102
description 2车间
ip address 172.24.4.1 255.255.255.0
#
interface Vlan-interface103
description 3车间
ip address 172.24.5.1 255.255.255.0
#
interface Vlan-interface104
description 4车间
ip address 172.24.6.1 255.255.255.0
#
interface Vlan-interface112
description 服务器
ip address 172.24.14.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/5
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/6
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/7
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/8
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/9
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/10
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/11
port link-mode bridge
port access vlan 112
#
interface GigabitEthernet1/0/12
port link-mode bridge
port access vlan 101
#
interface GigabitEthernet1/0/13
port link-mode bridge
description to S-P-3-101
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/14
port link-mode bridge
description to S-P-3-102-A
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/15
port link-mode bridge
description to S-P-1-101-A
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/16
port link-mode bridge
description to S-Y-1-201-A
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/17
port link-mode bridge
description to S-C-1-101-A
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/18
port link-mode bridge
description to S-P-2-101 port 16
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/19
port link-mode bridge
port access vlan 101
#
interface GigabitEthernet1/0/20
port link-mode bridge
port access vlan 101
#
interface GigabitEthernet1/0/21
port link-mode bridge
description to S-P-1-301-A
port access vlan 101
#
interface GigabitEthernet1/0/22
port link-mode bridge
port access vlan 101
#
interface GigabitEthernet1/0/23
port link-mode bridge
port access vlan 101
#
interface GigabitEthernet1/0/24
port link-mode bridge
port access vlan 101
#
interface GigabitEthernet1/0/25
port link-mode bridge
#
interface GigabitEthernet1/0/26
port link-mode bridge
#
interface GigabitEthernet1/0/27
port link-mode bridge
description to S-B-1-101-A
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/28
port link-mode bridge
description to jifang Core
port link-type trunk
port trunk permit vlan all
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 3
user-role level-15
user-role network-admin
user-role network-operator
set authentication password hash $h$6$MrltoFLhaSzi0iOp$IOjDlayR278cTyr9+biIQ+xh3nEy7/bR5gfangyAEfD5TMy1gfKpaMdWxIA3uR08kpP4BmLinkfpyz/QXRKSag==
protocol inbound telnet
#
line vty 4 63
user-role network-operator
#
ip route-static 0.0.0.0 0 172.24.0.2
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$4lZ/dTeeAnRwzsDU$EuQbfWUuk5CMCRqsapbexYzGXpLa5WR8Nu4Z4u7iisRb0Lnbx+FViQKqAcPNs+GOZvodjFwKWj6lqoKAr69aOg==
service-type http
authorization-attribute user-role level-15
authorization-attribute user-role network-operator
#
ip http enable
#
cloud-management server domain oasis.h3c.com
#
return
- 2020-11-20回答
- 评论(0)
- 举报
-
(0)
可以配置包过滤实现部分网部不能访问外网。
例如:
[H3C] acl basic 2000
[H3C-acl-ipv4-basic-2000] rule deny source 10.1.1.1 0
[H3C-acl-ipv4-basic-2000] quit
[H3C] interface gigabitethernet 1/0/1
[H3C-GigabitEthernet1/0/1] packet-filter 2000 inbound
- 2020-11-20回答
- 评论(2)
- 举报
-
(0)
这个内网s5560的28口是接的外网 s5500的16口,我这样配置可以吗 [H3C] acl basic 2000 [H3C-acl-ipv4-basic-2000] rule deny source 172.24.0.0 0 [H3C-acl-ipv4-basic-2000] quit [H3C] interface gigabitethernet 1/0/28 [H3C-GigabitEthernet1/0/28] packet-filter 2000 inbound
还是这个合适 rule 0 deny ip source 172.24.0.0 0.0.8.255 destination 0.0.0.0 0.0.0.0
可以配置包过滤,在上行口进行调用:
配置步骤
# 创建IPv4基本ACL 2000,配置拒绝源IP地址为10.1.1.1的报文通过的规则。
[H3C] acl basic 2000
[H3C-acl-ipv4-basic-2000] rule deny source 10.1.1.1 0
[H3C-acl-ipv4-basic-2000] quit
说明:如果acl number 2000无法写上去的话可能是由于交换机的软件版本不同导致,此时修改为acl basic 2000的写法就可以了。
# 配置包过滤功能,应用IPv4基本ACL 2000对端口GigabitEthernet1/0/1收到的IPv4报文进行过滤。
[H3C] interface gigabitethernet 1/0/1
[H3C-GigabitEthernet1/0/1] packet-filter 2000 outbound
- 2020-11-20回答
- 评论(3)
- 举报
-
(0)
这样设置了,服务器还能被外部网络访问到吗?内部网络我设置的是一个大网段,172.24.0.0/20。在s5560上面设置这个大网段的策略吗?
可以写两条规则,第一条permit允许服务器的地址,第二条就是上文的 deny禁止掉这个网段,ACL是按顺序匹配的。这样就保证服务器能和外网交互,这个网段其他地址就不能访问。
rule 0 deny ip source 172.24.0.0 0.0.8.255 destination 0.0.0.0 0.0.0.0 这个是 禁止整个网段访问外部是吧,想让服务器能被外网访问,但服务器不能访问外网。
您好,请知:
关于不让特定网段访问外网,在出口设备上的NAT配置ACL进行绑定限制即可,参考配置如下:
acl basic 2000
rule 0 deny source 192.168.1.0 0.0.0.255
rule 1 permit source any
quit
int gi 0/0
nat outbound 2000
quit
- 2020-11-20回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明