S3110 switch, Comware V5 release.
Requirement:
Configure an ACL policy that restricts traffic in the switch's outbound direction so that the source addresses can reach only the listed destination addresses.
Source addresses: 55.100.74.129-130
Destination addresses: 55.10.10.101-104, 55.10.40.1-4, 55.20.10.1-6
The configuration is as follows:
<CQ-QUANDB1.S1>dis cu
#
version 5.20.99, Release 1107
#
sysname CQ-QUANDB1.S1
#
clock timezone beijing add 08:00:00
#
undo copyright-info enable
#
domain default enable system
#
ipv6
#
undo ip http enable
#
password-recovery enable
#
acl number 2001
rule 0 permit source 10.55.0.0 0.0.255.255
rule 5 permit source 55.0.0.0 0.255.255.255
rule 10 deny
#
acl number 3001
rule 0 permit ip source 55.100.74.129 0 destination 55.10.10.101 0
rule 5 permit ip source 55.100.74.129 0 destination 55.10.10.102 0
rule 10 permit ip source 55.100.74.129 0 destination 55.10.10.103 0
rule 15 permit ip source 55.100.74.129 0 destination 55.10.10.104 0
rule 20 permit ip source 55.100.74.130 0 destination 55.10.10.101 0
rule 25 permit ip source 55.100.74.130 0 destination 55.10.10.102 0
rule 30 permit ip source 55.100.74.130 0 destination 55.10.10.103 0
rule 35 permit ip source 55.100.74.130 0 destination 55.10.10.104 0
rule 40 permit ip source 55.100.74.130 0 destination 55.10.40.1 0
rule 45 permit ip source 55.100.74.130 0 destination 55.10.40.2 0
rule 50 permit ip source 55.100.74.130 0 destination 55.10.40.3 0
rule 55 permit ip source 55.100.74.130 0 destination 55.10.40.4 0
rule 60 permit ip source 55.100.74.129 0 destination 55.10.40.1 0
rule 65 permit ip source 55.100.74.129 0 destination 55.10.40.2 0
rule 70 permit ip source 55.100.74.129 0 destination 55.10.40.3 0
rule 75 permit ip source 55.100.74.129 0 destination 55.10.40.4 0
rule 80 permit ip source 55.100.74.129 0 destination 55.20.10.1 0
rule 85 permit ip source 55.100.74.129 0 destination 55.20.10.2 0
rule 90 permit ip source 55.100.74.129 0 destination 55.20.10.3 0
rule 95 permit ip source 55.100.74.129 0 destination 55.20.10.4 0
rule 100 permit ip source 55.100.74.129 0 destination 55.20.10.5 0
rule 105 permit ip source 55.100.74.129 0 destination 55.20.10.6 0
rule 110 permit ip source 55.100.74.130 0 destination 55.20.10.1 0
rule 115 permit ip source 55.100.74.130 0 destination 55.20.10.2 0
rule 120 permit ip source 55.100.74.130 0 destination 55.20.10.3 0
rule 125 permit ip source 55.100.74.130 0 destination 55.20.10.4 0
rule 130 permit ip source 55.100.74.130 0 destination 55.20.10.5 0
rule 135 permit ip source 55.100.74.130 0 destination 55.20.10.6 0
rule 140 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user cqdl-con
password cipher $c$3$2Q8CPPgmULOQoCcJSI5bRAwPYbXPxCPnSGu1DA==
authorization-attribute level 3
service-type terminal
local-user cqdl-ssh
password cipher $c$3$j/bQk+VFcbAZEBPYgTQv0w/RFKN2EWazDLnx5Q==
authorization-attribute level 3
service-type ssh
#
interface NULL0
#
interface Vlan-interface1
ip address 55.100.74.252 255.255.255.128
#
interface Ethernet1/0/1
description TO R1
port link-type trunk
port trunk permit vlan all
#
interface Ethernet1/0/2
ip source binding mac-address 0090-e85d-79a6
ip verify source mac-address
#
interface Ethernet1/0/3
ip source binding mac-address 0090-e85f-0f99
ip verify source mac-address
#
interface Ethernet1/0/4
shutdown
#
interface Ethernet1/0/5
shutdown
#
interface Ethernet1/0/6
shutdown
#
interface Ethernet1/0/7
shutdown
#
interface Ethernet1/0/8
shutdown
#
interface Ethernet1/0/9
shutdown
#
interface Ethernet1/0/10
shutdown
#
interface Ethernet1/0/11
shutdown
#
interface Ethernet1/0/12
shutdown
#
interface Ethernet1/0/13
shutdown
#
interface Ethernet1/0/14
shutdown
#
interface Ethernet1/0/15
#
interface Ethernet1/0/16
shutdown
#
interface Ethernet1/0/17
shutdown
#
interface Ethernet1/0/18
shutdown
#
interface Ethernet1/0/19
shutdown
#
interface Ethernet1/0/20
shutdown
#
interface Ethernet1/0/21
shutdown
#
interface Ethernet1/0/22
shutdown
#
interface Ethernet1/0/23
shutdown
#
interface Ethernet1/0/24
shutdown
#
interface GigabitEthernet1/0/25
shutdown
#
interface GigabitEthernet1/0/26
shutdown
#
ip route-static 10.55.0.0 255.255.0.0 55.100.74.254
ip route-static 55.0.0.0 255.0.0.0 55.100.74.254
#
ntp-service unicast-server 55.20.10.253
#
ssh server enable
ssh user cqdl-ssh service-type stelnet authentication-type password
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 0
authentication-mode scheme
idle-timeout 5 0
user-interface vty 0 4
acl 2001 inbound
authentication-mode scheme
idle-timeout 5 0
user-interface vty 5 15
#
return
<CQ-QUANDB1.S1>
Questions:
1. How do I apply ACL 3001 in the switch's outbound direction? On the V5 release I find there is no outbound option under interface Ethernet1/0/1.
2. If I enter packet-filter 3001 inbound under interface Ethernet1/0/1, the SSH2 remote session to the switch that comes in through the router drops. How should this be handled?
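Added example, not part of the post above and not H3C code: a small Python evaluator for the two ACLs in the dump. It rebuilds ACL 3001 from the stated requirement in the same rule layout the dump shows (the rule ids differ from the page for the 55.10.40.x block because the generator is source-major; the set of permitted pairs and the closing rule 140 deny ip are identical), parses the acl number blocks back out of configuration text, and evaluates packets with first-match semantics and Comware wildcard masks. Two things fall out of running it. First, the 28 permit rules cover exactly the 2 x 14 required (source, destination) pairs and nothing else. Second, the symptom in question 2: a packet from a management host (10.55.1.10 is a constructed address inside the 10.55.0.0/16 that ACL 2001 admits to the VTYs) entering the switch towards the Vlan-interface1 address 55.100.74.252 matches none of the permits in ACL 3001 and is dropped by rule 140, so applying 3001 inbound on the uplink cuts the SSH session even though the VTY ACL would have accepted the login. The hosts .129/.130 sit in the Vlan-interface1 subnet 55.100.74.128/25; which physical ports they hang off is not shown in the dump, so the script reasons about addresses, not interfaces.

```python
"""Added example (not the poster's config, not H3C code): an offline evaluator
for the Comware V5 ACLs quoted in the post. It rebuilds ACL 3001 from the
requirement, parses `acl number` blocks as they appear in the config dump, and
evaluates packets with first-match semantics and Comware wildcard masks (a 1 bit
in the wildcard means "don't care"; the bare `0` on the page means 0.0.0.0)."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Requirement from the post, as explicit address lists.
SOURCES = ["55.100.74.129", "55.100.74.130"]
DESTINATIONS = ([f"55.10.10.{i}" for i in range(101, 105)]
                + [f"55.10.40.{i}" for i in range(1, 5)]
                + [f"55.20.10.{i}" for i in range(1, 7)])

# ACL 2001 copied from the page; it guards VTY logins, not forwarded traffic.
ACL_2001 = """\
acl number 2001
 rule 0 permit source 10.55.0.0 0.0.255.255
 rule 5 permit source 55.0.0.0 0.255.255.255
 rule 10 deny
#
"""

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)(?:\s+ip)?"
                     r"(?:\s+source\s+(\S+)\s+(\S+))?"
                     r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$")

@dataclass
class Rule:
    rid: int
    action: str
    src: Optional[Tuple[int, int]]  # (address & care_mask, care_mask); None = any
    dst: Optional[Tuple[int, int]]

def generate_acl(number: int, sources: List[str], destinations: List[str]) -> str:
    """One exact-match permit per (source, destination) pair, then an explicit final
    deny. Neither .129/.130 nor 101-104 is a wildcard-aligned block, hence 28 rules."""
    lines, rid = [f"acl number {number}"], 0
    for src in sources:
        for dst in destinations:
            lines.append(f" rule {rid} permit ip source {src} 0 destination {dst} 0")
            rid += 5
    lines.append(f" rule {rid} deny ip")
    return "\n".join(lines) + "\n#\n"

def _term(addr: str, wildcard: str) -> Tuple[int, int]:
    """Precompute (addr & care, care) for a Comware address/wildcard pair."""
    care = 0xFFFFFFFF ^ int(IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    return int(IPv4Address(addr)) & care, care

def parse_acls(config: str) -> Dict[int, List[Rule]]:
    """Collect every `acl number N` block; rules are kept in configuration order."""
    acls: Dict[int, List[Rule]] = {}
    current: Optional[List[Rule]] = None
    for line in config.splitlines():
        head = re.match(r"^\s*acl number (\d+)\s*$", line)
        if head:
            current = acls.setdefault(int(head.group(1)), [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rid, action, sa, sw, da, dw = m.groups()
            current.append(Rule(int(rid), action, _term(sa, sw) if sa else None,
                                _term(da, dw) if da else None))
        elif line.strip() == "#":
            current = None
    return acls

def evaluate(rules: List[Rule], src: str, dst: str,
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """First matching rule wins; `default` covers a packet matching no rule (both
    ACLs on the page end in an explicit deny, so it never applies here)."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for r in rules:
        if r.src and (s & r.src[1]) != r.src[0]:
            continue
        if r.dst and (d & r.dst[1]) != r.dst[0]:
            continue
        return r.action, r.rid
    return default, None

ACLS = parse_acls(ACL_2001 + generate_acl(3001, SOURCES, DESTINATIONS))

def requirement_holds(rules: List[Rule]) -> bool:
    """All 28 required pairs permitted; a neighbour host, an unlisted server and
    the switch's own Vlan-interface1 address 55.100.74.252 denied."""
    needed = all(evaluate(rules, s, d)[0] == "permit" for s in SOURCES for d in DESTINATIONS)
    probes = [("55.100.74.131", "55.10.10.101"), ("55.100.74.129", "55.10.10.105"),
              ("55.100.74.129", "55.100.74.252")]
    return needed and all(evaluate(rules, s, d)[0] == "deny" for s, d in probes)

def management_ssh_verdicts(mgmt_host: str = "10.55.1.10"):
    """Constructed management host inside the 10.55.0.0/16 that ACL 2001 admits to
    the VTYs. The same packet, entering the uplink towards the switch address
    55.100.74.252, matches no permit in ACL 3001 and hits the final `deny ip`."""
    switch_ip = "55.100.74.252"
    return evaluate(ACLS[2001], mgmt_host, switch_ip), evaluate(ACLS[3001], mgmt_host, switch_ip)
```

requirement_holds(ACLS[3001]) returns True and management_ssh_verdicts() returns (('permit', 0), ('deny', 140)): the VTY ACL admits the management host, the packet-filter ACL does not. The generator emits the rules with a leading space, as the running configuration does; the parser accepts the unindented form shown in the post as well. Wildcard handling is the general Comware form, so ranges that do align (for example a /16 with wildcard 0.0.255.255, as in ACL 2001) evaluate correctly too.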