Huawei Firewall Transparent Mode ACL Test Lab

packet-filter 3002 inbound
mode lacp-static
An ACL can be configured on the USG9000 to control the PC's access to the 4507:
acl number 3002 //// When rule 5 is deleted, the PC cannot access the 4507
rule 5 permit ip source 10.2.94.0 0.0.0.255
rule 10 deny ip
firewall interzone trust untrust
no switchport
no ip address
channel-group 3 mode active
interface TenGigabitEthernet4/2
description firewall-testing
no switchport
no ip address
channel-group 3 mode active
description to ChengYuWang-12808-2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/1/0
description to DianBo-4507-2
undo shutdown
eth-trunk 2
interface Eth-Trunk1
description to ChengYuWang-12808-1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/1/0
description to DianBo-4507-1
undo shutdown
eth-trunk 2
#
interface GigabitEthernet2/0/0
mode lacp
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 78
ip route-static 0.0.0.0 0.0.0.0 10.2.94.2
USG9000 configuration:
interface GigabitEthernet1/0/0
ip route 10.2.94.4 255.255.255.252 10.2.94.1
5700 configuration:
#
interface XGigabitEthernet0/1/1
eth-trunk 1
#
interface XGigabitEthernet0/1/2
eth-trunk 1
interface Vlanif77
4507 configuration:
interface Port-channel3
description firewall-testing
ip address 10.2.94.2 255.255.255.252
interface TenGigabitEthernet4/1
description firewall-testing
Topology:
4507(int port-channel 3,10.2.94.2,4/1,4/2)---(vlan 10,1/0/0,1/1/0)USG9000(vlan 10,2/0/0,2/1/0)---(int vlan 77,10.2.94.1,0/1/1,0/1/2)5700(int vlan 78,10.2.94.5,0/0/1)----(10.2.94.6)PC
portswitch
description to ChengYuWang-12808
port default vlan 10
mode lacp-static
#
interface Eth-Trunk2
portswitch
description to DianBo-4507
port default vlan 10
ip address 10.2.94.1 255.255.255.252
#
interface Vlanif78
ip address 10.2.94.5 255.255.255.252
#
interface Eth-Trunk1
port link-type access
port default vlan 77
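
How ACL 3002 above decides the PC's traffic, as an added Python example that is not part of the original document: it evaluates the two rules against a source address using wildcard-mask matching. Assumptions: rules are tried in ascending rule-id order with the first match winning, the function names are hypothetical, and the narrowed rule (wildcard 0.0.0.3) is a constructed variant derived from the PC-side 255.255.255.252 subnet shown in the 5700 configuration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard mask leaves at 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # wildcard bit 1 = ignore, bit 0 = must match
    return (a & care) == (b & care)

def parse_rule(line):
    """Parse 'rule <id> permit|deny ip [source <addr> <wildcard>]' (the forms on the page)."""
    tok = line.split()
    ok = len(tok) in (4, 7) and tok[0] == "rule" and tok[2] in ("permit", "deny") and tok[3] == "ip"
    if not ok or (len(tok) == 7 and tok[4] != "source"):
        raise ValueError("unsupported rule: " + line)
    src = (tok[5], tok[6]) if len(tok) == 7 else None  # None = matches any source
    return int(tok[1]), tok[2], src

def evaluate(rule_lines, src_ip):
    """Return (rule_id, action) of the first rule matching src_ip.

    Assumption: rules are tried in ascending rule-id order, first match wins.
    """
    for rid, action, src in sorted(map(parse_rule, rule_lines), key=lambda r: r[0]):
        if src is None or wildcard_match(src_ip, *src):
            return rid, action
    return None, "no-match"  # outcome then depends on the device default

# ACL 3002 as shown on the page
ACL_3002 = ["rule 5 permit ip source 10.2.94.0 0.0.0.255", "rule 10 deny ip"]
# Constructed variant: rule 5 narrowed to the PC-side /30 (10.2.94.4, wildcard 0.0.0.3)
ACL_TIGHT = ["rule 5 permit ip source 10.2.94.4 0.0.0.3", "rule 10 deny ip"]
PC = "10.2.94.6"

if __name__ == "__main__":
    print(evaluate(ACL_3002, PC))               # PC is permitted by rule 5
    print(evaluate(ACL_3002[1:], PC))           # rule 5 deleted: PC falls to rule 10
    print(evaluate(ACL_3002, "10.2.94.200"))    # any host in the /24 also hits rule 5
    print(evaluate(ACL_TIGHT, "10.2.94.200"))   # narrowed rule: same host is denied
    print(evaluate(ACL_TIGHT, PC))              # PC is still permitted
```

Rule 5 as written permits every source in 10.2.94.0/24, not only the PC; the narrowed variant keeps the PC's access while the rest of the /24 falls through to rule 10.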