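Huawei eNSP: Configuring Extended ACLs
Basic and extended ACLs
1. Lab topology:
Uses the eNSP simulator (version V100R002C001.2.00.350)
2. Lab requirements
1: Create a DHCP address pool on R1
2: Configure basic and extended NAT
3: Bind vm8 to the 2008 machine
3. Lab configuration
Set IP addresses on the interfaces
Basic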
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[Huawei]dhcp enable  # set up the address pool
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]dhcp select interface  # apply it to the interface
The 2008 machine receives an address
[Huawei]acl 2014
[Huawei-acl-basic-2014]rule deny source 192.168.10.252 0  # keep 10.252 from getting through
[Huawei-acl-basic-2014]rule permit source any
[Huawei-acl-basic-2014]dis this
[Huawei-acl-basic-2014]rule 6 deny source 192.168.10.253 0  # insert a rule numbered 6 in between
[Huawei-acl-basic-2014]dis this
[Huawei-acl-basic-2014]undo rule 6  # just specify 6 to delete it
[Huawei-acl-basic-2014]dis this
[Huawei-acl-basic-2014]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 2014
[Huawei-GigabitEthernet0/0/0]display acl all
[Huawei-GigabitEthernet0/0/0]un traffic-filter outbound
[Huawei-GigabitEthernet0/0/0]q
Extended
[Huawei]undo acl 2014
[Huawei]acl 3014
[Huawei-acl-adv-3014]rule deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.20.8 0 destination-port eq 80  # hosts on the 10.0 network cannot fetch www from 20.8
[Huawei-acl-adv-3014]rule permit ip source any destination any
[Huawei-acl-adv-3014]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3014
[Huawei-GigabitEthernet0/0/1]dis acl all
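To check what ACL 2014 and ACL 3014 decide for a given packet before applying them, the following added example (not part of the original post, and not device code) models first-match evaluation in ascending rule-ID order with wildcard masks. It assumes the default rule-ID step of 5 and the default config match order; the `Acl` class and helper names are hypothetical.

```python
import ipaddress

STEP = 5  # assumption: default VRP rule-ID step, so unnumbered rules get 5, 10, 15...

def wild_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

class Acl:
    def __init__(self):
        self.rules = {}  # rule ID -> rule fields

    def rule(self, action, rule_id=None, proto="ip", src=None, dst=None, dport=None):
        if rule_id is None:  # next multiple of STEP above the highest existing ID
            rule_id = (max(self.rules, default=0) // STEP + 1) * STEP
        self.rules[rule_id] = dict(action=action, proto=proto, src=src, dst=dst, dport=dport)
        return rule_id

    def undo_rule(self, rule_id):
        self.rules.pop(rule_id, None)

    def check(self, src, dst="0.0.0.0", proto="ip", dport=None):
        """Return (action, rule ID) of the first match in ascending ID order."""
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if (r["proto"] in ("ip", proto)
                    and (not r["src"] or wild_match(src, *r["src"]))
                    and (not r["dst"] or wild_match(dst, *r["dst"]))
                    and r["dport"] in (None, dport)):
                return r["action"], rid
        return "no-match", None  # no rule matched this packet

def build_acl_2014():
    acl = Acl()
    acl.rule("deny", src=("192.168.10.252", "0.0.0.0"))   # auto-numbered 5
    acl.rule("permit")                                     # auto-numbered 10 (source any)
    acl.rule("deny", rule_id=6, src=("192.168.10.253", "0.0.0.0"))  # lands between 5 and 10
    return acl

def build_acl_3014():
    acl = Acl()
    acl.rule("deny", proto="tcp", src=("192.168.10.0", "0.0.0.255"),
             dst=("192.168.20.8", "0.0.0.0"), dport=80)
    acl.rule("permit")                                     # permit ip any any
    return acl
```

Because rule 6 sorts ahead of the permit at rule 10, 192.168.10.253 is denied until `undo_rule(6)` removes it; had the same deny been added without a number it would have become rule 15 and never been reached.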
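Configuring a time range
[Huawei]time-range work 8:00 to 11:30 working-day  # create the time range
[Huawei-acl-adv-3014]rule deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.20.8 0 destination-port eq 80 time-range work  # attach the time range created above
[Huawei]user-int vty 0 4
[Huawei-ui-vty0-4]acl 3014 inbound  # applying it here is secure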
Reposted from: https://blog.51cto.com/funinghua/1584424