H3CNE 24 配置基本ACL 实现包过滤
24 配置基本ACL 实现包过滤通过配置基本ACL拒绝PC1192.168.10.100访问PC2 192.168.20.100R1基本配置<H3C>system-viewsysname r1interface gigabitethernet 0/2ip address 192.168.10.1 24interface gigabitethernet 0/0ip address 10.10.12.1 24quit配置默认路由ip route-static 192.168.20.0 255.255.255.010.10.12.2//配置默认路由配置基本ACLacl number 2000 //创建基本ACLstep 10//配置步长为10rule deny source192.168.10.100 0.0.0.0//配置拒绝源地址通行规则rule permit source any//配置允许源地址访问规则quit配置接口引用ACLinterfacegigabitethernet 0/0 packet-filter 2000 outbound//配置接口的出方向访问引用ACL规则包过滤 R2<H3C>system-viewsysname r2interface gigabitethernet 0/2ip address 192.168.20.1 24interface gigabitethernet 0/0ip address 10.10.12.2 24quitip route-static 192.168.10.0 255.255.255.010.10.12.1此时当PC1地址为192.168.10.100时,无法访问对面PC2192.168.20.100;数据在R1 的G 0/0出接口时被ACL2000过滤。把PC1的时址改成101时则能正常访问了。反之,在R1的G 0/0接口inbound方向也可进行配置,例如禁止R2 192.168.20.100的PC访问本路由下的PC1。acl number 2001 step 20rule 0 deny source192.168.20.100 0.0.0.0rule 10 permit source anyquitinterface gigabitethernet 0/0packet-filter 2001 inboundquit 完成!
页:
[1]
