A hands-on configuration example of blacklist/whitelist access ACLs on Huawei S5500-series switches
(1) Step 1: Define the rules (set the entries you expect to be hit, i.e. make the "filter element")
acl number 3000
rule 0 permit tcp source 10.0.28.247 0 destination 10.0.20.20 0 destination-port eq 8081
rule 1 deny tcp destination 10.0.20.43 0 destination-port eq 8081
acl number 3001
rule 0 permit tcp source 10.0.24.152 0 destination 10.0.20.91 0 destination-port eq 1521
rule 1 deny tcp destination 10.0.20.96 0 destination-port eq 1521
acl number 3002
rule 0 permit tcp source 10.0.24.152 0 destination 10.0.20.37 0 destination-port eq 9090
rule 1 deny tcp destination 10.0.20.37 0 destination-port eq 9090
(2) Step 2: Traffic classification (sort the traffic passing through the interface; traffic matching the rule entries above forms one class)
traffic classifier Access-Whitelist operator or
if-match acl 3000
if-match acl 3001
if-match acl 3002
(3) Step 3: Traffic behavior
traffic behavior Access-behavior
(leave empty) Do not configure permit or deny here!!!
(4) Step 4: Policy (assemble a complete policy: bind the traffic classifier to the traffic behavior)
traffic policy Access-policy
classifier Access-Whitelist behavior Access-behavior
(5) Step 5: Apply the policy to the interface (fit the policy "part" onto the interface)
interface GigabitEthernet0/1/2
port link-type access
port default vlan 4091
traffic-policy Access-policy inbound   (only this line needs to be added)