A simple ACL exercise
Topology (two switches linked by a trunk carrying VLANs 10 and 20):
SW1: VLAN 10, IP 10.10.1.1/30    SW2: VLAN 10, IP 10.10.1.2/30
SW1: VLAN 20, IP 10.10.2.1/30    SW2: VLAN 20, IP 10.10.2.2/30
SW1 configuration:
#
interface Vlanif10
ip address 10.10.1.1 255.255.255.252
#
interface Vlanif20
ip address 10.10.2.1 255.255.255.252
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
#
acl number 3000
rule 5 permit icmp source 10.10.1.2 0 destination 10.10.1.1 0
acl number 3001
rule 5 permit ip
#
traffic classifier deny operator and
if-match acl 3000
traffic classifier permit operator or
if-match acl 3001
#
traffic behavior deny
deny
traffic behavior permit
permit
#
traffic policy ceshi
classifier deny behavior permit
classifier permit behavior deny
#
traffic-policy ceshi global inbound
#
SW2 configuration:
#
interface Vlanif10
ip address 10.10.1.2 255.255.255.252
#
interface Vlanif20
ip address 10.10.2.2 255.255.255.252
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
Observed results:
Only 10.10.1.2 and 10.10.1.1 can reach each other:
traffic policy ceshi
classifier deny behavior permit
classifier permit behavior deny
#
Only 10.10.2.1 and 10.10.2.2 can reach each other:
#
traffic policy ceshi
classifier deny behavior deny
classifier permit behavior permit
#
Case 1:
#
traffic policy ceshi
classifier permit behavior permit
classifier deny behavior deny
#
Everything can reach everything.
Case 2:
#
traffic policy ceshi
classifier permit behavior deny
classifier deny behavior deny
#
Nothing can reach anything.
In both cases the policy is matched top-down: the first classifier that matches decides, and the action is derived from its behavior. (The ACL rule action and the behavior are ANDed: a packet is forwarded only when the matching rule is permit and the behavior is permit; a deny rule drops it regardless of the behavior.)
If acl 3000 is changed to the following (acl 3001 unchanged):
#
acl number 3000
 rule 5 permit icmp source 10.10.1.2 0 destination 10.10.1.1 0
 rule 10 deny icmp
acl number 3001
 rule 5 permit ip
#
traffic policy ceshi
classifier deny behavior permit
classifier permit behavior permit
#
In this case
only 10.10.1.0/30 can communicate, while 10.10.2.0/30 cannot. This is because, following the policy order, classifier deny behavior permit is matched first; inside ACL 3000 the rules are matched top-down, and since rule 10 denies, every other ICMP packet is blocked and dropped right there, so it never gets as far as matching acl 3001.
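To make the matching order concrete, here is a small Python model of the evaluation described above (an added example, not the switches' configuration or any Huawei code). It assumes that classifiers are tried in policy order and the first whose ACL hits decides, that an ACL deny rule drops the packet whatever the behavior says, and that a packet matching no classifier is forwarded; the ACLs, packets and policies are constructed to mirror the page's scenarios.

```python
from ipaddress import ip_address, ip_network

# ACL rules as (action, protocol, source, destination); "any" is a wildcard. Constructed to
# mirror the page's acl 3000 / 3001; "10.10.1.2 0" on the switch becomes a /32 here.
ACLS_BASE = {
    3000: [("permit", "icmp", "10.10.1.2/32", "10.10.1.1/32")],   # rule 5
    3001: [("permit", "ip", "any", "any")],                       # rule 5
}
# The last scenario on the page adds "rule 10 deny icmp" to acl 3000.
ACLS_WITH_DENY = {
    3000: ACLS_BASE[3000] + [("deny", "icmp", "any", "any")],
    3001: ACLS_BASE[3001],
}
CLASSIFIERS = {"deny": 3000, "permit": 3001}   # classifier name -> the ACL it if-matches

def ping(src, dst):
    """A constructed ICMP packet, the traffic used in the page's tests."""
    return {"proto": "icmp", "src": src, "dst": dst}

def rule_matches(rule, pkt):
    _, proto, src, dst = rule
    return ((proto in ("ip", pkt["proto"]))
            and (src == "any" or ip_address(pkt["src"]) in ip_network(src))
            and (dst == "any" or ip_address(pkt["dst"]) in ip_network(dst)))

def acl_lookup(rules, pkt):
    """Top-down ACL match: the first hit decides; None means no rule matched."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return None

def evaluate(policy, pkt, acls):
    """policy: ordered (classifier, behavior) pairs, as under 'traffic policy ceshi'.
    Classifiers are tried top-down; the first one whose ACL hits decides.
    Rule action AND behavior: only permit+permit forwards, an ACL deny rule
    discards the packet no matter what the behavior says.
    Model assumption: a packet matching no classifier is forwarded."""
    for classifier, behavior in policy:
        action = acl_lookup(acls[CLASSIFIERS[classifier]], pkt)
        if action is None:
            continue
        return "permit" if action == "permit" and behavior == "permit" else "deny"
    return "permit"

if __name__ == "__main__":
    # Page scenario: "only 10.10.1.2 and 10.10.1.1 can reach each other".
    policy = [("deny", "permit"), ("permit", "deny")]
    print(evaluate(policy, ping("10.10.1.2", "10.10.1.1"), ACLS_BASE))  # permit
    print(evaluate(policy, ping("10.10.2.2", "10.10.2.1"), ACLS_BASE))  # deny
```

Swapping in the other policies and ACLS_WITH_DENY reproduces cases 1 and 2 and the rule 10 scenario.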