H3C-ACL单向访问.doc

S5500-EI交换机利用ACL实现TCP单向访问的配置一、 组网需求：2个网段通过一台S5500-EI互联，要求网段A可以访问网段B，网段B不能访问网段A。二、 组网图：S5500-EI交换机G1/0/23端口连接Vlan 100，G1/0/24端口连接Vlan 200。S5500-EI交换机版本必须为R2202P05以上。三、 配置步骤：#配置端口、虚接口H3Cvlan 100H3C-vlan100port GigabitEthernet 1/0/23H3C-vlan100quitH3Cinterface Vlan-interface 100H3C-Vlan-interface100ip address 1.1.1.1 24H3C-Vlan-interface100quitH3Cvlan 200H3C-vlan200port GigabitEthernet 1/0/24H3C-vlan200quitH3Cinterface Vlan-interface 200H3C-Vlan-interface200ip address 2.2.2.1 24#创建ACL，其中第1条匹配TCP连接请求报文，第2条匹配TCP连接建立报文H3Cacl number 3001H3C-acl-adv-3001rule 0 permit tcp established source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255 H3C-acl-adv-3001quitH3Cacl number 3002H3C-acl-adv-3002rule 0 permit tcp source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255#创建流分类，匹配相应的ACLH3Ctraffic classifier 3001H3C-classifier-3001if-match acl 3001H3C-classifier-3001quit H3Ctraffic classifier 3002H3C-classifier-3002if-match acl 3002#创建流行为，permit TCP连接建立报文，deny从 Vlan 200发送的TCP连接建立请求报文H3Ctraffic behavior 3001H3C-behavior-3001filter permitH3C-behavior-3001quitH3Ctraffic behavior 3002H3C-behavior-3002filter deny#创建Qos策略，关联流分类和流行为H3Cqos policy 3000H3C-qospolicy-3000classifier 3001 behavior 3001H3C-qospolicy-3000classifier 3002 behavior 3002#在Vlan 200端口入方向下发Qos策略H3Cinterface GigabitEthernet 1/0/24H3C-GigabitEthernet1/0/24qos apply policy 3000 inbound四、 配置关键点：1. 在配置ACL和Qos策略前必须全网路由可达。如果S5500-EI两端连接的是交换机，则需要配置路由协议或在两端交换机上配置到对方网段的静态路由。2. 在S5500-EI上配置ACL rule时，tcp established匹配的是带有ack标志位的tcp连接报文，而tcp匹配的是所有tcp连接报文。在配置Qos策略时，匹配流分类和流行为要注意顺序，先匹配permit的，再匹配deny的。这样的结果是在入方向deny了不带有ack标志位的tcp连接报文，其它tcp连接报文均能正常通过。因此Vlan 200所在网段发起tcp连接时第一个请求报文被deny而无法建立连接，Vlan 100所在网段发起tcp连接时，Vlan 200所在网段发送的都是带有ack标志位的tcp连接报文，连接可以顺利建立。3. S5500-EI从R2202P05版本开始，在ACL中添加了Established字段，之前的版本无法实现TCP单向访问功能。 traffic classifier 3001 operator and 建立流分类 if-match acl 3001 引入ACL traffic classifier 3002 operator and if-match acl 3002#traffic behavior 3001 建立流行为 filter permittraffic behavior 3002 filter deny#qos policy 3000 建立qos策略 classifier 3001 behavior 3001 关联流分类和流行为 classifier 3002 behavior 3002#local-user h3c service-type telnet#acl number 3001 rule 0 permit tcp established 允许请求报文 any to anyacl number 3002 rule 0 permit tcp 允许建立连接报文 any to any# - More -interface Serial0/2/0 link-protocol ppp - More - ip address 10.1.1.2 255.255.255.0# - More -interface Serial0/2/1 link-protocol ppp - More -# interface Serial0/2/2 - More - link-protocol ppp ip address 172.1.1.1 255.255.255.0 - More - qos apply policy 3000 inbound 接口应用qos策略 定义方向或者Advanced ACL 3001, named -none-, 2 rules,ACLs step is 5 rule 0 permit tcp established source 172.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (418 times matched) rule 5 permit tcp established destination 172.1.1.1 0 (17 times matched)Advanced ACL 3002, named -none-, 2 rules,ACLs step is 5 rule 0 permit tcp source 172.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (25 times matched) rule 5 permit tcp destination 172.1.1.1 0 traffic classifier 3001 operator and if-match acl 3001traffic classifier 3002 operator and if-match acl 3002#traffic behavior 3001 filter permittraffic behavior 3002 filter deny#qos policy 3000 classifier 3001 behavior 3001 classifier 3002 behavior 3002#local-user h3c service-type telnet#acl number 3001 rule 0 permit tcp establishedacl number 3002 rule 0 permit tcp# - More -interface Serial0/2/0 link-protocol ppp - More - ip address 10.1.1.2 255.255.255.0# - More -interface Serial0/2/1 link-protocol ppp - More -# interface Serial0/2/2 - More - link-protocol ppp ip address 172.1.1.1 255.255.255.0 - More - qos apply policy 3000 inboundH3C5500-EI交换机TCP单向访问一例用户需求:vlan 1: 管理机vlan 101,102,103: 业务网段要求业务网段之间不互访,管理机可访问业务网段,业务网段不可访问管理机(即TCP单向),交换机间均trunk连接,QOS下发到VLAN.要点:established为TCP三次握手的ACK报文.下面配置可以实现TCP 单通TXnet-JGversion 5.20, Release 2102vlan 1description tx-system-vlan#vlan 101description tx-huawu-vlan#vlan 102description tx-jifei-vlan#vlan 103description tx-ziyuan-vlan#traffic classifier denyip operator andif-match acl 3001traffic classifier denytcp operator andif-match acl 3002traffic classifier permitTCPest operator andif-match acl 3003#traffic behavior permitfilter permittraffic behavior denyfilter deny#qos policy aclassifier permitTCPest behavior permitclassifier denytcp behavior denyclassifier denyip behavior deny#acl number 3001rule 0 permit ip source 10.103.101.0 0.0.0.255 destination 10.103.102.0 0.0.0.255rule 5 permit ip source 10.103.101.0 0.0.0.255 destination 10.103.103.0 0.0.0.255rule 10 permit ip source 10.103.102.0 0.0.0.255 destination 10.103.101.0 0.0.0.255rule 15 permit ip source 10.103.102.0 0.0.0.255 destination 10.103.103.0 0.0.0.255rule 20 permit ip source 10.103.103.0 0.0.0.255 destination 10.103.101.0 0.0.0.255rule 25 permit ip source 10.103.103.0 0.0.0.255 destination 10.103.102.0 0.0.0.255acl number 3002rule 0 permit tcp source 10.103.101.0 0.0.0.255 destination 10.103.100.0 0.0.0.63rule 5 permit tcp source 10.103.102.0 0.0.0.255 destination 10.103.100.0 0.0.0.63rule 15 permit tcp source 10.103.103.0 0.0.0.255 destination 10.103.100.0 0.0.0.63acl number 3003rule 0 permit tcp established source 10.103.101.0 0.0.0.255 destination 10.103.100.0 0.0.0.63rule 5 permit tcp established source 10.103.102.0 0.0.0.255 destination 10.103.100.0 0.0.0.63rule 10 permit tcp established source 10.103.103.0 0.0.0.255 destination 10.103.100.0 0.0.0.63#interface Vlan-interface1ip address 10.103.100.10 255.255.255.192#interface Vlan-interface101ip address 10.103.101.254 255.255.255.0#interface Vla