Inter-VLAN access problem, ACL control

Newcomer post
Posted on: 2018-2-1 21:39:55   Latest reply: 2018-02-04 12:15:02
ding_guo

Bounty: 1 E-coin (unresolved)

Hi all, my network has the following VLANs: VLAN1: 10.100.1.0, VLAN2: 10.100.2.0, VLAN3: 10.100.3.0, VLAN10: 10.100.10.0, VLAN11: 10.100.11.0, VLAN12: 10.100.12.0, VLAN13: 10.100.13.0, VLAN100: 192.168.1.0, VLAN200: 10.100.200.0

The requirements are:
1. VLAN1 may only communicate with VLAN100; all other communication is forbidden.
2. VLAN2 communicates with all VLANs.
3. VLAN3 communicates only with VLAN2 and VLAN100; all other communication is forbidden.
4. VLAN10 communicates only with VLAN2 and VLAN100; all other communication is forbidden.
5. VLAN11 communicates only with VLAN2 and VLAN100; all other communication is forbidden.
6. VLAN12 communicates only with VLAN2 and VLAN100; all other communication is forbidden.
7. VLAN13 communicates only with VLAN2 and VLAN100; all other communication is forbidden.
8. VLAN100 is forbidden from communicating with VLAN200; everything else may access each other.
9. VLAN200 communicates only with VLAN2; all other communication is forbidden.

So I configured ACL-based traffic control. The above is basically working: users in one VLAN cannot reach users in the other VLANs, as required. The problem is that users in every subnet can still ping the gateway of any VLAN, that is 10.100.1.1, 10.100.3.1, 10.100.10.1, 10.100.11.1, 10.100.12.1, 10.100.13.1 and 10.100.200.1.

I don't know where the problem is; could someone kindly help. The configuration is pasted below.

!Software Version V200R010C00SPC600
#
sysname S9306
#
vlan batch 2 to 3 10 to 13 100 200
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
telnet server enable
#
clock timezone UTC add 00:00:00
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
acl number 3000 
 rule 5 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
 rule 10 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.10.0 0.0.0.255
 rule 15 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.11.0 0.0.0.255
 rule 20 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.12.0 0.0.0.255
 rule 25 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.13.0 0.0.0.255
 rule 30 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
acl number 3003 
 rule 5 deny ip source 10.100.3.0 0.0.0.255 destination 10.100.1.0 0.0.0.255
 rule 10 deny ip source 10.100.3.0 0.0.0.255 destination 10.100.10.0 0.0.0.255
 rule 15 deny ip source 10.100.3.0 0.0.0.255 destination 10.100.11.0 0.0.0.255
 rule 20 deny ip source 10.100.3.0 0.0.0.255 destination 10.100.12.0 0.0.0.255
 rule 25 deny ip source 10.100.3.0 0.0.0.255 destination 10.100.13.0 0.0.0.255
 rule 30 deny ip source 10.100.3.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
acl number 3010 
 rule 5 deny ip source 10.100.10.0 0.0.0.255 destination 10.100.1.0 0.0.0.255
 rule 10 deny ip source 10.100.10.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
 rule 15 deny ip source 10.100.10.0 0.0.0.255 destination 10.100.11.0 0.0.0.255
 rule 20 deny ip source 10.100.10.0 0.0.0.255 destination 10.100.12.0 0.0.0.255
 rule 25 deny ip source 10.100.10.0 0.0.0.255 destination 10.100.13.0 0.0.0.255
 rule 30 deny ip source 10.100.10.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
acl number 3011 
 rule 5 deny ip source 10.100.11.0 0.0.0.255 destination 10.100.1.0 0.0.0.255
 rule 10 deny ip source 10.100.11.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
 rule 15 deny ip source 10.100.11.0 0.0.0.255 destination 10.100.10.0 0.0.0.255
 rule 20 deny ip source 10.100.11.0 0.0.0.255 destination 10.100.12.0 0.0.0.255
 rule 25 deny ip source 10.100.11.0 0.0.0.255 destination 10.100.13.0 0.0.0.255
 rule 30 deny ip source 10.100.11.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
acl number 3012 
 rule 5 deny ip source 10.100.12.0 0.0.0.255 destination 10.100.1.0 0.0.0.255
 rule 10 deny ip source 10.100.12.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
 rule 15 deny ip source 10.100.12.0 0.0.0.255 destination 10.100.10.0 0.0.0.255
 rule 20 deny ip source 10.100.12.0 0.0.0.255 destination 10.100.11.0 0.0.0.255
 rule 25 deny ip source 10.100.12.0 0.0.0.255 destination 10.100.13.0 0.0.0.255
 rule 30 deny ip source 10.100.12.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
acl number 3013 
 rule 5 deny ip source 10.100.13.0 0.0.0.255 destination 10.100.1.0 0.0.0.255
 rule 10 deny ip source 10.100.13.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
 rule 15 deny ip source 10.100.13.0 0.0.0.255 destination 10.100.10.0 0.0.0.255
 rule 20 deny ip source 10.100.13.0 0.0.0.255 destination 10.100.12.0 0.0.0.255
 rule 25 deny ip source 10.100.13.0 0.0.0.255 destination 10.100.11.0 0.0.0.255
 rule 30 deny ip source 10.100.13.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
acl number 3100 
 rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
#
traffic classifier tcvlan1 operator or precedence 5
 if-match acl 3000
traffic classifier tcvlan10 operator or precedence 15
 if-match acl 3010
traffic classifier tcvlan100 operator or precedence 35
 if-match acl 3100
traffic classifier tcvlan11 operator or precedence 20
 if-match acl 3011
traffic classifier tcvlan12 operator or precedence 25
 if-match acl 3012
traffic classifier tcvlan13 operator or precedence 30
 if-match acl 3013
traffic classifier tcvlan3 operator or precedence 10
 if-match acl 3003
#
traffic behavior tbvlan1
 deny
traffic behavior tbvlan10
 deny
traffic behavior tbvlan100
 deny
traffic behavior tbvlan11
 deny
traffic behavior tbvlan12
 deny
traffic behavior tbvlan13
 deny
traffic behavior tbvlan3
 deny
#
traffic policy tpvlan1 match-order config
 classifier tcvlan1 behavior tbvlan1
traffic policy tpvlan10 match-order config
 classifier tcvlan10 behavior tbvlan10
traffic policy tpvlan100 match-order config
 classifier tcvlan100 behavior tbvlan100
traffic policy tpvlan11 match-order config
 classifier tcvlan11 behavior tbvlan11
traffic policy tpvlan12 match-order config
 classifier tcvlan12 behavior tbvlan12
traffic policy tpvlan13 match-order config
 classifier tcvlan13 behavior tbvlan13
traffic policy tpvlan3 match-order config
 classifier tcvlan3 behavior tbvlan3
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
drop-profile default
#
vlan 1
 description SHEBEI
 traffic-policy tpvlan1 inbound
vlan 2
 description WAN
vlan 3
 description caiwu
 traffic-policy tpvlan3 inbound
vlan 10
 description 10F
 traffic-policy tpvlan10 inbound
vlan 11
 description 11F
 traffic-policy tpvlan11 inbound
vlan 12
 description 12F
 traffic-policy tpvlan12 inbound
vlan 13
 description 13F
 traffic-policy tpvlan13 inbound
vlan 100
 description SERVER
 traffic-policy tpvlan100 inbound
vlan 200
 description GUEST
#
ip pool VLAN1
 gateway-list 10.100.1.1
 network 10.100.1.0 mask 255.255.255.0
 excluded-ip-address 10.100.1.2 10.100.1.50
 excluded-ip-address 10.100.1.200 10.100.1.254
 dns-list 218.201.96.130 211.137.191.26
#
ip pool VLAN3
 gateway-list 10.100.3.1
 network 10.100.3.0 mask 255.255.255.0
 excluded-ip-address 10.100.3.2 10.100.3.50
 excluded-ip-address 10.100.3.200 10.100.3.254
 dns-list 218.201.96.130 211.137.191.26
#
ip pool VLAN10
 gateway-list 10.100.10.1
 network 10.100.10.0 mask 255.255.255.0
 excluded-ip-address 10.100.10.2 10.100.10.50
 excluded-ip-address 10.100.10.200 10.100.10.254
 dns-list 218.201.96.130 211.137.191.26
#
ip pool VLAN11
 gateway-list 10.100.11.1
 network 10.100.11.0 mask 255.255.255.0
 excluded-ip-address 10.100.11.2 10.100.11.50
 excluded-ip-address 10.100.11.200 10.100.11.254
 dns-list 218.201.96.130 211.137.191.26
#
ip pool VLAN12
 gateway-list 10.100.12.1
 network 10.100.12.0 mask 255.255.255.0
 excluded-ip-address 10.100.12.2 10.100.12.50
 excluded-ip-address 10.100.12.200 10.100.12.254
 dns-list 218.201.96.130 211.137.191.26
#
ip pool VLAN13
 gateway-list 10.100.13.1
 network 10.100.13.0 mask 255.255.255.0
 excluded-ip-address 10.100.13.2 10.100.13.50
 excluded-ip-address 10.100.13.200 10.100.13.254
 dns-list 218.201.96.130 211.137.191.26
#
ip pool VLAN100
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
 excluded-ip-address 192.168.1.2 192.168.1.50
 excluded-ip-address 192.168.1.200 192.168.1.254
 dns-list 218.201.96.130 211.137.191.26
#
ip pool VLAN200
 gateway-list 10.100.200.1
 network 10.100.200.0 mask 255.255.255.0
 excluded-ip-address 10.100.200.2 10.100.200.50
 excluded-ip-address 10.100.200.200 10.100.200.254
 dns-list 218.201.96.130 211.137.191.26
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 local-aaa-user password policy administrator
  password expire 0
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$ovgi9XPeq($#Z,g1"*sIQQ!X,*}|<e1_P`bNTCKu(&vDD%lL\N5$
 local-user admin privilege level 15
 local-user admin service-type telnet
 #
interface Vlanif1
 ip address 10.100.1.1 255.255.255.0
 dhcp select global
#
interface Vlanif2
 ip address 10.100.2.1 255.255.255.0
 dhcp select global
#
interface Vlanif3
 ip address 10.100.3.1 255.255.255.0
 dhcp select global
#
interface Vlanif10
 ip address 10.100.10.1 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.100.11.1 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.100.12.1 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.100.13.1 255.255.255.0
 dhcp select global
#
interface Vlanif100
 ip address 192.168.1.1 255.255.255.0
 dhcp select global
#
interface Vlanif200
 ip address 10.100.200.1 255.255.255.0
 dhcp select global
#
interface Ethernet0/0/0
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/1
#
interface GigabitEthernet2/0/2
#
interface GigabitEthernet2/0/3
#
interface GigabitEthernet2/0/4
#
interface GigabitEthernet2/0/5
#
interface GigabitEthernet2/0/6
#
interface GigabitEthernet2/0/7
#
interface GigabitEthernet2/0/8
#
interface GigabitEthernet2/0/9
#
interface GigabitEthernet2/0/10
#
interface GigabitEthernet2/0/11
#
interface GigabitEthernet2/0/12
#
interface GigabitEthernet2/0/13
#
interface GigabitEthernet2/0/14
#
interface GigabitEthernet2/0/15
#
interface GigabitEthernet2/0/16
#
interface GigabitEthernet2/0/17
#
interface GigabitEthernet2/0/18
#
interface GigabitEthernet2/0/19
#
interface GigabitEthernet2/0/20
#
interface GigabitEthernet2/0/21
#
interface GigabitEthernet2/0/22
#
interface GigabitEthernet2/0/23
#
interface GigabitEthernet2/0/24
#
interface GigabitEthernet2/0/25
#
interface GigabitEthernet2/0/26
#
interface GigabitEthernet2/0/27
#
interface GigabitEthernet2/0/28
#
interface GigabitEthernet2/0/29
#
interface GigabitEthernet2/0/30
#
interface GigabitEthernet2/0/31
#
interface GigabitEthernet2/0/32
#
interface GigabitEthernet2/0/33
#
interface GigabitEthernet2/0/34
#
interface GigabitEthernet2/0/35
#
interface GigabitEthernet2/0/36
#
interface GigabitEthernet2/0/37
#
interface GigabitEthernet2/0/38
#
interface GigabitEthernet2/0/39
#
interface GigabitEthernet2/0/40
#
interface GigabitEthernet2/0/41
#
interface GigabitEthernet2/0/42
#
interface GigabitEthernet2/0/43
#
interface GigabitEthernet2/0/44
#
interface GigabitEthernet2/0/45
#
interface GigabitEthernet2/0/46
#
interface GigabitEthernet2/0/47
#
interface NULL0
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode aaa
 idle-timeout 0 0
 screen-length 0
user-interface vty 0 14
 authentication-mode aaa
 user privilege level 3
 idle-timeout 0 0
 screen-length 0
 protocol inbound telnet
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return

ding_guo, posted on 2018-2-1 21:49:42

Moderator, please help with an answer.

我只是调设备的 (Mentor), posted on 2018-2-2 09:12:26

Because ping packets addressed to the device itself are sent to the CPU for processing, ahead of the ACL mechanism. The gateways you are pinging are all on this same device; if the gateway were on another device, the ping would fail. In other words, there is no problem.
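To check offline whether the ACL rules themselves cover the gateway addresses, here is a small Python evaluator added as an example (not code from the thread, from the poster, or from Huawei). It parses the rule syntax used in the posted config, applies Huawei wildcard-mask matching, and models the explanation in the reply above, namely that traffic to an address the switch itself owns reaches the CPU before the inbound traffic policy is evaluated; that behaviour is taken from the reply as an assumption, and the sample ACL text and gateway set are constructed from the thread.

```python
import ipaddress
import re
# Constructed excerpt of the poster's ACL 3000 in Huawei VRP syntax (sample input).
ACL_TEXT = """\
acl number 3000
 rule 5 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
 rule 30 deny ip source 10.100.1.0 0.0.0.255 destination 10.100.200.0 0.0.0.255
"""
# Addresses the switch itself owns (Vlanif gateways); constructed subset from the thread.
LOCAL_ADDRESSES = {"10.100.1.1", "10.100.3.1", "10.100.200.1", "192.168.1.1"}
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_acls(text):
    """Return {acl_number: [(rule_no, action, src, src_wc, dst, dst_wc), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        head = re.match(r"acl number (\d+)", line.strip())
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        rule = RULE_RE.match(line.strip())
        if rule and current is not None:
            num, action, src, src_wc, dst, dst_wc = rule.groups()
            acls[current].append((int(num), action, src, src_wc, dst, dst_wc))
    return acls

def acl_action(rules, src, dst):
    """First matching rule in rule-number order wins; unmatched traffic is forwarded."""
    for _, action, sb, sw, db, dw in sorted(rules):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "permit"

def forwarding_result(acls, acl_number, src, dst):
    """Model the reply's explanation (assumption taken from the thread, not verified here):
    packets to the switch's own addresses go to the CPU before the inbound policy runs."""
    if dst in LOCAL_ADDRESSES:
        return "local"  # reachable regardless of what the ACL says
    return acl_action(acls[acl_number], src, dst)

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for dst in ("10.100.3.20", "10.100.3.1", "192.168.1.5"):
        print(dst, acl_action(acls[3000], "10.100.1.10", dst), forwarding_result(acls, 3000, "10.100.1.10", dst))
```

The rule text does match the gateway 10.100.3.1 (it lies inside 10.100.3.0/24), so the ACL wording is not what lets the ping through; only the local-delivery path in `forwarding_result` explains it.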

轩钰, posted on 2018-2-2 11:00:48

Simply put, an ACL cannot control the device accessing its own routes.

老咪 (Rising Star), posted on 2018-2-2 11:19:01

I have a question: shouldn't you change all the DENYs in the ACLs to PERMIT for this to make sense? Sorry if this is a newbie question.
ding_guo, posted on 2018-2-2 12:45:24

Quoting 老咪 (2018-02-02 11:19:01): I have a question: shouldn't you change all the DENYs in the ACLs to PERMIT for this to make sense? Sorry if this is a newbie question. ...
Same effect.

ding_guo, posted on 2018-2-2 12:49:57

Quoting 我只是调设备的 (2018-02-02 09:12:26): Because ping packets addressed to the device itself are sent to the CPU for processing, ahead of the ACL mechanism. The gateways you are pinging are all on this same device; if the gateway were on another device, the ping would ...
Put that way it makes sense to people like us, but what the users see is that their isolated networks can still communicate, so it's hard to explain.

老咪 (Rising Star), posted on 2018-2-2 15:19:04

This post was last edited by 老咪 on 2018-2-2 15:27
What I mean is: use permit in the ACL, and when if-match hits and it reaches the behavior, still use deny; otherwise the two negatives cancel out. Also, is your configuration really like this? No interfaces are assigned to any VLAN? How did you test and still get connectivity? You can't test that from the device itself! That's the issue the post above mentioned.
kmyd (Moderator), posted on 2018-2-2 20:48:40

Reference configuration:
At Layer 3, use ACLs to implement it, for example:
vlan 2: 192.168.2.0/255.255.255.0
vlan 3: 192.168.3.0/255.255.255.0
vlan 4: 192.186.4.0/255.255.255.0
vlan2 / vlan3 / vlan4 must not be able to access each other

acl number 3002
rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

acl number 3003
rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
acl number 3004
rule deny ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

Apply the ACL under each VLAN with traffic-filter:
traffic-filter vlan 2 inbound acl 3002
traffic-filter vlan 3 inbound acl 3003
traffic-filter vlan 4 inbound acl 3004

ding_guo, posted on 2018-2-2 21:00:55

Quoting kmyd (2018-02-02 20:48:40): Reference configuration: At Layer 3, use ACLs to implement it, for example: vlan 2: 192.168.2.0/255.255.255.0 vlan 3: 192.168.3.0/255.255.25 ...
I have tried this method; the gateway can still be pinged.