@TOC
一、网络环境
1.网络拓扑
2.网络互通链接
二、ACL要求
1.要求部门A不能访问部门B
2.要求所有部门不可以ping通服务器区域,但能访问web服务器
3.部门D不能访问部门C
三、ACL实施
1.部门A禁止访问部门B
[SW2]acl 3001
[SW2-acl-adv-3001]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168
.20.0 0.0.0.255
[SW2-acl-adv-3001]quit
[SW2-GigabitEthernet0/0/3]traffic-filter inbound acl
PC>ping 192.168.20.222
Ping 192.168.20.222: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.20.222 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
2.服务器区域ACL配置
[SW2]acl 3002
[SW2-acl-adv-3002]rule deny ip source any destination 172.16.10.0 0.0.0.255
[SW2-acl-adv-3002]rule permit ip source 192.168.10.222 0 destination 172.16.10.2
50 0
[SW2-acl-adv-3002]rule permit tcp destination 172.16.10.250 0 destination-port e
q 80
[SW2-acl-adv-3002]quit
[SW2]interface GigabitEthernet 0/0/6
[SW2-GigabitEthernet0/0/6]traffic-filter inbound acl 3002
[SW2-GigabitEthernet0/0/6]
3.部门D不能访问部门C
[SW2]acl 3003
[SW2-acl-adv-3003]rule deny ip source 192.168.40.0 0.0.0.255 des
[SW2-acl-adv-3003]rule deny ip source 192.168.40.0 0.0.0.255 destination 192.168
.30.0 0.0.0.255
[SW2-acl-adv-3003]quit
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]traffic-filter inbound acl 3003
