网络流量控制---ACL与traffic-filter

一．要求
1）R1只允许WG登录，WG能ping通Server1和Client1
2）YF和CW之间不能互通，但都可以和WG互通
3）YF可以访问Client1
4）CW不能访问Client1
5）YF和CW只能访问Server1的WWW服务
6）只有WG才能访问Server1的所有服务
二．拓扑图

三．配置
WG：IP 192.168.1.1/24 网关192.168.1.254
YF： IP 192.168.2.1/24 网关192.168.2.254
CW：IP 192.168.3.1/24 网关192.168.3.254
server1：IP 192.168.4.1/24 网关192.168.4.254
Client1: IP192.168.10.1/24 网关192.168.10.254

wg
sys
sys wg
int g0/0/0
ip addr 192.168.1.1 24
q
ip route-s 0.0.0.0 0.0.0.0 192.168.1.254

r1
sys
sys r1
int g0/0/0
ip addr 192.168.20.254 24
q
int g0/0/1
ip addr 192.168.30.254 24
q
int g0/0/2
ip addr 192.168.10.254 24
q

r2
sys
sys r2
int g0/0/0
ip addr 192.168.30.1 24
q
int g0/0/1
ip addr 192.168.1.254 24
q
int g0/0/2
ip addr 192.168.2.254 24
q

r3
sys
sys r3
int g0/0/0
ip addr 192.168.20.1 24
q
int g0/0/1
ip addr 192.168.3.254 24
q
int g0/0/2
ip addr 192.168.4.254 24
q

r1
ip route-s 192.168.1.0 24 192.168.30.1
ip route-s 192.168.2.0 24 192.168.30.1
ip route-s 192.168.3.0 24 192.168.20.1
ip route-s 192.168.4.0 24 192.168.20.1

r2
ip route-s 192.168.10.0 24 192.168.30.254
ip route-s 192.168.3.0 24 192.168.30.254
ip route-s 192.168.4.0 24 192.168.30.254

r3
ip route-s 192.168.10.0 24 192.168.20.254
ip route-s 192.168.1.0 24 192.168.20.254
ip route-s 192.168.2.0 24 192.168.20.254

r1
acl 2000
rule 5 permit source 192.168.1.1 0.0.0.0
rule 10 deny source any
q
user-interface vty 0 4
acl 2000 inbound
user privilege level 3
authentication-mode aaa
aaa
local-user jing password cipher 123
local-user jing service-type telnet
q

r2
acl 3000
rule 5 permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
rule 10 permit tcp source 192.168.2.1 0.0.0.0 destination 192.168.4.1 0.0.0.0 destination-port eq 80
rule 15 permit ip source 192.168.2.1 0.0.0.0 destination 192.168.10.1 0.0.0.0
rule 20 deny ip source any
q
int g0/0/2
traffic-filter inbound acl 3000

r3
acl 3000
rule 5 permit ip source 192.168.3.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
rule 10 permit tcp source 192.168.3.1 0.0.0.0 destination 192.168.4.1 0.0.0.0 destination-port eq 80
rule 20 deny ip source any
q
int g0/0/1
traffic-filter inbound acl 3000
四．验证
YF成功访问server1 的www服务

YF ping访问server1 失败
YF ping访问Client1成功

YF ping访问WG成功
YF ping访问CW失败

CW ping访问WG成功
CW ping访问YF失败

CW ping访问server1失败

acl访问控制列表，匹配感兴趣的数据，与相应的工具对数据进行处理，本次与traffic-filter流量过滤一起，对相应的流量数据进行限制或者放行。