华为QoS：配置限制不同网段的用户互访示例

华为QoS：配置限制不同网段的用户互访示例

组网需求
如图1所示，部门1和部门2可经由SwitchC和路由器访问网络。为方便管理网络，管理员将部门1和部门2划分在不同VLAN之中，规划了两个网段的IP地址。现要求SwitchC能够限制两个网段之间互访。
配置思路
采用如下的思路在SwitchC上进行配置：
    配置接口所属的VLAN以及接口的IP地址。
    配置ACL，用于匹配两个部门互访的报文。
    在接口GE1/0/1和GE1/0/2的入方向配置报文过滤，使SwitchC丢弃匹配ACL规则的报文。

操作步骤
    配置接口所属的VLAN以及接口的IP地址
    # 创建VLAN10和VLAN20。
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchC
    [SwitchC] vlan batch 10 20
    # 配置SwitchC的接口GE1/0/1和GE1/0/2为Trunk类型接口，并分别加入VLAN10和VLAN20。
    [SwitchC] interface gigabitethernet 1/0/1
    [SwitchC-GigabitEthernet1/0/1] port link-type trunk
    [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [SwitchC-GigabitEthernet1/0/1] quit
    [SwitchC] interface gigabitethernet 1/0/2
    [SwitchC-GigabitEthernet1/0/2] port link-type trunk
    [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
    [SwitchC-GigabitEthernet1/0/2] quit
    # 创建VLANIF10和VLANIF20，并配置各VLANIF接口的IP地址。
    [SwitchC] interface vlanif 10
    [SwitchC-Vlanif10] ip address 10.1.1.1 24
    [SwitchC-Vlanif10] quit
    [SwitchC] interface vlanif 20
    [SwitchC-Vlanif20] ip address 10.1.2.1 24
    [SwitchC-Vlanif20] quit
    
    配置ACL
    # 创建高级ACL 3001并配置ACL规则，拒绝两个网段之间互访的报文通过。
    [SwitchC] acl 3001
    [SwitchC-acl-adv-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [SwitchC-acl-adv-3001] rule deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [SwitchC-acl-adv-3001] quit
    配置基于ACL的报文过滤
    # 在接口GE1/0/1和GE1/0/2的入方向配置基于ACL 3001的报文过滤。
    [SwitchC] interface gigabitethernet 1/0/1
    [SwitchC-GigabitEthernet1/0/1] traffic-filter inbound acl 3001
    [SwitchC-GigabitEthernet1/0/1] quit
    [SwitchC] interface gigabitethernet 1/0/2
    [SwitchC-GigabitEthernet1/0/2] traffic-filter inbound acl 3001
    [SwitchC-GigabitEthernet1/0/2] quit

    验证配置结果
    # 查看ACL规则的配置信息。
    [SwitchC] display acl 3001
    Advanced ACL 3001, 2 rules                                                                                                          
    Acl's step is 5                                                                                                                     
     rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255                                                            
     rule 10 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

    # 查看基于ACL的简化流策略的应用记录。
    [SwitchC] display traffic-applied record
    -------------------------------------------------------------------------                                                           
    *interface GigabitEthernet1/0/1                                                                                                     
     traffic-filter inbound acl 3001                                                                                                    
      slot 1: success                                                                                                                   
    -------------------------------------------------------------------------                                                           
    *interface GigabitEthernet1/0/2                                                                                                     
     traffic-filter inbound acl 3001                                                                                                    
      slot 1: success                                                                                                                   
    -------------------------------------------------------------------------
    # 部门1和部门2所在的两个网段之间不能互访。