1. Networking requirements

In the network topology shown below, a company interconnects its departments through switch LSW1. To simplify network management, the administrator has planned two IP network segments, one for the R&D department and one for the Marketing department. To confine broadcast domains, the two departments are also placed in different VLANs. LSW1 is now required to block access between the two segments without affecting either department's access to the external network.

[Figure: Huawei switch case study, using an advanced ACL to restrict mutual access between users on different network segments]

2. Configuration roadmap

Configure the S5700 switch in the figure above as follows:

1) Configure an advanced ACL.

2) Configure an ACL-based traffic classifier to match the packets exchanged between the R&D and Marketing departments.

3) Configure a traffic behavior that denies packets matching the ACL.

4) Configure and apply a traffic policy so that the ACL and the traffic behavior take effect.

3. Configuration procedure

Switch LSW1:

<Huawei> system-view
[Huawei]sysname LSW1
[LSW1]un in en //disable information center output
[LSW1]vlan batch 10 20 //create the VLANs
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 10
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 20
[LSW1-GigabitEthernet0/0/2]quit
[LSW1]int vlanif 10
[LSW1-Vlanif10]ip address 10.1.1.1 24
[LSW1-Vlanif10]int vlanif 20
[LSW1-Vlanif20]ip add 10.1.2.1 24
[LSW1-Vlanif20]q
[LSW1]acl 3001 //configure the advanced ACL
[LSW1-acl-adv-3001]rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[LSW1-acl-adv-3001]rule 10 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[LSW1-acl-adv-3001]q
[LSW1]traffic classifier mycon3001 //configure the traffic classifier
[LSW1-classifier-mycon3001]if-match acl 3001
[LSW1-classifier-mycon3001]q
[LSW1]traffic behavior mybh3001 //configure the traffic behavior: deny matching packets
[LSW1-behavior-mybh3001]deny
[LSW1-behavior-mybh3001]q
[LSW1]traffic policy mypo3001 //configure the traffic policy, binding the classifier to the behavior
[LSW1-trafficpolicy-mypo3001]classifier mycon3001 behavior mybh3001
[LSW1-trafficpolicy-mypo3001]q
[LSW1]int g0/0/1 //apply the traffic policy
[LSW1-GigabitEthernet0/0/1]traffic-policy mypo3001 inbound
[LSW1-GigabitEthernet0/0/1]q
[LSW1]int g0/0/2 //apply the traffic policy
[LSW1-GigabitEthernet0/0/2]traffic-policy mypo3001 inbound
[LSW1-GigabitEthernet0/0/2]q
[LSW1]vlan batch 100
[LSW1]int g0/0/24
[LSW1-GigabitEthernet0/0/24]port link-type access
[LSW1-GigabitEthernet0/0/24]port default vlan 100
[LSW1-GigabitEthernet0/0/24]int vlanif100
[LSW1-Vlanif100]ip add 10.1.100.254 24
[LSW1-Vlanif100]q
[LSW1]q
<LSW1>save
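To check the intended effect of ACL 3001 before applying it to a live switch, the following Python model (added here, not part of the original case study or of any Huawei software) evaluates the two deny rules with wildcard-mask semantics and the traffic-policy default of forwarding unmatched traffic. The first rule is assumed to receive rule number 5, as VRP assigns with its default step; the PC addresses are the constructed ones used in the verification section.

```python
"""Offline model of the advanced ACL and traffic policy configured on LSW1.

Advanced ACL rules use wildcard (inverse) masks: a 0 bit means the address bit
must match, a 1 bit means "don't care".  Rules are evaluated in rule-number order,
the first match wins, and a packet that matches no classifier rule is untouched
by the traffic policy and forwarded normally (there is no implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "deny" or "permit", as in the CLI
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit that the wildcard marks as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the first rule (by number) matching the source/destination pair."""
    for rule in sorted(rules, key=lambda r: r.number):
        if (wildcard_match(src, rule.src, rule.src_wildcard)
                and wildcard_match(dst, rule.dst, rule.dst_wildcard)):
            return rule
    return None


def policy_decision(rules: List[Rule], src: str, dst: str) -> str:
    """Behavior 'deny' applies only to packets the classifier matches."""
    hit = acl_lookup(rules, src, dst)
    return "deny" if hit is not None and hit.action == "deny" else "forward"


# ACL 3001 as configured on LSW1; rule 5 is the assumed auto-assigned number.
ACL_3001 = [
    Rule(5, "deny", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
    Rule(10, "deny", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "10.1.2.10"), ("10.1.1.10", "10.1.100.1")]:
        print(f"{src} -> {dst}: {policy_decision(ACL_3001, src, dst)}")
```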

Router R1 configuration:

<Huawei>sys
[Huawei]sys R1
[R1]un in en
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.1.100.1 24
[R1-GigabitEthernet0/0/1]q
[R1]ip route-static 0.0.0.0 0.0.0.0 10.1.100.254 //configure the static default route
[R1]q
<R1>sa

4. Verification

PC1 pings PC2:

PC>ping 10.1.2.10

Ping 10.1.2.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 10.1.2.10 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC1 pings the gateway address on the egress router:

PC>ping 10.1.100.1

Ping 10.1.100.1: 32 data bytes, Press Ctrl_C to break
From 10.1.100.1: bytes=32 seq=1 ttl=254 time=109 ms
From 10.1.100.1: bytes=32 seq=2 ttl=254 time=46 ms
From 10.1.100.1: bytes=32 seq=3 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=4 ttl=254 time=32 ms
From 10.1.100.1: bytes=32 seq=5 ttl=254 time=47 ms

--- 10.1.100.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/53/109 ms

PC2 pings PC1:

PC>ping 10.1.1.10

Ping 10.1.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 10.1.1.10 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC2 pings the gateway address on the egress router:

PC>ping 10.1.100.1

Ping 10.1.100.1: 32 data bytes, Press Ctrl_C to break
From 10.1.100.1: bytes=32 seq=1 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=2 ttl=254 time=63 ms
From 10.1.100.1: bytes=32 seq=3 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=4 ttl=254 time=31 ms
From 10.1.100.1: bytes=32 seq=5 ttl=254 time=32 ms

--- 10.1.100.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/37/63 ms
