Monodyee

这个屌丝很懒，什么也没留下！

热门标签

H3C交换机ACL的单向访问解决方案_h3c 接口acl单向访问

作者：Monodyee | 2024-04-16 03:03:49

踩

h3c 接口acl单向访问

写下此文的目的只是为了记录遇到的问题，以防下次再遇到此类问题可以备查。

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

一、需求

公司要求为开发部门提供一个SIT集成测试环境：

1、能上外网

2、按需开放要访问的业务

3、除以上外，默认禁止访问其他

4、其他所有业务网段可访问此网段

二、环境现状

文中的设备及ip都是使用H3C模拟器HCLv2.1.1比照真实环境搭建的。
使用MSR36-20路由器模拟其他环境下的主机server1和SIT环境下主机server2，使用S5820V2-54QS模拟核心交换机core-sw

注意：

在真实机上的配置已经测试成功。而模拟器中虽然能输入命令，但并不生效，建议用真实机做测试。

真实机基本信息：H3C S5500-58C-HI ，Comware Software, Version 5.20, Release 5206

三、测试环境交换机基本信息：


[core-sw]dis version
H3C Comware Software, Version 7.1.075, Alpha 7571
Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.
H3C S5820V2-54QS-GE uptime is 0 weeks, 0 days, 0 hours, 24 minutes
Last reboot reason: User reboot
Boot image: flash:/s5820v2_5830v2-cmw710-boot-a7514.bin
Boot image version: 7.1.075, Alpha 7571
  Compiled Sep 20 2017 16:00:00
Boot image: flash:/s5820v2_5830v2-cmw710-system-a7514.bin
Boot image version: 7.1.075, Alpha 7571
  Compiled Sep 20 2017 16:00:00

原有配置，包含vlan10 和 ip


core-sw的vlan配置
interface Vlan-interface10
 description other
 ip address 10.1.10.254 255.255.255.0
 
接口配置
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 10
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 combo enable fiber

四、设计思路

基于H3C交换机的产品特性，通过ACL及QOS实现上述需求。

提示：H3C交换机和思科交换机在ACL上的最大区别就是，H3C在ACL中匹配源目后，是双向管控，CISCO是单向。

1、确认各个网段下的ip互通

2、基于以上添加策略

策略内容：
10.1.20.1 禁止访问所有
10.1.10.0网段和10.1.30.0网段的主机可访问===>10.1.20.1

3、后续需求

10.1.20.1 可访问===>10.1.30.1主机，其他不可访问

4、应用策略

在vlan20的inbound方向应用策略

五、拓扑说明

MSR36-20_2（server1）在其他业务网段other中，ip 10.1.10.1/24


[server1]接口信息
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 10.1.10.1 255.255.255.0
 
[server1]默认路由
ip route-static 0.0.0.0 0 10.1.10.254
 
打开telnet功能，即打开23端口，便于之后的验证
[server1]telnet server enable

MSR36-20_3（server2）在新增网段SIT中，ip 10.1.20.1/24


server2的接口信息
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 10.1.20.1 255.255.255.0
 
server2的路由信息
 ip route-static 0.0.0.0 0 10.1.20.254
 
打开23端口，便于之后验证
[server2]telnet server enable

六、交换机配置

实施步骤

1、在交换机上建立新网段用于SIT，如：vlan20，ip 10.1.20.254，掩码24位；真实环境中交换机上还有其他网段，在此环境中，用loopback接口模拟


[core-sw]vlan 20
[core-sw-vlan20]quit
[core-sw]
[core-sw]int vlan 20
[core-sw-Vlan-interface20]description SIT
[core-sw-Vlan-interface20]ip add 10.1.20.254 255.255.255.0
[core-sw-Vlan-interface20]quit
 
便于后面的测试，增加一个回环口，模拟其他网段
[core-sw]int LoopBack 0
[core-sw-LoopBack0]ip add 10.1.30.1 24
 
打开23端口
telnet server enable

2、交换机与server2相连的G2接口划入vlan20


[core-sw]int g1/0/2
[core-sw-GigabitEthernet1/0/2]port access vlan 20
[core-sw-GigabitEthernet1/0/2]quit

3、确认server1和server2以及交换机上模拟的loopback0互通


<server1>telnet 10.1.20.1
Trying 10.1.20.1 ...
Press CTRL+K to abort
Connected to 10.1.20.1 ...
 
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Login failed.
The connection was closed by the remote host!
<server1>ping 10.1.20.1
Ping 10.1.20.1 (10.1.20.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.20.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 10.1.20.1: icmp_seq=1 ttl=254 time=1.000 ms
<server1>telnet 10.1.30.1
Trying 10.1.30.1 ...
Press CTRL+K to abort
Connected to 10.1.30.1 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
 
Login failed.
 
The connection was closed by the remote host!
<server1>
 
<server1>ping 10.1.30.1
Ping 10.1.30.1 (10.1.30.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.30.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.1.30.1: icmp_seq=1 ttl=255 time=0.000 ms


<server2>telnet 10.1.10.1
Trying 10.1.10.1 ...
Press CTRL+K to abort
Connected to 10.1.10.1 ...
 
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Login failed.
The connection was closed by the remote host!
<server2>ping 10.1.10.1
Ping 10.1.10.1 (10.1.10.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.10.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 10.1.10.1: icmp_seq=1 ttl=254 time=1.000 ms
<server2>ping 10.1.30.1
Ping 10.1.30.1 (10.1.30.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.30.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.1.30.1: icmp_seq=1 ttl=255 time=1.000 ms
<server2>telnet 10.1.30.1
Trying 10.1.30.1 ...
Press CTRL+K to abort
Connected to 10.1.30.1 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
 
Login failed.
 
The connection was closed by the remote host!

已经互通，Login failed是因为没有配置用户名密码，此处可忽略

提示：真实环境中，server可能是windows、linux或者交换机系统，根据各系统的情况使用测试命令

4、配置ACL要匹配的报文


[core-sw]acl adv 3001
[core-sw-acl-ipv4-adv-3001]des 3001permit
[core-sw-acl-ipv4-adv-3001]rule 100 permit tcp ack 1 destination 10.1.10.0 0.0.0.255
[core-sw-acl-ipv4-adv-3001]rule 101 permit tcp ack 1 destination 10.1.30.0 0.0.0.255
 
[core-sw]acl adv 3002
[core-sw-acl-ipv4-adv-3002]description 3002deny
[core-sw-acl-ipv4-adv-3002]rule 100 permit tcp syn 1 destination 10.1.10.0 0.0.0.255
[core-sw-acl-ipv4-adv-3002]rule 101 permit tcp syn 1 destination 10.1.30.0 0.0.0.255

5、配置匹配报文分类


[core-sw]traffic classifier SIT-Permit operator and
[core-sw-classifier-SIT-Permit]if-match acl 3001
[core-sw-classifier-SIT-Permit]quit
 
[core-sw]traffic classifier SIT-Deny operator and
[core-sw-classifier-SIT-Deny]if-match acl 3002
[core-sw-classifier-SIT-Deny]quit

6、配置流的行为


[core-sw]traffic behavior SIT-Permit
[core-sw-behavior-SIT-Permit]filter permit
[core-sw-behavior-SIT-Permit]quit
 
[core-sw]traffic behavior SIT-Deny
[core-sw-behavior-SIT-Deny]filter deny
[core-sw-behavior-SIT-Deny]quit

7、配置qos策略


[core-sw]qos policy SIT-Control
[core-sw-qospolicy-SIT-Control]classifier SIT-Permit behavior SIT-Permit
[core-sw-qospolicy-SIT-Control]classifier SIT-Deny behavior SIT-Deny
[core-sw-qospolicy-SIT-Control]quit

8、应用到接口或vlan的inbound方向

[core-sw]qos vlan-policy SIT-Control vlan 20 inbound

9、后续需求

10.1.20.1 可访问===>10.1.30.1这个主机


[core-sw]acl adv 3001
[core-sw-acl-ipv4-adv-3001]des 3001permit
[core-sw-acl-ipv4-adv-3001]rule 90 deny ip destination 10.1.30.1 0
 
[core-sw]dis acl 3001
Advanced IPv4 ACL 3001, 3 rules,
3001permit
ACL's step is 5
 rule 90 deny ip destination 10.1.30.1 0
 rule 100 permit tcp destination 10.1.10.0 0.0.0.255 ack 1
 rule 101 permit tcp destination 10.1.30.0 0.0.0.255 ack 1