Topology
Requirements:
- Allow the engineering department to access the Internet
- Allow the finance department to access the Internet, but only for browsing websites and sending/receiving e-mail
- Allow the finance department to use the ping command to test whether the path to the Internet is up
- Deny the finance department server any access to the Internet
- PC host IP configuration is as shown in the figure
AR1 interface and VLAN configuration
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
#
interface Ethernet0/0/0
port link-type access
port default vlan 10
#
interface Ethernet0/0/1
port link-type access
port default vlan 20
#
interface Ethernet0/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2
AR2 interface configuration
interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 172.16.0.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
Now configure the advanced ACL
Configure the ACL on AR1
[AR1]acl 3000 # enter the advanced ACL 3000 configuration view
[AR1-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 # permit all IP traffic from this network
[AR1-acl-adv-3000]rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination-port eq www # permit access to websites on port 80
[AR1-acl-adv-3000]rule 15 permit tcp source 192.168.20.0 0.0.0.255 destination-port eq 443 # permit access to websites on port 443
[AR1-acl-adv-3000]rule 20 permit udp source 192.168.20.0 0.0.0.255 destination-port eq 53 # permit access to the DNS service
[AR1-acl-adv-3000]rule 25 permit tcp source 192.168.20.0 0.0.0.255 destination-port eq 25 # permit access to the SMTP service
[AR1-acl-adv-3000]rule 30 permit tcp source 192.168.20.0 0.0.0.255 destination-port eq 110 # permit access to the POP3 service
[AR1-acl-adv-3000]rule 35 permit icmp source 192.168.20.0 0.0.0.255 # permit ping
[AR1-acl-adv-3000]rule 40 deny ip source 192.168.30.0 0.0.0.255 # deny all IP traffic from this network
[AR1-acl-adv-3000]rule 50 deny ip # deny all remaining IP traffic
[AR1-acl-adv-3000]quit
Apply the ACL 3000 policy above to the specified interface
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
[AR1-GigabitEthernet0/0/0]quit
This completes the ACL configuration; next, test Internet access from the finance department PC
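Before testing on the PC, the rule set can be checked offline. The following is an added example written for this page (not Huawei VRP code and not part of the original configuration): a small first-match simulator with wildcard-mask matching that runs constructed sample packets through the ACL 3000 rules above and shows which rule decides each requirement. It takes 192.168.10.0/24 as engineering, 192.168.20.0/24 as finance and 192.168.30.0/24 as the finance server, as the rules imply; the host addresses and the "unmatched packets are forwarded" fallback are assumptions.

```python
import ipaddress

# Built from this page's ACL 3000 rules: (id, action, proto, src net, src wildcard, dst port)
ACL_3000 = [
    (5,  "permit", "ip",   "192.168.10.0", "0.0.0.255", None),
    (10, "permit", "tcp",  "192.168.20.0", "0.0.0.255", 80),
    (15, "permit", "tcp",  "192.168.20.0", "0.0.0.255", 443),
    (20, "permit", "udp",  "192.168.20.0", "0.0.0.255", 53),
    (25, "permit", "tcp",  "192.168.20.0", "0.0.0.255", 25),
    (30, "permit", "tcp",  "192.168.20.0", "0.0.0.255", 110),
    (35, "permit", "icmp", "192.168.20.0", "0.0.0.255", None),
    (40, "deny",   "ip",   "192.168.30.0", "0.0.0.255", None),
    (50, "deny",   "ip",   None,           None,        None),  # catch-all
]

def matches_wildcard(addr, net, wildcard):
    """Huawei wildcard-mask match: a 1 bit means 'don't care'; no net = any."""
    if net is None:
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def evaluate(acl, src, proto, dport=None):
    """First-match evaluation: (rule id, action) of the first rule hit.
    'ip' rules match every protocol; no destination-port means any port."""
    for rid, action, rproto, net, wc, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if not matches_wildcard(src, net, wc):
            continue
        if rport is not None and rport != dport:
            continue
        return rid, action
    # Assumption: under traffic-filter a packet matching no rule is forwarded;
    # rule 50 is there so this fallback is never reached for ACL 3000.
    return None, "permit"

def check_requirements():
    """Map the page's requirements onto constructed sample packets (host
    addresses are made up) and return which rule decides each one."""
    return {
        "engineering ssh (allowed)": evaluate(ACL_3000, "192.168.10.5", "tcp", 22),
        "finance https (allowed)":   evaluate(ACL_3000, "192.168.20.5", "tcp", 443),
        "finance smtp (allowed)":    evaluate(ACL_3000, "192.168.20.5", "tcp", 25),
        "finance ping (allowed)":    evaluate(ACL_3000, "192.168.20.5", "icmp"),
        "finance ssh (blocked)":     evaluate(ACL_3000, "192.168.20.5", "tcp", 22),
        "server http (blocked)":     evaluate(ACL_3000, "192.168.30.5", "tcp", 80),
    }
```

Note that traffic-filter is stateless: these outbound rules say nothing about inbound return traffic, and rule 35 permits every ICMP type, not only echo requests.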