Basic network setup
AR1 acts as the gateway router, responsible for connecting to the external network; NAT is also configured on this device.
AR2 simulates the ISP (carrier) router.
LSW1 acts as the core switch and carries three VLANs: vlan 10, vlan 20 and vlan 30.
Address plan:
Core switch LSW1
User subnets:
vlan 10 192.168.10.254/24
vlan 20 192.168.20.254/24
vlan 30 192.168.30.254/24
AR---LSW1 interconnect subnet
AR GE 0/0/0 interface: 192.168.1.1/24
LSW1 vlanif 100 interface: 192.168.1.2/24
AR public-network uplink (this can be PPPoE or a fixed IP; a fixed IP is used here, and the PPPoE configuration is explained separately at the end)
AR GE 0/0/1 interface: 122.122.122.110
Before Internet access can be controlled, all users must first be able to reach the Internet without restriction.
The switch assigns VLANs per port (port-based VLANs); the configuration is as follows:
#
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/5
#
......
......
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
#
return
The AR uses a fixed public IP and connects the switch to the Internet; the configuration is as follows:
dis cur
[V200R003C00]
#
acl number 2999
rule 5 permit
#
#
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 122.122.122.110 255.255.255.0
nat outbound 2999
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 122.122.122.1
ip route-static 192.168.10.0 255.255.255.0 192.168.1.2
ip route-static 192.168.20.0 255.255.255.0 192.168.1.2
ip route-static 192.168.30.0 255.255.255.0 192.168.1.2
#
return
There are two ways to control Internet access for a single address or a set of addresses on the switch: 1 simplified traffic ACL (traffic-filter), 2 access control policy (traffic-policy).
Goal: block all users in vlan 10, plus host 192.168.20.20 in vlan 20, from accessing the Internet.
1 Simplified traffic ACL
a Simplified traffic ACL applied under an interface (only takes effect on traffic passing through the interface on which the command is configured)
Applied in the inbound direction of the interface
#
acl number 3000
rule 5 deny ip destination 192.168.10.0 0.0.0.255
rule 10 deny ip destination 192.168.20.20 0
#
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
traffic-filter inbound acl 3000
#
Applied in the outbound direction of the interface
#
acl number 3001
rule 5 deny ip source 192.168.10.0 0.0.0.255
rule 10 deny ip source 192.168.20.20 0
#
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
traffic-filter outbound acl 3001
#
The traffic direction on the interface (inbound/outbound) must correspond to the destination/source field in the ACL rules; take care to match them (on the uplink port, inbound filters by destination, outbound filters by source).
b Applied in the system view: a simplified traffic ACL applied in the global view takes effect in the inbound direction of every interface on the switch, so the control approach has to be adjusted accordingly.
Global inbound direction
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 15 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 20 permit ip source 192.168.20.20 0 destination 192.168.10.0 0.0.0.255
rule 25 permit ip source 192.168.20.20 0 destination 192.168.20.0 0.0.0.255
rule 30 permit ip source 192.168.20.20 0 destination 192.168.30.0 0.0.0.255
rule 35 deny ip source 192.168.10.0 0.0.0.255
rule 40 deny ip source 192.168.20.20 0
#
#
traffic-filter inbound acl 3002
#
Rules 5 to 30 allow access within the internal network; rules 35 and 40 implement the Internet access control.
Global outbound direction
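To make the two points above concrete (the direction/source-destination correspondence on the uplink port, and why the global inbound ACL needs permit rules 5 to 30 before its deny rules), here is an added example that is not part of the original page or of Huawei's software: a small first-match evaluator for the page's own ACL rule lines. It assumes rules are tried in ascending rule number, that a wildcard mask marks "don't care" bits (a bare 0 meaning a single host), and that a packet matching no rule in a traffic-filter ACL is forwarded. The host addresses 192.168.10.5, 192.168.30.7 and 192.168.20.21 and the external address 203.0.113.10 (a documentation range standing in for the Internet) are constructed sample values; the function names are the example's own.

```python
"""Added example, not code from the page: a first-match evaluator for the
Huawei-style ACL rules the page applies with traffic-filter. Assumptions:
rules are tried in ascending number, a wildcard mask marks "don't care" bits
(a bare 0 means one host), and a packet matching no rule is forwarded."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule syntax as on the page: rule N permit|deny ip [source A W] [destination A W]
RULE_RE = re.compile(r"rule (\d+) (permit|deny)(?: ip)?"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")

def _ip(s: str) -> int:
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))  # VRP prints a host wildcard as "0"

@dataclass
class Rule:
    number: int
    action: str
    src: Optional[Tuple[int, int]] = None  # (address, wildcard); None means "any"
    dst: Optional[Tuple[int, int]] = None

def _wildcard_match(ip: int, spec: Optional[Tuple[int, int]]) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must match exactly."""
    if spec is None:
        return True
    addr, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (ip & care) == (addr & care)

def parse_acl(text: str) -> List[Rule]:
    """Parse the 'rule ...' lines of an ACL block; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, sa, sw, da, dw = m.groups()
            rules.append(Rule(int(num), action,
                              (_ip(sa), _ip(sw)) if sa else None,
                              (_ip(da), _ip(dw)) if da else None))
    return sorted(rules, key=lambda r: r.number)

def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching rule decides; no match means the packet is forwarded."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if _wildcard_match(s, r.src) and _wildcard_match(d, r.dst):
            return r.action, r.number
    return "permit", None

# ACL bodies copied from the page's configuration
ACL_3001_UPLINK_OUTBOUND = """
 rule 5 deny ip source 192.168.10.0 0.0.0.255
 rule 10 deny ip source 192.168.20.20 0
"""
ACL_3000_UPLINK_INBOUND = """
 rule 5 deny ip destination 192.168.10.0 0.0.0.255
 rule 10 deny ip destination 192.168.20.20 0
"""
ACL_3002_GLOBAL_INBOUND = """
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 15 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 20 permit ip source 192.168.20.20 0 destination 192.168.10.0 0.0.0.255
 rule 25 permit ip source 192.168.20.20 0 destination 192.168.20.0 0.0.0.255
 rule 30 permit ip source 192.168.20.20 0 destination 192.168.30.0 0.0.0.255
 rule 35 deny ip source 192.168.10.0 0.0.0.255
 rule 40 deny ip source 192.168.20.20 0
"""
INTERNET = "203.0.113.10"  # constructed external host (documentation range)

def uplink_direction_check():
    """On uplink GE0/0/4 outgoing traffic is matched by source and returning
    traffic by destination; the source-based ACL does not catch the return flow."""
    out, inb = parse_acl(ACL_3001_UPLINK_OUTBOUND), parse_acl(ACL_3000_UPLINK_INBOUND)
    return {
        "vlan10->internet, outbound acl 3001": evaluate(out, "192.168.10.5", INTERNET),
        "internet->vlan10, inbound acl 3000": evaluate(inb, INTERNET, "192.168.10.5"),
        "internet->vlan10, acl 3001 (wrong direction)": evaluate(out, INTERNET, "192.168.10.5"),
    }

def global_inbound_check():
    """Global inbound hits every port, so permit rules 5-30 are what keep
    intra-LAN traffic alive; hosts not named in the ACL are unaffected."""
    full = parse_acl(ACL_3002_GLOBAL_INBOUND)
    denies_only = [r for r in full if r.number >= 35]
    return {
        "vlan10->internet": evaluate(full, "192.168.10.5", INTERNET),
        "vlan10->vlan30": evaluate(full, "192.168.10.5", "192.168.30.7"),
        "vlan10->vlan30 without rules 5-30": evaluate(denies_only, "192.168.10.5", "192.168.30.7"),
        "20.20->internet": evaluate(full, "192.168.20.20", INTERNET),
        "20.21->internet (not listed)": evaluate(full, "192.168.20.21", INTERNET),
    }

if __name__ == "__main__":
    print(uplink_direction_check(), global_inbound_check(), sep="\n")
```

Running it shows that acl 3001 applied to the return flow on the uplink lets the packet through (its rules match on source, and the source is now the external host), which is the matching error the direction note warns about, and that stripping rules 5 to 30 from acl 3002 would make rule 35 drop vlan 10 to vlan 30 traffic on every port. It also shows that an address the goal does not name, such as 192.168.20.21, keeps its Internet access under both methods, so any host you want blocked must be listed explicitly.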
#
acl number 3001
rule 5 deny ip source 192.168.10.0 0.0.0.255
rule 10 deny ip source 192.168.20.20 0
#
#
traffic-filter outbound acl 3001
#
2 Access control policy
An access control policy (traffic-policy) can only be applied under an interface or under a VLAN; the effect is the same in both cases, and so are the restrictions on where it applies.
Applied on the interface, outbound direction
acl number 3002
rule 5 deny ip source 192.168.10.0 0.0.0.255
rule 10 deny ip source 192.168.20.20 0
#
traffic classifier c1 operator and
if-match acl 3002
#
traffic behavior b1
deny
#
traffic policy p1
classifier c1 behavior b1
#
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
traffic-policy p1 outbound
#
Applied on the interface, inbound direction
acl number 3003
rule 5 deny ip destination 192.168.10.0 0.0.0.255
rule 10 deny ip destination 192.168.20.20 0
#
traffic classifier c2 operator and
if-match acl 3003
#
traffic behavior b2
deny
#
traffic policy p2
classifier c2 behavior b2
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
traffic-policy p2 inbound
#
If the policy is applied under a VLAN, only the last step differs; the commands are:
Applied under the VLAN, outbound direction
#
vlan 100
traffic-policy p1 outbound
#
Applied under the VLAN, inbound direction
#
vlan 100
traffic-policy p2 inbound
#