An example of an H3C Layer-3 switch ACL

Source: Internet
Author: User


Scenario: a new library building should be able to reach only the electronic reading room and no other host on the intranet, so that the new segment cannot affect the security of the rest of the network. Internet access is not opened to the new library. The electronic reading room's IP address is 10.0.1.9 and the DNS server is 10.0.1.4. The new library is planned as VLAN 11, network segment 10.1.11.0/25, with Vlan-interface 11 at 10.1.11.1. The Layer-3 switch already routes between VLANs by default.

The configuration is as follows.

1. No Internet access: nothing needs to change, because the router does not NAT the new segment by default, and without NAT the new CIDR block cannot reach the Internet.

2. Restricting intranet reachability: configure two ACLs on the core switch.

Inbound direction:

    acl number 3001 name ReadRoomIn
     rule permit ip source 10.1.11.0 0.0.0.127 destination 10.1.11.0 0.0.0.127
     rule permit ip destination 10.0.1.4 0
     rule permit ip destination 10.0.1.9 0
     rule deny ip
    quit

Rule 1 lets the computers in VLAN 11 communicate with each other and exchange packets with the gateway; this is very important. Rules 2 and 3 allow the library's computers to reach the DNS server and the electronic reading room. The last rule, of course, stops them from reaching any other host on the intranet.

Outbound direction:

    acl number 3002 name ReadRoomOut
     rule permit ip source 10.0.1.4 0 destination 10.1.11.0 0.0.0.127
     rule permit ip source 10.0.1.9 0 destination 10.1.11.0 0.0.0.127
     rule deny ip
    quit

Rules 1 and 2 ensure that packets from the DNS host and the electronic reading room host are delivered into VLAN 11, and rule 3 prevents every other intranet host from communicating with hosts in VLAN 11.

Because traffic flows in both directions and the packet filter is stateless, both the inbound and the outbound ACL carry entries for 10.0.1.4 and 10.0.1.9: the inbound ACL lets the request leave VLAN 11, and the outbound ACL lets the reply come back. Apply the ACLs on the VLAN interface:

    interface Vlan-interface 11
     description ReadRoom
     packet-filter acl name ReadRoomIn inbound
     packet-filter acl name ReadRoomOut outbound

Finally, configure NAT on the wireless AP of the electronic reading room at the access layer, with its WAN port connected to the core switch and placed in VLAN 11. The library's computers can then access only the electronic reading room: they cannot reach other hosts on the intranet and cannot access the Internet.
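To check the two ACLs above against concrete flows before applying them, here is a small simulator. It is an added example, not code from the original article: it parses the rule lines in their Comware form and evaluates them with wildcard-mask matching and first-match semantics. It also models the packet filter's default of permitting packets that match no rule, so it shows why the trailing deny rule in each ACL is what actually enforces the policy. The host addresses 10.1.11.10 (a library PC), 10.0.1.50 (an arbitrary other intranet host) and 203.0.113.7 (an Internet address) are constructed for the test flows; only the ACL text comes from the page.

```python
"""Stateless first-match simulation of the ReadRoomIn/ReadRoomOut ACLs.
Added example, not code from the original article: Comware advanced-ACL
matching (address plus wildcard mask, 1 bits = don't care, rules tried in
order, first match wins) exercised against sample flows before deployment.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def _addr(text: str) -> int:
    # Comware accepts a bare "0" as shorthand for the host wildcard 0.0.0.0;
    # ipaddress raises ValueError on a mistyped mask such as "0.0.127".
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard leaves fixed."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(base) & care)


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    source: tuple[str, str] | None       # (base, wildcard); None = any
    destination: tuple[str, str] | None


def parse_rule(line: str) -> Rule:
    """Parse 'rule permit|deny ip [source A W] [destination A W]'."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[1] not in ("permit", "deny") or tok[2] != "ip":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    fields: dict[str, tuple[str, str]] = {}
    i = 3
    while i < len(tok):
        if tok[i] not in ("source", "destination") or i + 2 >= len(tok):
            raise ValueError(f"unexpected token {tok[i]!r} in {line!r}")
        pair = (tok[i + 1], tok[i + 2])
        for a in pair:            # reject a bad address or mask early
            _addr(a)
        fields[tok[i]] = pair
        i += 3
    return Rule(tok[1], fields.get("source"), fields.get("destination"))


def parse_acl(config: str) -> list[Rule]:
    """Keep the rule lines of an ACL view; the acl/quit lines are ignored."""
    return [parse_rule(l.strip()) for l in config.splitlines() if l.strip().startswith("rule ")]


def evaluate(acl: list[Rule], src: str, dst: str, default: str = "permit") -> str:
    """First matching rule decides; a packet matching no rule gets the
    packet filter's default action, which on Comware is permit."""
    for rule in acl:
        if rule.source and not wildcard_match(src, *rule.source):
            continue
        if rule.destination and not wildcard_match(dst, *rule.destination):
            continue
        return rule.action
    return default


# The two ACLs as given in the article.
READ_ROOM_IN = """
acl number 3001 name ReadRoomIn
 rule permit ip source 10.1.11.0 0.0.0.127 destination 10.1.11.0 0.0.0.127
 rule permit ip destination 10.0.1.4 0
 rule permit ip destination 10.0.1.9 0
 rule deny ip
quit
"""
READ_ROOM_OUT = """
acl number 3002 name ReadRoomOut
 rule permit ip source 10.0.1.4 0 destination 10.1.11.0 0.0.0.127
 rule permit ip source 10.0.1.9 0 destination 10.1.11.0 0.0.0.127
 rule deny ip
quit
"""
ACLS = {"inbound": parse_acl(READ_ROOM_IN), "outbound": parse_acl(READ_ROOM_OUT)}

# Constructed flows as (direction, src, dst): 10.1.11.10 is an assumed library
# PC, 10.0.1.50 an assumed other intranet host, 203.0.113.7 an Internet address.
SAMPLE_FLOWS = [
    ("inbound", "10.1.11.10", "10.1.11.1"),    # PC -> gateway
    ("inbound", "10.1.11.10", "10.0.1.9"),     # PC -> electronic reading room
    ("inbound", "10.1.11.10", "10.0.1.4"),     # PC -> DNS
    ("inbound", "10.1.11.10", "10.0.1.50"),    # PC -> other intranet host
    ("inbound", "10.1.11.10", "203.0.113.7"),  # PC -> Internet
    ("outbound", "10.0.1.9", "10.1.11.10"),    # reading room reply -> PC
    ("outbound", "10.0.1.4", "10.1.11.10"),    # DNS reply -> PC
    ("outbound", "10.0.1.50", "10.1.11.10"),   # other intranet host -> PC
]


def check_policy(flows=SAMPLE_FLOWS, acls=ACLS) -> dict[tuple[str, str, str], str]:
    """Verdict for every flow under the given inbound/outbound ACLs."""
    return {f: evaluate(acls[f[0]], f[1], f[2]) for f in flows}


def without_final_deny(flows=SAMPLE_FLOWS) -> dict[tuple[str, str, str], str]:
    """Same policy with 'rule deny ip' dropped: the default action then
    permits every unmatched flow, i.e. the restriction is gone."""
    stripped = {d: [r for r in acl if r.action != "deny"] for d, acl in ACLS.items()}
    return check_policy(flows, stripped)
```

Calling check_policy() gives permit for the PC-to-gateway, PC-to-reading-room and PC-to-DNS flows and for the two replies, and deny for the other intranet host in both directions and for the Internet address; without_final_deny() turns the denied flows into permits, which is the failure mode to watch for when editing the ACL. The simulator only handles the plain "ip" rules used on this page. One practical caveat it makes visible: rule 2 of ReadRoomIn permits every IP protocol to 10.0.1.4, not only DNS, so if that server runs other services the rule could be narrowed to UDP and TCP port 53 with protocol-specific rules, which this simulator does not model.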
