1 Network setup
User requirement:
The customer's network was poorly planned when it was first built and has passed through several operations engineers. There is no firewall between servers in different zones, so if servers in different zones communicate freely with each other there is a risk of data loss. The requirement is therefore that, when traffic between servers in different zones passes through the switch, only firewall-like one-way access is allowed.
As shown in the figure above, the goal is that Server1 cannot initiate a telnet session to Server2, but Server2 can initiate a telnet session to Server1, so that Server2's data is protected from loss. (Both Server1 and Server2 have the telnet service enabled.)
2 Device configuration
2.1 ACL (access control list) configuration on SW
hostname SW
!
ip access-list extended 100
10 permit tcp host 192.168.1.2 host 192.168.1.1
20 permit tcp host 192.168.1.1 host 192.168.1.2 established
30 deny tcp host 192.168.1.1 host 192.168.1.2
!
interface GigabitEthernet 0/0
ip access-group 100 in
!
2.2 Explanation of the rules above
# Rule 10: permit traffic from 192.168.1.2 to 192.168.1.1
10 permit tcp host 192.168.1.2 host 192.168.1.1
# Rule 20: permit legitimate return traffic from 192.168.1.1 back to 192.168.1.2 (using the established keyword)
20 permit tcp host 192.168.1.1 host 192.168.1.2 established
# Rule 30: deny connections initiated by 192.168.1.1 toward 192.168.1.2
30 deny tcp host 192.168.1.1 host 192.168.1.2
Alternatively, the ACL can be configured as follows, because every ACL ends with an implicit deny by default:
hostname SW
!
ip access-list extended 100
10 permit tcp host 192.168.1.2 host 192.168.1.1
20 permit tcp host 192.168.1.1 host 192.168.1.2 established
!
interface GigabitEthernet 0/0
ip access-group 100 in
!
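To make the evaluation of these two ACL variants concrete, the following Python model walks the page's ACEs in sequence-number order against the telnet flows tested in section 3. It is an added illustration written for this page, not code from the page or from any switch vendor. It assumes only the host/host ACE form used above, and it models the established keyword the way Cisco IOS defines it: a stateless match on TCP segments that carry the ACK or RST bit, with no connection tracking.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two ACL variants exactly as given on the page.
ACL_WITH_EXPLICIT_DENY = """
10 permit tcp host 192.168.1.2 host 192.168.1.1
20 permit tcp host 192.168.1.1 host 192.168.1.2 established
30 deny tcp host 192.168.1.1 host 192.168.1.2
"""

ACL_IMPLICIT_DENY_ONLY = """
10 permit tcp host 192.168.1.2 host 192.168.1.1
20 permit tcp host 192.168.1.1 host 192.168.1.2 established
"""

# Only the "host A host B [established]" ACE form from the page is supported.
RULE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|ip)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?P<est>\s+established)?\s*$"
)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    proto: str
    src: str
    dst: str
    established: bool


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    flags: frozenset  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"RST"}


def parse_acl(text):
    """Parse ACE lines into Rule objects, ordered by sequence number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        rules.append(Rule(int(m["seq"]), m["action"], m["proto"],
                          m["src"], m["dst"], bool(m["est"])))
    return sorted(rules, key=lambda r: r.seq)


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != pkt.src or rule.dst != pkt.dst:
        return False
    # 'established' is a stateless flag check: the ACE matches only when ACK
    # or RST is set. A bare SYN (a new connection attempt) never matches it.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for
    the implicit deny that terminates every IOS-style ACL."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.seq
    return "deny", None


SERVER1, SERVER2 = "192.168.1.1", "192.168.1.2"


def telnet_scenarios():
    """The page's two telnet tests plus the return traffic, as TCP segments."""
    return {
        "server1_syn_to_server2": Packet("tcp", SERVER1, SERVER2, frozenset({"SYN"})),
        "server2_syn_to_server1": Packet("tcp", SERVER2, SERVER1, frozenset({"SYN"})),
        "server1_synack_to_server2": Packet("tcp", SERVER1, SERVER2, frozenset({"SYN", "ACK"})),
        "server1_rst_to_server2": Packet("tcp", SERVER1, SERVER2, frozenset({"RST"})),
        # Limitation case: ACK set with no prior connection still matches rule 20.
        "server1_ack_only_to_server2": Packet("tcp", SERVER1, SERVER2, frozenset({"ACK"})),
    }


def decisions(acl_text):
    """Map each scenario name to the ACL's permit/deny decision."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in telnet_scenarios().items()}


if __name__ == "__main__":
    for label, acl in (("explicit deny", ACL_WITH_EXPLICIT_DENY),
                       ("implicit deny only", ACL_IMPLICIT_DENY_ONLY)):
        print(label, decisions(acl))
```

Running it shows that both variants produce identical decisions: Server1's SYN toward Server2 is denied (by rule 30 in the first variant, by the implicit deny in the second), while Server2's SYN toward Server1 and Server1's SYN-ACK reply are permitted, which is exactly the behaviour verified in section 3. The server1_ack_only_to_server2 case is the caveat to keep in mind: established inspects flags only and keeps no connection state, so it is not equivalent to a stateful firewall. Where that distinction matters, a stateful feature such as a firewall or a reflexive ACL should sit between the zones.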
3 Access verification
3.1 Test before the one-way TCP ACL is configured on SW
1. Server1 can telnet to Server2
Server1#telnet 192.168.1.2
Trying 192.168.1.2, 23...
User Access Verification
Username:admin
Password:*****************
Username:admin
Password:*****************
Server2#
2. Server2 can telnet to Server1
Server2#telnet 192.168.1.1
Trying 192.168.1.1, 23...
User Access Verification
Username:admin
Password:*****************
Server1#
3. View the login information
Server1#show users
Line User Host(s) Idle Location
---------------- ------------ -------------------- ---------- ------------------
0 con 0 --- idle 00:00:21 ---
* 1 vty 0 admin idle 00:00:00 192.168.1.2
Server1#
Server1#show users all
Line User Host(s) Idle Location
---------------- ------------ -------------------- ---------- ------------------
0 con 0 --- idle 00:00:24 ---
* 1 vty 0 admin idle 00:00:00 192.168.1.2
2 vty 1 --- 00:00:00 ---
3 vty 2 --- 00:00:00 ---
4 vty 3 --- 00:00:00 ---
5 vty 4 --- 00:00:00 ---
3.2 Test after the one-way TCP ACL is configured on SW
1. Server1 cannot telnet to Server2
Server1#telnet 192.168.1.2
Trying 192.168.1.2, 23...
2. But Server2 can still telnet to Server1
Server2#telnet 192.168.1.1
Trying 192.168.1.1, 23...
User Access Verification
Username:admin
Password:*****************
Server1#