
1 Network description

User requirement: the customer's network was planned haphazardly when it was first built and has since passed through the hands of several operations engineers. There is no firewall between the servers in different zones, and if servers in different zones can communicate with each other freely there is a risk of data loss. The requirement is therefore that traffic between servers in different zones, when it crosses the switch, is limited to firewall-like unidirectional access. As shown in the diagram above, Server1 must not be able to initiate a telnet session to Server2, but Server2 must be able to initiate a telnet session to Server1, so that Server2's data is protected from loss. The telnet service is enabled on both Server1 and Server2.

2 Device configuration

sysname SW
#
acl advanced 3000
 description deny-tcp
 rule 0 permit tcp source 192.168.1.2 0 destination 192.168.1.1 0
 rule 5 permit tcp source 192.168.1.1 0 destination 192.168.1.2 0 established
 rule 10 deny tcp                 // On H3C the final deny rule must be configured; on Ruijie it is not needed
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 description To-Server1           // the ACL is applied in the inbound direction of the interface facing Server1
 combo enable fiber
 packet-filter 3000 inbound
#

The established keyword matches only TCP segments that carry the ACK or RST flag, that is, the replies Server1 sends inside a connection that Server2 opened, so Server1's own SYN falls through to rule 10 and is dropped. This is a per-packet flag check rather than stateful connection tracking, which is why the explicit final deny matters.

3 Access verification

3.1 Test before the unidirectional TCP ACL is configured on SW

1. Server1 can telnet to Server2

<Server1>telnet 192.168.1.2
Trying 192.168.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
<Server1>

2. Server2 can telnet to Server1

<Server2>telnet 192.168.1.1
Trying 192.168.1.1 ...
Press CTRL+K to abort
Connected to 192.168.1.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
<Server2>

3.2 Test after the unidirectional TCP ACL is configured on SW

1. Server1 cannot telnet to Server2

<Server1>telnet 192.168.1.2
Trying 192.168.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2 ...

2. But Server2 can still telnet to Server1

<Server2>telnet 192.168.1.1
Trying 192.168.1.1 ...
Press CTRL+K to abort
Connected to 192.168.1.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
<Server1>
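The following Python model is added here and is not part of the original article; it walks the Telnet handshakes from the tests above through ACL 3000 as applied inbound on the Server1-facing port. It assumes first-match rule evaluation, that established matches segments with ACK or RST set, and that a packet matching no rule falls to the packet-filter default, modelled as permit, which is exactly what the final rule 10 deny tcp guards against.

```python
SERVER1, SERVER2 = "192.168.1.1", "192.168.1.2"

# ACL 3000 from the configuration above as (action, src, dst, established);
# None means "any" host.
ACL_3000 = [
    ("permit", SERVER2, SERVER1, False),  # rule 0
    ("permit", SERVER1, SERVER2, True),   # rule 5 ... established
    ("deny",   None,    None,    False),  # rule 10 deny tcp
]

def acl_action(rules, src, dst, flags, default="permit"):
    """First-match evaluation of one TCP segment; flags is a set such as {"SYN"}.
    'established' is a stateless check: it only looks for ACK or RST in the segment."""
    for action, r_src, r_dst, established in rules:
        if r_src not in (None, src) or r_dst not in (None, dst):
            continue
        if established and not (flags & {"ACK", "RST"}):
            continue
        return action
    return default  # assumed packet-filter default action when no rule matches

def telnet_attempt(rules, client, server, default="permit"):
    """Walk the three-way handshake of a Telnet connection through the filter.
    The filter is inbound on the Server1-facing port, so only segments that
    Server1 sends are inspected; the other direction is never filtered."""
    handshake = [                      # constructed segments: (src, dst, flags)
        (client, server, {"SYN"}),
        (server, client, {"SYN", "ACK"}),
        (client, server, {"ACK"}),
    ]
    for src, dst, flags in handshake:
        if src != SERVER1:
            continue
        if acl_action(rules, src, dst, flags, default) == "deny":
            return "blocked"
    return "connected"

if __name__ == "__main__":
    print("Server1 -> Server2:", telnet_attempt(ACL_3000, SERVER1, SERVER2))
    print("Server2 -> Server1:", telnet_attempt(ACL_3000, SERVER2, SERVER1))
    # Without rule 10 the default permit lets Server1's SYN through:
    print("no final deny     :", telnet_attempt(ACL_3000[:2], SERVER1, SERVER2))
```

The third call reproduces the comment in the configuration: drop rule 10 and the unidirectional restriction silently disappears on a platform whose unmatched-packet default is permit.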