华为防火墙透明模式ACL测试试验

拓扑：

4507(int port-channel 3,10.2.94.2,4/1,4/2)---(vlan 10,1/0/0,1/1/0)USG9000(vlan 10,2/0/0,2/1/0)---(int vlan 77,10.2.94.1,0/1/1,0/1/2)5700(int vlan 78,10.2.94.5,0/0/1)----(10.2.94.6)PC

4507配置：

interface Port-channel3

description firewall-testing

ip address 10.2.94.2 255.255.255.252

interface TenGigabitEthernet4/1

description firewall-testing

no switchport

no ip address

channel-group 3 mode active

interface TenGigabitEthernet4/2

description firewall-testing

no switchport

no ip address

channel-group 3 mode active

ip route 10.2.94.4 255.255.255.252 10.2.94.1

5700配置：

#

interface XGigabitEthernet0/1/1

eth-trunk 1

#

interface XGigabitEthernet0/1/2

eth-trunk 1

interface Vlanif77

ip address 10.2.94.1 255.255.255.252

#

interface Vlanif78

ip address 10.2.94.5 255.255.255.252

#

interface Eth-Trunk1

port link-type access

port default vlan 77

mode lacp

interface GigabitEthernet0/0/1

port link-type access

port default vlan 78

ip route-static 0.0.0.0 0.0.0.0 10.2.94.2

USG9000配置：

interface GigabitEthernet1/0/0 description to ChengYuWang-12808-1 undo shutdown

eth-trunk 1

#

interface GigabitEthernet1/1/0 description to DianBo-4507-1

undo shutdown

eth-trunk 2

#

interface GigabitEthernet2/0/0 description to ChengYuWang-12808-2 undo shutdown

eth-trunk 1

#

interface GigabitEthernet2/1/0 description to DianBo-4507-2

undo shutdown

eth-trunk 2

interface Eth-Trunk1

portswitch

description to ChengYuWang-12808 port default vlan 10

mode lacp-static

#

interface Eth-Trunk2

portswitch

description to DianBo-4507

port default vlan 10

mode lacp-static

可以在USG9000上配置ACL来控制PC对4507的访问：acl number 3002 ////当删除rule 5时，PC无法访问4507 rule 5 permit ip source 10.2.94.0 0.0.0.255

rule 10 deny ip

firewall interzone trust untrust

packet-filter 3002 inbound