Ruijie ACL one-way TCP connectivity: allowing return traffic with the established keyword

2026/7/3 9:38:15 · Programming study

1 Network description

User requirement:

The customer's network was planned rather haphazardly in its early stages and has passed through the hands of several operations engineers. There is no firewall between the servers in different zones, so unrestricted communication between servers in different zones carries a risk of data loss. The requirement is therefore that traffic between servers in different zones, as it passes through the switch, is restricted to firewall-like one-way access.

As shown in the topology above, Server1 must not be able to initiate a telnet session to Server2, while Server2 can initiate a telnet session to Server1; this protects Server2's data from loss. (Both Server1 and Server2 run the telnet service.)

2 Device configuration

2.1 Configure the ACL (access control list) on SW

hostname SW
!
ip access-list extended 100
 10 permit tcp host 192.168.1.2 host 192.168.1.1
 20 permit tcp host 192.168.1.1 host 192.168.1.2 established
 30 deny tcp host 192.168.1.1 host 192.168.1.2
!
interface GigabitEthernet 0/0
 ip access-group 100 in
!

2.2 Explanation of the rules above

# Rule 10: permit traffic from 192.168.1.2 to 192.168.1.1
10 permit tcp host 192.168.1.2 host 192.168.1.1

# Rule 20: permit the legitimate return traffic from 192.168.1.1 back to 192.168.1.2 (using the established keyword)
20 permit tcp host 192.168.1.1 host 192.168.1.2 established

# Rule 30: deny connections initiated by 192.168.1.1 towards 192.168.1.2
30 deny tcp host 192.168.1.1 host 192.168.1.2

Alternatively, the ACL can be configured as follows, because an ACL denies by default: any packet that matches no explicit entry is dropped by the implicit deny at the end of the list.

hostname SW
!
ip access-list extended 100
 10 permit tcp host 192.168.1.2 host 192.168.1.1
 20 permit tcp host 192.168.1.1 host 192.168.1.2 established
!
interface GigabitEthernet 0/0
 ip access-group 100 in
!
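To make the rule walk concrete, here is an added example (not from the original post) that evaluates the three-way handshake of each telnet direction against ACL 100 from sections 2.1 and 2.2. It assumes the usual meaning of established, namely that the entry matches any TCP segment carrying the ACK or RST flag (a flag check, not connection tracking), and models the implicit deny at the end of the list.

```python
# Added example, not from the original post: a small evaluator for ACL 100
# from section 2.1. It assumes "established" matches any TCP segment with
# the ACK or RST flag set (a flag check, not connection tracking) and that
# an unmatched segment hits the implicit deny at the end of the list.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str          # "permit" or "deny"
    src: str
    dst: str
    established: bool = False

# ACL 100 as configured on SW (three-entry version)
ACL_100 = [
    Entry(10, "permit", "192.168.1.2", "192.168.1.1"),
    Entry(20, "permit", "192.168.1.1", "192.168.1.2", established=True),
    Entry(30, "deny", "192.168.1.1", "192.168.1.2"),
]
# Two-entry version from section 2.2: rule 30 is left to the implicit deny
ACL_100_SHORT = ACL_100[:2]

def evaluate(acl, src, dst, flags):
    """Return (action, seq) of the first matching entry for a TCP segment,
    or ("deny", None) when the implicit deny at the end applies."""
    for e in acl:
        if e.src != src or e.dst != dst:
            continue
        if e.established and not ({"ACK", "RST"} & set(flags)):
            continue   # established only matches ACK/RST segments
        return e.action, e.seq
    return "deny", None

def handshake(acl, client, server):
    """Evaluate the three-way handshake of a telnet session from client to
    server; stop at the first denied segment, as the switch would."""
    segments = [(client, server, {"SYN"}),           # client SYN
                (server, client, {"SYN", "ACK"}),    # server SYN-ACK
                (client, server, {"ACK"})]           # client ACK
    actions = []
    for src, dst, flags in segments:
        action, _ = evaluate(acl, src, dst, flags)
        actions.append(action)
        if action == "deny":
            break
    return actions

if __name__ == "__main__":
    print("Server2 -> Server1:", handshake(ACL_100, "192.168.1.2", "192.168.1.1"))
    print("Server1 -> Server2:", handshake(ACL_100, "192.168.1.1", "192.168.1.2"))
```

Server1's SYN towards Server2 carries no ACK, so rule 20 does not match and the segment falls through to rule 30 (or the implicit deny in the two-entry variant), which is why the telnet attempt in section 3.2 never gets past "Trying".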

3 Access verification

3.1 Test before the one-way TCP ACL is configured on SW

1. Server1 can telnet to Server2

Server1#telnet 192.168.1.2
Trying 192.168.1.2, 23...
User Access Verification
Username:admin
Password:*****************
Username:admin
Password:*****************
Server2#

2. Server2 can telnet to Server1

Server2#telnet 192.168.1.1
Trying 192.168.1.1, 23...
User Access Verification
Username:admin
Password:*****************
Server1#

3. Check the login sessions on Server1

Server1#show users
Line             User         Host(s)              Idle       Location
---------------- ------------ -------------------- ---------- ------------------
   0 con 0       ---          idle                 00:00:21   ---
*  1 vty 0       admin        idle                 00:00:00   192.168.1.2
Server1#

Server1#show users all
Line             User         Host(s)              Idle       Location
---------------- ------------ -------------------- ---------- ------------------
   0 con 0       ---          idle                 00:00:24   ---
*  1 vty 0       admin        idle                 00:00:00   192.168.1.2
   2 vty 1       ---                               00:00:00   ---
   3 vty 2       ---                               00:00:00   ---
   4 vty 3       ---                               00:00:00   ---
   5 vty 4       ---                               00:00:00   ---

3.2 Test after the one-way TCP ACL is configured on SW

1. Server1 can no longer telnet to Server2

Server1#telnet 192.168.1.2
Trying 192.168.1.2, 23...

2. But Server2 can still telnet to Server1

Server2#telnet 192.168.1.1
Trying 192.168.1.1, 23...
User Access Verification
Username:admin
Password:*****************
Server1#