Ruijie ACL one-way TCP connectivity: permitting return packets with the established keyword

Published: 2026/7/3 9:24:14
I. Network description

Requirement: the customer's network was poorly planned when it was first built and has since passed through several operations engineers, and there is no firewall between the servers in different zones. If servers in different zones could communicate with each other freely there would be a risk of data loss, so traffic between servers in different zones must be restricted at the switch to firewall-like one-way access. As shown in the figure above, Server1 must not be able to initiate a telnet session to Server2, while Server2 may initiate a telnet session to Server1; this protects Server2's data. Both Server1 and Server2 have the telnet service enabled.

II. Device configuration

2.1 SW: configure the ACL (access control list)

    hostname SW
    !
    ip access-list extended 100
     10 permit tcp host 192.168.1.2 host 192.168.1.1
     20 permit tcp host 192.168.1.1 host 192.168.1.2 established
     30 deny tcp host 192.168.1.1 host 192.168.1.2
    !
    interface GigabitEthernet 0/0
     ip access-group 100 in
    !

2.2 Explanation of the rules above

    # Rule 10: permit traffic from 192.168.1.2 to 192.168.1.1
    10 permit tcp host 192.168.1.2 host 192.168.1.1
    # Rule 20: permit the legitimate return traffic from 192.168.1.1 to 192.168.1.2 (the established keyword)
    20 permit tcp host 192.168.1.1 host 192.168.1.2 established
    # Rule 30: deny connections initiated by 192.168.1.1 towards 192.168.1.2
    30 deny tcp host 192.168.1.1 host 192.168.1.2

The established keyword matches a TCP segment only when its ACK or RST flag is set; it is a test on the segment's flags, not a lookup in a connection table. The first segment of a new connection from 192.168.1.1 to 192.168.1.2 (a SYN with no ACK) therefore does not match rule 20 and is dropped, while the SYN/ACK and data segments that 192.168.1.1 sends back on a connection opened by 192.168.1.2 do match it. This is enough to stop Server1 from opening telnet sessions to Server2, but it is not a stateful firewall: a crafted segment from 192.168.1.1 with only the ACK or RST flag set still passes rule 20.

Alternatively, the ACL can be written as follows, because every ACL ends with an implicit deny:

    hostname SW
    !
    ip access-list extended 100
     10 permit tcp host 192.168.1.2 host 192.168.1.1
     20 permit tcp host 192.168.1.1 host 192.168.1.2 established
    !
    interface GigabitEthernet 0/0
     ip access-group 100 in
    !

Note that the implicit deny also drops every other packet entering GigabitEthernet 0/0 that no permit entry covers, including non-TCP traffic such as ICMP and UDP; if the servers need such traffic, add permit entries for it.

III. Access verification

3.1 Tests before the one-way TCP ACL is configured on SW

1. Server1 can telnet to Server2:

    Server1#telnet 192.168.1.2
    Trying 192.168.1.2, 23...
    User Access Verification
    Username:admin
    Password:*****************
    Username:admin
    Password:*****************
    Server2#

2. Server2 can telnet to Server1:

    Server2#telnet 192.168.1.1
    Trying 192.168.1.1, 23...
    User Access Verification
    Username:admin
    Password:*****************
    Server1#

3. Check the login information on Server1:

    Server1#show users
        Line          User         Host(s)              Idle       Location
    ---------------- ------------ -------------------- ---------- ------------------
       0 con 0        ---          idle                 00:00:21   ---
    *  1 vty 0        admin        idle                 00:00:00   192.168.1.2
    Server1#
    Server1#show users all
        Line          User         Host(s)              Idle       Location
    ---------------- ------------ -------------------- ---------- ------------------
       0 con 0        ---          idle                 00:00:24   ---
    *  1 vty 0        admin        idle                 00:00:00   192.168.1.2
       2 vty 1        ---                               00:00:00   ---
       3 vty 2        ---                               00:00:00   ---
       4 vty 3        ---                               00:00:00   ---
       5 vty 4        ---                               00:00:00   ---

The vty 0 session from 192.168.1.2 is Server2's telnet login.

3.2 Tests after the one-way TCP ACL is configured on SW

1. Server1 can no longer telnet to Server2; the attempt does not get past Trying:

    Server1#telnet 192.168.1.2
    Trying 192.168.1.2, 23...

2. Server2 can still telnet to Server1:

    Server2#telnet 192.168.1.1
    Trying 192.168.1.1, 23...
    User Access Verification
    Username:admin
    Password:*****************
    Server1#
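To make the matching behaviour of the rules in section 2.2 concrete, here is an added example that is not part of the original article: a small Python model of first-match ACL evaluation with the established keyword, run over constructed handshake segments in both directions. The Packet and Rule types, the function names and the sample packets are assumptions for illustration; they reproduce the semantics of access-list 100 as described above, not Ruijie's implementation.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Added example (not from the article): a minimal model of a first-match TCP ACL
# with the `established` keyword, used to trace what access-list 100 on SW does
# to each segment of a telnet session. All packets below are constructed inputs.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    flags: FrozenSet[str] = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str  # "permit" or "deny"
    proto: str  # "tcp", "udp" or "ip"
    src: str  # host address or "any"
    dst: str
    established: bool = False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Does this access-list entry match the packet?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.established:
        # `established` is a flag test only: the segment matches when ACK or RST
        # is set. No connection table is consulted, so a lone ACK matches too.
        return bool(pkt.flags & {"ACK", "RST"})
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None  # implicit deny at the end of every ACL


SERVER1 = "192.168.1.1"
SERVER2 = "192.168.1.2"

# Same entries as "ip access-list extended 100" in section 2.1.
ACL_100 = [
    Rule(10, "permit", "tcp", SERVER2, SERVER1),
    Rule(20, "permit", "tcp", SERVER1, SERVER2, established=True),
    Rule(30, "deny", "tcp", SERVER1, SERVER2),
]


def handshake_verdicts(client: str, server: str) -> List[Tuple[str, str, Optional[int]]]:
    """Pass the three segments of a TCP handshake through ACL_100 and return
    (segment, action, matching sequence number) for each of them."""
    segments = [
        ("SYN", Packet(client, server, flags=frozenset({"SYN"}))),
        ("SYN/ACK", Packet(server, client, flags=frozenset({"SYN", "ACK"}))),
        ("ACK", Packet(client, server, flags=frozenset({"ACK"}))),
    ]
    return [(name, *evaluate(ACL_100, pkt)) for name, pkt in segments]


def connection_allowed(client: str, server: str) -> bool:
    """A telnet session only comes up if every handshake segment is permitted."""
    return all(action == "permit" for _, action, _ in handshake_verdicts(client, server))


if __name__ == "__main__":
    for client, server in ((SERVER2, SERVER1), (SERVER1, SERVER2)):
        state = "allowed" if connection_allowed(client, server) else "blocked"
        print(f"{client} -> {server}: {state}")
        for name, action, seq in handshake_verdicts(client, server):
            print(f"  {name:8s} {action:6s} rule {seq}")
    # Limitation of `established`: a crafted lone-ACK segment from Server1 still passes rule 20.
    crafted = Packet(SERVER1, SERVER2, flags=frozenset({"ACK"}))
    print("crafted ACK Server1 -> Server2:", evaluate(ACL_100, crafted))
    # Side effect of the implicit deny: non-TCP traffic entering the interface is dropped.
    print("UDP Server2 -> Server1:", evaluate(ACL_100, Packet(SERVER2, SERVER1, proto="udp")))
```

Running it shows the Server2-to-Server1 handshake permitted by rules 10 and 20, the Server1-to-Server2 SYN stopped by rule 30 (or by the implicit deny in the shorter ACL), a crafted lone-ACK segment from Server1 permitted by rule 20, and UDP from Server2 dropped by the implicit deny, which is the reason for the two caveats in section 2.2.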