1. Advanced ACL Configuration


2. Configuration Verification


3. Telnet Configuration

4. Advanced ACL Lab
4.1 Topology
Drag three AR2220 routers out of the router list, choose the connection tool, click Copper to cable the devices, and power them on when finished.

4.2 IP Address and Static Route Configuration
AR1:
<Huawei>system-view
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 12.1.1.1 24
[AR1-GigabitEthernet0/0/0]q
[AR1]ip route-static 23.1.1.0 255.255.255.0 12.1.1.2
AR2:
<Huawei>system-view
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 23.1.1.2 24
[AR2-GigabitEthernet0/0/1]q
AR3:
<Huawei>system-view
[Huawei]sysname AR3
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip add 23.1.1.3 24
[AR3-GigabitEthernet0/0/0]q
[AR3]ip route-static 12.1.1.0 255.255.255.0 23.1.1.2
At this point AR1 can ping AR3 successfully:

4.3 Telnet Configuration on AR3
Purpose: configure Telnet on AR3 so that we can demonstrate how an advanced ACL is used to stop AR1 from telnetting to AR3.
AR3:
[AR3]user-interface vty 0 4
[AR3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):5
[AR3-ui-vty0-4]set authentication password cipher huawei
[AR3-ui-vty0-4]user privilege level 3
[AR3-ui-vty0-4]q
At this point AR1 telnets to AR3 successfully:
AR1:
<AR1>telnet 23.1.1.3

4.4 Advanced ACL Configuration on AR2
[AR2]acl 3000
[AR2-acl-adv-3000]rule deny tcp source 12.1.1.0 0.0.0.255 destination 23.1.1.3 0.0.0.0 destination-port eq 23 -- deny all TCP packets whose source address is in 12.1.1.0/24, whose destination IP address is 23.1.1.3 and whose destination port is 23
[AR2-acl-adv-3000]rule permit ip -- match all IP packets and permit them
[AR2-acl-adv-3000]int g0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[AR2-GigabitEthernet0/0/0]q
At this point AR1 telnet to AR3 fails:

At this point AR1 ping AR3 succeeds:

4.5 Deleting the Advanced ACL Configuration on AR2
View:
[AR2]display acl 3000

Delete:
[AR2]acl 3000
[AR2-acl-adv-3000]undo rule 5
[AR2-acl-adv-3000]q
4.6 Adding an Advanced ACL Rule at a Specified Step
[AR2]acl 3000
[AR2-acl-adv-3000]rule 3 deny tcp source 12.1.1.1 0.0.0.0 destination 23.1.1.3 0.0.0.0 destination-port eq 23
[AR2-acl-adv-3000]q
[AR2]display acl 3000
[AR2]display traffic-filter applied-record
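To make the lab results in 4.4 and 4.6 reproducible without eNSP, here is an added illustration (not part of the original lab, and not Huawei's own implementation) that models how an advanced ACL such as 3000 evaluates packets: wildcard-mask matching, first-match evaluation in ascending rule-ID order, automatic rule IDs with the default step of 5, and explicit IDs such as `rule 3`. The packets `TELNET`, `PING` and `HTTP` are constructed samples, and the assumptions that unmatched traffic is permitted and that the default step is 5 are mine, not statements from the page.

```python
"""Added model of Huawei advanced ACL evaluation (illustrative, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard masks are the inverse of a netmask: a 1 bit means 'don't care'."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    w = int(IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol; else "tcp", "icmp", ...
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None    # destination-port eq N (None = any port)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class AdvancedAcl:
    number: int
    step: int = 5                  # assumed default step
    rules: list = field(default_factory=list)

    def add_rule(self, action: str, proto: str, rule_id: Optional[int] = None, **kw) -> int:
        """'rule [id] permit|deny ...': without an id, use the next multiple of step
        above the highest existing id (first rule becomes 5, then 10, ...)."""
        if rule_id is None:
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules = [r for r in self.rules if r.rule_id != rule_id]
        self.rules.append(Rule(rule_id, action, proto, **kw))
        self.rules.sort(key=lambda r: r.rule_id)   # evaluation order = ascending id
        return rule_id

    def undo_rule(self, rule_id: int) -> None:
        """'undo rule N'."""
        self.rules = [r for r in self.rules if r.rule_id != rule_id]

    def rule_ids(self) -> list:
        return [r.rule_id for r in self.rules]

    def evaluate(self, pkt: dict) -> tuple:
        """First matching rule decides; no match -> permit (assumed traffic-filter default)."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action, r.rule_id
        return "permit", None


def build_lab_acl() -> AdvancedAcl:
    """Section 4.4: acl 3000 on AR2, applied inbound on g0/0/0 (the AR1-facing side)."""
    acl = AdvancedAcl(3000)
    acl.add_rule("deny", "tcp", src="12.1.1.0", src_wc="0.0.0.255",
                 dst="23.1.1.3", dst_wc="0.0.0.0", dport=23)   # becomes rule 5
    acl.add_rule("permit", "ip")                                 # becomes rule 10
    return acl


def apply_section_4_6(acl: AdvancedAcl) -> AdvancedAcl:
    """Sections 4.5/4.6: undo rule 5, then insert a host-specific rule 3 ahead of rule 10."""
    acl.undo_rule(5)
    acl.add_rule("deny", "tcp", rule_id=3, src="12.1.1.1", src_wc="0.0.0.0",
                 dst="23.1.1.3", dst_wc="0.0.0.0", dport=23)
    return acl


# Constructed sample traffic from AR1 towards AR3, as seen inbound on AR2 g0/0/0.
TELNET = {"proto": "tcp", "src": "12.1.1.1", "dst": "23.1.1.3", "dport": 23}
PING = {"proto": "icmp", "src": "12.1.1.1", "dst": "23.1.1.3"}
HTTP = {"proto": "tcp", "src": "12.1.1.1", "dst": "23.1.1.3", "dport": 80}

if __name__ == "__main__":
    acl = build_lab_acl()
    for name, pkt in (("telnet", TELNET), ("ping", PING), ("http", HTTP)):
        print(f"4.4 {name}: {acl.evaluate(pkt)}")
    apply_section_4_6(acl)
    print("4.6 rule ids:", acl.rule_ids(), "telnet:", acl.evaluate(TELNET))
```

Running it shows why the lab behaves as described: ping and other TCP traffic fall through to `rule 10 permit ip`, while Telnet to 23.1.1.3 is caught by the deny rule that sorts ahead of it. After 4.6 the deny rule covers only host 12.1.1.1 rather than the whole 12.1.1.0/24, so Telnet from any other host in that subnet would be permitted; the display commands above are the place to confirm which rule IDs are actually in effect.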
Please credit the source when reprinting. Original link: https://www.uj5u.com/qita/537697.html
