ACL Configuration

I. Basic ACL Configuration

Topology

Configure SW1:

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sy SW!
[SW!]sy SW1
[SW1]vlan b    
[SW1]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]port-g gr g0/0/1 to g0/0/3
[SW1-port-group]p l a
[SW1-GigabitEthernet0/0/1]p l a
[SW1-GigabitEthernet0/0/2]p l a
[SW1-GigabitEthernet0/0/3]p l a
[SW1-port-group]p d v 10
[SW1-GigabitEthernet0/0/1]p d v 10
[SW1-GigabitEthernet0/0/2]p d v 10
[SW1-GigabitEthernet0/0/3]p d v 10
[SW1-port-group]

Configure SW2:

<Huawei>system-view  
Enter system view, return user view with Ctrl+Z.
[Huawei]Sy SW2
[SW2]vlan 20
[SW2-vlan20]q
[SW2]port-g gr g0/0/1 g0/0/2
[SW2-port-group]p l a
[SW2-GigabitEthernet0/0/1]p l a
[SW2-GigabitEthernet0/0/2]p l a
[SW2-port-group]p d v 20
[SW2-GigabitEthernet0/0/1]p d v 20
[SW2-GigabitEthernet0/0/2]p d v 20
[SW2-port-group]

Configure R1:

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sy    
[Huawei]sysname  R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip ad    
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip ad    
[R1-GigabitEthernet0/0/1]ip address 192.168.12.1 24
[R1-GigabitEthernet0/0/1]q
[R1]ip rou    
[R1]ip route-    
[R1]ip route-static 192.168.0.0 16 192.168.12.2
[R1]
 

Configure R2:
[Huawei]sy R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip ad    
[R2-GigabitEthernet0/0/0]ip address 192.168.12.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip ad    
[R2-GigabitEthernet0/0/1]ip address 192.168.2.254 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip ad    
[R2-GigabitEthernet0/0/2]ip address 192.168.3.254 24
[R2-GigabitEthernet0/0/2]q  
[R2]ip route-static 192.168.1.0 24 192.168.12.1

Configure the ACL on R2:
[R2]acl 2000   
[R2-acl-basic-2000]rule 10 deny source 192.168.1.0 0.0.0.254
[R2-acl-basic-2000]q
[R2]int g0/0/2
[R2-GigabitEthernet0/0/2]traffic-filter outbound acl 2000
[R2-GigabitEthernet0/0/2]
 

Verification: PC1 pings the server

II. Advanced ACL Configuration Case

Topology

Requirements

The after-sales host Client1 may only access the Web service on Server1.

The after-sales host Client1 may access all services on the hosts of the Administration department.

The after-sales host Client1 may not access any other host on the network.

Configuration approach

Achieve full-network connectivity

Analyse the data forwarding path

Determine the ACL type

Determine the device on which to configure the ACL

Determine the interface on which to apply the ACL

Configuration steps

Step 1: Configure the IP address, mask and gateway on Client1/PC1/Server1

Step 2: Configure routing so that the network is fully reachable

Configure the interface IP addresses on R1/R2/R3

On R2, configure a static route to 192.168.1.0/24 with next hop 192.168.12.1

On R2, configure a static route to 192.168.3.0/24 with next hop 192.168.23.3

On R3, configure a default route with next hop 192.168.23.2

Configure R1:

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sy R1
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/2]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.
[R1-GigabitEthernet0/0/0]ip address 192.168.12.1 24
[R1-GigabitEthernet0/0/0]q
[R1]ip route-static 0.0.0.0 0.0.0.0 192.168.12.2
[R1]
 

Configure R2:

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sy R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.12.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.23.1 24
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]undo ip address 192.168.23.1 24 
[R2-GigabitEthernet0/0/1]ip address 192.168.23.2 24
[R2]int g0/0/2
[R2-GigabitEthernet0/0/2]ip address 192.168.2.254 24

[R2]ip route-static 192.168.1.0 24 192.168.12.1

[R2]ip route-static 192.168.33.0 24 192.168.23.3

Configure R3:

[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip ad    
[R3-GigabitEthernet0/0/0]ip address 192.168.23.3 24
[R3-GigabitEthernet0/0/0]int g0/0/2
[R3-GigabitEthernet0/0/2]ip address 192.168.3.254 24
[R3]ip route-static 0.0.0.0 0.0.0.0 192.168.23.2

Step 3: Configure the ACL on R1

[R1]acl 3000
[R1-acl-adv-3000]rule 10 permit tcp source 192.168.1.0 0.0.0.254 destination 192.168.3.10 0.0.0.0 destination-port eq 80
[R1-acl-adv-3000]rule 20 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[R1-acl-adv-3000]rule 30 deny ip source 192.168.1.0 0.0.0.255 destination any

[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
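As an added illustration (not part of the original post and not Huawei's own code), the Python below models VRP wildcard-mask matching and first-match evaluation for the rules of acl 2000 from part I and acl 3000 above. It shows why the wildcard 0.0.0.254 in rule 10 matches only source hosts with an even last octet, so a Client1 with an odd address would fall through to rule 30. The sample host addresses are constructed, since Client1's address is not given on the page, and the permit for unmatched packets reflects traffic-filter behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard (反掩码) semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    mask = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & mask) == (b & mask)

@dataclass
class Rule:
    rid: int                        # rule number; evaluated in ascending order
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    proto: Optional[str] = None     # None means "ip" (any protocol)
    dst: Optional[str] = None       # None means no destination check (basic ACL)
    dst_wc: Optional[str] = None
    dport: Optional[int] = None     # None means no destination-port check

def evaluate(rules, src, dst, proto, dport=None):
    """First matching rule wins. A packet matching no rule is permitted by
    traffic-filter, which is why acl 3000 ends with an explicit deny."""
    for r in sorted(rules, key=lambda r: r.rid):
        if not wildcard_match(src, r.src, r.src_wc):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dst is not None and not wildcard_match(dst, r.dst, r.dst_wc):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.rid
    return "permit", None

# acl 2000 from part I (basic: source only) and acl 3000 from part II, as on the page
ACL2000 = [Rule(10, "deny", "192.168.1.0", "0.0.0.254")]
ACL3000 = [
    Rule(10, "permit", "192.168.1.0", "0.0.0.254", "tcp", "192.168.3.10", "0.0.0.0", 80),
    Rule(20, "permit", "192.168.1.0", "0.0.0.255", None, "192.168.2.0", "0.0.0.255"),
    Rule(30, "deny", "192.168.1.0", "0.0.0.255", None, "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    # Constructed sample hosts (Client1's address is not on the page): .2 is even, .1 is odd
    print(evaluate(ACL3000, "192.168.1.2", "192.168.3.10", "tcp", 80))   # ('permit', 10)
    print(evaluate(ACL3000, "192.168.1.1", "192.168.3.10", "tcp", 80))   # ('deny', 30)
    print(evaluate(ACL2000, "192.168.1.1", "192.168.3.10", "icmp"))      # ('permit', None)
```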

Verification:
