ACL (Access Control List) Configuration Lab

1. Overview

(1) By precisely identifying packet flows on the network and working together with other features, an ACL can control network access, prevent network attacks and improve bandwidth utilization, and so help secure the network and keep service quality reliable.

(2) An ACL is an ordered list of rules made up of permit or deny statements. An ACL is a matching tool: it matches and classifies packets. On its own it does nothing to traffic; the action is taken by the feature that calls the ACL.

(3) ACL applications: matching IP traffic; being called by traffic-filter; by NAT (Network Address Translation); by routing policies; by firewall policy deployment; by QoS; and others.

2. Basic Concepts and Principles

(1) ACL composition

An ACL consists of a number of permit or deny statements. Each statement is one rule of the ACL, and the permit or deny in the statement is the processing action for that rule.

(2) Wildcard

A wildcard is a 32-bit value that states which bits of an IP address must match exactly (wildcard bit 0) and which bits need not match (wildcard bit 1). It is usually written in dotted decimal like a network mask, but its meaning is entirely different: a mask's 1 bits mark the network part, whereas a wildcard's 1 bits mark don't-care positions, and they need not be contiguous. In this lab, 0.0.0.255 selects a whole /24 and 0.0.0.0 selects exactly one host.
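The wildcard semantics above, as an added Python example (not from the original post or from VRP): a matcher that applies the 0 = must-match, 1 = don't-care rule bit by bit, a check for whether a wildcard has a network-mask equivalent, and a run over a few constructed client addresses from the lab's subnets. It goes one step beyond the text by showing a non-contiguous wildcard (0.0.0.254), which no network mask can express.

```python
import ipaddress
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP-style wildcard matching.

    A 0 bit in the wildcard means the corresponding address bit must equal
    the base address; a 1 bit means "don't care". Unlike a network mask the
    1 bits need not be contiguous.
    """
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF          # positions that must match
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def wildcard_to_netmask(wildcard: str) -> Optional[str]:
    """Return the equivalent network mask when the wildcard is contiguous
    (zeros followed by ones), otherwise None: such a wildcard has no mask
    equivalent and cannot be written as a prefix length."""
    w = ip_to_int(wildcard)
    if w & (w + 1):                                   # 0...01...1  <=>  w+1 is a power of two
        return None
    return str(ipaddress.IPv4Address(~w & 0xFFFFFFFF))


def matching_hosts(base: str, wildcard: str, candidates: List[str]) -> List[str]:
    """Which of the candidate addresses the base/wildcard pair selects."""
    return [c for c in candidates if wildcard_match(c, base, wildcard)]


# Sample addresses, constructed for this example, from the lab's client subnets.
CLIENTS = ["192.168.1.1", "192.168.1.37", "192.168.1.38", "192.168.2.1"]

if __name__ == "__main__":
    # source 192.168.1.0 0.0.0.255: the whole /24, as written in ACL 3000
    print(matching_hosts("192.168.1.0", "0.0.0.255", CLIENTS))   # the three 192.168.1.x hosts
    # destination 192.168.4.1 0.0.0.0: exactly one host
    print(wildcard_match("192.168.4.1", "192.168.4.1", "0.0.0.0"),
          wildcard_match("192.168.4.2", "192.168.4.1", "0.0.0.0"))   # True False
    # 0.0.0.254 keeps only the lowest bit of the last octet: odd hosts of 192.168.1.0/24
    print(matching_hosts("192.168.1.1", "0.0.0.254", CLIENTS))   # ['192.168.1.1', '192.168.1.37']
    print(wildcard_to_netmask("0.0.0.255"), wildcard_to_netmask("0.0.0.254"))   # 255.255.255.0 None
```

The odd-host case is the reason wildcards are not "inverted masks": a rule written with 0.0.0.254 is valid on the device and selects every other address in the range, something a reviewer translating rules into prefixes would miss.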

(3) Rule ID

Every rule in an ACL has a number, its rule ID. Rules are tried in ascending rule-ID order and the first rule that matches a packet decides the action.

(4) Step

The step is the difference between the IDs of adjacent rules when the system numbers rules automatically; the default is 5. The gap exists so that new rules can later be inserted between existing ones, by giving them an ID in the gap, without renumbering the list.

(5) Rule ID assignment

When the system numbers the first rule of an ACL that was entered without an explicit ID, it uses the step value as the starting ID (with step = 5 the first rule becomes rule 5). For each later rule it uses the smallest integer that is both greater than the largest rule ID currently in the ACL and a multiple of the step.
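The numbering rule above, as an added Python model (not VRP's own code): it reproduces the IDs the four rules of this lab's ACL 3000 receive, inserts a rule into the gap between rules 10 and 15, and appends once more to show the "next multiple of the step above the current maximum" rule. It also models the step command, which on VRP renumbers the existing rules from the new step value, and assumes, as on VRP, that re-using an existing rule ID replaces that rule.

```python
from typing import Dict, List, Optional, Tuple


class AclRuleNumbering:
    """Model of how VRP numbers ACL rules (step defaults to 5).

    Added example for this page; it is not the device's own implementation.
    """

    def __init__(self, step: int = 5) -> None:
        if step <= 0:
            raise ValueError("step must be positive")
        self.step = step
        self.rules: Dict[int, str] = {}          # rule ID -> rule text

    def next_auto_id(self) -> int:
        """Smallest multiple of the step greater than the current largest
        rule ID; for an empty ACL this is the step itself."""
        largest = max(self.rules) if self.rules else 0
        return (largest // self.step + 1) * self.step

    def add(self, text: str, rule_id: Optional[int] = None) -> int:
        """Add a rule. Without an explicit ID the system picks one; an explicit
        ID lets a rule be placed in the gap between two existing rules.
        Assumption (VRP behaviour): an ID that already exists replaces that rule."""
        if rule_id is None:
            rule_id = self.next_auto_id()
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step: int) -> None:
        """Change the step. VRP renumbers all existing rules, in their current
        match order, starting from the new step value."""
        if step <= 0:
            raise ValueError("step must be positive")
        ordered = self.ordered()
        self.step = step
        self.rules = {step * (i + 1): text for i, (_, text) in enumerate(ordered)}

    def ordered(self) -> List[Tuple[int, str]]:
        """Rules in match order (ascending rule ID)."""
        return sorted(self.rules.items())

    def ids(self) -> List[int]:
        return [rid for rid, _ in self.ordered()]


def lab_walkthrough() -> Dict[str, List[int]]:
    """Reproduce the numbering of ACL 3000 from this lab, then insert into a
    gap, append, and renumber with a new step."""
    acl = AclRuleNumbering()                                   # step 5
    for text in ("permit tcp client1 net -> web:80",
                 "deny tcp client1 net -> ftp:21",
                 "permit tcp client2 net -> ftp:21",
                 "deny tcp client2 net -> web:80"):
        acl.add(text)
    auto = acl.ids()                                           # [5, 10, 15, 20]
    acl.add("deny ip client1 net -> ftp (inserted later)", rule_id=12)
    inserted = acl.ids()                                       # [5, 10, 12, 15, 20]
    acl.add("deny ip")                                         # next multiple of 5 above 20
    appended = acl.ids()                                       # [5, 10, 12, 15, 20, 25]
    acl.set_step(10)
    renumbered = acl.ids()                                     # [10, 20, 30, 40, 50, 60]
    return {"auto": auto, "inserted": inserted, "appended": appended, "renumbered": renumbered}


if __name__ == "__main__":
    for name, ids in lab_walkthrough().items():
        print(f"{name:10s} {ids}")
```

Note that renumbering changes the IDs other tooling or documentation may refer to, so a step change on a production ACL is worth treating as a configuration change in its own right.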

3. Lab Topology

(The topology diagram is not reproduced here. As inferred from the configuration below: client1 sits in VLAN 10 (192.168.1.0/24) and client2 in VLAN 20 (192.168.2.0/24) on LSW1; LSW1 Vlanif30 (172.16.1.1/30) links to LSW2 Vlanif40 (172.16.1.2/30); LSW2 Vlanif50 (172.16.2.1/30) links to R1 GigabitEthernet0/0/0 (172.16.2.2/30); R1 GigabitEthernet0/0/1 serves the FTP server subnet 192.168.3.0/24 (server 192.168.3.1) and GigabitEthernet0/0/2 the web server subnet 192.168.4.0/24 (server 192.168.4.1).)

4. Configuration Commands

(1) LSW1 configuration

(The console's interleaved DATASYNC_CFGCHANGE and IFNET log messages, dated Jan 2 2022, are omitted.)

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]vlan batch 10 20 30
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 10
[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 20
[Huawei-Ethernet0/0/2]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 30
[Huawei-Ethernet0/0/3]quit
[Huawei]int Vlanif 10
[Huawei-Vlanif10]ip address 192.168.1.254 24
[Huawei-Vlanif10]quit
[Huawei]int Vlanif 20
[Huawei-Vlanif20]ip address 192.168.2.254 24
[Huawei-Vlanif20]quit
[Huawei]int Vlanif 30
[Huawei-Vlanif30]ip address 172.16.1.1 30
[Huawei-Vlanif30]quit
[Huawei]ip route-static 0.0.0.0 0 172.16.1.2

(2) LSW2 configuration

[Huawei]dis th
#
sysname Huawei
#
vlan batch 40 50
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
ip route-static 0.0.0.0 0.0.0.0 172.16.2.2
ip route-static 192.168.1.0 255.255.255.0 172.16.1.1
ip route-static 192.168.2.0 255.255.255.0 172.16.1.1
#
return

[Huawei-Vlanif40]dis th
#
interface Vlanif40
 ip address 172.16.1.2 255.255.255.252
#
return

[Huawei-Vlanif50]dis th
#
interface Vlanif50
 ip address 172.16.2.1 255.255.255.252
#
return

[Huawei-Ethernet0/0/1]dis th
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 40
#
return

[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]dis th
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 50
#
return

(3) R1 configuration

(Console log messages omitted as above.)

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 172.16.2.2 30
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.3.254 24
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip address 192.168.4.254 24
[Huawei-GigabitEthernet0/0/2]quit
[Huawei]ip route-static 192.168.1.0 24 172.16.2.1
[Huawei]ip route-static 192.168.2.0 24 172.16.2.1
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination 192.168.4.1 0.0.0.0 destination-port eq 80
[Huawei-acl-adv-3000]rule 10 deny tcp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0.0.0.0 destination-port eq 21
[Huawei-acl-adv-3000]rule 15 permit tcp source 192.168.2.0 0.0.0.255 destination 192.168.3.1 0.0.0.0 destination-port eq 21
[Huawei-acl-adv-3000]rule 20 deny tcp source 192.168.2.0 0.0.0.255 destination 192.168.4.1 0.0.0.0 destination-port eq 80
[Huawei-acl-adv-3000]quit
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

ACL 3000 is an advanced ACL (numbers 3000 to 3999), so each rule can match on protocol, source, destination and port. Applied with traffic-filter inbound on GigabitEthernet0/0/0, the interface facing LSW2, it is evaluated only on packets arriving from the two client LANs; replies from the servers leave through G0/0/0 outbound and are never filtered. Rules are tried in ascending rule-ID order and the first match decides. Two points matter for what the list actually enforces. First, a packet that matches no rule is forwarded, because traffic-filter on VRP has no implicit deny: rules 10 and 20 are the only ones that block anything, while rules 5 and 15 change nothing on their own and merely document the intended flows. Second, each deny covers one TCP destination port, so client1 can still ping 192.168.3.1 or reach it on any port other than 21. To turn the list into a whitelist where only the two permitted flows pass, add a closing rule 25 deny ip; every other flow the clients legitimately need, for example the FTP data connection, which does not use port 21, then has to be permitted explicitly.

5. Testing

(The four screenshots are not reproduced here.)

(1) client1 accesses the web server: succeeds.

(2) client1 accesses the FTP server: fails.

(3) client2 accesses the web server: succeeds.

(4) client2 accesses the FTP server: fails.

Checking these against ACL 3000: (1) and (2) are exactly what rules 5 and 10 produce for 192.168.1.0/24. For 192.168.2.0/24, however, rule 15 permits TCP to 192.168.3.1 port 21 and rule 20 denies TCP to 192.168.4.1 port 80, so the list as configured should block client2's web access and allow its FTP control connection, the opposite of (3) and (4). If the lab shows (3) and (4) as listed, the observed results do not match the rule list: re-read the rules on R1 with display acl 3000, confirm the binding with display current-configuration interface GigabitEthernet 0/0/0, and check that client2 really has an address in 192.168.2.0/24, since a client in another subnet matches no rule and is simply forwarded.
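The check above can be done without the lab. Below is an added Python model (not part of the original post, and not VRP code) of how traffic-filter evaluates ACL 3000 inbound on G0/0/0: first match in rule-ID order, and a packet matching no rule forwarded. The client addresses 192.168.1.1 and 192.168.2.1 are assumptions (the post does not give them); the server addresses come from the ACL. It goes beyond the post by also evaluating a copy of the list closed with rule 25 deny ip, to show the difference between the lab's blacklist and a whitelist.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    rule_id: int
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (= any protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None    # None = any destination port


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        (rule.proto == "ip" or rule.proto == flow.proto)
        and _wc_match(flow.src, rule.src, rule.src_wc)
        and _wc_match(flow.dst, rule.dst, rule.dst_wc)
        and (rule.dport is None or rule.dport == flow.dport)
    )


def traffic_filter(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First match in ascending rule-ID order decides. A packet that matches
    no rule is forwarded: that is traffic-filter's behaviour on VRP, there is
    no implicit deny. Returns (action, rule ID or None)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, flow):
            return rule.action, rule.rule_id
    return "permit", None


# ACL 3000 exactly as configured on R1 in this lab.
ACL_3000 = [
    Rule(5,  "permit", "tcp", "192.168.1.0", "0.0.0.255", "192.168.4.1", "0.0.0.0", 80),
    Rule(10, "deny",   "tcp", "192.168.1.0", "0.0.0.255", "192.168.3.1", "0.0.0.0", 21),
    Rule(15, "permit", "tcp", "192.168.2.0", "0.0.0.255", "192.168.3.1", "0.0.0.0", 21),
    Rule(20, "deny",   "tcp", "192.168.2.0", "0.0.0.255", "192.168.4.1", "0.0.0.0", 80),
]

# Same list closed with "rule 25 deny ip" (not in the post): everything not
# explicitly permitted is dropped.
ACL_3000_WHITELIST = ACL_3000 + [
    Rule(25, "deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

CLIENT1, CLIENT2 = "192.168.1.1", "192.168.2.1"   # assumed client addresses
FTP, WEB = "192.168.3.1", "192.168.4.1"           # from the ACL

# Constructed test flows: the four from the Testing section plus two the list never mentions.
TEST_FLOWS: Dict[str, Flow] = {
    "client1 -> web:80":   Flow(CLIENT1, WEB, "tcp", 80),
    "client1 -> ftp:21":   Flow(CLIENT1, FTP, "tcp", 21),
    "client2 -> web:80":   Flow(CLIENT2, WEB, "tcp", 80),
    "client2 -> ftp:21":   Flow(CLIENT2, FTP, "tcp", 21),
    "client1 -> ftp:80":   Flow(CLIENT1, FTP, "tcp", 80),    # no rule covers this
    "client2 -> web icmp": Flow(CLIENT2, WEB, "icmp"),       # nor this
}


def evaluate(rules: List[Rule]) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: traffic_filter(rules, flow) for name, flow in TEST_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("as configured", ACL_3000), ("with rule 25 deny ip", ACL_3000_WHITELIST)):
        print(label)
        for name, (action, rid) in evaluate(rules).items():
            print(f"  {name:22s} {action:6s} rule {rid}")
```

Under the list as configured the model returns permit (rule 15) for client2 -> ftp:21 and deny (rule 20) for client2 -> web:80, and forwards the two uncovered flows with no rule hit; only the closed list drops them. If the device disagrees with the model for the first four flows, the rules on the device are not the ones shown.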

                
