1. Build the topology and achieve full reachability
1.1 Initial configuration of AR1
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.10.12.1 24
[AR1-GigabitEthernet0/0/0]quit
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 10.10.10.254 24
[AR1-GigabitEthernet0/0/1]quit
[AR1]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address 10.10.20.254 24
[AR1-GigabitEthernet0/0/2]quit
[AR1]interface LoopBack 0
[AR1-LoopBack0]ip address 1.1.1.1 32
[AR1-LoopBack0]quit
[AR1]ospf 1 router-id 1.1.1.1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.10.12.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 10.10.10.254 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 10.10.20.254 0.0.0.0
1.2 Initial configuration of AR2
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.10.12.2 24
[AR2-GigabitEthernet0/0/0]quit
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 10.10.23.2 24
[AR2-GigabitEthernet0/0/1]quit
[AR2]interface GigabitEthernet 0/0/2
[AR2-GigabitEthernet0/0/2]ip address 10.10.30.254 24
[AR2-GigabitEthernet0/0/2]quit
[AR2]interface LoopBack 0
[AR2-LoopBack0]ip address 2.2.2.2 32
[AR2-LoopBack0]quit
[AR2]ospf 1 router-id 2.2.2.2
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.10.12.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]network 10.10.23.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]network 10.10.30.254 0.0.0.0
1.3 Initial configuration of AR3
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 10.10.23.3 24
[AR3-GigabitEthernet0/0/1]quit
[AR3]interface LoopBack 0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]quit
[AR3]ospf 1 router-id 3.3.3.3
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.10.23.3 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
2. Basic ACL configuration
2.1 Apply a basic ACL that matches PC1's subnet as source in the outbound direction of AR2's G0/0/2
[AR2]acl 2000
[AR2-acl-basic-2000]rule deny source 10.10.10.0 0.0.0.255
[AR2-acl-basic-2000]rule permit source any
[AR2-acl-basic-2000]quit
[AR2]interface GigabitEthernet 0/0/2
[AR2-GigabitEthernet0/0/2]traffic-filter outbound acl 2000
2.2 Ping from PC1 to PC3
PC1>ping 10.10.30.10
Ping 10.10.30.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 10.10.30.10 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
3. Advanced ACL configuration
3.1 Apply an advanced ACL in the inbound direction of AR1's G0/0/2
[AR1]acl 3000
[AR1-acl-adv-3000]rule deny ip source 10.10.20.0 0.0.0.255 destination 10.10.30.0 0.0.0.255
[AR1-acl-adv-3000]quit
[AR1]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
3.2 Ping from PC2 to PC3
PC2>ping 10.10.30.10
Ping 10.10.30.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 10.10.30.10 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
3.3 View ACL 3000 on AR1
[AR1]display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.30.0 0.0.0.255 (5 matches)
4. Order of ACL rules
4.1 Apply an ACL in the inbound direction of AR3's G0/0/1
[AR3]acl 3000
[AR3-acl-adv-3000]rule deny icmp source 10.10.12.1 0 destination 3.3.3.3 0 icmp-type echo
[AR3-acl-adv-3000]rule permit tcp source 10.10.12.1 0 destination 3.3.3.3 0 destination-port eq 23
[AR3-acl-adv-3000]rule deny tcp source any destination 3.3.3.3 0 destination-port eq 23
[AR3-acl-adv-3000]quit
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
4.2 Enable Telnet on AR3
[AR3]user-interface vty 0 4
[AR3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):Huawei@123
4.3 Add a deny rule on AR3
[AR3-acl-adv-3000]rule deny tcp source any destination 3.3.3.3 0 destination-port eq telnet
[AR3-acl-adv-3000]display this
[V200R003C00]
#
acl number 3000 match-order auto
rule 5 deny icmp source 10.10.12.1 0 destination 3.3.3.3 0 icmp-type echo
rule 10 deny tcp destination 3.3.3.3 0 destination-port eq telnet
#
return
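The three ACLs in sections 2, 3 and 4 can be checked offline with a small first-match evaluator before they are pushed to a router. The code below is an added example written for this write-up; it is not part of the lab and not Huawei software. It assumes host addresses 10.10.10.10 for PC1 and 10.10.20.10 for PC2 (the lab only gives their /24 subnets), treats unmatched traffic as permitted (the behaviour of traffic-filter on VRP), and approximates match-order auto by sorting rules on the number of wildcard "don't care" bits, which is a simplification of VRP's depth-first ordering. It goes slightly beyond the lab by also showing what happens to the section 4 ACL when the deny-any rule is entered first, with and without auto ordering.

```python
"""First-match ACL evaluator with Huawei-style wildcard masks (1 bit = ignore).

Added example, not part of the lab write-up. Host addresses for PC1/PC2 and the
specificity ordering used for match-order auto are assumptions (see comments).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, str]  # (base address, wildcard); VRP abbreviates "0.0.0.0" as "0"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: Optional[Addr] = None       # None means "source any"
    dst: Optional[Addr] = None       # None means "destination any"
    proto: Optional[str] = None      # "ip", "icmp" or "tcp"; None for a basic ACL
    dport: Optional[int] = None      # destination-port eq N (telnet = 23)
    icmp_type: Optional[str] = None  # e.g. "echo"

    def matches(self, pkt: Dict) -> bool:
        if self.src is not None and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], *self.dst):
            return False
        # "deny ip" covers every protocol; icmp/tcp rules must match exactly
        if self.proto not in (None, "ip") and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def specificity(rule: Rule) -> Tuple[int, int]:
    """Fewer wildcard bits = more specific. ASSUMPTION: a simplified stand-in
    for VRP's depth-first ordering used by 'match-order auto'."""
    def bits(field: Optional[Addr]) -> int:
        return 32 if field is None else bin(int(ipaddress.IPv4Address(field[1]))).count("1")
    return (bits(rule.src), bits(rule.dst))


def evaluate(rules: List[Rule], pkt: Dict, match_order: str = "config") -> str:
    """First matching rule wins; a packet matching no rule is permitted,
    as traffic-filter does on VRP."""
    ordered = list(rules) if match_order == "config" else sorted(rules, key=specificity)
    for rule in ordered:
        if rule.matches(pkt):
            return rule.action
    return "permit"


# Section 2: basic ACL 2000 on AR2 G0/0/2 outbound
ACL_2000 = [Rule("deny", src=("10.10.10.0", "0.0.0.255")), Rule("permit")]
# Section 3: advanced ACL 3000 on AR1 G0/0/2 inbound
ACL_3000_AR1 = [Rule("deny", src=("10.10.20.0", "0.0.0.255"),
                     dst=("10.10.30.0", "0.0.0.255"), proto="ip")]
# Section 4.1: advanced ACL 3000 on AR3 G0/0/1 inbound, in configured order
ACL_3000_AR3 = [
    Rule("deny", src=("10.10.12.1", "0.0.0.0"), dst=("3.3.3.3", "0.0.0.0"), proto="icmp", icmp_type="echo"),
    Rule("permit", src=("10.10.12.1", "0.0.0.0"), dst=("3.3.3.3", "0.0.0.0"), proto="tcp", dport=23),
    Rule("deny", dst=("3.3.3.3", "0.0.0.0"), proto="tcp", dport=23),
]

# Constructed packets; PC1/PC2 host addresses are assumptions
PC1_PING_PC3 = {"src": "10.10.10.10", "dst": "10.10.30.10", "proto": "icmp", "icmp_type": "echo"}
PC2_PING_PC3 = {"src": "10.10.20.10", "dst": "10.10.30.10", "proto": "icmp", "icmp_type": "echo"}
PC2_PING_AR3 = {"src": "10.10.20.10", "dst": "3.3.3.3", "proto": "icmp", "icmp_type": "echo"}
AR1_TELNET_AR3 = {"src": "10.10.12.1", "dst": "3.3.3.3", "proto": "tcp", "dport": 23}
AR2_TELNET_AR3 = {"src": "10.10.23.2", "dst": "3.3.3.3", "proto": "tcp", "dport": 23}


def run_lab_checks() -> Dict[str, str]:
    """Reproduce the lab's results plus the reordered variant of section 4."""
    reversed_ar3 = list(reversed(ACL_3000_AR3))  # deny-any entered first
    return {
        "pc1->pc3 via ACL 2000": evaluate(ACL_2000, PC1_PING_PC3),
        "pc2->pc3 via ACL 2000": evaluate(ACL_2000, PC2_PING_PC3),
        "pc2->pc3 via AR1 ACL 3000": evaluate(ACL_3000_AR1, PC2_PING_PC3),
        "pc2->3.3.3.3 via AR1 ACL 3000": evaluate(ACL_3000_AR1, PC2_PING_AR3),
        "AR1 telnet AR3 (config order)": evaluate(ACL_3000_AR3, AR1_TELNET_AR3),
        "AR2 telnet AR3 (config order)": evaluate(ACL_3000_AR3, AR2_TELNET_AR3),
        "AR1 telnet AR3 (deny-any first)": evaluate(reversed_ar3, AR1_TELNET_AR3),
        "AR1 telnet AR3 (deny-any first, auto)": evaluate(reversed_ar3, AR1_TELNET_AR3, "auto"),
    }


if __name__ == "__main__":
    for name, verdict in run_lab_checks().items():
        print(f"{name}: {verdict}")
```

The last two entries are the point of section 4: with the deny-any rule entered first, the host-specific permit never gets a chance under config order, while a specificity-based order puts it back in front. Because deny-icmp and permit-telnet have identical wildcards, their relative order is left unchanged by the stable sort, which mirrors why `display acl` is worth checking after every rule added with match-order auto.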