一、实验描述
企业部署了三个网络,其中R2连接的是公司总部网络,R1和R3分别为两个不同分支网络的设备,这三台路由器通过广域网相连。你需要控制员工使用Telnet和FTP服务的权限,R1所在分支的员工只允许访问公司总部网络中的Telnet服务器,R3所在分支的员工只允许访问FTP服务器。
二、实验目的
掌握高级ACL的配置方法 掌握ACL在接口下的应用方法
三、实验环境
ENSP
四、工具材料
ENSP
五、实验步骤
步骤一 实验环境准备
如果本任务中您使用的是空配置设备,需要从步骤1开始配置,然后跳过步骤2。如果使用的设备包含上一个实验的配置,请直接从步骤2开始配置。
[Huawei]sysname R1
[Huawei]sysname R2
[Huawei]sysname R3
[Huawei]sysname S1
[S1]vlan 4
[S1-vlan4]quit
[S1]interface vlanif 4
[S1-Vlanif4]ip address 10.0.4.254 24
[Huawei]sysname S2
[S2]vlan 6
[S2-vlan6]quit
[S2]interface vlanif 6
[S2-Vlanif6]ip address 10.0.6.254 24
步骤二 清除设备上原有的配置
删除设备上的OSPF配置、PPPoE拨号接口以及R2上的PPPoE服务器虚拟模板的配置。
[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit
[R1]undo ip route-static 0.0.0.0 0
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]undo pppoe-client dial-bundle-number 1
[R1]interface Dialer 1
[R1-Dialer1]undo dialer user
[R1]undo interface Dialer 1
[R1]dialer-rule
[R1-dialer-rule]undo dialer-rule 1
[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]undo pppoe-server bind
Warning:All PPPoE sessions on this interface will be deleted, continue?[Y/N]:y
[R2-GigabitEthernet0/0/0]quit
[R2]undo interface Virtual-Template 1
[R2]undo ip pool pool1
[R2]aaa
[R2-aaa]undo local-user huawei1
[R2-aaa]undo local-user huawei2
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R3-ospf-1-area-0.0.0.0]quit
[R3-ospf-1]quit
[R3]undo ip route-static 0.0.0.0 0 [R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]undo pppoe-client dial-bundle-number 1
[R3-GigabitEthernet0/0/0]quit
[R3]interface Dialer 1
[R3-Dialer1]undo dialer user
[R3-Dialer1]quit
[R3]undo interface Dialer 1
[R3]dialer-rule
[R3-dialer-rule]undo dialer-rule 1
步骤三 配置 IP 地址
按照拓扑图中所示网络的地址进行IP编址的配置。
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 10.0.13.2 24
[R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.4.2 24
[R2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.0.6.2 24
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24
配置S1和S2连接路由器的端口为Trunk端口,并通过修改PVID使物理端口加入三层VLANIF逻辑接口。
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type trunk
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/2]port trunk pvid vlan 4
[S1-GigabitEthernet0/0/2]quit
[S2]interface GigabitEthernet 0/0/2
[S2-GigabitEthernet0/0/2]port link-type trunk
[S2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/2]port trunk pvid vlan 6
[S2-GigabitEthernet0/0/2]quit
步骤四 配置 OSPF 使网络互通
在R1、R2和R3上配置OSPF,三台设备均在区域0中,并发布各自的直连网段信息。
[R1]ospf
[R1-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.6.0 0.0.0.255
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
在S1和S2上配置缺省静态路由,指定下一跳为各自连接的路由器网关。
[S1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
[S2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
检测网络的连通性。
<R1>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received 0.00% packet loss
round-trip min/avg/max = 1/3/10 ms
<R1>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received 0.00% packet loss
round-trip min/avg/max = 2/5/10 ms
<R3>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received 0.00% packet loss
round-trip min/avg/max = 2/5/10 ms
<R3>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received 0.00% packet loss
round-trip min/avg/max = 2/5/10 ms
步骤五 配置ACL 过滤报文
将S1配置为Telnet服务器。
[S1]telnet server enable [S1]user-interface vty 0 4
[S1-ui-vty0-4]protocol inbound all
[S1-ui-vty0-4]authentication-mode password
[S1-ui-vty0-4]set authentication password cipher huawei123
将S2配置为FTP服务器。
[S2]ftp server enable [S2]aaa
[S2-aaa]local-user huawei password cipher huawei123
[S2-aaa]local-user huawei privilege level 3
[S2-aaa]local-user huawei service-type ftp
[S2-aaa]local-user huawei ftp-directory flash:/
在R2上配置ACL,只允许R1访问Telnet服务器,只允许R3访问FTP服务器。
[R2]acl 3000
[R2-acl-adv-3000]rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination
10.0.4.254 0.0.0.0 destination-port eq 23
[R2-acl-adv-3000]rule 10 permit tcp source 10.0.13.3 0.0.0.0 destination
10.0.6.254 0.0.0.0 destination-port range 20 21
[R2-acl-adv-3000]rule 15 permit ospf
[R2-acl-adv-3000]rule 20 deny ip source any
[R2-acl-adv-3000]quit
在R2的G0/0/0接口应用ACL。
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
验证ACL的应用结果。
<R1>telnet 10.0.4.254
Press CTRL_] to quit telnet mode Trying 10.0.4.254 ...
Connected to 10.0.4.254 ... Login authentication Password:
Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.
<S1>
注意:执行quit命令,可以结束Telnet会话。
<R1>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.
注意:FTP连接的响应时间约为60秒。
<R3>telnet 10.0.4.254
Press CTRL_] to quit telnet mode Trying 10.0.4.254 ...
Error: Can't connect to the remote host
<R3>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort Connected to 10.0.6.254.
220 FTP service ready. User(10.0.6.254:(none)):huawei
331 Password required for huawei. Enter password:
230 User logged in. [R3-ftp]
注意:可以执行bye命令,关闭FTP连接。
附加练习:分析并验证
为什么FTP要求ACL定义两个端口?
应在源端网络还是目标网络配置基本和高级ACL,为什么?
配置文件
<R1>display current-configuration [V200R007C00SPC600]
#
sysname R1 #
aaa
authentication-scheme default authorization-scheme default accounting-scheme default domain default
domain default_admin
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$ local-user admin service-type http
local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$ local-user huawei service-type ppp
#
interface GigabitEthernet0/0/0
ip address 10.0.13.1 255.255.255.0 #
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
return
<R2>display current-configuration [V200R007C00SPC600]
#
sysname R2 #
acl number 3000
rule 5 permit tcp source 10.0.13.1 0 destination 10.0.4.254 0 destination-port eq telnet
rule 10 permit tcp source 10.0.13.3 0 destination 10.0.6.254 0 destination-port range ftp-data ftp
rule 15 permit ospf rule 20 deny ip
#
interface GigabitEthernet0/0/0
ip address 10.0.13.2 255.255.255.0
traffic-filter inbound acl 3000 #
interface GigabitEthernet0/0/1
ip address 10.0.4.2 255.255.255.0 #
interface GigabitEthernet0/0/2
ip address 10.0.6.2 255.255.255.0 #
ospf 1 router-id 10.0.2.2
area 0.0.0.0
network 10.0.4.0 0.0.0.255
network 10.0.6.0 0.0.0.255
network 10.0.13.0 0.0.0.255
#
return
<R3>display current-configuration [V200R007C00SPC600]
#
sysname R3 #
interface GigabitEthernet0/0/0
ip address 10.0.13.3 255.255.255.0 #
ospf 1 router-id 10.0.3.3
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
return
<S1>display current-configuration
!Software Version V200R008C00SPC500 #
sysname S1 #
vlan batch 3 to 4 #
telnet server enable #
interface Vlanif4
ip address 10.0.4.254 255.255.255.0 #
interface GigabitEthernet0/0/2 port link-type trunk
port trunk pvid vlan 4
port trunk allow-pass vlan 2 to 4094 #
ip route-static 0.0.0.0 0.0.0.0 10.0.4.2 #
user-interface con 0
user-interface vty 0 4
authentication-mode password
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
Protocol inbound all #
return
<S2>display current-configuration
!Software Version V200R008C00SPC500 #
sysname S2 #
FTP server enable #
vlan batch 6 #
aaa
authentication-scheme default authorization-scheme default accounting-scheme default domain default
domain default_admin
local-user admin password simple admin local-user admin service-type http
local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
Local-user huawei privilege level 3 local-user huawei ftp-directory flash:/ local-user huawei service-type ftp
#
interface Vlanif6
ip address 10.0.6.254 255.255.255.0 #
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 6
port trunk allow-pass vlan 2 to 4094 #
ip route-static 0.0.0.0 0.0.0.0 10.0.6.2 #
return
1484
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
