Basic ACL (2000-2999)
ACL:
access control list,
- Function:
filters traffic on the device;
- Types:
@ Basic ACL
* Range: 2000 ~ 2999
* Characteristic:
can match only the source IP address of the packet (imprecise matching)
@ Advanced ACL
* Range: 3000 ~ 3999
* Characteristic:
can match the packet's source address, destination address, protocol number, source port and destination port at the same time (precise matching)
- Principle:
* An ACL is normally applied on the interface used for "packet forwarding", in one of two directions: inbound or outbound;
* An ACL usually contains several "rules"; to tell them apart, each rule is identified by its rule number (rule);
* When an ACL contains several rules, a packet is matched as follows:
the entry with the smallest rule number is checked first; if it does not match,
the entry with the next rule number is checked;
once an entry matches, the entries with later rule numbers are not checked at all;
if no entry matches, the traffic is permitted,
because:
the ACL ends with an implicit "permit all";
- Basic configuration:
R1: (configure a basic ACL)
acl 2000 // 2000 is the ACL's number; the valid range is 2000~2999
rule 10 deny source 192.168.1.1 0.0.0.0
* rule 10 distinguishes this entry from the other entries in ACL 2000; rule numbers range up to 2 to the power of 32;
* deny means reject;
* source refers to the packet's source IP address;
* 192.168.1.1 0.0.0.0 means the source IP address must be exactly 192.168.1.1;
Device configuration
R1
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.3.254 24
[R1-GigabitEthernet0/0/0]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.2.254 24
[R1-GigabitEthernet0/0/2]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.1.254 24
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]acl 2000 // create the ACL (2000-2999 basic, 3000-3999 advanced)
[R1-acl-basic-2000]rule 10 deny source 192.168.1.1 0.0.0.0 // the ACL entry: deny the PC's access to the server
[R1]display acl all // show the information of all ACLs
Total quantity of nonempty ACL number is 1
Basic ACL 2000, 1 rule
Acl's step is 5
rule 10 deny source 192.168.1.1 0
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter inbound acl 2000 // apply the basic ACL to filter inbound packets (traffic sent 2→3, the outgoing direction)
Removing the ACL
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]undo traffic-filter inbound
[R1]undo acl 2000
Configuration for the case where both differ (two sources in one ACL):
[R1]acl 2000
[R1-acl-basic-2000]rule 20 deny source 192.168.2.1 0
[R1-acl-basic-2000]rule 10 deny source 192.168.1.1 0
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000 // apply it to block all traffic sent back (3→2, the return direction)
[R1]display traffic-filter applied-record // show which interfaces have an ACL applied
-----------------------------------------------------------
Interface Direction AppliedRecord
-----------------------------------------------------------
GigabitEthernet0/0/0 outbound acl 2000
GigabitEthernet0/0/0 inbound acl 2001
-----------------------------------------------------------
[R1]
Advanced ACL (3000-3999)
Any PC-to-PC path can be chosen for the test.
R1
<Huawei>
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 192.168.3.0 24 192.168.2.2
[Huawei]ip route-static 192.168.4.0 24 192.168.2.2
[Huawei]ip route-static 192.168.5.0 24 192.168.2.2
[Huawei]SYS R1
[R1]acl 3000
[R1-acl-adv-3000]rule 5 permit tcp source 192.168.1.1 0 destination 192.168.5.1 0 destination-port eq www // permit access to the web service on 192.168.5.1 (permit web access)
[R1-acl-adv-3000]rule 10 permit ip source 192.168.1.1 0 destination 192.168.3.0 0.0.0.255 // permit ping to the 192.168.3.0 network (permit access to that network)
[R1-acl-adv-3000]rule 15 deny ip source any destination any // (deny all other traffic)
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 // apply on the inbound direction of the sender's gateway interface
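The matching behaviour described in the principle section (rules checked in ascending rule-number order, first match wins, implicit permit-all when the ACL is applied with traffic-filter) and the two ACLs configured in this lab, as an added Python simulation. This is example code written for these notes, not Huawei VRP code or output; the Rule, Packet and Acl names, the parser and the sample packets are the example's own constructions, and the parser accepts only the rule syntax that appears on this page (source/destination with a wildcard or any, destination-port eq).

```python
# Added example for these notes (not Huawei VRP code): a small simulator of the ACL
# matching rules described above. Rules are evaluated in ascending rule-number order
# (not the order typed), the first match decides, and a packet matching no rule is
# permitted, which is the implicit permit-all of traffic-filter.
# Rule, Packet, Acl and parse_rule are names chosen for this example only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Match = Optional[Tuple[int, int]]                  # (address, wildcard) as ints; None = any
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}  # keywords accepted after "eq"

@dataclass
class Rule:
    number: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip", "tcp", "udp" or "icmp"; a basic ACL implies "ip"
    src: Match
    dst: Match
    dst_port: Optional[int]

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None

def _addr(token: str) -> int:
    return int(ipaddress.IPv4Address(token))

def _match_spec(t: List[str], i: int) -> Tuple[Match, int]:
    """Parse 'any' or '<address> <wildcard>'; '0' is VRP shorthand for 0.0.0.0 (exact host)."""
    if t[i] == "any":
        return None, i + 1
    wildcard = 0 if t[i + 1] == "0" else _addr(t[i + 1])
    return (_addr(t[i]), wildcard), i + 2

def parse_rule(text: str) -> Rule:
    """Parse 'rule <n> permit|deny [proto] source ... [destination ...] [destination-port eq ...]'."""
    t = text.split()
    if len(t) < 3 or t[0] != "rule" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule syntax: {text!r}")
    number, action, protocol, i = int(t[1]), t[2], "ip", 3
    if i < len(t) and t[i] in ("ip", "tcp", "udp", "icmp"):
        protocol, i = t[i], i + 1
    src = dst = None
    dst_port = None
    while i < len(t):
        if t[i] == "source":
            src, i = _match_spec(t, i + 1)
        elif t[i] == "destination":
            dst, i = _match_spec(t, i + 1)
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            dst_port = PORT_NAMES.get(t[i + 2]) or int(t[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {text!r}")
    return Rule(number, action, protocol, src, dst, dst_port)

def _addr_matches(spec: Match, address: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; only the zero bits must be equal."""
    if spec is None:
        return True
    base, wildcard = spec
    return (_addr(address) ^ base) & ~wildcard & 0xFFFFFFFF == 0

class Acl:
    """One numbered ACL; rules are kept sorted by rule number regardless of entry order."""
    def __init__(self, number: int):
        self.number = number
        self.rules: List[Rule] = []

    def add(self, text: str) -> Rule:
        rule = parse_rule(text)
        others = [r for r in self.rules if r.number != rule.number]  # same number replaces
        self.rules = sorted(others + [rule], key=lambda r: r.number)
        return rule

    def matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.protocol != "ip" and rule.protocol != pkt.protocol:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
        return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule number); ('permit', None) is the implicit permit-all."""
        for rule in self.rules:                  # smallest rule number first
            if self.matches(rule, pkt):
                return rule.action, rule.number  # first match ends the lookup
        return "permit", None

def demo() -> dict:
    """Constructed scenario mirroring the lab: PC 192.168.1.1, web server 192.168.5.1."""
    adv = Acl(3000)
    adv.add("rule 5 permit tcp source 192.168.1.1 0 destination 192.168.5.1 0 destination-port eq www")
    adv.add("rule 10 permit ip source 192.168.1.1 0 destination 192.168.3.0 0.0.0.255")
    web = Packet("192.168.1.1", "192.168.5.1", "tcp", 80)
    ping = Packet("192.168.1.1", "192.168.5.1", "icmp")
    net3 = Packet("192.168.1.1", "192.168.3.7", "icmp")
    other = Packet("192.168.1.2", "192.168.5.1", "tcp", 80)
    before = adv.evaluate(ping)                  # nothing matches yet -> implicit permit
    adv.add("rule 15 deny ip source any destination any")
    return {"web": adv.evaluate(web), "net3": adv.evaluate(net3),
            "ping_without_deny_all": before, "ping": adv.evaluate(ping),
            "other_host_web": adv.evaluate(other)}
```

Calling `demo()` shows why rule 15 is needed: before it is added, the ICMP packet to 192.168.5.1 matches neither rule 5 (wrong protocol) nor rule 10 (wrong destination network) and is let through by the implicit permit, so a whitelist policy must end with an explicit deny. The `Acl.add` method also reproduces the point made in the basic-ACL section: a rule entered later with a smaller number (rule 10 after rule 20) is still evaluated first.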
R2
<Huawei>
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.2.2 24
[R2-GigabitEthernet0/0/0]int g0/0/2
[R2-GigabitEthernet0/0/2]ip address 192.168.3.254 24
[R2-GigabitEthernet0/0/2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.4.2 24
[R2-GigabitEthernet0/0/1]q
[R2]ip route-static 192.168.1.0 24 192.168.2.1
[R2]ip route-static 192.168.5.0 24 192.168.4.1
[R2]
R3
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip address 192.168.4.1 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip address 192.168.5.254 24
[R3-GigabitEthernet0/0/1]q
[R3]ip route-static 192.168.1.0 24 192.168.4.2
[R3]ip route-static 192.168.2.0 24 192.168.4.2
[R3]ip route-static 192.168.3.0 24 192.168.4.2
[R3]
On R1: permit web access, deny ping
[R1-acl-adv-3000]rule 5 permit tcp source 192.168.1.1 0 destination 192.168.5.1 0 destination-port eq www // permit access to the web service on 192.168.5.1 (permit web access)
[R1-acl-adv-3000]rule 10 permit ip source 192.168.1.1 0 destination 192.168.3.0 0.0.0.255 // permit ping to the 192.168.3.0 network (permit access to that network)
[R1-acl-adv-3000]rule 15 deny ip source any destination any // (deny all other traffic)
**([R1-acl-adv-3000]rule 15 deny ip source <source address> destination <destination address> // (deny traffic from one specific address))**
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 // apply on the inbound direction of the sender's gateway interface
The results were captured in two screenshots (not included here).
Configuring remote login (Telnet with a password)
<R2>sys
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode password // press Enter, then set the login password
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R4
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R4-GigabitEthernet0/0/0]q
[R4]ip route-static 0.0.0.0 0.0.0.0 192.168.1.254 // default route pointing at the gateway
R2
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R2
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.1.254 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip address 192.168.2.254 24
[R2-GigabitEthernet0/0/2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.5.2 30
R1
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.5.1 30
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.7.1 30
[R1-GigabitEthernet0/0/2]ip address 192.168.6.254 24
[R1-GigabitEthernet0/0/2]
Configuring remote login with AAA
[Huawei]user-interface vty 0 4 // number of terminals that may manage the device remotely at the same time
[Huawei-ui-vty0-4]user privilege level 3 // privilege level of the login
[Huawei-ui-vty0-4]authentication-mode aaa // enable AAA authentication
[Huawei-ui-vty0-4]aaa // enter the AAA view
[Huawei-aaa]local-user ntd1912 password cipher 123 // define the remote management username and password
[Huawei-aaa]local-user ntd1912 service-type telnet // allow this user to manage the device via Telnet
<Huawei>telnet 192.168.1.254
> Note:
> An ACL has no effect on packets generated by the device itself;
> An ACL ends with an implicit entry meaning "deny all";
> [When the ACL is invoked by the traffic-filter command, the implicit final entry instead means "permit all"]
rule 10 permit ip source <source address> 0 destination <destination address> 0
rule 20 permit tcp source <source address> 0 destination <destination address> 0 destination-port eq <destination port>
rule 40 deny ip source any destination any // deny everything
permit           allow
deny             reject
any              all addresses
source           source address
destination      destination address
destination-port destination port
inbound          entering the interface
outbound         leaving the interface