ACL lab
Topology diagram:
1. Configure the interface and PC IP addresses
Commands (the same pattern is repeated for every router interface; the PCs get their addresses and gateways in the eNSP PC dialog):
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 12.1.1.1 24
2. Advertise the networks in OSPF (on every router, each with its own router-id)
[Huawei]ospf 100 router-id 1.1.1.1
[Huawei-ospf-100]area 0
[Huawei-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255 //wildcard 255.255.255.255 advertises every interface of the router, including the LAN side
3. On R1, configure an ACL so that PC1 cannot ping PC2
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.2 0.0.0.0 destination 192.168.2.2 0.0.0.0 icmp-type echo
[Huawei-acl-adv-3000]rule permit ip source any destination any
[Huawei-acl-adv-3000]quit
[Huawei]interface g0/0/0 //apply it: filter as close to the source as possible, i.e. inbound on R1's interface facing PC1
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Note that the deny rule only drops PC1's echo requests to PC2 (wildcard 0.0.0.0 means every bit of the address must match). PC2 can still ping PC1, and every other protocol between the two PCs is still forwarded by the trailing permit rule.
4. Enable remote login on R1 and R3 (configure both)
[Huawei]aaa
[Huawei-aaa]local-user xx privilege level 15 password cipher 123
Info: Add a new user.
[Huawei-aaa]local-user xx service-type telnet //most VRP versions refuse Telnet logins for a local user that has no service-type
[Huawei-aaa]quit
[Huawei]user-interface vty 0 4 //apply AAA authentication to the VTY lines
[Huawei-ui-vty0-4]authentication-mode aaa
Some VRP versions also need telnet server enable in system view. Telnet is cleartext and the password 123 on a level-15 account is acceptable only in this lab; do not copy it into a real network.
5. On R2, configure an ACL so that R1 cannot log in to R3 and R3 cannot ping R1
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny tcp source 12.1.1.1 0.0.0.0 destination 23.1.1.2 0.0.0.0 destination-port eq 23 //R1 cannot telnet to R3
[Huawei-acl-adv-3000]rule deny icmp source 12.1.1.1 0.0.0.0 destination 23.1.1.2 0.0.0.0 icmp-type echo-reply //R3 cannot ping R1
[Huawei-acl-adv-3000]rule permit ip source any destination any
[Huawei-acl-adv-3000]quit
[Huawei]interface g0/0/0 //R2's interface facing R1. For "R3 cannot ping R1" we drop R1's echo replies on their way back, so in both rules the source of the filtered traffic is R1, and the ACL goes inbound on the R1-facing interface
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Two caveats. Both deny rules match only source 12.1.1.1, so if R1 sources the Telnet session or its echo replies from another address (for example its 192.168.1.0/24 interface, which OSPF also advertises), the packets slip past the ACL; matching on the destination alone would be stricter. And because only the echo reply is dropped, R3's echo requests still reach R1, while R1 can still ping R3: its echo request matches neither deny rule and R3's reply enters R2 on the unfiltered interface. Check the configuration with display acl 3000 and display traffic-filter applied-record, then repeat the ping and telnet tests.
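To make the matching semantics behind steps 3 and 5 concrete, here is an added Python simulator (it is not part of the original lab notes and is not Huawei code). It implements wildcard-mask matching, first-match rule evaluation and the per-interface, per-direction binding of an ACL, and then replays the lab's packets through R2. The interface name g0/0/1 for R2's R3-facing side, the Packet and Rule types and the sample packets are assumptions made for the example; the addresses and rules are the ones in the lab.

```python
"""Added example: simulate VRP advanced-ACL (acl 3000) evaluation for the lab.
Not part of the original notes; interface names other than g0/0/0 are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[str] = None   # "echo" / "echo-reply" for ICMP
    dport: Optional[int] = None       # destination port for TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any IP protocol
    src: str = "any"
    src_wild: str = "255.255.255.255"
    dst: str = "any"
    dst_wild: str = "255.255.255.255"
    icmp_type: Optional[str] = None
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: bit 0 = must match, bit 1 = don't care.
    'any' is shorthand for 0.0.0.0 255.255.255.255; 0.0.0.0 = exact host."""
    if base == "any":
        return True
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wild):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def acl_decision(rules: List[Rule], pkt: Packet) -> str:
    """Rules are evaluated in order; the first match decides. A packet that
    matches no rule is forwarded by traffic-filter (the lab's trailing permit
    makes this explicit)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit"


# Step 3 ACL on R1 (inbound on the PC1-facing interface).
R1_ACL_3000 = [
    Rule("deny", "icmp", "192.168.1.2", "0.0.0.0", "192.168.2.2", "0.0.0.0",
         icmp_type="echo"),
    Rule("permit", "ip"),
]

# Step 5 ACL on R2 (inbound on g0/0/0, the interface facing R1).
R2_ACL_3000 = [
    Rule("deny", "tcp", "12.1.1.1", "0.0.0.0", "23.1.1.2", "0.0.0.0", dport=23),
    Rule("deny", "icmp", "12.1.1.1", "0.0.0.0", "23.1.1.2", "0.0.0.0",
         icmp_type="echo-reply"),
    Rule("permit", "ip"),
]


def r2_forwards(pkt: Packet, ingress_if: str) -> bool:
    """traffic-filter inbound acl 3000 is bound only to g0/0/0; packets that
    enter on the R3-facing interface (assumed name g0/0/1) are not filtered."""
    if ingress_if == "g0/0/0":
        return acl_decision(R2_ACL_3000, pkt) == "permit"
    return True


def ping_through_r2(src: str, dst: str, req_if: str, rep_if: str) -> bool:
    """A ping succeeds only if the echo request gets through one way and the
    echo reply gets back the other way."""
    req = Packet("icmp", src, dst, icmp_type="echo")
    rep = Packet("icmp", dst, src, icmp_type="echo-reply")
    return r2_forwards(req, req_if) and r2_forwards(rep, rep_if)


if __name__ == "__main__":
    telnet = Packet("tcp", "12.1.1.1", "23.1.1.2", dport=23)
    print("R1 telnet R3 from 12.1.1.1:", acl_decision(R2_ACL_3000, telnet))
    sneaky = Packet("tcp", "192.168.1.1", "23.1.1.2", dport=23)
    print("R1 telnet R3 from 192.168.1.1:", acl_decision(R2_ACL_3000, sneaky))
    print("R3 ping R1:", ping_through_r2("23.1.1.2", "12.1.1.1", "g0/0/1", "g0/0/0"))
    print("R1 ping R3:", ping_through_r2("12.1.1.1", "23.1.1.2", "g0/0/0", "g0/0/1"))
```

The second Telnet packet shows the source-address gap in the lab's deny rules, and the two ping calls show why dropping only echo-reply on the R1-facing interface breaks R3's ping but leaves R1's intact.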
All of the lab requirements are clearly met; the lab succeeded.