ACL和NAT

ACL概述

访问控制列表ACL（Access Control List）是由一系列permit或deny语句组成的、有序规则的列表，它通过匹配报文的相关信息实现对报文的分类；
ACL本甚至能够用于报文的匹配和区分，而无法实现对报文过滤功能，针对ACL所匹配的报文的过滤功能，需要特定的机制来实现（例如在交换机的接口上使用traffic-filte命令调用ACL来进行报文过滤），ACL只是一个匹配用的工具；
ACL除了能够对报文进行匹配，还能够用于匹配路由；
ACL是一个使用非常广泛的基础性工具，能够被各种应用或命令所调用。

ACL的应用

匹配IP流量（可基于源、目IP地址、协议类型、端口号等元素）
在Traffic-filter中被调用
在NAT中被调用
在路由路由策略中被调用
在IPSec VPN中被调用
在防火墙的策略部署中被调用
在QoS中被调用

什么是ACL

ACL能够匹配一个IP数据包中的源IP地址、目IP地址、协议类型、源目的端口等元素的基础工具；ACL还能够用于匹配路由条目。

如何标识ACL

利用数字标识ACL
利用名称标识ACL

ACL的配置：基本ACL

使用编号创建一个基本ACL，并进入ACL视圈：
【Huawei】acl num
【Huawei-acl-basic-num】
基本ACL编号的范围是2000-2999.
创建一个规则（rule）
【Huawei-acl-basic-num】rule 5{permit/deny}source src-address wildcard

wildcard(通配符）

通配符是一个32比特长度的数值，用于指示IP地址中，哪些比特位需要严格匹配，哪些比特位则无所谓。
通配符通常采用类似网络掩码的点分十进制形式表示，但是含义却与网络掩码完全不同。

公网IP地址及私有IP地址

公网地址：公网地址是指可以在lnternet上使用的地址。为保证整个lnternet内的IP地址的唯一性，公网地址由IANA（Internet Assigned Number Authority）这个国际组织负责分配。以太网络设备如果需要使用公网地址，就必须ISP（Internet Service Provider ）或注册中心申请。
私有地址：为了满足一些实验室、公司或他组织的独立于lnternet之处的私有网络的需求，RFCA（Requests For Comment）1918为私有使用留出了三个IP地址段。私有地址不能在lnternet上被分配，因而可以不必申请就可以自己使用。

什么是NAT

NAT（Network Address Translator）的主要原理是通过解析IP报文头部，自动替换报文头中的源地址或目的地址，实现私网用户通过私网IP访问公网的目的。私网IP转换为公网IP的过程对用户来说是透明的。

NAT优缺点

优点：缓解公网地址紧缺问题、解决IP地址空间冲突或重叠的问题、网络扩展更高，本地控制也更容易、内网结构及相关操作对外变得不可见、增加了安全性。
缺点：存在转发延迟、端到端寻址变得困难、某些应用不支持NAT、NAT产生的表项需占用设备的内存空间、设备性能问题

NAT类型

源IP地址转换

No-Port地址转换
网络地址及端口转换

目的IP地址转换

NAT Server
目的NAT

静态NAT

静态NAT实现了私有地址和公有地址的一对一映射

动态NAT

动态NAT基于地址来实现私有地址和公有地址的转换

NAPT

网络地址端口转换NAPT允许许多个内部地址映射到通一个公有地址的不同端口

Easy IP

Easy ip允许将多个内部地址映射到网关出接口地址上的不同端口

NAT服务器

通过配置NAT服务器可以使外网用户访问内网服务器
作业
1

sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys sw1
[sw1]
Apr 13 2021 23:45:17-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 4, the c
hange loop count is 0, and the maximum number of records is 4095.
[sw1]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment…done.
[sw1]int
Apr 13 2021 23:46:27-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 5, the c
hange loop count is 0, and the maximum number of records is 4095.
^
Error:Incomplete command found at ‘^’ position.
[sw1]int e0/0/1
[sw1-Ethernet0/0/1]p l a
[sw1-Ethernet0/0/1]
Apr 13 2021 23:46:57-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 6, the c
hange loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/1]p d v 10
[sw1-Ethernet0/0/1]
Apr 13 2021 23:47:17-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 7, the c
hange loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/1]int e0/0/2
[sw1-Ethernet0/0/2]p l a
[sw1-Ethernet0/0/2]
Apr 13 2021 23:47:57-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 8, the c
hange loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/2]p d v 20
[sw1-Ethernet0/0/2]
Apr 13 2021 23:48:17-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 9, the c
hange loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/2]int e0/0/3
[sw1-Ethernet0/0/3]p l a
[sw1-Ethernet0/0/3]
Apr 13 2021 23:48:47-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 10, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/3]p d v 20
[sw1-Ethernet0/0/3]
Apr 13 2021 23:49:07-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 11, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/3]int e0/0/4
[sw1-Ethernet0/0/4]p l a
[sw1-Ethernet0/0/4]
Apr 13 2021 23:50:57-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 12, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/4]p d v 20
[sw1-Ethernet0/0/4]
Apr 13 2021 23:51:07-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 13, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/4]int e0/0/3
[sw1-Ethernet0/0/3]undo p d v
[sw1-Ethernet0/0/3]
Apr 13 2021 23:51:37-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 14, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/3]p d v 10
[sw1-Ethernet0/0/3]
Apr 13 2021 23:51:57-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 15, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/3]int e0/0/5
[sw1-Ethernet0/0/5]p l t
[sw1-Ethernet0/0/5]
Apr 13 2021 23:52:17-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 16, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/5]p t a v a
[sw1-Ethernet0/0/5]
Apr 13 2021 23:52:57-08:00 sw1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 17, the
change loop count is 0, and the maximum number of records is 4095.
[sw1-Ethernet0/0/5]user in
[sw1-Ethernet0/0/5]
Apr 13 2021 23:58:58-08:00 sw1 %%01PHY/1/PHY(l)[0]: Ethernet0/0/5: change sta
tus to down
Apr 13 2021 23:58:58-08:00 sw1 %%01IFNET/4/IF_STATE(l)[1]:Interface Vlanif1 has
turned into DOWN state.
Apr 13 2021 23:59:32-08:00 sw1 %%01PHY/1/PHY(l)[2]: Ethernet0/0/5: change sta
tus to up
Apr 13 2021 23:59:32-08:00 sw1 %%01IFNET/4/IF_STATE(l)[3]:Interface Vlanif1 has
turned into UP state.
Apr 13 2021 23:59:45-08:00 sw1 %%01PHY/1/PHY(l)[4]: Ethernet0/0/4: change sta
tus to down
Apr 13 2021 23:59:46-08:00 sw1 %%01PHY/1/PHY(l)[5]: Ethernet0/0/4: change sta
tus to up User interface con0 is available
sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys r1
[r1]int g0/0/0.1
[r1-GigabitEthernet0/0/0.1]d t v 10
[r1-GigabitEthernet0/0/0.1]a b e
[r1-GigabitEthernet0/0/0.1]ip add 192.168.1.254 24
[r1-GigabitEthernet0/0/0.1]int g0/0/0.2
[r1-GigabitEthernet0/0/0.2]d t v 20
[r1-GigabitEthernet0/0/0.2]a b e
[r1-GigabitEthernet0/0/0.2]ip add 192.168.2.254 24

[r1-GigabitEthernet0/0/0.2]int g0/0/1
[r1-GigabitEthernet0/0/1]ip add 100.0.0.1 24

[r1-GigabitEthernet0/0/1]q
[r1]ip rou
[r1]ip route-s
[r1]ip route-static 10.0.0.0 24 100.0.0.2

sys
Enter system view, return user view with Ctrl+Z.
[r1]acl 2000
[r1-acl-basic-2000]rule d
[r1-acl-basic-2000]rule deny sou
[r1-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[r1-acl-basic-2000]int g0/0/0.2
[r1-GigabitEthernet0/0/0.2]traf
[r1-GigabitEthernet0/0/0.2]traffic-filter out
[r1-GigabitEthernet0/0/0.2]traffic-filter outbound acl 2000
[r1-GigabitEthernet0/0/0.2]
sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys r2
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ip add 100.0.0.2 24
Apr 14 2021 00:05:55-08:00 r2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[r2-GigabitEthernet0/0/0]int g0/0/1
[r2-GigabitEthernet0/0/1]ip add 10.0.0.254 24
Apr 14 2021 00:06:41-08:00 r2 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[r2-GigabitEthernet0/0/1]q
[r2]ip rou
[r2]ip route-s
[r2]ip route-static 192.168.1.0 24 100.0.0.1
[r2]ip route-static 192.168.2.0 24 100.0.0.1
[r2]acl 3000
[r2-acl-adv-3000]rule d
[r2-acl-adv-3000]rule deny ip s
[r2-acl-adv-3000]rule deny ip source 100.0.0.0 0.0.0.255 des
[r2-acl-adv-3000]rule deny ip source 100.0.0.0 0.0.0.255 destination 10.0.0.1 0
[r2-acl-adv-3000]int g0/0/1
[r2-GigabitEthernet0/0/1]tra
[r2-GigabitEthernet0/0/1]traff
[r2-GigabitEthernet0/0/1]traffic-f
[r2-GigabitEthernet0/0/1]traffic-filter outb
[r2-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[r2-GigabitEthernet0/0/1]
全网互通


vlan10与vlan20不通

r1不能访问服务器