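Using Huawei's eNSP as an example.
First, plan the IP addressing.
Next, configure an IP address on each interface, and give the two routers at the bottom a default route whose next hop is R1's GE0/0/0 interface, so that they stand in for the two PCs.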
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.2.1 24
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.3.1 24
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.3.2 24
[PC1]interface GigabitEthernet 0/0/0
[PC1-GigabitEthernet0/0/0]ip add 192.168.2.2 24
[PC1]ip route-static 0.0.0.0 0 192.168.2.1
[PC2]interface GigabitEthernet 0/0/0
[PC2-GigabitEthernet0/0/0]ip add 192.168.2.3 24
[PC2]ip route-static 0.0.0.0 0 192.168.2.1
Next, add the static route on the router.
[R2]ip route-static 192.168.2.0 24 192.168.3.1
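At this point both PCs can ping successfully.
However, the task requires the following: PC1 can Telnet to R1 but cannot ping R1; PC1 can ping R2 but cannot Telnet to R2; PC2 can ping R1 but cannot Telnet to R1; PC2 can Telnet to R2 but cannot ping R2.
So start with the ping policy.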
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.2.2 0 destination 192.168.2.1 0
[R1-acl-adv-3000]rule deny icmp source 192.168.2.2 0 destination 192.168.3.1 0
[R1-acl-adv-3000]rule deny icmp source 192.168.2.3 0 destination 192.168.3.2 0
[R1-acl-adv-3000]q
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[R1]acl 3000
Then enable the remote management (VTY) interface on the routers.
[R1]aaa
[R1-aaa]local-user 666 privilege level 15 password cipher 123456
[R1-aaa]local-user 666 service-type telnet
[R1-aaa]q
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R2]aaa
[R2-aaa]local-user 666 privilege level 15 password cipher 123456
[R2-aaa]local-user 666 service-type telnet
[R2-aaa]q
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
Add the Telnet restrictions on the router according to the task.
[R1-acl-adv-3000]rule deny tcp source 192.168.2.2 0 destination 192.168.3.2 0 destination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.2.3 0 destination 192.168.2.1 0 destination-port eq 23
[R1-acl-adv-3000]rule deny tcp source 192.168.2.3 0 destination 192.168.3.1 0 destination-port eq 23
View the ACL applied to R1's GE0/0/0 interface.
[R1]display acl 3000
Advanced ACL 3000, 6 rules
Acl's step is 5
rule 5 deny icmp source 192.168.2.2 0 destination 192.168.2.1 0
rule 10 deny icmp source 192.168.2.2 0 destination 192.168.3.1 0
rule 15 deny icmp source 192.168.2.3 0 destination 192.168.3.2 0
rule 20 deny tcp source 192.168.2.2 0 destination 192.168.3.2 0 destination-port
eq telnet
rule 25 deny tcp source 192.168.2.3 0 destination 192.168.2.1 0 destination-port
eq telnet (2 matches)
rule 30 deny tcp source 192.168.2.3 0 destination 192.168.3.1 0 destination-port
eq telnet
Finally, you can see that the requirements are fully met.
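The following added example (not part of the original post) checks ACL 3000 offline: it parses the rules shown in the `display acl 3000` output above and evaluates each PC-to-router ping and Telnet flow with first-match semantics. The function names are hypothetical, and it assumes that `traffic-filter` forwards packets that match no rule.

```python
import re
from ipaddress import IPv4Address as IP
# Rules copied from the page's `display acl 3000` output (wrapped lines joined).
ACL_3000 = """\
rule 5 deny icmp source 192.168.2.2 0 destination 192.168.2.1 0
rule 10 deny icmp source 192.168.2.2 0 destination 192.168.3.1 0
rule 15 deny icmp source 192.168.2.3 0 destination 192.168.3.2 0
rule 20 deny tcp source 192.168.2.2 0 destination 192.168.3.2 0 destination-port eq telnet
rule 25 deny tcp source 192.168.2.3 0 destination 192.168.2.1 0 destination-port eq telnet
rule 30 deny tcp source 192.168.2.3 0 destination 192.168.3.1 0 destination-port eq telnet
"""
RULE = re.compile(r"rule (\d+) (permit|deny) (\w+) source (\S+) (\S+) "
                  r"destination (\S+) (\S+)(?: destination-port eq (\S+))?")
PC1, PC2 = "192.168.2.2", "192.168.2.3"
ROUTERS = {"R1": ["192.168.2.1", "192.168.3.1"], "R2": ["192.168.3.2"]}

def net(addr, wild):
    # Wildcard bits set to 0 must match; a bare "0" means 0.0.0.0 (one host).
    return int(IP(addr)), (0 if wild == "0" else int(IP(wild)))

def hit(pair, ip):
    return ((pair[0] ^ int(IP(ip))) & ~pair[1] & 0xFFFFFFFF) == 0

def parse(text):
    rules = []
    for line in text.splitlines():
        rid, action, proto, s, sw, d, dw, port = RULE.match(line.strip()).groups()
        dport = 23 if port == "telnet" else (int(port) if port else None)
        rules.append((int(rid), action, proto, net(s, sw), net(d, dw), dport))
    return sorted(rules)  # rules are evaluated in ascending rule-ID order

def verdict(rules, proto, src, dst, dport=None):
    """First matching rule wins; returns (action, rule_id)."""
    for rid, action, rproto, s, d, rport in rules:
        if rproto == proto and hit(s, src) and hit(d, dst) and rport in (None, dport):
            return action, rid
    return "permit", None  # assumption: traffic-filter forwards unmatched packets

def matrix(rules):
    """Verdict set per (PC, service, router), over every address of the router."""
    out = {}
    for pc, src in (("PC1", PC1), ("PC2", PC2)):
        for rname, addrs in ROUTERS.items():
            for svc, proto, port in (("ping", "icmp", None), ("telnet", "tcp", 23)):
                out[pc, svc, rname] = {verdict(rules, proto, src, a, port)[0] for a in addrs}
    return out

if __name__ == "__main__":
    print(*matrix(parse(ACL_3000)).items(), sep="\n")
```

A verdict set containing both `permit` and `deny` for R1 would mean one of its two addresses was missed by the rules, which is why the ACL denies traffic to both 192.168.2.1 and 192.168.3.1.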