ACL Traffic Control Lab
Lab environment
Lab approach
1. Plan the network and configure routing
2. Configure Telnet (on SW3)
3. Configure the ACL rules and apply them (on SW2)
4. Test
Lab steps
1. Plan the network and configure dynamic routing (OSPF)
SW1
<Huawei>sys //short for system-view
[Huawei]sy SW1 //short for sysname SW1
[SW1]int g0/0/0
[SW1-GigabitEthernet0/0/0]ip address 10.1.2.1 24
[SW1]ospf router-id 1.1.1.1 //the quit back to system view is omitted here and in the blocks below
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
SW2
<Huawei>sys
[Huawei]sy SW2
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]ip address 10.1.3.2 24
[SW2-GigabitEthernet0/0/1]int g0/0/0
[SW2-GigabitEthernet0/0/0]ip address 10.1.2.2 24
[SW2]ospf router-id 2.2.2.2
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255 //0.0.0.255 is a wildcard mask (the inverse of the /24 netmask), not a subnet mask; the same applies below
[SW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
SW3
<Huawei>sys
[Huawei]sys SW3
[SW3]int g0/0/0
[SW3-GigabitEthernet0/0/0]ip address 10.1.3.1 24
[SW3-GigabitEthernet0/0/0]int lo 0
[SW3-LoopBack0]ip address 3.3.3.3 32
[SW3]ospf router-id 3.3.3.3
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[SW3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
2. Configure Telnet (on SW3)
[SW3]user-interface vty 0 4 //the five virtual terminal lines that Telnet sessions use
[SW3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[SW3-ui-vty0-4]user privilege level 3 //level 3 gives anyone who knows this password full configuration rights, and Telnet sends it in cleartext; acceptable only inside this lab
3. Configure the ACL rules and apply them (on SW2)
[SW2]acl 3000 //3000-3999 is the advanced ACL range, required to match on protocol and port
[SW2-acl-adv-3000]rule permit tcp source 10.1.2.1 0 destination 3.3.3.3 0 destination-port eq 23 //becomes rule 5 (default step is 5); the wildcard 0 means an exact host match
[SW2-acl-adv-3000]rule deny ip //becomes rule 10: drops all other IP traffic, including the ICMP used by ping
[SW2-acl-adv-3000]rule 6 permit ospf //OSPF carries the routes here, so its packets must be permitted; the explicit number 6 places this rule before rule 10, otherwise the hellos from SW1 would be dropped and the adjacency on this interface would fall
[SW2-acl-adv-3000]q
[SW2]int g0/0/0
[SW2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 //only packets entering SW2 from SW1 are filtered; the replies from SW3 arrive on g0/0/1 and are not checked
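To make the rule-ordering point concrete, the following Python script is an added example (not part of the lab and not Huawei code) that simulates how VRP evaluates ACL 3000 inbound on SW2 g0/0/0. It models the documented VRP behaviour: rules are looked up in ascending rule-number order, the first match wins, a rule entered without a number gets the smallest multiple of the step (default 5) above the current highest number, and a packet that matches no rule passes a traffic-filter. The packets, the `Acl`/`Rule`/`Packet` names and the `decisions` helper are the example's own; it also runs the ACL once without `rule 6 permit ospf` to show what the explicit numbering prevents.

```python
"""Simulate VRP evaluation of the lab's advanced ACL 3000 (added example).

Modeled behaviour: ascending rule-number lookup, first match wins, default
step 5 for unnumbered rules, unmatched packets pass.  All packets below are
constructed test inputs, not captures from the lab.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# IP protocol numbers for the keywords used in VRP advanced ACL rules.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}


@dataclass
class Rule:
    rid: int
    action: str                       # "permit" or "deny"
    proto: Optional[int]              # None = any IP protocol ("rule deny ip")
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # wildcard: 0 bits must match, 1 bits are ignored
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard semantics (inverse of a netmask); "0" on the CLI is 0.0.0.0."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


class Acl:
    def __init__(self, number: int, step: int = 5) -> None:
        self.number, self.step = number, step
        self.rules: List[Rule] = []

    def rule(self, action: str, proto: str, rid: Optional[int] = None, **match) -> int:
        """Mirror `rule [rid] permit|deny <proto> ...`; returns the assigned rule number."""
        if rid is None:
            highest = max((r.rid for r in self.rules), default=0)
            rid = (highest // self.step + 1) * self.step
        self.rules.append(Rule(rid, action, PROTO[proto], **match))
        self.rules.sort(key=lambda r: r.rid)   # lookup order is by number, not entry order
        return rid

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, matching rule number); (permit, None) if nothing matched."""
        for r in self.rules:
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if not wildcard_match(pkt.src, r.src, r.src_wc):
                continue
            if not wildcard_match(pkt.dst, r.dst, r.dst_wc):
                continue
            if r.dport is not None and pkt.dport != r.dport:
                continue
            return r.action, r.rid
        return "permit", None


def build_lab_acl(with_ospf_rule: bool = True) -> Acl:
    """Reproduce the three rule lines typed on SW2, in the order they were typed."""
    acl = Acl(3000)
    # rule permit tcp source 10.1.2.1 0 destination 3.3.3.3 0 destination-port eq 23 -> rule 5
    acl.rule("permit", "tcp", src="10.1.2.1", src_wc="0.0.0.0",
             dst="3.3.3.3", dst_wc="0.0.0.0", dport=23)
    acl.rule("deny", "ip")                       # -> rule 10
    if with_ospf_rule:
        acl.rule("permit", "ospf", rid=6)        # explicit 6 so it sorts before rule 10
    return acl


# Constructed packets as they arrive inbound on SW2 g0/0/0 from SW1's side.
PACKETS = {
    "ping": Packet("10.1.2.1", "3.3.3.3", PROTO["icmp"]),
    "telnet": Packet("10.1.2.1", "3.3.3.3", PROTO["tcp"], dport=23),
    "ospf_hello": Packet("10.1.2.1", "224.0.0.5", PROTO["ospf"]),
    "telnet_other_src": Packet("10.1.2.9", "3.3.3.3", PROTO["tcp"], dport=23),
}


def decisions(with_ospf_rule: bool = True) -> Dict[str, Tuple[str, Optional[int]]]:
    acl = build_lab_acl(with_ospf_rule)
    return {name: acl.evaluate(p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, flag in (("with rule 6", True), ("without rule 6", False)):
        print(label)
        for name, (action, rid) in decisions(flag).items():
            print(f"  {name:18} {action:6} rule {rid}")
```

Running it shows the ping denied by rule 10, the Telnet SYN from 10.1.2.1 permitted by rule 5, a Telnet attempt from any other source denied, and the OSPF hello permitted by rule 6; in the run without rule 6 the hello falls through to rule 10, which is the adjacency loss the explicit numbering avoids.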
4. Test
Before the ACL is configured
//SW1 pings SW3
[SW1]ping 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 3.3.3.3: bytes=56 Sequence=5 ttl=254 time=40 ms
--- 3.3.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/36/40 ms
//SW1 logs in to SW3 over Telnet
[SW1]q
<SW1>telnet 3.3.3.3
Press CTRL_] to quit telnet mode
Trying 3.3.3.3 ...
Connected to 3.3.3.3 ...
Login authentication
Password:
<SW3>
After the ACL is configured
//SW1 pings SW3
<SW1>ping 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 3.3.3.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
//SW1 logs in to SW3 over Telnet
<SW1>telnet 3.3.3.3
Press CTRL_] to quit telnet mode
Trying 3.3.3.3 ...
Connected to 3.3.3.3 ...
Login authentication
Password:
<SW3>q
Comparing the two runs shows that after the ACL is applied SW1 can no longer ping SW3 but can still log in to it over Telnet: the ICMP echo requests are dropped by rule 10 inbound on SW2's g0/0/0, while TCP from 10.1.2.1 to 3.3.3.3 port 23 matches rule 5 and is forwarded. That the Telnet session still reaches 3.3.3.3 also confirms rule 6 is doing its job, since SW1 only knows the route to 3.3.3.3 through the OSPF adjacency with SW2.