1. Advanced ACL configuration
2. Configuration verification
3. Telnet configuration
4. Advanced ACL lab
4.1 Topology
• Drag three AR2220 routers onto the canvas from the router panel, select the device-connection tool, click Copper to cable the devices, and power them on when done. The addressing below puts AR1 and AR2 on 12.1.1.0/24 and AR2 and AR3 on 23.1.1.0/24, so AR2 sits in the middle and is the router on which the filter is applied.
4.2 IP and static route configuration
AR1:
<Huawei>system-view
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 12.1.1.1 24
[AR1-GigabitEthernet0/0/0]q
[AR1]ip route-static 23.1.1.0 255.255.255.0 12.1.1.2 --reach the AR2-AR3 segment via AR2
AR2:
<Huawei>system-view
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 23.1.1.2 24
[AR2-GigabitEthernet0/0/1]q --AR2 is directly connected to both segments, so it needs no static route
AR3:
<Huawei>system-view
[Huawei]sysname AR3
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip add 23.1.1.3 24
[AR3-GigabitEthernet0/0/0]q
[AR3]ip route-static 12.1.1.0 255.255.255.0 23.1.1.2 --return route to the AR1-AR2 segment via AR2
• At this point, pinging AR3 (23.1.1.3) from AR1 succeeds, which confirms that forwarding works in both directions before any filtering is added.
4.3 Telnet configuration on AR3
Purpose: enable Telnet on AR3 so that the next section can demonstrate how an advanced ACL stops AR1 from telnetting to AR3.
AR3:
[AR3]user-interface vty 0 4
[AR3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):5 --newer VRP releases prompt for a password here; the next command replaces it
[AR3-ui-vty0-4]set authentication password cipher huawei
[AR3-ui-vty0-4]user privilege level 3 --level 3 is the highest privilege level, so any Telnet client that knows the password gets full configuration rights
[AR3-ui-vty0-4]q
Note that this is lab-only hardening: Telnet sends the password and the whole session in cleartext, and password-mode authentication with no username gives every client the same level-3 access. In production you would use SSH (STelnet) with AAA and per-user accounts, and the ACL below would be one layer of defence, not the only one.
• At this point, telnetting from AR1 to AR3 succeeds.
AR1:
<AR1>telnet 23.1.1.3
4.4 Advanced ACL configuration on AR2
[AR2]acl 3000 --3000-3999 is the advanced ACL range, which can match on protocol, source, destination and ports
[AR2-acl-adv-3000]rule deny tcp source 12.1.1.0 0.0.0.255 destination 23.1.1.3 0.0.0.0 destination-port eq 23 --drop all TCP packets whose source is in 12.1.1.0/24, whose destination is 23.1.1.3 and whose destination port is 23. The wildcard 0.0.0.255 means "the last octet is don't-care", while 0.0.0.0 means "match this host exactly".
[AR2-acl-adv-3000]rule permit ip --match every other IP packet and permit it
[AR2-acl-adv-3000]int g0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 --apply the ACL inbound on the interface facing AR1, so the packets are dropped before AR2 forwards them
[AR2-GigabitEthernet0/0/0]q
Because no rule numbers were given, VRP numbers the rules automatically in steps of 5: the deny rule becomes rule 5 and the permit rule becomes rule 10, which is what display acl 3000 shows and why section 4.5 removes rule 5. Rules are evaluated in ascending rule-number order and the first match wins; a packet that matches no rule is forwarded by traffic-filter anyway, so rule permit ip mainly documents the intent. Note that the filter only covers TCP port 23 to 23.1.1.3: SSH, or a Telnet server listening on another port, would still pass.
• At this point, telnetting from AR1 to AR3 fails.
• Pinging AR3 from AR1 still succeeds, because ICMP does not match the deny rule and falls through to rule permit ip.
4.5 Removing the advanced ACL configuration on AR2
• View:
[AR2]display acl 3000 --lists the rules with their assigned numbers (rule 5 deny ..., rule 10 permit ip)
• Delete:
[AR2]acl 3000
[AR2-acl-adv-3000]undo rule 5 --removes only the deny rule; rule 10 permit ip remains, so Telnet from AR1 to AR3 works again
[AR2-acl-adv-3000]q
4.6 Adding an advanced ACL rule with a specified rule number
[AR2]acl 3000
[AR2-acl-adv-3000]rule 3 deny tcp source 12.1.1.1 0.0.0.0 destination 23.1.1.3 0.0.0.0 destination-port eq 23 --an explicit number lets you insert a rule ahead of existing ones: rule 3 sorts before rule 10 permit ip, so it takes effect. The source wildcard 0.0.0.0 now matches only host 12.1.1.1 rather than the whole 12.1.1.0/24, so another host on that segment would not be blocked.
[AR2-acl-adv-3000]q
[AR2]display acl 3000 --should now show rule 3 deny ... followed by rule 10 permit ip
[AR2]display traffic-filter applied-record --confirms that ACL 3000 is still applied inbound on GigabitEthernet0/0/0
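To make the matching semantics used in sections 4.4 to 4.6 concrete, here is a small Python model of ACL 3000 as traffic-filter evaluates it: wildcard-mask matching, automatic rule numbering in steps of 5, explicit rule numbers, first-match-wins in ascending rule order, and permit for unmatched traffic. It is added example code for this page, not code from the original post or from Huawei; the packet dictionaries, the helper names (wildcard_match, AdvancedACL, build_lab_acl, telnet_pkt, ping_pkt) and the auto-numbering formula are the example's own constructions that mirror the behaviour shown in the lab. It also goes one step beyond the page by checking a second host on 12.1.1.0/24 against the host-specific rule 3.

```python
"""Model of the Huawei VRP advanced ACL from this lab, evaluated the way
traffic-filter applies it: rules are checked in ascending rule-number order
(VRP's default match-order config), the first match decides, and a packet
that matches no rule is permitted (traffic-filter's default action).
Added example code for this page, not from the original post or Huawei;
the packets and helper names below are constructed for the example."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}   # "ip" matches any protocol


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    So 0.0.0.0 means exactly this host and 0.0.0.255 means the /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "tcp" or "udp"
    src: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")   # (address, wildcard)
    dst: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    dport: Optional[int] = None      # destination-port eq N (TCP/UDP only)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != IP_PROTO[self.proto]:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


class AdvancedACL:
    """ACL 3000-3999 with VRP-style rule numbering (default step 5)."""

    def __init__(self, number: int, step: int = 5):
        self.number, self.step = number, step
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, rule: Rule, number: Optional[int] = None) -> int:
        # 'rule deny ...' without a number gets the next multiple of step
        # above the highest existing rule (5, 10, 15, ...); 'rule 3 deny ...'
        # inserts at an explicit number and is therefore evaluated before 5/10.
        # (Assumed simplification of VRP's numbering for this example.)
        if number is None:
            top = max(self.rules, default=0)
            number = (top // self.step + 1) * self.step
        if number in self.rules:
            raise ValueError(f"rule {number} already exists; undo it first")
        self.rules[number] = rule
        return number

    def undo_rule(self, number: int) -> None:
        del self.rules[number]      # [AR2-acl-adv-3000]undo rule 5

    def evaluate(self, pkt: dict) -> str:
        for n in sorted(self.rules):
            if self.rules[n].matches(pkt):
                return self.rules[n].action
        return "permit"             # traffic-filter: unmatched traffic passes


def telnet_pkt(src: str, dst: str) -> dict:
    """Constructed TCP SYN to port 23, as AR1's 'telnet 23.1.1.3' sends."""
    return {"proto": 6, "src": src, "dst": dst, "dport": 23}


def ping_pkt(src: str, dst: str) -> dict:
    """Constructed ICMP echo request."""
    return {"proto": 1, "src": src, "dst": dst}


def build_lab_acl() -> AdvancedACL:
    """ACL 3000 exactly as configured on AR2 in section 4.4."""
    acl = AdvancedACL(3000)
    acl.add_rule(Rule("deny", "tcp", ("12.1.1.0", "0.0.0.255"),
                      ("23.1.1.3", "0.0.0.0"), 23))
    acl.add_rule(Rule("permit", "ip"))
    return acl


if __name__ == "__main__":
    acl = build_lab_acl()
    print(sorted(acl.rules))                                   # [5, 10]
    print(acl.evaluate(telnet_pkt("12.1.1.1", "23.1.1.3")))    # deny
    print(acl.evaluate(ping_pkt("12.1.1.1", "23.1.1.3")))      # permit
    acl.undo_rule(5)                                           # section 4.5
    print(acl.evaluate(telnet_pkt("12.1.1.1", "23.1.1.3")))    # permit
    acl.add_rule(Rule("deny", "tcp", ("12.1.1.1", "0.0.0.0"),  # section 4.6
                      ("23.1.1.3", "0.0.0.0"), 23), number=3)
    print(sorted(acl.rules))                                   # [3, 10]
    print(acl.evaluate(telnet_pkt("12.1.1.1", "23.1.1.3")))    # deny
    print(acl.evaluate(telnet_pkt("12.1.1.9", "23.1.1.3")))    # permit
```

The last line is the point that is easy to miss on the real device: after section 4.6 the source wildcard is 0.0.0.0, so only 12.1.1.1 is blocked and any other host on 12.1.1.0/24 can still telnet to AR3. Whenever you replace a rule, re-run display acl 3000 and test from a second source address, not just the one you expect to be denied.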
Source: https://www.cnblogs.com/atomy/p/16769284.html