ACL (Huawei & Cisco)

Huawei:


| Device | Interface | IP address | Subnet mask | Default gateway |
|--------|-----------|------------|-------------|-----------------|
| AR1 | G0/0/0 | 10.0.13.1 | 255.255.255.0 | N/A |
| AR1 | Loopback0 | 1.1.1.1 | 255.255.255.255 | N/A |
| AR2 | G0/0/0 | 10.0.23.2 | 255.255.255.0 | N/A |
| AR2 | Loopback0 | 2.2.2.2 | 255.255.255.255 | N/A |
| AR3 | G0/0/0 | 10.0.13.3 | 255.255.255.0 | N/A |
| AR3 | G0/0/1 | 10.0.23.3 | 255.255.255.0 | N/A |
| AR3 | G0/0/2 | 10.0.34.3 | 255.255.255.0 | N/A |
| AR3 | Loopback0 | 3.3.3.3 | 255.255.255.255 | N/A |
| AR4 | G0/0/0 | 10.0.34.4 | 255.255.255.0 | N/A |
| AR4 | Loopback0 | 4.4.4.4 | 255.255.255.255 | N/A |

Run OSPF and advertise all networks into area 0.

Check the routing tables and verify connectivity with ping.

Configure Telnet login on AR4; at this point every source is allowed to connect:
[AR4]user-interface vty 0 4
[AR4-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR4-ui-vty0-4]quit
[AR4]


Configure a basic ACL so that AR4 rejects all Telnet connections except those sourced from 1.1.1.1:
[AR4]acl 2000
[AR4-acl-basic-2000]rule 5 permit source 1.1.1.1 0      (rule permitting the allowed source IP)
[AR4-acl-basic-2000]rule 10 deny source any             (rule denying every other source IP)
[AR4-acl-basic-2000]quit
[AR4]user-interface vty 0 4
[AR4-ui-vty0-4]acl 2000 inbound
[AR4-ui-vty0-4]


AR1 and AR2 connect to AR4:
AR1:
telnet -a 1.1.1.1 4.4.4.4
  Press CTRL_] to quit telnet mode
  Trying 4.4.4.4 ...
  Connected to 4.4.4.4 ...

Login authentication

Password:

AR2:
telnet 4.4.4.4
  Press CTRL_] to quit telnet mode
  Trying 4.4.4.4 ...
The connection from AR2 never succeeds.


To let AR3 connect to AR4 as well, add a permit rule whose rule number places it ahead of the deny rule: Huawei evaluates rules in ascending rule-number order, so rule 8 is matched between rule 5 and rule 10.
[AR4-acl-basic-2000]rule 8 permit source 3.3.3.3 0
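The ordering point above, as an added model constructed for this write-up (not VRP code): rules are evaluated by ascending rule id, so a rule added without an explicit id lands at the next multiple of the step (15, after the deny) and is never reached, whereas rule 8 takes effect. The action for traffic matching no rule is platform-specific and is passed in explicitly as `default`.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed model of the lab's Huawei basic ACL 2000 (not VRP code).
def _ip_int(text: str) -> int:
    # VRP accepts a bare "0" as the all-zeros wildcard; accept that shorthand too.
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """True if ip equals base on every bit where the wildcard bit is 0."""
    i, b, w = _ip_int(ip), _ip_int(base), _ip_int(wildcard)
    return (i & ~w) == (b & ~w)

class BasicAcl:
    """Rules are stored by rule id and evaluated in ascending id order."""
    def __init__(self, number: int, step: int = 5) -> None:
        self.number, self.step = number, step
        self.rules: Dict[int, Tuple[str, str, str]] = {}

    def rule(self, action: str, source: str, wildcard: str = "",
             rule_id: Optional[int] = None) -> int:
        if rule_id is None:
            # VRP auto-numbers at the next multiple of the step above the highest id
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        self.rules[rule_id] = (action, source, wildcard)
        return rule_id

    def evaluate(self, src_ip: str, default: str) -> str:
        """First matching rule wins; 'default' is the platform's action for no match."""
        for rule_id in sorted(self.rules):
            action, base, wildcard = self.rules[rule_id]
            if base == "any" or wildcard_match(src_ip, base, wildcard):
                return action
        return default

def lab_acl_2000() -> BasicAcl:
    acl = BasicAcl(2000)
    acl.rule("permit", "1.1.1.1", "0", rule_id=5)   # rule 5 permit source 1.1.1.1 0
    acl.rule("deny", "any", rule_id=10)             # rule 10 deny source any
    return acl

if __name__ == "__main__":
    acl = lab_acl_2000()
    auto_id = acl.rule("permit", "3.3.3.3", "0")    # gets id 15: after the deny, never reached
    print(auto_id, acl.evaluate("3.3.3.3", default="deny"))   # 15 deny
    del acl.rules[auto_id]
    acl.rule("permit", "3.3.3.3", "0", rule_id=8)   # explicit id 8 sits between 5 and 10
    print(acl.evaluate("3.3.3.3", default="deny"))            # permit
```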


AR3 connects:
telnet -a 3.3.3.3 4.4.4.4
  Press CTRL_] to quit telnet mode
  Trying 4.4.4.4 ...
  Connected to 4.4.4.4 ...

Login authentication

Password:



Advanced ACL
Building on the previous experiment, delete ACL 2000, create Loopback1 (40.40.40.40/32) on AR4, and advertise it into OSPF area 0.
On AR4, create ACL 3000, which permits only packets with source IP 1.1.1.1 and destination IP 4.4.4.4, and apply it inbound on the VTY user interface.
[AR4]undo acl 2000

[AR4]acl 3000
[AR4-acl-adv-3000]rule permit ip source 1.1.1.1 0 destination 4.4.4.4 0
[AR4-acl-adv-3000]quit
[AR4]display acl all
 Total quantity of nonempty ACL number is 1

Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip source 1.1.1.1 0 destination 4.4.4.4 0

[AR4]user-interface vty 0 4
[AR4-ui-vty0-4]acl 3000 inbound

AR1 connects:
telnet -a 1.1.1.1 4.4.4.4
  Press CTRL_] to quit telnet mode
  Trying 4.4.4.4 ...
  Connected to 4.4.4.4 ...

Login authentication

Password:

The other routers cannot connect.



Cisco:






PC = pc3, ISP = r2
Networks: 100.1.1.0    12.1.1.0   200.1.1.0


R1:
interface Ethernet 0/1
ip address 12.1.1.1 255.255.255.0
no shutdown
interface Ethernet 0/0
ip address 100.1.1.254 255.255.255.0
no shutdown
ISP:
interface Ethernet 0/1
ip address 12.1.1.2 255.255.255.0
no shutdown
interface Ethernet 0/0
ip address 200.1.1.254 255.255.255.0
no shutdown
PC:
no ip routing
ip default-gateway 100.1.1.254
interface Ethernet 0/0
ip address 100.1.1.1 255.255.255.0
no shutdown
Server:
interface Ethernet 0/0
ip address 200.1.1.1 255.255.255.0
no shutdown
exit
no ip routing
ip default-gateway 200.1.1.254
R1: (R1 and ISP run OSPF)
router ospf 110
router-id 1.1.1.1
network 12.1.1.1 0.0.0.0 area 0
network 100.1.1.254 0.0.0.0 area 0
ISP:
router ospf 110
router-id 2.2.2.2
network 12.1.1.2 0.0.0.0 area 0
network 200.1.1.254 0.0.0.0 area 0
R1: (lock-and-key dynamic ACL)
access-list 100 permit icmp host 100.1.1.1 host 100.1.1.254 echo   (host 100.1.1.1 is shorthand for 100.1.1.1 0.0.0.0; matches ICMP echo and permits it)
access-list 100 permit tcp host 100.1.1.1 host 100.1.1.254 eq 23   (Telnet from the PC to R1, used to authenticate and open the dynamic entry)
username admin password cisco
line vty 0 4
login local
exit
line vty 0
autocommand access-enable host
exit
access-list 100 dynamic PC-SERVER permit ip 100.1.1.0 0.0.0.255 200.1.1.0 0.0.0.255   (source and wildcard, destination and wildcard)
interface Ethernet 0/0
ip access-group 100 in   (applied inbound on this interface)


PC1#ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC1#ping 100.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PC1#




Time-based ACL (deploy NTP so that clocks are synchronized)
R1:
no access-list 100
interface Ethernet 0/0
no ip access-group 100 in   (the ACL must also be removed from the interface)
exit
clock timezone HK 8
time-range TEST
periodic daily 08:00 to 15:03
exit
access-list 100 permit icmp host 100.1.1.1 host 100.1.1.254
access-list 100 permit tcp host 100.1.1.1 host 100.1.1.254
access-list 100 permit icmp host 100.1.1.1 host 200.1.1.1 time-range TEST
interface Ethernet 0/0
ip access-group 100 in

Reflexive ACL
A——B: A can reach B, B cannot reach A, and when B tries to reach A the reply cannot be received.
(This can be upgraded to a zone-based policy firewall.)
R1:
no access-list 100
interface Ethernet 0/0
no ip access-group 100 in
exit
ip access-list extended BOSS   (an extended named ACL called BOSS)
10 permit ospf any any
20 permit icmp host 12.1.1.2 host 12.1.1.1
30 permit tcp host 12.1.1.2 host 12.1.1.1
40 permit ip 200.1.1.0 0.0.0.255 100.1.1.0 0.0.0.255 reflect Employee   (creates the reflexive list named Employee)
exit
ip access-list extended employees   (this named ACL "employees" is unrelated to the reflexive list Employee above)
10 permit icmp host 100.1.1.1 host 100.1.1.254
20 permit tcp host 100.1.1.1 host 100.1.1.254
evaluate Employee   (nests the reflexive list Employee that BOSS populates)
exit
interface Ethernet 0/1
ip access-group BOSS in
interface Ethernet 0/0
ip access-group employees in
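The BOSS/employees behaviour, as an added simulation written for this page (not IOS code): a flow from 200.1.1.0/24 entering E0/1 is permitted and leaves a mirrored reflexive entry; inbound on E0/0 only the PC's management traffic to R1 and traffic matching such a mirrored entry is accepted, so the PC cannot initiate sessions towards the server. Packet tuples, the interface method names and the omission of reflexive-entry timeouts and ICMP type handling are simplifications of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed model of R1's BOSS (E0/1 in) and employees (E0/0 in) ACLs; not IOS code.
def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (i & ~w) == (b & ~w)

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0   # 0 for protocols without ports
    dport: int = 0

Entry = Tuple[str, str, str, int, int]

class R1Filter:
    def __init__(self) -> None:
        # temporary entries created by "reflect Employee"; timeouts are ignored here
        self.employee_reflect: Set[Entry] = set()

    def inbound_e0_1(self, p: Packet) -> bool:
        """ACL BOSS, applied inbound on the ISP-facing interface."""
        if p.proto == "ospf":                                    # 10 permit ospf any any
            return True
        if p.src == "12.1.1.2" and p.dst == "12.1.1.1" and p.proto in ("icmp", "tcp"):
            return True                                          # 20 and 30: ISP to R1
        if (wildcard_match(p.src, "200.1.1.0", "0.0.0.255")
                and wildcard_match(p.dst, "100.1.1.0", "0.0.0.255")):
            # 40 ... reflect Employee: record the mirror image (src<->dst, sport<->dport)
            self.employee_reflect.add((p.proto, p.dst, p.src, p.dport, p.sport))
            return True
        return False                                             # implicit deny

    def inbound_e0_0(self, p: Packet) -> bool:
        """ACL employees, applied inbound on the PC-facing interface."""
        if p.src == "100.1.1.1" and p.dst == "100.1.1.254" and p.proto in ("icmp", "tcp"):
            return True                                          # 10 and 20: PC to R1
        # evaluate Employee: accept only replies to flows already seen on E0/1
        return (p.proto, p.src, p.dst, p.sport, p.dport) in self.employee_reflect
```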


Cisco configuration syntax
Standard ACL:
access-list <number> (permit|deny|remark) <source-ip> [wildcard-mask]
interface Ethernet 0/0
ip access-group <number> (in|out)
VTY lines:
access-class <number> (in|out)

Extended ACL
access-list <number> (permit|deny) <protocol: name or protocol number, e.g. ip> <source-ip> <wildcard> [source-port, optional] <destination-ip> <wildcard> [destination port with (eq|lt|gt|range)] [TCP header options]
Named ACLs:
ip access-list (standard|extended) <number or name>
<sequence-number> permit|deny ... (protocol, addresses, ports, etc.)
interface Ethernet 0/0
ip access-group <name> (in|out)




