Introduction to ACLs (Access Control Lists) and a Configuration Demo

I. ACL functions and characteristics

1. Functions

2. Characteristics

II. Types of ACL

1. Basic ACL:

2. Advanced ACL:

III. Configuration demo

1. Basic ACL:

2. Advanced ACL:


I. ACL functions and characteristics

1. Functions

Apply a policy to routes of interest (control plane)

Apply a policy to traffic of interest (data plane)

2. Characteristics

(1) Rules are matched top-down (executed in ascending rule number); as soon as a rule matches, its action is applied immediately and no further rules are checked.

(2) An ACL is applied in one of two directions. In the in direction (traffic entering the router) the ACL is matched first and the routing lookup is done afterwards. In the out direction (traffic leaving the router) the routing lookup is done first and the ACL is matched afterwards.

(3) ACLs are divided into standard (basic) ACLs and extended (advanced) ACLs.

(4) On Huawei devices, if a packet matches none of the rules in an ACL, the device behaves as if that ACL were not there at all, so the intended policy must be written explicitly as a deny or a permit rule.

II. Types of ACL

1. Basic ACL:

Matches on the source IP address only: whenever the source IP falls within an ACL entry, the corresponding rule is applied. When deploying it, place it as close to the destination router as possible, so that traffic on other paths is not blocked by mistake.

2. Advanced ACL:

Matches on source IP address, destination IP address and protocol type. Place it as close to the source as possible (an ACL cannot filter traffic generated by the device itself, so it cannot sit on the source device).

III. Configuration demo

1. Basic ACL:

Goal: AR1's loopback 0 cannot ping AR4's loopback, while AR1's loopback 1 and its outgoing interface G0/0/0 can.

[Figure 1]

(1) Create the ACL, define the ACL rule, apply the ACL

[r4]acl 2000
#INTEGER<2000-2999> basic ACL
#INTEGER<3000-3999> advanced ACL
[r4-acl-basic-2000]rule deny source 1.1.1.0 0.0.0.255     #specify the source IP
The parameter after the source IP is a wildcard mask: a 0 bit is fixed, a 1 bit is variable; permit allows, deny rejects
[r4]interface GigabitEthernet 0/0/1
[r4-GigabitEthernet0/0/1]traffic-filter inbound acl 2000   #apply the ACL
#inbound is the in direction, outbound is the out direction

(2) Verify and test

[r4]display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 deny source 1.1.1.0 0.0.0.255 (3 matches)

[r1]ping -a 1.1.1.1 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out

  --- 4.4.4.4 ping statistics ---
    3 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[r1]ping -a 1.1.2.1 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=40 ms
    Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=40 ms
    Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=50 ms
    Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=40 ms
    Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=50 ms

  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/44/50 ms

[r1]ping 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=50 ms
    Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=30 ms
    Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=30 ms
    Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=30 ms
    Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=40 ms

  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/36/50 ms

2. Advanced ACL:

Goal: AR1's loopback 0 cannot ping AR4's loopback 0 but can telnet to it; AR1's loopback 1 can ping AR4's loopback 0 but cannot telnet to it.

[Figure 2]

(1) Enable telnet on AR4

[r4]user-interface vty 0 4
[r4-ui-vty0-4]set authentication password cipher hw
[r4-ui-vty0-4]q

(2) Configure the advanced ACL on AR2 (close to the source, but not on the source device) and apply it

[r2]acl 3000
[r2-acl-adv-3000]rule deny icmp source 1.1.1.0 0.0.0.255 destination 4.4.4.4 0.0.0.0 icmp-type echo
[r2-acl-adv-3000]rule deny tcp source 1.1.2.0 0.0.0.255 destination 4.4.4.4 0.0.0.0 destination-port eq 23
[r2-acl-adv-3000]q
[r2]display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 5 deny icmp source 1.1.1.0 0.0.0.255 destination 4.4.4.4 0 icmp-type echo
 rule 10 deny tcp source 1.1.2.0 0.0.0.255 destination 4.4.4.4 0 destination-port eq telnet
[r2]interface GigabitEthernet 0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
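Added example, not part of the original post: a small Python model of the matching semantics from section I (top-down first match, wildcard mask with 0 = fixed bit and 1 = variable bit, ACL treated as absent when nothing matches) loaded with the two ACLs configured above; evaluating constructed packets with it predicts the outcome of the tests in step (3). The names `Acl`, `wildcard_match` and `probe` are my own and are not Huawei commands.

```python
import ipaddress

STEP = 5  # "Acl's step is 5": rule ids are assigned 5, 10, 15, ... in entry order


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return a & care == b & care


class Acl:
    def __init__(self, number):
        self.basic = 2000 <= number <= 2999  # 2000-2999 basic, 3000-3999 advanced
        self.rules = []  # (rule_id, action, {field: value})

    def rule(self, action, **match):
        if self.basic and not set(match) <= {"source", "source_wc"}:
            raise ValueError("a basic ACL can only match on the source address")
        rule_id = (len(self.rules) + 1) * STEP  # auto-numbered like the CLI
        self.rules.append((rule_id, action, match))
        return rule_id

    def evaluate(self, pkt):
        """Top-down, first match wins; with no match the ACL is treated as
        absent and the packet is permitted (point (4) in section I)."""
        for rule_id, action, m in self.rules:
            if "source" in m and not wildcard_match(pkt["src"], m["source"], m["source_wc"]):
                continue
            if "destination" in m and not wildcard_match(pkt["dst"], m["destination"], m["destination_wc"]):
                continue
            # proto / icmp_type / dport only constrain the packet when the rule names them
            if all(pkt.get(f) == m[f] for f in ("proto", "icmp_type", "dport") if f in m):
                return action, rule_id
        return "permit", None


# ACL 2000 (r4) and ACL 3000 (r2) exactly as entered in the demo above
acl2000 = Acl(2000)
acl2000.rule("deny", source="1.1.1.0", source_wc="0.0.0.255")
acl3000 = Acl(3000)
acl3000.rule("deny", proto="icmp", source="1.1.1.0", source_wc="0.0.0.255",
             destination="4.4.4.4", destination_wc="0.0.0.0", icmp_type="echo")
acl3000.rule("deny", proto="tcp", source="1.1.2.0", source_wc="0.0.0.255",
             destination="4.4.4.4", destination_wc="0.0.0.0", dport=23)


def probe(src, proto, **extra):
    """Constructed packet from AR1 (src) to AR4's loopback 4.4.4.4, like the tests below."""
    return {"src": src, "dst": "4.4.4.4", "proto": proto, **extra}
```

For example `acl3000.evaluate(probe("1.1.2.1", "tcp", dport=23))` returns `("deny", 10)`, matching the failed telnet from loopback 1, while the same probe from 1.1.1.1 falls through every rule and is permitted.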

(3) Test

[r1]ping -a 1.1.1.1 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[r1]ping -a 1.1.2.1 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=40 ms
    Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=40 ms
    Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=40 ms
    Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=30 ms
    Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=30 ms

  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/36/40 ms

[r1]q
telnet -a 1.1.1.1 4.4.4.4
  Press CTRL_] to quit telnet mode
  Trying 4.4.4.4 ...
  Connected to 4.4.4.4 ...

Login authentication


Password:
q

  Configuration console exit, please retry to log on

  The connection was closed by the remote host
telnet -a 1.1.2.1 4.4.4.
  Press CTRL_] to quit telnet mode
  Trying 4.4.4.4 ...
  Error: Can't connect to the remote host
