Comprehensive ACL Lab

Topology:

[Figure 1: topology diagram]

Requirements

1. PC1 can Telnet to R1 but cannot ping R1

2. PC1 can ping R2 but cannot Telnet to R2

3. All requirements for PC2 are the reverse of PC1's

Devices used: 4 routers, 1 switch

Working through the topology:

1. Determine the number of broadcast domains

2. Assign network segments

3. Configure IP addresses (routers first)

Determine the number of broadcast domains

From the topology diagram and the requirements, this topology has 2 network segments in total, both of them interface segments.

Assign network segments

The two interface segments are carved out of 192.168.1.0/24

Divided into:

192.168.1.0/25

192.168.1.128/25

[Figure 2: segment assignment]

Configure router IP addresses

AR1:

system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r1
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 192.168.1.1 25
[r1-GigabitEthernet0/0/0]
Apr 17 2023 20:40:49-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface GigabitEthernet0/0/0 has entered the UP state. 
[r1-GigabitEthernet0/0/0]q
[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 192.168.1.129 25
Apr 17 2023 20:41:22-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP 
on the interface GigabitEthernet0/0/1 has entered the UP state. 
[r1-GigabitEthernet0/0/1]q
[r1]

AR2:

system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r2
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]ip address 192.168.1.130 25
[r2-GigabitEthernet0/0/0]
Apr 17 2023 20:39:30-08:00 r2 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP 
on the interface GigabitEthernet0/0/0 has entered the UP state. 
[r2-GigabitEthernet0/0/0]q
[r2]

AR3:

system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r3
[r3]interface GigabitEthernet 0/0/0
[r3-GigabitEthernet0/0/0]ip address 192.168.1.2 25
[r3-GigabitEthernet0/0/0]
Apr 17 2023 20:42:42-08:00 r3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface GigabitEthernet0/0/0 has entered the UP state. 
[r3-GigabitEthernet0/0/0]q
[r3]

AR4:

system
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r4
[r4]interface GigabitEthernet 0/0/0
[r4-GigabitEthernet0/0/0]ip address 192.168.1.3 25
Apr 17 2023 20:43:42-08:00 r4 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface GigabitEthernet0/0/0 has entered the UP state. 
[r4-GigabitEthernet0/0/0]q
[r4]

Configure static routes

AR2:

[r2]ip route-static 192.168.1.0 25 192.168.1.129

AR3:

[r3]ip route-static 192.168.1.128 25 192.168.1.1

AR4:

[r4]ip route-static 192.168.1.128 25 192.168.1.1

With the static routes in place, every host in the network is now reachable.

Configure the ACL (access control list)

AR1:

[r1]acl 3000
[r1-acl-adv-3000]rule permit tcp source 192.168.1.2 0 destination 192.168.1.1 0 destination-port eq 23
[r1-acl-adv-3000]rule deny icmp source 192.168.1.2 0 destination 192.168.1.1 0
[r1-acl-adv-3000]rule permit icmp source 192.168.1.3 0 destination 192.168.1.1 0 
[r1-acl-adv-3000]rule deny tcp source 192.168.1.3 0 destination 192.168.1.1 0 destination-port eq 23
[r1-acl-adv-3000]q

AR2:

[r2]acl 3000
[r2-acl-adv-3000]rule permit icmp source 192.168.1.2 0 destination 192.168.1.130 0
[r2-acl-adv-3000]rule deny tcp source 192.168.1.2 0 destination 192.168.1.130 0 destination-port eq 23
[r2-acl-adv-3000]rule deny icmp source 192.168.1.3 0 destination 192.168.1.130 0 
[r2-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.1.130 0 destination-port eq 23
[r2-acl-adv-3000]q

Always remember that an ACL does nothing until it is applied: apply it inbound on the interface that receives the traffic, or outbound on the interface that sends it, otherwise the rules never take effect.

Apply the ACL on the inbound interface
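To check the rule logic without a lab, here is an added Python model of advanced ACL 3000 on AR1 and AR2; it is not the page's or Huawei's code. It assumes Huawei's first-match semantics and that traffic-filter permits packets matching no rule; the rule sets are transcribed from the configuration above, and the TCP/22 flow is a constructed extra showing that only Telnet, not other TCP, is filtered.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # TCP destination port; None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str
    src: str                     # wildcard 0 on the CLI means an exact host, so plain compare
    dst: str
    dport: Optional[int] = None  # None: rule carries no destination-port condition

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src == p.src and self.dst == p.dst
                and (self.dport is None or self.dport == p.dport))

def evaluate(acl, p: Packet) -> str:
    """First matching rule wins; a packet matching no rule is permitted,
    which is the assumed default for traffic-filter on Huawei VRP."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "permit"

R1, R2 = "192.168.1.1", "192.168.1.130"   # the R1 and R2 interfaces being filtered
PC1, PC2 = "192.168.1.2", "192.168.1.3"   # AR3 and AR4 stand in for the PCs
# ACL 3000 on AR1 and AR2, transcribed from the rules above, in rule order.
ACL_R1 = [Rule("permit", "tcp", PC1, R1, 23), Rule("deny", "icmp", PC1, R1),
          Rule("permit", "icmp", PC2, R1), Rule("deny", "tcp", PC2, R1, 23)]
ACL_R2 = [Rule("permit", "icmp", PC1, R2), Rule("deny", "tcp", PC1, R2, 23),
          Rule("deny", "icmp", PC2, R2), Rule("permit", "tcp", PC2, R2, 23)]

def lab_results() -> dict:
    """The eight flows in the requirements plus one constructed flow (PC1 to TCP/22 on R1)."""
    flows = {
        "PC1 telnet R1": ("tcp", PC1, R1, 23), "PC1 ping R1": ("icmp", PC1, R1, None),
        "PC1 ping R2": ("icmp", PC1, R2, None), "PC1 telnet R2": ("tcp", PC1, R2, 23),
        "PC2 ping R1": ("icmp", PC2, R1, None), "PC2 telnet R1": ("tcp", PC2, R1, 23),
        "PC2 ping R2": ("icmp", PC2, R2, None), "PC2 telnet R2": ("tcp", PC2, R2, 23),
        "PC1 tcp/22 R1": ("tcp", PC1, R1, 22),  # no rule mentions port 22, so it falls through
    }
    # The ACL consulted is the one applied inbound on the router owning the destination.
    return {name: evaluate(ACL_R1 if dst == R1 else ACL_R2, Packet(proto, src, dst, dport))
            for name, (proto, src, dst, dport) in flows.items()}
```

The fall-through result for TCP/22 is the point to keep in mind when reading these ACLs: with an implicit permit, every service you did not name explicitly stays open.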

AR1:

[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

AR2:

[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

Then enable the Telnet service on AR1 and AR2

AR1:

[r1]aaa
[r1-aaa]local-user panda privilege level 15 password cipher 123456
Info: Add a new user.
[r1-aaa]local-user panda service-type telnet
[r1-aaa]q
[r1]
[r1]user-interface vty 0
[r1-ui-vty0]authentication-mode aaa
[r1-ui-vty0]q
[r1]

AR2:

[r2]aaa
[r2-aaa]local-user banana privilege level 15 password cipher 123456
Info: Add a new user.
[r2-aaa]local-user banana service-type telnet
[r2-aaa]q
[r2]
[r2]user-interface vty 0
[r2-ui-vty0]authentication-mode aaa
[r2-ui-vty0]q
[r2]

Results:

PC1:

[Figure 3: PC1 test output]

[Figure 4: PC1 test output]

PC1 cannot ping R1 but can log in to R1 remotely, and can ping R2 but cannot log in to R2 remotely

AR2:

[Figure 5: PC2 test output]

[Figure 6: PC2 test output]

PC2 can ping R1 but cannot log in to R1 remotely, and cannot ping R2 but can log in to R2 remotely

The ACL is in effect and the lab requirements are met.
