ACL - Access Control List
Purpose:
An ACL reads Layer 3 and Layer 4 header information and filters traffic according to predefined rules. Layer 3 header information: source and destination IP addresses; Layer 4 header information: source and destination port numbers.
Direction in which an access control list is applied
Inbound: traffic that is about to enter the local router and is about to be processed by it
Outbound: traffic that has already been processed by the local router and is about to leave it
Difference between applying a finished policy on the inbound interface and on the outbound interface:
Applied on the inbound interface, the policy takes effect on the local router; applied on the outbound interface, it does not take effect on the local router, and the traffic is acted on at the next router along the forwarding path.
Access control list processing principles
An entry is matched only once
Entries are matched against the ACL from top to bottom
An ACL ends with an implicit deny all
An ACL must therefore permit at least one entry
Access control list types
1. Standard access control list
Filters on the source address only
Standard ACL numbers are 2000-2999
Placement principle: close to the destination
2. Extended access control list
Can filter on source and destination IP, TCP/UDP protocol, and source and destination port numbers
Compared with a standard ACL, traffic control is more precise
Placement principle: close to the source
Extended ACL numbers are 3000-3999
The device is running!
<Huawei>
<Huawei>undo t
<Huawei>undo terminal m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]user-i
[Huawei]user-interface c
[Huawei]user-interface co
[Huawei]user-interface console 0
[Huawei-ui-console0]id
[Huawei-ui-console0]idle-timeout 0 0
[Huawei-ui-console0]q
[Huawei]vlan bat 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlan 10
[Huawei-Vlanif10]q
[Huawei]?
System view commands:
aaa AAA
acl Specify ACL configuration information
alarm Enter the alarm view
anti-attack Specify anti-attack configurations
application-apperceive Set application-apperceive information
arp ARP module
arp-miss Specify ARP MISS configuration information
arp-suppress Specify arp suppress configuration information,
default is disabled
authentication Authentication
autoconfig AutoConfig configuration information
bfd Specify BFD(Bidirectional Forwarding Detection)
configuration information
bgp Border Gateway Protocol(BGP)
bootrom BootRom
bpdu BPDU message
btv Btv view
bulk-file Specify the file name of bulk statistics
bulk-stat Set bulk statistics
capture-packet Capture-packet
ccc Circuit cross connection
cfm Connectivity fault management
clear Cancel current configuration
cluster Specify the information for cluster configuration
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-t
[Huawei-Ethernet0/0/1]port link-type a
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port d
[Huawei-Ethernet0/0/1]port de
[Huawei-Ethernet0/0/1]port default vlan 10
[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]port link-t
[Huawei-Ethernet0/0/2]port link-type a
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port de
[Huawei-Ethernet0/0/2]port default vlan 20
[Huawei-Ethernet0/0/2]int e0/0/3
[Huawei-Ethernet0/0/3]port t
[Huawei-Ethernet0/0/3]port link-
[Huawei-Ethernet0/0/3]port link-t
[Huawei-Ethernet0/0/3]port link-type a
[Huawei-Ethernet0/0/3]port d
[Huawei-Ethernet0/0/3]port def
[Huawei-Ethernet0/0/3]port default vlan 10
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-t
[Huawei-Ethernet0/0/4]port link-type a
[Huawei-Ethernet0/0/4]port def
[Huawei-Ethernet0/0/4]port default vlan 20
[Huawei-Ethernet0/0/4]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port t
[Huawei-GigabitEthernet0/0/1]port l
[Huawei-GigabitEthernet0/0/1]port link-t
[Huawei-GigabitEthernet0/0/1]port link-type t
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port t
[Huawei-GigabitEthernet0/0/1]port trunk a
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/1]
AR1 configuration
The device is running!
<Huawei>undo t
<Huawei>undo terminal m
<Huawei>undo terminal monitor
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]user-
[Huawei]user-i
[Huawei]user-interface co
[Huawei]user-interface console 0
[Huawei-ui-console0]i
[Huawei-ui-console0]idle-timeout 0 0
[Huawei-ui-console0]q
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]undo s
[Huawei-GigabitEthernet0/0/0]undo sh
[Huawei-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[Huawei-GigabitEthernet0/0/0]int g0/0/0.1
[Huawei-GigabitEthernet0/0/0.1]dot
[Huawei-GigabitEthernet0/0/0.1]dot1q t
[Huawei-GigabitEthernet0/0/0.1]dot1q termination v
[Huawei-GigabitEthernet0/0/0.1]dot1q termination vid 10
[Huawei-GigabitEthernet0/0/0.1]ip add 192.168.10.1 24
[Huawei-GigabitEthernet0/0/0.1]arp br
[Huawei-GigabitEthernet0/0/0.1]arp broadcast e
[Huawei-GigabitEthernet0/0/0.1]arp broadcast enable
[Huawei-GigabitEthernet0/0/0.1]int g0/0/0.2
[Huawei-GigabitEthernet0/0/0.2]d
[Huawei-GigabitEthernet0/0/0.2]do
[Huawei-GigabitEthernet0/0/0.2]dot1q t
[Huawei-GigabitEthernet0/0/0.2]dot1q termination v
[Huawei-GigabitEthernet0/0/0.2]dot1q termination vid 20
[Huawei-GigabitEthernet0/0/0.2]ip add 192.168.20.1 24
[Huawei-GigabitEthernet0/0/0.2]arp
[Huawei-GigabitEthernet0/0/0.2]arpb
[Huawei-GigabitEthernet0/0/0.2]arp b
[Huawei-GigabitEthernet0/0/0.2]arp broadcast e
[Huawei-GigabitEthernet0/0/0.2]arp broadcast enable
[Huawei-GigabitEthernet0/0/0.2]ip ro
[Huawei-GigabitEthernet0/0/0.2]q
[Huawei]ip ro
[Huawei]ip route-s
[Huawei]ip route-static 202.10.10.0 24 12.1.1.2
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 12.1.1.1 24
[Huawei-GigabitEthernet0/0/1]undo sh
[Huawei-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[Huawei-GigabitEthernet0/0/1]
AR2 configuration
The device is running!
<Huawei>undo
<Huawei>undo
<Huawei>undo t
<Huawei>undo terminal m
<Huawei>undo terminal monitor
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]user-i
[Huawei]user-interface c
[Huawei]user-interface console 0
[Huawei-ui-console0]i
[Huawei-ui-console0]idle-timeout 0 0
[Huawei-ui-console0]q
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[Huawei-GigabitEthernet0/0/0]un
[Huawei-GigabitEthernet0/0/0]undo s
[Huawei-GigabitEthernet0/0/0]undo sh
[Huawei-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 202.10.10.2 24
[Huawei-GigabitEthernet0/0/1]undo s
[Huawei-GigabitEthernet0/0/1]undo sht
[Huawei-GigabitEthernet0/0/1]undo shut
[Huawei-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip rou
[Huawei]ip route-s
[Huawei]ip route-static 202.10.10.0 24 12.1.1.2
Error: The next-hop address is invalid.
[Huawei]
[Huawei]
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny tcp sour
[Huawei-acl-adv-3000]rule deny tcp source 192.168.10.10 0.0.0.0 destination 202.
10.10.100 0.0.0.0 destination-port eq 21
[Huawei-acl-adv-3000]rule permit tcp source any destination any destination-port
eq 21
[Huawei-acl-adv-3000]rule permit ip source any destination any
[Huawei-acl-adv-3000]
[Huawei-acl-adv-3000]q
[Huawei]int g0/0/0.1
[Huawei-GigabitEthernet0/0/0.1]traffic-filter inbound acl 3000
[Huawei-GigabitEthernet0/0/0.1]
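As an added example (not part of these notes or of the Huawei configuration above), the following Python models the processing principles from the section above and applies them to the acl 3000 entered on AR2: rules are tried top-down, the first match decides, and traffic matching no rule hits the implicit deny the notes describe. Packet, parse_rule, evaluate and MISORDERED are this example's own names; the three rule lines are copied from the transcript.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport")  # dport only matters for tcp/udp

def _addr(s):
    return int(ipaddress.IPv4Address(s))

def parse_rule(line):
    # One VRP "rule ..." line; only the keywords used in the transcript are handled.
    tok = line.split()
    rule = {"action": tok[1], "proto": tok[2], "src": None, "dst": None, "dport": None}
    i = 3
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            key = "src" if tok[i] == "source" else "dst"
            if tok[i + 1] == "any":
                i += 2
            else:  # (address, wildcard); wildcard 0.0.0.0 means exactly this host
                rule[key] = (_addr(tok[i + 1]), _addr(tok[i + 2]))
                i += 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            rule["dport"] = int(tok[i + 2])
            i += 3
        else:
            raise ValueError("unsupported token: " + tok[i])
    return rule

def _addr_match(addr, spec):
    if spec is None:  # "any"
        return True
    ip, wild = spec  # wildcard bits set to 1 are "don't care" bits
    return (_addr(addr) | wild) == (ip | wild)

def evaluate(rules, pkt):
    # Top-down: the first matching rule decides and later rules are never consulted.
    for r in rules:
        if (r["proto"] in ("ip", pkt.proto)
                and _addr_match(pkt.src, r["src"]) and _addr_match(pkt.dst, r["dst"])
                and r["dport"] in (None, pkt.dport)):
            return r["action"]
    return "deny"  # nothing matched: the implicit deny-all described in the notes

# The three rules entered under "acl 3000" on AR2 in the transcript above.
ACL_3000 = [parse_rule(l) for l in (
    "rule deny tcp source 192.168.10.10 0.0.0.0 destination 202.10.10.100 0.0.0.0 destination-port eq 21",
    "rule permit tcp source any destination any destination-port eq 21",
    "rule permit ip source any destination any",
)]
# Same rules with the broad permit first: the host-specific deny can never be reached.
MISORDERED = [ACL_3000[1], ACL_3000[0], ACL_3000[2]]
```

With the rules in the transcript's order, FTP (port 21) from 192.168.10.10 to 202.10.10.100 is denied while FTP from any other host and all other traffic is permitted; with MISORDERED the same FTP session is permitted, which is the ordering mistake the matching principles warn about.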
Conceptually, access control lists are not complicated; what is complicated is configuring and using them, and beginners often make mistakes when putting them into use.