HCIA: ACL and Remote Login Lab

[Figure 1: HCIA ACL and remote login lab]

1. Plan the subnets, assign IP addresses, and enable OSPF:

AR1 configuration:
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.1.1.1 24
[R1-GigabitEthernet0/0/1]qu
[R1]ospf 100 router-id 1.1.1.1
[R1-ospf-100]area 0	
[R1-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
AR2 configuration:
[Huawei]sys R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 23.1.1.1 24
[R2-GigabitEthernet0/0/1]qu
[R2]ospf 100 router-id 2.2.2.2
[R2-ospf-100]area 0
[R2-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
AR3 configuration:
[Huawei]sys R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 23.1.1.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 172.16.1.1 24
[R3-GigabitEthernet0/0/1]qu
[R3]ospf 100 router-id 3.3.3.3
[R3-ospf-100]ar 0
[R3-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
[R3]acl 2000    # ACL configuration
[R3-acl-basic-2000]rule deny source 192.168.1.2 0.0.0.0
[R3-acl-basic-2000]qu
[R3]int g0/0/1    # apply the ACL
[R3-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[R3-GigabitEthernet0/0/1]qu
[R3]dis acl all   # view the ACL

2. Basic ACL configuration:

AR2:
[R2]acl 2000
[R2-acl-basic-2000]rule deny source 12.1.1.1 0.0.0.0
[R2-acl-basic-2000]qu
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[R2-GigabitEthernet0/0/1]undo traffic-filter outbound
AR3:
[R3]acl 2000
[R3-acl-basic-2000]rule deny source 192.168.1.2 0.0.0.0
[R3-acl-basic-2000]qu
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
[R3-GigabitEthernet0/0/0]undo traffic-filter outbound
[R3-GigabitEthernet0/0/0]qu
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[R3-GigabitEthernet0/0/1]qu
[R3]dis acl all
 Total quantity of nonempty ACL number is 1 

Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 deny source 192.168.1.2 0 

[R3]undo acl 2000
[R3]q
terminal debugging 
Info: Current terminal debugging is on.
debugging ip icmp 

3. Advanced ACL configuration (apply it on the interface closest to the source):

AR1:
[R1]acl 3000
[R1-acl-adv-3000]rule deny ip source 192.168.1.2 0.0.0.0 destination 172.16.1.2 0.0.0.0
[R1-acl-adv-3000]qu
[R1]int g0/0/0   # apply the ACL
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
AR2:
[R2]acl 3000
[R2-acl-adv-3000]rule deny icmp source 12.1.1.1 0.0.0.0 destination 23.1.1.2 0.0.0.0   # stop 12.1.1.1 and 23.1.1.2 from reaching each other
[R2-acl-adv-3000]q
[R2]int g0/0/1   # apply the ACL
[R2-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[R2-GigabitEthernet0/0/1]q
[R2]undo acl 3000

[R2]acl 3000 
[R2-acl-adv-3000]rule 5 deny icmp source 23.1.1.2 0.0.0.0 destination 12.1.1.1 0.0.0.0   # traffic can go from R1 to R3 but cannot come back
[R2-acl-adv-3000]qu
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
AR3:
terminal debugging    # turn on debugging
Info: Current terminal debugging is on.	
debugging ip icmp

4. Remote login configuration:

AR1:
[R1]int l0
[R1-LoopBack0]ip add 1.1.1.1 32

[R1]qu
telnet 23.1.1.2    # telnet to R3
  Press CTRL_] to quit telnet mode
  Trying 23.1.1.2 ...
  Connected to 23.1.1.2 ...

Login authentication


Password:
AR3:
[R3]user-interface vty 0 4    # configure remote login
[R3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):123
[R3-ui-vty0-4]user privilege level 15   # grant the highest privilege level

Or log in remotely with a username and password:

AR3:
[R3]aaa	
[R3-aaa]local-user xx privilege level 15 password cipher yy
Info: Add a new user.
[R3-aaa]qu
[R3]user-interface vty 0 4   # apply the AAA scheme
[R3-ui-vty0-4]authentication-mode aaa
Log in to AR3 from AR1:
telnet 23.1.1.2
  Press CTRL_] to quit telnet mode
  Trying 23.1.1.2 ...
  Connected to 23.1.1.2 ...

Login authentication

Username:xx
Password:

5. Block remote login, on AR2:

[R2]acl 3000   # block remote login
[R2-acl-adv-3000]rule deny tcp source 12.1.1.1 0.0.0.0 destination 23.1.1.2 0.0.0.0 destination-port eq telnet
[R2]int g0/0/0    # apply the ACL
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Test result on AR1:
telnet 23.1.1.2
  Press CTRL_] to quit telnet mode
  Trying 23.1.1.2 ...

6. PC1 cannot ping PC2, but PC2 can ping PC1:

AR1:
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.2 0.0.0.0 destination 172.16.1.2 0.0.0.0 icmp-type echo
[R1-acl-adv-3000]qu
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

PC1 can ping PC2, but PC2 cannot ping PC1:

AR1:
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.2 0.0.0.0 destination 172.16.1.2 0.0.0.0 icmp-type echo-reply
[R1-acl-adv-3000]qu
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Error: A simplified ACL has been applied in this view.
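The matching logic steps 5 and 6 rely on (wildcard masks where 0.0.0.0 means an exact host, protocol and destination-port qualifiers, icmp-type echo versus echo-reply, first match wins), as an added Python model that is not part of the original lab and not Huawei's code. The sample packets are constructed, and the final permit for packets that match no rule is an assumption about traffic-filter behaviour, not something this page states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
WILD_ANY = "0.0.0.0 255.255.255.255"  # Huawei "any": every wildcard bit set

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol, like the ip keyword
    src: str = WILD_ANY              # "<address> <wildcard>"; 0.0.0.0 wildcard = exact host
    dst: str = WILD_ANY
    dport: Optional[int] = None      # destination-port eq <n>
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"

def wildcard_match(addr: str, spec: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0 means the bit must match."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], rule.src) and wildcard_match(pkt["dst"], rule.dst)):
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return rule.icmp_type is None or pkt.get("icmp_type") == rule.icmp_type

def traffic_filter(rules: list, pkt: dict) -> str:
    for rule in rules:                # rules are checked in order; first match wins
        if matches(rule, pkt):
            return rule.action
    return "permit"                   # assumption: unmatched packets are permitted

# Step 6: deny only echo requests PC1 -> PC2 (inbound on R1 g0/0/0)
ACL_3000_R1 = [Rule("deny", "icmp", "192.168.1.2 0.0.0.0", "172.16.1.2 0.0.0.0", icmp_type="echo")]
# Step 5: deny only telnet 12.1.1.1 -> 23.1.1.2 (inbound on R2 g0/0/0)
ACL_3000_R2 = [Rule("deny", "tcp", "12.1.1.1 0.0.0.0", "23.1.1.2 0.0.0.0", dport=23)]

def demo() -> dict:
    """Constructed sample packets (not captured traffic) run through both ACLs."""
    echo = {"proto": "icmp", "src": "192.168.1.2", "dst": "172.16.1.2", "icmp_type": "echo"}
    reply = dict(echo, icmp_type="echo-reply")  # PC1 answering a ping from PC2
    telnet = {"proto": "tcp", "src": "12.1.1.1", "dst": "23.1.1.2", "dport": 23}
    ssh = dict(telnet, dport=22)                # same hosts, different service
    return {"pc1_echo_to_pc2": traffic_filter(ACL_3000_R1, echo),
            "pc1_reply_to_pc2": traffic_filter(ACL_3000_R1, reply),
            "r1_telnet_to_r3": traffic_filter(ACL_3000_R2, telnet),
            "r1_ssh_to_r3": traffic_filter(ACL_3000_R2, ssh)}
```

Because only echo requests are denied, PC1's replies to PC2's pings still pass, which is why PC2 can ping PC1 while PC1 cannot ping PC2.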

7. Named ACL syntax:

AR1:
[R1]acl name xx
[R1-acl-adv-xx]rule deny icmp source 1.1.1.1 0.0.0.0 destination 23.1.1.1 0.0.0.0
[R1-acl-adv-xx]int g0/0/0   # apply the ACL
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl name xx
