1.划分网段,配IP地址,启用OSPF协议:
AR1配置:
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.1.1.1 24
[R1-GigabitEthernet0/0/1]qu
[R1]ospf 100 router-id 1.1.1.1
[R1-ospf-100]area 0
[R1-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
AR2配置:
[Huawei]sys R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 23.1.1.1 24
[R2-GigabitEthernet0/0/1]qu
[R2]ospf 100 router-id 2.2.2.2
[R2-ospf-100]area 0
[R2-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
AR3配置:
[Huawei]sys R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 23.1.1.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 172.16.1.1 24
[R3-GigabitEthernet0/0/1]qu
[R3]ospf 100 router-id 3.3.3.3
[R3-ospf-100]ar 0
[R3-ospf-100-area-0.0.0.0]network 0.0.0.0 255.255.255.255
[R3]acl 2000 #acl配置
[R3-acl-basic-2000]rule deny source 192.168.1.2 0.0.0.0
[R3-acl-basic-2000]qu
[R3]int g0/0/1 #acl调用
[R3-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[R3-GigabitEthernet0/0/1]qu
[R3]dis acl all #查看acl
2. 基本ACL配置:
AR2:
[R2]acl 2000
[R2-acl-basic-2000]rule deny source 12.1.1.1 0.0.0.0
[R2-acl-basic-2000]qu
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[R2-GigabitEthernet0/0/1]undo traffic-filter outbound
AR3:
[R3]acl 2000
[R3-acl-basic-2000]rule deny source 192.168.1.2 0.0.0.0
[R3-acl-basic-2000]qu
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
[R3-GigabitEthernet0/0/0]undo traffic-filter outbound
[R3-GigabitEthernet0/0/0]qu
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
[R3-GigabitEthernet0/0/1]qu
[R3]dis acl all
Total quantity of nonempty ACL number is 1
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 deny source 192.168.1.2 0
[R3]undo acl 2000
[R3]q
terminal debugging
Info: Current terminal debugging is on.
debugging ip icmp
3. 高级ACL配置,使用位置:靠近源的接口
AR1:
[R1]acl 3000
[R1-acl-adv-3000]rule deny ip source 192.168.1.2 0.0.0.0 destination 172.16.1.2
0.0.0.0
[R1-acl-adv-3000]qu
[R1]int g0/0/0 #调用acl
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
AR2:
[R2]acl 3000
[R2-acl-adv-3000]rule deny icmp source 12.1.1.1 0.0.0.0 destination 23.1.1.2
0.0.0.0 #不让12.1.1.1,23.1.1.2互相访问
[R2-acl-adv-3000]q
[R2]int g0/0/1 #调用
[R2-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[R2-GigabitEthernet0/0/1]q
[R2]undo acl 3000
[R2]acl 3000
[R2-acl-adv-3000]rule 5 deny icmp source 23.1.1.2 0.0.0.0 destination 12.1.1.1
0.0.0.0 #流量可以从R1到R3,但不能回去
[R2-acl-adv-3000]qu
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
AR3:
terminal debugging #打开debugging
Info: Current terminal debugging is on.
debugging ip icmp
4. 远程登陆配置:
AR1:
[R1]int l0
[R1-LoopBack0]ip add 1.1.1.1 32
[R1]qu
telnet 23.1.1.2 #远程登陆R3
Press CTRL_] to quit telnet mode
Trying 23.1.1.2 ...
Connected to 23.1.1.2 ...
Login authentication
Password:
AR3:
[R3]user-interface vty 0 4 #配置远程登陆
[R3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):123
[R3-ui-vty0-4]user privilege level 15 #开启最高权限
或者使用用户名、密码远程登陆:
AR3:
[R3]aaa
[R3-aaa]local-user xx privilege level 15 password cipher yy
Info: Add a new user.
[R3-aaa]qu
[R3]user-interface vty 0 4 #调用
[R3-ui-vty0-4]authentication-mode aaa
在AR1上登陆AR3:
telnet 23.1.1.2
Press CTRL_] to quit telnet mode
Trying 23.1.1.2 ...
Connected to 23.1.1.2 ...
Login authentication
Username:xx
Password:
5. 干掉远程登陆,AR2:
[R2]acl 3000 #干掉远程登陆
[R2-acl-adv-3000]rule deny tcp source 12.1.1.1 0.0.0.0 destination 23.1.1.2 0.0.
0.0 destination-port eq telnet
[R2]int g0/0/0 #调用
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
AR1测试结果:
telnet 23.1.1.2
Press CTRL_] to quit telnet mode
Trying 23.1.1.2 ...
6. PC1 无法ping通PC2,但PC2可以pingPC1:
AR1:
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.2 0.0.0.0 destination 172.16.1.
2 0.0.0.0 icmp-type echo
[R1-acl-adv-3000]qu
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
PC1可以ping通PC2,但PC2不能pingPC1:
AR1:
[R1]acl 3000
[R1-acl-adv-3000]rule deny icmp source 192.168.1.2 0.0.0.0 destination 172.16.1.
2 0.0.0.0 icmp-type echo-reply
[R1-acl-adv-3000]qu
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Error: A simplified ACL has been applied in this view.
7. ACL的命名写法:
AR1:
[R1]acl name xx
[R1-acl-adv-xx]rule deny icmp source 1.1.1.1 0.0.0.0 destination 23.1.1.1 0.0.0
.0
[R1-acl-adv-xx]int g0/0/0 #调用
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl name xx