访问控制列表(Access Control List,ACL) 是路由器和交换机接口的指令列表,用来控制端口进出的数据包。ACL适用于所有的被路由协议,如IP、IPX、AppleTalk等。本次实验主要配置基本的ACL控制
工具/原料
方法/步骤
1一、搭建本次实验环境的拓扑本次环境下的五台路由器模拟总部与分部,SW1、SW2仅做透明转发工作,不配置任何信息
2二、配置本次实验的设备接口信息[Huawei]sysname R1 [R1]interface GigabitEthernet 0/0/0 [R1-GigabitEthernet0/0/0]ip address 10.0.0.1 24 [R1-GigabitEthernet0/0/0]interface Serial 3/0/0 [R1-GigabitEthernet0/0/1]ip add 10.0.12.1 24[Huawei]sysname R2 [R2]interface GigabitEthernet 0/0/0 [R2-GigabitEthernet0/0/0]ip address 10.0.0.2 24 [R2-GigabitEthernet0/0/0]quit [R2]ip route-static 0.0.0.0 0 10.0.0.1 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R3 [R3]interface GigabitEthernet 0/0/0 [R3-GigabitEthernet0/0/0]ip address 10.0.0.6 24 [R3-GigabitEthernet0/0/0]quit [R3]ip route-static 0.0.0.0 0 10.0.0.1 system-view Enter system view, return user view with Ctrl+Z.[Huawei]sysname R4 [R4]inter g0/0/1 [R4-GigabitEthernet0/0/1]ip address 10.0.24.4 24 [R4-GigabitEthernet0/0/1]interface Serial 1/0/0 [[R4-GigabitEthernet0/0/0]ip add 10.0.12.4 24[Huawei]sysname R5 [R5]interface GigabitEthernet 0/0/0 [R5-GigabitEthernet0/0/0]ip address 10.0.0.8 24 [R5-GigabitEthernet0/0/0]quit [R5]ip route-static 0.0.0.0 0 10.0.0.1 system-view Enter system view, return user view with Ctrl+Z. [Quidway]sysname SW3[SW3]interface Vlanif 1 [SW3-Vlanif1]ip address 10.0.24.1 24 [SW3-Vlanif1]quit [SW3]ip route-static 0.0.0.0 0 10.0.24.4
3三、配置好接口信息后,测试各个网段的连通性ping -c 1 10.0.12.4 PING 10.0.12.4: 56 data bytes, press CTRL_C to break Reply from 10.0.12.4: bytes=56 Sequence=1 ttl=255 time=130 ms --- 10.0.12.4 ping statistics --- 1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 130/130/130 msping 10.0.24.1 PING 10.0.24.1: 56 data bytes, press CTRL_C to break Request time out Request time out此时没有配置路由协议,各个不同网段无法互通
4四、配置OSPF实现网络互通[R1]ospf 1 router-id 10.0.12.1 [R1-ospf-1]area 0 [R1-ospf-1-area-0.0.0.0]network 10.0.12.1 0.0.0.0 [R1-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0 [R4]ospf 1 router-id 10.0.12.4[R4-ospf-1]area 0 [R4-ospf-1-area-0.0.0.0]network 10.0.12.4 0.0.0.0 [R4-ospf-1-area-0.0.0.0]network 10.0.24.4 0.0.0.0
5五、检查此时的网络连通性[R1]ping -c 2 10.0.24.1 PING 10.0.24.1: 56 data bytes, press CTRL_C to break Reply from 10.0.24.1: bytes=56 Sequence=1 ttl=254 time=50 ms Reply from 10.0.24.1: bytes=56 Sequence=2 ttl=254 time=50 ms --- 10.0.24.1 ping statistics --- 2 packet(s) transmitted 2 packet(s) received 0.00% packet loss round-trip min/avg/max = 50/50/50 ms[SW3]ping -c 2 10.0.0.6 PING 10.0.0.6: 56 data bytes, press CTRL_C to break Reply from 10.0.0.6: bytes=56 Sequence=1 ttl=253 time=110 ms Reply from 10.0.0.6: bytes=56 Sequence=2 ttl=253 time=110 ms --- 10.0.0.6 ping statistics --- 2 packet(s) transmitted 2 packet(s) received 0.00% packet loss round-trip min/avg/max = 110/110/110 ms
6六、配置基本ACL的条目阻止10.0.0.0段访问S1[R4]acl 2000 [R4-acl-basic-2000]rule deny source 10.0.0.0 0.0.0.255 [R4-acl-basic-2000]rule permit source any此时阻止R2、R3、R5访问S1
7七、配置outside、inside并设置优先级[R4]firewall zone outside [R4-zone-outside]priority 1 [R4-zone-outside]quit [R4]firewall zone inside [R4-zone-inside]priority 10
8八、将接口加入区域内,配置ACL的包过滤[R4-GigabitEthernet0/0/0]zone outside[R4-GigabitEthernet0/0/1]zone inside[R4]firewall interzone inside outside [R4-interzone-inside-outside]packet-filter 2000 inbound [R4-interzone-inside-outside]firewall enable
9九、验证此时的ACL的作用ping 10.0.24.1 PING 10.0.24.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.0.24.1 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet lossping 10.0.0.6 PING 10.0.0.6: 56 data bytes, press CTRL_C to break Reply from 10.0.0.6: bytes=56 Sequence=1 ttl=253 time=140 ms Reply from 10.0.0.6: bytes=56 Sequence=2 ttl=253 time=80 ms Reply from 10.0.0.6: bytes=56 Sequence=3 ttl=253 time=80 ms Reply from 10.0.0.6: bytes=56 Sequence=4 ttl=253 time=100 ms Reply from 10.0.0.6: bytes=56 Sequence=5 ttl=253 time=90 ms --- 10.0.0.6 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 80/98/140 ms策略生效后S1能访问到R2、R3、R5,而R2、R3、R5无法访问S1
注意事项
