eNSP: ACL classification


ACL classification

1. Requirements

1. client1 can ping the server, but cannot telnet to it
2. client2 can telnet to the server, but cannot ping it
3. Use a single ACL


2. Analysis

Apply an advanced ACL on interface 0/0/0 of AR3 to control access, denying and permitting the corresponding packets. An advanced ACL is needed because the rules must match on protocol and destination port, not just on source address.

ping uses ICMP packets

telnet uses TCP packets (destination port 23)

Key configuration:

[Huawei-acl-adv-3100]rule deny tcp source 192.168.1.2 0 destination 12.1.1.2 0 destination-port eq 23
[Huawei-acl-adv-3100]rule permit icmp source 192.168.1.2 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule deny icmp source 192.168.1.3 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule permit tcp source 192.168.1.3 0 destination 12.1.1.2 0
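To make the matching semantics of these four rules concrete, here is an added Python model (not part of the original post, and a simulation rather than VRP code) that parses the rules above and evaluates packets the way the device does: first matching rule wins, a wildcard of `0` means an exact host match, and a packet that matches no rule falls through to the interface's default action. On VRP, traffic-filter forwards such packets, which is why hosts other than client1 and client2 are left unrestricted by this ACL.

```python
import ipaddress
import re

# Constructed copy of the post's four advanced-ACL rules (typo "permint" corrected).
ACL_3100 = """
rule deny tcp source 192.168.1.2 0 destination 12.1.1.2 0 destination-port eq 23
rule permit icmp source 192.168.1.2 0 destination 12.1.1.2 0
rule deny icmp source 192.168.1.3 0 destination 12.1.1.2 0
rule permit tcp source 192.168.1.3 0 destination 12.1.1.2 0
"""

RULE_RE = re.compile(
    r"rule (?P<action>permit|deny) (?P<proto>\w+)"
    r" source (?P<src>\S+) (?P<swc>\S+) destination (?P<dst>\S+) (?P<dwc>\S+)"
    r"(?: destination-port eq (?P<dport>\d+))?$")


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 0 bit must match exactly; a bare '0' is 0.0.0.0 (one host)."""
    if wildcard.isdigit():
        wildcard = str(ipaddress.IPv4Address(int(wildcard)))
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # bits the rule cares about
    return (a & care) == (b & care)


def parse_acl(text):
    """Return the rules in configuration order; order is the match priority."""
    matches = (RULE_RE.match(line.strip()) for line in text.strip().splitlines())
    return [m.groupdict() for m in matches if m]


def evaluate(rules, src, dst, proto, dport=None, default="permit"):
    """First matching rule decides. 'default' models traffic-filter's handling of
    packets that match no rule (VRP forwards them; this is not an implicit deny)."""
    for r in rules:
        if r["proto"] != proto:
            continue
        if not (wildcard_match(src, r["src"], r["swc"])
                and wildcard_match(dst, r["dst"], r["dwc"])):
            continue
        if r["dport"] is not None and str(dport) != r["dport"]:
            continue
        return r["action"]
    return default


if __name__ == "__main__":
    rules = parse_acl(ACL_3100)
    for host, proto, port in [("192.168.1.2", "icmp", None), ("192.168.1.2", "tcp", 23),
                              ("192.168.1.3", "icmp", None), ("192.168.1.3", "tcp", 23),
                              ("192.168.1.4", "tcp", 23)]:  # .4: a host the ACL never names
        print(host, proto, port, "->", evaluate(rules, host, "12.1.1.2", proto, port))
```

The last probe (a constructed third host, 192.168.1.4) shows the gap a reviewer would flag: nothing in ACL 3100 restricts it, so if the intent is "only these two clients, only these services", a final deny rule is still needed.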

3. Topology


4. Basic configuration

client1:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys client1
[client1]un in en
Info: Information center is disabled.
[client1]int g0/0/0
[client1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
# add a static route to the server network
[client1-GigabitEthernet0/0/0]q
[client1]ip route-static 12.1.1.0 255.255.255.0 192.168.1.1

client2:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys client2
[client2]un in en
Info: Information center is disabled.
[client2]int g0/0/0
[client2-GigabitEthernet0/0/0]ip add 192.168.1.3 24
# add a static route to the server network
[client2-GigabitEthernet0/0/0]q
[client2]ip route-static 12.1.1.0 255.255.255.0 192.168.1.1

AR1:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 12.1.1.1 24
[Huawei-GigabitEthernet0/0/1]q
# configure the ACL (rules are matched in order; the first matching rule wins)
[Huawei]acl 3100
[Huawei-acl-adv-3100]rule deny tcp source 192.168.1.2 0 destination 12.1.1.2 0 destination-port eq 23
[Huawei-acl-adv-3100]rule permit icmp source 192.168.1.2 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule deny icmp source 192.168.1.3 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule permit tcp source 192.168.1.3 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]q
# apply the ACL inbound on the interface facing the clients
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3100

telnet server:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 12.1.1.2 24
# add a static route back to the client network
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 192.168.1.0 255.255.255.0 12.1.1.1
# configure the telnet server
[Huawei]telnet server enable 
 Error: TELNET server has been enabled
[Huawei]user-interface vty 0 4 
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]q
[Huawei]aaa
[Huawei-aaa]local-user test password cipher 1234
[Huawei-aaa]local-user test privilege level 15
[Huawei-aaa]local-user test service-type telnet

5. Testing and verification

1. client1 can ping the server, but cannot telnet to it

<client1>ping 12.1.1.2
  PING 12.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 12.1.1.2: bytes=56 Sequence=1 ttl=254 time=50 ms
    Reply from 12.1.1.2: bytes=56 Sequence=2 ttl=254 time=40 ms
    Reply from 12.1.1.2: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 12.1.1.2: bytes=56 Sequence=4 ttl=254 time=50 ms
    Reply from 12.1.1.2: bytes=56 Sequence=5 ttl=254 time=40 ms

  --- 12.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/46/50 ms

<client1>telnet 12.1.1.2
  Press CTRL_] to quit telnet mode
  Trying 12.1.1.2 ...
  Error: Can't connect to the remote host
<client1>

2. client2 can telnet to the server, but cannot ping it

<client2>ping 12.1.1.2
  PING 12.1.1.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 12.1.1.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

<client2>telnet 12.1.1.2
  Press CTRL_] to quit telnet mode
  Trying 12.1.1.2 ...
  Connected to 12.1.1.2 ...

Login authentication


Username:test
Password:
<Huawei>