|
|
今天主要说一下关于ACL的知识,初次接触,如有不足,请各位大神提出宝贵意见,谢谢。
**ACL:Access Control List 访问控制列表
-定义:是用来实现流量识别功能的。
-作用:网络设备为了对特定的报文进行操作,需要配置一系列的匹配规则,以识别 出特定的报文,然后根据预先设定的策略对该报文进行操作。(可以简单的 理解为匹配感兴趣的流量)
-实现:
1.制定规则
2.规定动作(允许/拒绝)
- 事件(例如:在某个端口下实施acl的配置内容) -类型:
--标准ACL/基本ACL
--扩展ACL/高级ACL
配置思路:
1.确保现有网络的连通性
2.查看现有的ACL
3.创建ACL
4.调用ACL
5.验证、测试、保存
下面为大家带来一个小小的拓扑实际性的操作一下
实验目的:PC1与PC3不通,但PC1和PC3都和PC2、PC4互通
实验拓扑:
地址规划:
设备IP地址及子网网关PC1192.168.10.1/24192.168.10.254PC2192.168.20.2/24192.168.20.254PC3192.168.30.3/24192.168.30.254PC4192.168.40.4/24192.168.40.254实验步骤:
1.配置设备IP地址
2.配置网关
R1:
<Huawei>system\进入系统视图
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1\修改名字
[R1]vlan batch 10 20 30 40 50\创建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[R1]interface Vlanif 10\进入虚拟端口
[R1-Vlanif10]undo shutdown \开启虚拟端口
Info: Interface Vlanif10 is not shutdown
[R1-Vlanif10]ip address 192.168.10.254 255.255.255.0\创建虚拟网关
[R1-Vlanif10]q\退出
[R1]interface Vlanif 20\进入虚拟端口
[R1-Vlanif20]undo shutdown \虚拟端口
Info: Interface Vlanif20 is not shutdown.
[R1-Vlanif20]ip address 192.168.20.254 255.255.255.0\创建虚拟网关
[R1-Vlanif20]q\退出
[R1]interface Vlanif 50\进入虚拟端口
[R1-Vlanif50]undo shutdown \开启端口
Info: Interface Vlanif50 is not shutdown.
[R1-Vlanif50]ip address 192.168.50.1 255.255.255.0\创建虚拟IP
[R1-Vlanif50]q\退出
[R1]interface GigabitEthernet 0/0/1\进入端口
[R1-GigabitEthernet0/0/1]port link-type trunk \配置链路模式trunk
[R1-GigabitEthernet0/0/1]port trunk allow-pass vlan all\允许所有vlan通过
[R1-GigabitEthernet0/0/1]q\退出
[R1]interface GigabitEthernet 0/0/2\进入端口
[R1-GigabitEthernet0/0/2]port link-type trunk \配置链路模式trunk
[R1-GigabitEthernet0/0/2]port trunk allow-pass vlan all\允许所有vlan通过
[R1-GigabitEthernet0/0/2]q\退出
R2:
<Huawei>system-view \进入到系统视图
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2\修改名字
[R2]vlan batch 10 20 30 40 50\创建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[R2]interface Vlanif 30\进入虚拟端口
[R2-Vlanif30]undo shutdown \开启虚拟端口
Info: Interface Vlanif30 is not shutdown.
[R2-Vlanif30]ip address 192.168.30.254 255.255.255.0\创建虚拟网关
[R2-Vlanif30]q\退出
[R2]interface Vlanif 40\进入虚拟端口
[R2-Vlanif40]undo shutdown \开启虚拟端口
Info: Interface Vlanif40 is not shutdown.
[R2-Vlanif40]ip address 192.168.40.254 255.255.255.0\创建虚拟网关
[R2-Vlanif40]q\退出
[R2]interface Vlanif 50\进入虚拟端口
[R2-Vlanif50]undo shutdown \开启虚拟端口
Info: Interface Vlanif50 is not shutdown.
[R2-Vlanif50]ip address 192.168.50.2 255.255.255.0\创建虚拟IP
[R2-Vlanif50]q\退出
[R2]interface GigabitEthernet 0/0/2\进入端口
[R2-GigabitEthernet0/0/2]port link-type trunk \配置链路方式trunk
[R2-GigabitEthernet0/0/2]port trunk allow-pass vlan all\允许所有vlan通过
[R2-GigabitEthernet0/0/2]q\退出
[R2]interface GigabitEthernet 0/0/1\进入端口
[R2-GigabitEthernet0/0/1]port link-type trunk \配置链路方式trunk
[R2-GigabitEthernet0/0/1]port trunk allow-pass vlan all\允许所有vlan通过
[R2-GigabitEthernet0/0/1]q\退出
3.配置交换机,创建vlan配置链路方式并将端口加入到vlan
sw1:
<Huawei>system-view\进入系统视图
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname sw1\修改名字
[ sw1]vlan batch 10 20 30 40 50\创建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[ sw1]interface GigabitEthernet 0/0/1进入端口
[ sw1-GigabitEthernet0/0/1]port link-type access \配置链路模式access
[ sw1-GigabitEthernet0/0/1]port default vlan 10\将端口加入VLAN
[ sw1-GigabitEthernet0/0/1]q\退出
[ sw1]interface GigabitEthernet 0/0/2 \进入端口
[ sw1-GigabitEthernet0/0/2]port link-type access \配置链路模式access
[ sw1-GigabitEthernet0/0/2]port default vlan 20\将端口加入VLAN
[ sw1-GigabitEthernet0/0/2]q\退出
[ sw1]interface GigabitEthernet 0/0/3 \进入端口
[ sw1-GigabitEthernet0/0/3]port link-type trunk \配置链路模式trunk
[ sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan all\允许所有vlan通过
[ sw1-GigabitEthernet0/0/3]q\退出
[ sw1]
sw2:
<Huawei>system-view \进入系统视图
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname sw2\修改名字
[sw2]vlan batch 10 20 30 40 50\创建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw2]interface GigabitEthernet 0/0/1\进入端口
[sw2-GigabitEthernet0/0/1]port link-type trunk \配置链路模式trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all\允许所有vlan通过
[sw2-GigabitEthernet0/0/1]q\退出
[sw2]interface GigabitEthernet 0/0/2 \进入端口
[sw2-GigabitEthernet0/0/2]port link-type access \配置链路模式access
[sw2-GigabitEthernet0/0/2]port default vlan 30\将端口加入vlan
[sw2-GigabitEthernet0/0/2]q\退出
[sw2]interface GigabitEthernet 0/0/3\进入端口
[sw2-GigabitEthernet0/0/3]port link-type access \配置链路模式access
[sw2-GigabitEthernet0/0/3]port default vlan 40\将端口加入vlan
[sw2-GigabitEthernet0/0/3]q\退出
[sw2]
4.配置rip保证全网互通
R1:
[R1]rip\配置rip协议
[R1-rip-1]version 2\选择版本2
[R1-rip-1]network 192.168.10.0\宣告网络范围
[R1-rip-1]network 192.168.20.0\宣告网络范围
[R1-rip-1]q\退出
[R1]
R2:
[R2]rip \配置rip协议
[R2-rip-1]version 2\选择版本2
[R2-rip-1]network 192.168.30.0\宣告网络范围
[R2-rip-1]network 192.168.40.0\宣告网络范围
[R2-rip-1]q\退出
此时,验证一下是否全网互通,以PC1为例:
5.创建ACL
创建acl可以在任何一个接口,在本次试验中是让PC1和PC3不通,其他网络互通,所以我选择在R2创建ACL,如下:
[R2]acl name denypc1-3 \创建acl并命名
[R2-acl-adv-denypc1-3]rule deny ip source 192.168.10.1 0.0.0.0 destination 192.1
68.30.3 0.0.0.0\规定动作确定源和目标
[R2-acl-adv-denypc1-3]q\退出
6.调用ACL
[R2]interface GigabitEthernet 0/0/2\进入端口
[R2-GigabitEthernet0/0/2]traffic-filter outbound acl name denypc1-3\调用Acl
[R2-GigabitEthernet0/0/2]q\退出
7.验证、测试、保存
验证:
测试:
PC1:
测试与PC2连通性:
测试与PC4连通性:
测试与PC3连通性:
PC3:
测试与PC2连通性:
测试与PC4连通性:
测试与PC1连通性:
实验完成,完成实验目的。
注意:
ACL对设备本身发起的流量,是不起作用的。
ACL对设备的穿越流量,是起作用的。
操作比较简单,我尽可能把每一步的步骤操作介绍清楚,希望大家可以理解。 |
|
|
|
|
|
|
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-7-22 14:15:28
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡