I. ACL functions and characteristics
1. Functions
Apply a policy to routes of interest (control plane)
Apply a policy to traffic of interest (data plane)
2. Characteristics
(1) Rules are matched top-down (executed in ascending order of rule number); on the first match the action is taken immediately
(2) An ACL is applied in one of two directions: in (traffic entering the router), where the ACL is matched first and the routing table is consulted afterwards; out (traffic leaving the router), where the routing lookup happens first and the ACL is matched afterwards.
(3) ACLs are divided into standard (basic) ACLs and extended (advanced) ACLs
(4) On Huawei devices, if no rule in an ACL matches, the device behaves as if the ACL did not exist, so the policy must state explicitly whether to deny or permit
II. ACL types
1. Basic ACL:
Matches on the source IP address only: if the source IP falls within an ACL entry, the corresponding rule is applied. Place it as close as possible to the destination router, to avoid unintentionally blocking traffic on other paths.
2. Advanced ACL:
Matches on source IP address, destination IP address and protocol type; place it as close as possible to the source (an ACL cannot filter traffic generated by the device itself, so it cannot be placed on the source device)
III. Configuration demo
1. Basic ACL:
Goal: AR1's Loopback0 cannot ping AR4's loopback, but AR1's Loopback1 and its outgoing interface G0/0/0 can
(1) Create the ACL, define its rules, and apply it
[r4]acl 2000
#INTEGER<2000-2999> basic ACL
#INTEGER<3000-3999> advanced ACL
[r4-acl-basic-2000]rule deny source 1.1.1.0 0.0.0.255 #specify the source IP
The parameter following the source IP is a wildcard mask: a 0 bit must match exactly, a 1 bit may vary; permit allows the traffic, deny rejects it
[r4]interface GigabitEthernet 0/0/1
[r4-GigabitEthernet0/0/1]traffic-filter inbound acl 2000 #apply the ACL
#inbound is the in direction, outbound is the out direction
(2) Verify and test
[r4]display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 deny source 1.1.1.0 0.0.0.255 (3 matches)
[r1]ping -a 1.1.1.1 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
--- 4.4.4.4 ping statistics ---
3 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[r1]ping -a 1.1.2.1 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=50 ms
--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/44/50 ms
[r1]ping 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=50 ms
Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=30 ms
Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=30 ms
Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=30 ms
Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=40 ms
--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/36/50 ms
2. Advanced ACL:
Goal: AR1's Loopback0 cannot ping AR4's Loopback0 but can telnet to it; AR1's Loopback1 can ping AR4's Loopback0 but cannot telnet to it
(1) Enable telnet on AR4
[r4]user-interface vty 0 4
[r4-ui-vty0-4]set authentication password cipher hw
[r4-ui-vty0-4]q
(2) Configure the advanced ACL on AR2 (close to the source, but not on the source device itself) and apply it
[r2]acl 3000
[r2-acl-adv-3000]rule deny icmp source 1.1.1.0 0.0.0.255 destination 4.4.4.4 0.0.0.0 icmp-type echo
[r2-acl-adv-3000]rule deny tcp source 1.1.2.0 0.0.0.255 destination 4.4.4.4 0.0.0.0 destination-port eq 23
[r2-acl-adv-3000]q
[r2]display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 deny icmp source 1.1.1.0 0.0.0.255 destination 4.4.4.4 0 icmp-type echo
rule 10 deny tcp source 1.1.2.0 0.0.0.255 destination 4.4.4.4 0 destination-port eq telnet
[r2]interface GigabitEthernet 0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
(3) Test
[r1]ping -a 1.1.1.1 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[r1]ping -a 1.1.2.1 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=30 ms
Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=30 ms
--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/36/40 ms
[r1]q
<r1>telne
<r1>telnet -a 1.1.1.1 4.4.4.4
Press CTRL_] to quit telnet mode
Trying 4.4.4.4 ...
Connected to 4.4.4.4 ...
Login authentication
Password:
<r4>q
Configuration console exit, please retry to log on
The connection was closed by the remote host
<r1>telnet -a 1.1.2.1 4.4.4.
Press CTRL_] to quit telnet mode
Trying 4.4.4.4 ...
Error: Can't connect to the remote host
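To make the matching behaviour described in sections I and III concrete (top-down first match, wildcard-mask semantics, and "no match means the ACL does not exist"), the following Python model is added here; it is not part of the original notes nor any Huawei software. It transcribes acl 2000 and acl 3000 from the demo above as rule lists; the packet dictionaries and the helper names (Rule, evaluate, ping, telnet) are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # all-ones wildcard: matches every address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must be equal
    return a & care == b & care

@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: Tuple[str, str] = ANY        # (address, wildcard)
    dst: Tuple[str, str] = ANY        # only an advanced ACL constrains this
    proto: Optional[str] = None       # None = any protocol (basic ACL)
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # e.g. "echo"

    def matches(self, pkt: dict) -> bool:
        checks = [
            wildcard_match(pkt["src"], *self.src),
            wildcard_match(pkt["dst"], *self.dst),
            self.proto is None or pkt.get("proto") == self.proto,
            self.dport is None or pkt.get("dport") == self.dport,
            self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type,
        ]
        return all(checks)

def evaluate(rules, pkt: dict) -> str:
    """Top-down, first match wins; no match = as if no ACL existed (forward)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "permit"

# The two ACLs from the demo, transcribed as rule lists (constructed sample data)
ACL_2000 = [Rule("deny", src=("1.1.1.0", "0.0.0.255"))]
ACL_3000 = [
    Rule("deny", src=("1.1.1.0", "0.0.0.255"), dst=("4.4.4.4", "0.0.0.0"),
         proto="icmp", icmp_type="echo"),
    Rule("deny", src=("1.1.2.0", "0.0.0.255"), dst=("4.4.4.4", "0.0.0.0"),
         proto="tcp", dport=23),
]

# Constructed packets standing in for the ping / telnet tests in the demo
def ping(src):   return {"src": src, "dst": "4.4.4.4", "proto": "icmp", "icmp_type": "echo"}
def telnet(src): return {"src": src, "dst": "4.4.4.4", "proto": "tcp", "dport": 23}
```

Running evaluate(ACL_3000, ping("1.1.1.1")) and evaluate(ACL_3000, telnet("1.1.2.1")) gives "deny", while the other two source/service combinations fall through to the implicit "permit", matching the test output above.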