ACL Classification
Contents
- ACL Classification
- I. Requirements
- II. Analysis
- III. Topology
- IV. Basic configuration
- V. Testing and verification
I. Requirements
1. client1 can ping the server but cannot telnet to it
2. client2 can telnet to the server but cannot ping it
3. Use a single ACL
II. Analysis
Use an advanced ACL on interface 0/0/0 of AR3 to filter traffic, denying and permitting the corresponding packets.
ping uses ICMP packets
telnet uses TCP packets
Key commands:
[Huawei-acl-adv-3100]rule deny tcp source 192.168.1.2 0 destination 12.1.1.2 0 destination-port eq 23
[Huawei-acl-adv-3100]rule permit icmp source 192.168.1.2 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule deny icmp source 192.168.1.3 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule permit tcp source 192.168.1.3 0 destination 12.1.1.2 0
III. Topology
IV. Basic configuration
client1:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys client1
[client1]un in en
Info: Information center is disabled.
[client1]int g0/0/0
[client1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
# Add a static route
[client1-GigabitEthernet0/0/0]q
[client1]ip route-static 12.1.1.0 255.255.255.0 192.168.1.1
client2:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys client2
[client2]un in en
Info: Information center is disabled.
[client2]int g0/0/0
[client2-GigabitEthernet0/0/0]ip add 192.168.1.3 24
# Add a static route
[client2-GigabitEthernet0/0/0]q
[client2]ip route-static 12.1.1.0 255.255.255.0 192.168.1.1
AR1:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 12.1.1.1 24
# Configure the ACL
[Huawei]acl 3100
[Huawei-acl-adv-3100]rule deny tcp source 192.168.1.2 0 destination 12.1.1.2 0 destination-port eq 23
[Huawei-acl-adv-3100]rule permit icmp source 192.168.1.2 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule deny icmp source 192.168.1.3 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]rule permit tcp source 192.168.1.3 0 destination 12.1.1.2 0
[Huawei-acl-adv-3100]q
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3100
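To make the rule semantics from the analysis and the AR1 configuration concrete, here is an added Python model (not part of the original post and not Huawei code) of how acl 3100 evaluates the lab's traffic: Huawei wildcard masks (a set bit means "ignore", so `0` is an exact host), first-match rule order, and the implicit permit that traffic-filter applies to packets matching no rule. The addresses, ports and rule order are the ones configured above; the extra TCP/80 case is constructed to show the fall-through.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "tcp" or "icmp"
    src: str         # source address as typed on the CLI
    src_wild: str    # wildcard; "0" is the CLI shorthand for 0.0.0.0 (exact host)
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # "destination-port eq N"; None matches any port

def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard: a set bit means 'ignore this bit', so 0.0.0.0 is an exact match."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl: list, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """First matching rule wins. A packet that matches no rule is permitted,
    which is how traffic-filter treats unmatched traffic on Huawei VRP."""
    for r in acl:
        if (r.proto == proto
                and _wildcard_match(src, r.src, r.src_wild)
                and _wildcard_match(dst, r.dst, r.dst_wild)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "permit"

# acl 3100 as the page configures it, in rule order.
ACL_3100 = [
    Rule("deny",   "tcp",  "192.168.1.2", "0", "12.1.1.2", "0", 23),
    Rule("permit", "icmp", "192.168.1.2", "0", "12.1.1.2", "0"),
    Rule("deny",   "icmp", "192.168.1.3", "0", "12.1.1.2", "0"),
    Rule("permit", "tcp",  "192.168.1.3", "0", "12.1.1.2", "0"),
]

def check_requirements(acl: list = ACL_3100) -> dict:
    """Replay the lab's test cases: ping is ICMP, telnet is TCP to port 23.
    The last case (constructed) matches no rule and falls through to permit."""
    return {
        "client1 ping":   evaluate(acl, "icmp", "192.168.1.2", "12.1.1.2"),
        "client1 telnet": evaluate(acl, "tcp",  "192.168.1.2", "12.1.1.2", 23),
        "client2 ping":   evaluate(acl, "icmp", "192.168.1.3", "12.1.1.2"),
        "client2 telnet": evaluate(acl, "tcp",  "192.168.1.3", "12.1.1.2", 23),
        "client1 tcp/80": evaluate(acl, "tcp",  "192.168.1.2", "12.1.1.2", 80),
    }
```

Swapping the order of the first two rules would not change these verdicts here, but reordering a deny behind a broader permit would, which is why the page's rule order is preserved above.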
telnet server:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 12.1.1.2 24
# Add a static route
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 192.168.1.0 255.255.255.0 12.1.1.1
# Configure the telnet server
[Huawei]telnet server enable
Error: TELNET server has been enabled
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]q
[Huawei]aaa
[Huawei-aaa]local-user test password cipher 1234
[Huawei-aaa]local-user test privilege level 15
[Huawei-aaa]local-user test service-type telnet
V. Testing and verification
1. client1 can ping the server but cannot telnet to it
<client1>ping 12.1.1.2
PING 12.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 12.1.1.2: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 12.1.1.2: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 12.1.1.2: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 12.1.1.2: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 12.1.1.2: bytes=56 Sequence=5 ttl=254 time=40 ms
--- 12.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/46/50 ms
<client1>telnet 12.1.1.2
Press CTRL_] to quit telnet mode
Trying 12.1.1.2 ...
Error: Can't connect to the remote host
<client1>
2. client2 can telnet to the server but cannot ping it
<client2>ping 12.1.1.2
PING 12.1.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 12.1.1.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<client2>telnet 12.1.1.2
Press CTRL_] to quit telnet mode
Trying 12.1.1.2 ...
Connected to 12.1.1.2 ...
Login authentication
Username:test
Password:
<Huawei>