网络学习-eNSP配置ACL

news/2024/9/17 7:46:25/ 标签: 网络, 学习

在这里插入图片描述

AR1路由器配置

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.2.254 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.1.254 24
[Huawei-GigabitEthernet0/0/1]quit

ACL

分类            端口       参数
1.基本ACL    2000-2999    源IP地址
2.高级ACL    3000-3999    源IP地址、目的IP地址、端口、协议

基本ACL

#----------------------实验1----------------拒绝2.1客户端访问服务器
#定义ACL 端口号
[Huawei]acl 2000
#规则： rule deny|permit source ip 反掩码(0表示匹配，1表示非匹配)
#规则策略：匹配即停止，
[Huawei-acl-basic-2000]rule deny source 192.168.2.1 0.0.0.0
#查询定义的规则
[Huawei-acl-basic-2000]display this
[V200R003C00]
#
acl number 2000  rule 5 deny source 192.168.2.1 0 
#
return
[Huawei]interface gigabitethernet 0/0/0
#在入口方向激活acl规则
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 2000#----------------------实验2----------------只允许2.1客户端可以访问，其它客户端都不能访问
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule permit source 192.168.2.1 0
[Huawei-acl-basic-2000]rule deny source any
[Huawei-acl-basic-2000]display this
[V200R003C00]
#
acl number 2000  rule 5 permit source 192.168.2.1 0 rule 10 deny 
#
return
[Huawei-acl-basic-2000]quit
[Huawei]interface gigabitethernet 0/0/1
#清空以前gigabitethernet0/0/1上面的Acl规则
[Huawei-GigabitEthernet0/0/1]undo traffic-filter inbound
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 2000#-----清空所有ACL规则
[Huawei]undo acl allInfo: Now deleting all ACL configurations, please wait......
Deleting operation has finished!

高级ACL

#--------------实验1：通过高级acl限制相应终端不能访问服务器http服务
[Huawei]acl 3000
#定义高级acl规则，使用源地址，目的地址和目标端口进行更细粒度限制
[Huawei-acl-adv-3000]rule deny tcp source 192.168.2.2 0 destination 192.168.1.1 
0 destination-port eq 80
[Huawei-acl-adv-3000]quit
[Huawei]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]display this
[V200R003C00]
#
interface GigabitEthernet0/0/0ip address 192.168.2.254 255.255.255.0 traffic-filter inbound acl 2000
#
return
[Huawei-GigabitEthernet0/0/0]undo traffic-filter inbound
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000