ACL Access Filtering


Lab topology

Goal: only PC1 may reach router R3's remote access (telnet); router R4 must not be able to telnet to R3.

Configure OSPF between the four routers.


R4 router configuration

[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.2 24
[Huawei]ospf 1 
[Huawei-ospf-1]area 0 
[Huawei-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255

R1 router configuration

[Huawei]interface GigabitEthernet 0/0/0 	
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.254 24 
[Huawei]interface GigabitEthernet 0/0/1 
[Huawei-GigabitEthernet0/0/1]ip address 10.0.3.1 24 
[R1]ospf 1 
[R1-ospf-1]area 0 
[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255

R2 router configuration

[Huawei]interface GigabitEthernet 0/0/1 
[Huawei-GigabitEthernet0/0/1]ip address 10.0.3.2 24 
[Huawei]interface GigabitEthernet 0/0/0 
[Huawei-GigabitEthernet0/0/0]ip address 10.0.4.254 24
[R2]ospf 1 
[R2-ospf-1]area 0 
[R2-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255

R3 router configuration

[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 10.0.4.1 24
[R3]ospf 1
[R3-ospf-1]area  0 
[R3-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255
[R3]user-interface vty 0 4 
[R3-ui-vty0-4]set authentication password cipher huawei 
[R3-ui-vty0-4]user privilege level 3

Configure the ACL on R2

[R2]acl 3000
[R2-acl-adv-3000]rule 5 deny tcp source 192.168.1.2 0.0.0.0 destination 10.0.4.1 0.0.0.0 destination-port eq 23  // deny telnet (TCP port 23) from host 192.168.1.2 to 10.0.4.1
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000          // apply ACL 3000 to inbound traffic on the interface facing R1

===================================================================================================
Basic ACL commands:
[R2]acl 2000
[R2-acl-basic-2000]rule 5 deny source 192.168.1.2 0.0.0.0 // deny host 192.168.1.2 (wildcard 0.0.0.0 matches one address, not the whole 192.168.1.0 segment)
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 2000 // enable ACL 2000 inbound on G0/0/0

Advanced (extended) ACL commands:
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.2.2 0 destination 192.168.6.1 0 // deny 192.168.2.2 from reaching the server 192.168.6.1
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 3000 // enable ACL 3000 inbound on G0/0/2

R4 router test

<Huawei>telnet 10.0.4.1
  Press CTRL_] to quit telnet mode
  Trying 10.0.4.1 ...
  Error: Can't connect to the remote host
<Huawei>ping 10.0.4.1
  PING 10.0.4.1: 56  data bytes, press CTRL_C to break
    Reply from 10.0.4.1: bytes=56 Sequence=1 ttl=253 time=60 ms
    Reply from 10.0.4.1: bytes=56 Sequence=2 ttl=253 time=50 ms
    Reply from 10.0.4.1: bytes=56 Sequence=3 ttl=253 time=60 ms
    Reply from 10.0.4.1: bytes=56 Sequence=4 ttl=253 time=40 ms
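The test above shows exactly what the ACL on R2 is meant to do: R4's telnet to 10.0.4.1 is refused while ping still gets replies, because advanced ACL 3000 matches only TCP to port 23 and Huawei's traffic-filter permits everything the ACL does not match. The following Python model, added here as an illustration and not part of the original post or of any Huawei tool, parses the page's rule lines (the R2 rule in acl 3000 and the basic-ACL note in acl 2000), implements wildcard-mask matching, and evaluates sample packets; the host 192.168.1.3 used for the "other host" case is a constructed address, since the page does not give PC1's IP.

```python
import ipaddress

# Rule lines copied from the page, as typed in the ACL views on R2.
ACL_3000 = ["rule 5 deny tcp source 192.168.1.2 0.0.0.0 destination 10.0.4.1 0.0.0.0 destination-port eq 23"]
ACL_2000 = ["rule 5 deny source 192.168.1.2 0.0.0.0"]

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def parse_rule(line):
    """Parse the subset of 'rule <id> permit|deny [proto] ...' syntax used on the page."""
    toks = line.split()
    rule = {"id": int(toks[1]), "action": toks[2], "proto": "any"}
    i = 3
    if i < len(toks) and toks[i] not in ("source", "destination"):
        rule["proto"] = toks[i]          # basic ACL rules carry no protocol keyword
        i += 1
    while i < len(toks):
        if toks[i] in ("source", "destination"):
            rule[toks[i]] = (toks[i + 1], toks[i + 2])   # (address, wildcard)
            i += 3
        elif toks[i] == "destination-port" and toks[i + 1] == "eq":
            rule["dport"] = int(toks[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported token {toks[i]!r}")
    return rule

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'deny' or 'permit' for one packet; unmatched traffic is permitted by traffic-filter."""
    for rule in sorted(map(parse_rule, acl_lines), key=lambda r: r["id"]):
        if rule["proto"] not in ("any", "ip", proto):
            continue
        if "source" in rule and not wildcard_match(src, *rule["source"]):
            continue
        if "destination" in rule and not wildcard_match(dst, *rule["destination"]):
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        return rule["action"]
    return "permit"
```

Running `evaluate(ACL_3000, "tcp", "192.168.1.2", "10.0.4.1", 23)` gives `deny` while the ICMP case gives `permit`, matching the telnet failure and ping success seen on R4; the basic ACL 2000 blocks all traffic from that one host but not from its neighbours.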
posted @ 2021-08-11 21:40  isicman  views(169)  comments(0)