admin posted on 2021-12-3 23:56:53

H3CNE 25: Configuring an advanced ACL for packet filtering

Lab requirements: deny communication between PC1 and PC2, including PC2's whole subnet; allow PC1 to communicate with PC3; enable the Telnet service on R1 so that PC2 may log in but PC3 is refused.

R1 basic configuration:

<H3C>system-view
sysname r1
interface gigabitethernet 0/0
ip address 192.168.10.1 24
interface gigabitethernet 0/1
ip address 10.10.12.1 24
quit

Configure the Telnet service:

telnet server enable                              // enable the Telnet service
user-interface vty 0 63                           // VTY user view
authentication-mode scheme                        // authentication mode scheme (AAA)
quit
local-user zurkj                                  // create the user
password simple Aa123456789                       // set the password
service-type telnet                               // service type: telnet
authorization-attribute user-role network-admin   // authorization attribute: role network-admin (privilege level 15)
quit

Configure static routes:

ip route-static 192.168.20.0 255.255.255.0 10.10.12.2   // route to PC2's subnet via R2
ip route-static 192.168.30.0 255.255.255.0 10.10.12.2   // route to PC3's subnet via R2

Configure the advanced ACLs:

acl number 3000                                   // create ACL 3000
step 20                                           // rule numbering step of 20
description deny pc1-pc2                          // ACL description
rule deny ip source 192.168.10.100 0.0.0.0 destination 192.168.20.0 0.0.0.255   // deny the source IP from reaching the destination subnet
quit
acl number 3001
description permit telnet pc2-pc1
step 20
rule 0 permit tcp source 192.168.20.100 0 destination-port eq 23   // permit TCP from this source to destination port 23 (Telnet port = 23)
rule 20 deny tcp source any destination-port eq 23                 // deny TCP from any source to destination port 23
quit

Apply the ACLs on the interface:

interface gigabitethernet 0/1
packet-filter 3000 outbound                       // apply ACL 3000 in the outbound direction
packet-filter 3001 inbound                        // apply ACL 3001 in the inbound direction
quit

A brief note on direction: the rule in ACL 3000 targets PC1, denying it access to PC2 and PC2's subnet, so the traffic enters R1 on G0/1 and leaves on G0/0; applying ACL 3000 in the outbound direction of G0/0 therefore filters those packets. The rule in ACL 3001 concerns Telnet from PC2 to R1 being unreachable; from the point of view of R1 as the Telnet server this is inbound traffic, so applying the ACL in the inbound direction of R1's G0/0 achieves it.

R2 configuration:

<H3C>system-view
sysname r2
interface gigabitethernet 0/0
ip address 10.10.12.2 24
interface gigabitethernet 0/1
ip address 192.168.20.1 24
interface gigabitethernet 0/2
ip address 192.168.30.1 24
quit
ip route-static 192.168.10.0 255.255.255.0 10.10.12.1

Verification:

<PC1>ping 192.168.20.100
Ping 192.168.20.100 (192.168.20.100): 56 data bytes, press CTRL_C to break
Request time out
--- Ping statistics for 192.168.20.100 ---
PC1 cannot communicate with PC2 or PC2's subnet.

<H3C>ping 192.168.30.100
Ping 192.168.30.100 (192.168.30.100): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.30.100: icmp_seq=0 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=4 ttl=253 time=2.000 ms
--- Ping statistics for 192.168.30.100 ---
PC1 communicates with PC3 successfully.

<PC2>telnet 10.10.12.1
Trying 10.10.12.1 ...
Press CTRL+K to abort
Connected to 10.10.12.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Login: zurkj
Password:
<r1>
PC2 telnets to R1 successfully.

<PC3>telnet 10.10.12.1
Trying 10.10.12.1 ...
Press CTRL+K to abort
Connected to 10.10.12.1 ...
PC3's Telnet to R1 fails.

Lab complete!
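As an added illustration that is not part of the original post, the Python model below evaluates the two ACLs from the lab the way an H3C packet-filter does: rules are checked in numbered order, the first match decides, and a packet matching no rule is permitted by default (Comware's default unless "packet-filter default deny" is configured). It replays the lab's four verification flows and, beyond the lab, shows that the deny in ACL 3000 covers only PC1 itself and that ACL 3001 leaves non-Telnet TCP to R1 untouched; the host 192.168.10.101 is a constructed sample address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str               # "icmp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None
@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: str = "any"         # "address wildcard" or "any"
    dst: str = "any"
    dport: Optional[int] = None   # destination-port eq N

def _match_addr(spec: str, addr: str) -> bool:
    # Wildcard-mask semantics: a 1 bit means "don't care", a 0 bit must match.
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def _match(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto) and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def packet_filter(rules: List[Rule], pkt: Packet, default: str = "permit") -> str:
    # First matching rule decides. Comware's packet-filter permits packets that match
    # no rule unless "packet-filter default deny" is configured, hence default="permit".
    for rule in rules:
        if _match(rule, pkt):
            return rule.action
    return default

# The two ACLs from the lab, rules in numbered order; the "0" wildcard written out as 0.0.0.0.
ACL_3000 = [Rule("deny", "ip", "192.168.10.100 0.0.0.0", "192.168.20.0 0.0.0.255")]
ACL_3001 = [Rule("permit", "tcp", "192.168.20.100 0.0.0.0", dport=23),
            Rule("deny", "tcp", "any", dport=23)]
PC1, PC2, PC3, R1 = "192.168.10.100", "192.168.20.100", "192.168.30.100", "10.10.12.1"

def lab_results() -> dict:
    # Constructed flows: the lab's four checks plus two the lab does not test.
    return {"pc1_ping_pc2": packet_filter(ACL_3000, Packet("icmp", PC1, PC2)),
            "pc1_ping_pc3": packet_filter(ACL_3000, Packet("icmp", PC1, PC3)),
            "pc2_telnet_r1": packet_filter(ACL_3001, Packet("tcp", PC2, R1, 23)),
            "pc3_telnet_r1": packet_filter(ACL_3001, Packet("tcp", PC3, R1, 23)),
            "pc1_neighbor_ping_pc2": packet_filter(ACL_3000, Packet("icmp", "192.168.10.101", PC2)),
            "pc3_ssh_r1": packet_filter(ACL_3001, Packet("tcp", PC3, R1, 22))}
```

The last two results show why a host-specific deny such as ACL 3000's rule gives no protection for the rest of the 192.168.10.0/24 segment, and why ACL 3001 must be read as "Telnet only" rather than as a general management-plane filter.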