25 Configuring an Advanced ACL for Packet Filtering

Lab requirements: deny communication between PC1 and PC2 (and PC2's whole subnet); allow PC1 to communicate with PC3; enable the Telnet service on R1, allowing PC2 to log in but denying PC3.

R1 basic configuration

<H3C>system-view
[H3C]sysname r1
[r1]interface gigabitethernet 0/0
[r1-GigabitEthernet0/0]ip address 192.168.10.1 24
[r1-GigabitEthernet0/0]interface gigabitethernet 0/1
[r1-GigabitEthernet0/1]ip address 10.10.12.1 24
[r1-GigabitEthernet0/1]quit

Configure the Telnet service

[r1]telnet server enable //enable the Telnet server
[r1]user-interface vty 0 63 //VTY user lines 0 to 63
[r1-line-vty0-63]authentication-mode scheme //authenticate through an AAA scheme
[r1-line-vty0-63]quit
[r1]local-user zurkj //create the local user
[r1-luser-manage-zurkj]password simple Aa123456789 //set the password
[r1-luser-manage-zurkj]service-type telnet //service type: telnet
[r1-luser-manage-zurkj]authorization-attribute user-role network-admin //authorization attribute: role network-admin (privilege level 15)
[r1-luser-manage-zurkj]quit

Configure static routes

[r1]ip route-static 192.168.20.0 255.255.255.0 10.10.12.2 //static route to PC2's subnet via R2
[r1]ip route-static 192.168.30.0 255.255.255.0 10.10.12.2 //static route to PC3's subnet via R2

Configure the advanced ACLs

[r1]acl number 3000 //create ACL 3000
[r1-acl-ipv4-adv-3000]step 20 //rule numbering step of 20
[r1-acl-ipv4-adv-3000]description deny pc1-pc2 //ACL description
[r1-acl-ipv4-adv-3000]rule deny ip source 192.168.10.100 0.0.0.0 destination 192.168.20.0 0.0.0.255 //deny IP traffic from the source host to the destination subnet
[r1-acl-ipv4-adv-3000]quit
[r1]acl number 3001
[r1-acl-ipv4-adv-3001]description permit telnet pc2-pc1
[r1-acl-ipv4-adv-3001]step 20
[r1-acl-ipv4-adv-3001]rule 0 permit tcp source 192.168.20.100 0 destination-port eq 23 //permit TCP from this source to destination port 23 (Telnet)
[r1-acl-ipv4-adv-3001]rule 20 deny tcp source any destination-port eq 23 //deny TCP from any other source to destination port 23
[r1-acl-ipv4-adv-3001]quit

Apply the ACLs on the interface

[r1]interface gigabitethernet 0/1
[r1-GigabitEthernet0/1]packet-filter 3000 outbound //apply ACL 3000 in the outbound direction
[r1-GigabitEthernet0/1]packet-filter 3001 inbound //apply ACL 3001 in the inbound direction
[r1-GigabitEthernet0/1]quit

A brief note on direction: ACL 3000 targets PC1's traffic to PC2 and PC2's subnet. That traffic enters R1 on G0/0 and leaves R1 on G0/1 toward R2, so applying ACL 3000 in the outbound direction of G0/1 (as configured above) filters it. Packets that match no rule are still permitted by the packet filter, which is why PC1's traffic to PC3 passes.

ACL 3001 controls who may Telnet to R1: PC2 is permitted, and every other source (including PC3) is denied. Both PC2 and PC3 reach R1 through R2, so from the point of view of R1's Telnet server these sessions arrive inbound on G0/1; applying ACL 3001 in the inbound direction of G0/1 (as configured above) enforces the requirement.

R2

<H3C>system-view
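To make the rule-matching and direction logic above concrete, here is an added Python model of how R1's packet filter evaluates the two ACLs. It is not part of the original lab and not H3C code; the Rule, Packet and filter_packet names are this example's own. It implements wildcard-mask matching (0 bits must match, 1 bits are "don't care"), first-match rule order, and the packet filter's default of permitting packets that match no rule (the behaviour the PC1-to-PC3 ping depends on; Comware can switch it with packet-filter default deny). It replays the lab's four checks and adds two the lab does not run: a Telnet session transiting R1 toward PC1, which rule 20 also drops because it names no destination address, and a non-Telnet TCP connection, which falls through to the default permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of an H3C-style advanced ACL (example code, not Comware).

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "icmp" or "tcp" in this model
    dport: Optional[int] = None    # TCP destination port, if any


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # "source any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # no destination given = any
    dport: Optional[int] = None       # "destination-port eq N"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins; unmatched packets get the packet-filter default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The lab's two ACLs, transcribed rule for rule.
ACL_3000 = [
    Rule("deny", "ip", src="192.168.10.100", src_wc="0.0.0.0",
         dst="192.168.20.0", dst_wc="0.0.0.255"),
]
ACL_3001 = [
    Rule("permit", "tcp", src="192.168.20.100", src_wc="0.0.0.0", dport=23),
    Rule("deny", "tcp", dport=23),            # source any, no destination
]

# R1 G0/1: ACL 3000 outbound, ACL 3001 inbound, as in the lab.
FILTERS = {
    ("GigabitEthernet0/1", "outbound"): ACL_3000,
    ("GigabitEthernet0/1", "inbound"): ACL_3001,
}


def filter_packet(interface: str, direction: str, pkt: Packet) -> str:
    rules = FILTERS.get((interface, direction))
    if rules is None:
        return "permit"            # no packet-filter applied here
    return evaluate(rules, pkt)


def lab_checks() -> dict:
    """The lab's verification flows plus two extra cases (all constructed)."""
    g01 = "GigabitEthernet0/1"
    return {
        "pc1_to_pc2_icmp": filter_packet(g01, "outbound", Packet("192.168.10.100", "192.168.20.100", "icmp")),
        "pc1_to_pc3_icmp": filter_packet(g01, "outbound", Packet("192.168.10.100", "192.168.30.100", "icmp")),
        "pc2_telnet_r1": filter_packet(g01, "inbound", Packet("192.168.20.100", "10.10.12.1", "tcp", 23)),
        "pc3_telnet_r1": filter_packet(g01, "inbound", Packet("192.168.30.100", "10.10.12.1", "tcp", 23)),
        # Not in the lab: Telnet through R1 to PC1 is also dropped by rule 20.
        "pc3_telnet_pc1_transit": filter_packet(g01, "inbound", Packet("192.168.30.100", "192.168.10.100", "tcp", 23)),
        # Not in the lab: any other TCP port falls through to the default permit.
        "pc3_tcp22_r1": filter_packet(g01, "inbound", Packet("192.168.30.100", "10.10.12.1", "tcp", 22)),
    }


if __name__ == "__main__":
    for name, verdict in lab_checks().items():
        print(f"{name}: {verdict}")
```

The transit case is the caveat to keep in mind: because rule 20 has no destination address, ACL 3001 filters every TCP/23 connection entering G0/1, not only sessions to R1 itself. If only R1's own Telnet server should be protected, add a destination of 10.10.12.1 0 to both rules of ACL 3001.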
[H3C]sysname r2
[r2]interface gigabitethernet 0/0
[r2-GigabitEthernet0/0]ip address 10.10.12.2 24
[r2-GigabitEthernet0/0]interface gigabitethernet 0/1
[r2-GigabitEthernet0/1]ip address 192.168.20.1 24
[r2-GigabitEthernet0/1]interface gigabitethernet 0/2
[r2-GigabitEthernet0/2]ip address 192.168.30.1 24
[r2-GigabitEthernet0/2]quit
[r2]ip route-static 192.168.10.0 255.255.255.0 10.10.12.1

Verification

<PC1>ping 192.168.20.100
Ping 192.168.20.100 (192.168.20.100): 56 data bytes, press CTRL_C to break
Request time out
--- Ping statistics for 192.168.20.100 ---

PC1 cannot communicate with PC2 or PC2's subnet.

<H3C>ping 192.168.30.100
Ping 192.168.30.100 (192.168.30.100): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.30.100: icmp_seq=0 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 192.168.30.100: icmp_seq=4 ttl=253 time=2.000 ms
--- Ping statistics for 192.168.30.100 ---

PC1 communicates with PC3 successfully.

<PC2>telnet 10.10.12.1
Trying 10.10.12.1 ...
Press CTRL+K to abort
Connected to 10.10.12.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Login: zurkj
Password:
<r1>

PC2 Telnets to R1 successfully.

<PC3>telnet 10.10.12.1
Trying 10.10.12.1 ...
Press CTRL+K to abort
Connected to 10.10.12.1 ...

PC3's Telnet to R1 fails.

Lab complete.