H3C ACL Packet Filtering Configuration: Video Tutorial
https://wenku.baidu.com/view/b4400fc4b14e852458fb57a7.html
Understand the basic working principle of ACLs
Master the basic ACL configuration procedure
Master the commonly used ACL configuration commands
Lab Procedure
Lab Task 1: Configure a Basic ACL
In this task a basic ACL is applied on a router to stop PCA from reaching PCB, so that students become familiar with the configuration and effect of basic ACLs.
Step 1: Set up the physical connections
Connect the devices as shown in Figure 13-1, then check the software version and configuration of each device to make sure the software versions meet the requirements and all configuration is in its initial state. If the configuration does not meet the requirements, erase the configuration file in user view and reboot the device so that it initializes with the default configuration parameters.
The following commands are used in this step:
display version
reset saved-configuration
reboot
Step 2: Configure IP addresses and routing
Table 13-1 IP address list
Device   Interface   IP address        Gateway
Rta      S6/0        192.168.1.1/24    --
Rta      G6/0        192.168.0.1/24    --
Rtb      S6/0        192.168.1.2/24    --
Rtb      G6/0        192.168.2.1/24    --
PCA      --          192.168.0.2/24    192.168.0.1/24
PCB      --          192.168.2.2/24    192.168.2.1/24
[rta] int GigabitEthernet 0/0
[rta-GigabitEthernet0/0]ip add 192.168.0.1 24
[rta-GigabitEthernet0/0]int s6/0
[rta-Serial6/0]ip add 192.168.1.1 24
[rtb]int GigabitEthernet 0/0
[rtb-GigabitEthernet0/0]ip add 192.168.2.1 24
[rtb-GigabitEthernet0/0]int s6/0
[rtb-Serial6/0]ip add 192.168.1.2 24
Students may configure either static or dynamic routing on the routers to achieve full reachability across the network.
[rta]rip
[rta-rip-1]network 192.168.0.0
[rta-rip-1]network 192.168.1.0
[rtb]rip
[rtb-rip-1]network 192.168.1.0 0.0.0.255
[rtb-rip-1]network 192.168.2.0
Step 3: Plan the ACL application
The goal of this lab is that PCA cannot access PCB, i.e. the two PCs are not mutually reachable. Students should consider the following questions about applying ACL packet filtering in the network:
Which type of ACL is needed?
Should the action of the ACL rule be deny or permit?
What should the wildcard mask in the ACL rule be?
On which interface of the router, and in which direction, should the ACL packet filter be applied?
Step 4: Configure and apply the basic ACL
[rta]acl number 2001
[rta-acl-basic-2001]rule deny source 192.168.0.2 0.0.0.0
[rta]firewall enable
[rta]firewall default permit
[rta]int g0/0
[rta-GigabitEthernet0/0]firewall packet-filter 2001 inbound
Step 5: Verify and inspect the firewall's effect
Run ping on PCA to test reachability to PCB; the result is as follows:
C:\Documents and Settings\Administrator>ping 192.168.2.2
Pinging 192.168.2.2 with 32 bytes of data:
Reply from 192.168.0.1: Destination net unreachable.
Reply from 192.168.0.1: Destination net unreachable.
Reply from 192.168.0.1: Destination net unreachable.
Reply from 192.168.0.1: Destination net unreachable.
Ping statistics for 192.168.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Meanwhile, view the ACL and firewall status and statistics on rta from the command line:
[rta]display acl 2001
Basic ACL 2001, named -none-, 1 rule,
ACL's step is 5
rule 0 deny source 192.168.0.2 0 (4 times matched)
As shown, packets have matched the rule defined in the ACL.
[rta]display firewall-statistics all
Firewall is enable, default filtering method is 'permit'.
Interface: GigabitEthernet0/0
In-bound Policy: acl 2001
Fragments matched normally
From 2009-09-06 18:52:58 to 2009-09-06 18:54:29
0 packets, 0 bytes, 0% permitted,
4 packets, 240 bytes, 100% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 0% denied default,
Totally 0 packets, 0 bytes, 0% permitted,
Totally 4 packets, 240 bytes, 100% denied.
As shown, the router has the firewall function enabled and uses ACL 2001 to match packets entering interface G0/0; the filtering direction is inbound.
Lab Task 2: Configure an Advanced ACL
In this task an advanced ACL is applied on a router to block FTP traffic from PCA to network 192.168.2.0, so that students become familiar with the configuration and effect of advanced ACLs.
Step 1: Plan the ACL application
Which type of ACL is needed?
Should the action of the ACL rule be deny or permit?
What should the wildcard mask in the ACL rule be?
On which interface of the router, and in which direction, should the ACL packet filter be applied?
Step 2: Configure and apply the advanced ACL
Define the ACL on router rta as follows:
[rta]acl number 3002
[rta-acl-adv-3002]rule deny tcp source 192.168.0.2 0.0.0.0 destination 192.168.2.1 0.0.0.255 destination-port eq ftp
[rta-acl-adv-3002]rule permit ip source 192.168.0.2 0.0.0.0 destination 192.168.2.0 0.0.0.255
Apply the ACL on the rta interface:
[rta-GigabitEthernet0/0]firewall packet-filter 3002 inbound
Step 3: Verify and inspect the firewall's effect
C:\Documents and Settings\Administrator>ping 192.168.2.2
Pinging 192.168.2.2 with 32 bytes of data:
Reply from 192.168.2.2: bytes=32 time=20ms TTL=126
Reply from 192.168.2.2: bytes=32 time=19ms TTL=126
Reply from 192.168.2.2: bytes=32 time=19ms TTL=126
Reply from 192.168.2.2: bytes=32 time=19ms TTL=126
Ping statistics for 192.168.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 20ms, Average = 19ms
On rta, view the ACL and firewall status and statistics with the following command:
[rta]dis acl 3002
Advanced ACL 3002, named -none-, 2 rules,
ACL's step is 5
rule 0 deny tcp source 192.168.0.2 0 destination 192.168.2.0 0.0.0.255 destination-port eq ftp
rule 5 permit ip source 192.168.0.2 0 destination 192.168.2.0 0.0.0.255 (1 times matched)
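The simulator below is an added example written for this page; it is not code from the lab manual or from H3C. It models the matching logic that both Task 1 (basic ACL 2001) and Task 2 (advanced ACL 3002) rely on: the wildcard mask of a rule says which address bits are ignored (0.0.0.0 is an exact host, 0.0.0.255 any host in the /24), rules are tried in configuration order and the first match decides, packets that match no rule fall to the firewall default action, rule ids advance by the ACL step of 5, and the router stores a rule address with its wildcard bits cleared, which is why the display acl output above shows destination 192.168.2.0 although the rule was entered as 192.168.2.1. The Packet, Rule and Acl classes, the packets replayed in run_lab, and the helper names are this example's own constructions; the ftp keyword denoting TCP port 21 is standard.

```python
# Added example, not part of the lab manual or any H3C software: a minimal
# model of how a packet filter evaluates ACL rules, using the two ACLs from
# this lab. All packets below are constructed test input.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FTP_PORT = 21   # "destination-port eq ftp" means TCP port 21
ACL_STEP = 5    # "ACL's step is 5": rule ids are 0, 5, 10, ...


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """True if addr equals rule_addr in every bit that is 0 in the wildcard
    (inverse) mask: 0.0.0.0 = this exact host, 0.0.0.255 = same /24,
    255.255.255.255 = any address."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(rule_addr) & care)


def normalize(rule_addr: str, wildcard: str) -> str:
    """Clear the wildcard bits of a rule address, as the router does when it
    stores the rule (192.168.2.1 0.0.0.255 is displayed as 192.168.2.0)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(_ip(rule_addr) & care))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp", ...
    dst_port: Optional[int] = None


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # "ip" matches any IP protocol
    dst: str = "0.0.0.0"             # basic ACL rules carry no destination,
    dst_wc: str = "255.255.255.255"  # so the default destination is "any"
    dst_port: Optional[int] = None
    matched: int = 0                 # the "(n times matched)" counter

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet, default: str = "permit") -> Tuple[str, Optional[int]]:
        """Return (action, rule id) of the first matching rule, in rule order,
        or (default, None) when nothing matches ("firewall default permit")."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                rule.matched += 1
                return rule.action, index * ACL_STEP
        return default, None


def acl_2001() -> Acl:
    """Basic ACL from Task 1: rule deny source 192.168.0.2 0.0.0.0"""
    return Acl(2001, [Rule("deny", "192.168.0.2", "0.0.0.0")])


def acl_3002() -> Acl:
    """Advanced ACL from Task 2, rules in configuration order."""
    return Acl(3002, [
        Rule("deny", "192.168.0.2", "0.0.0.0", proto="tcp",
             dst="192.168.2.1", dst_wc="0.0.0.255", dst_port=FTP_PORT),
        Rule("permit", "192.168.0.2", "0.0.0.0", proto="ip",
             dst="192.168.2.0", dst_wc="0.0.0.255"),
    ])


def run_lab() -> dict:
    """Replay the lab's test traffic (constructed packets) through both ACLs."""
    out = {}
    acl = acl_2001()
    ping = Packet("192.168.0.2", "192.168.2.2", "icmp")           # PCA -> PCB
    out["task1_ping"] = [acl.evaluate(ping) for _ in range(4)]   # 4 x deny, rule 0
    out["task1_matched"] = acl.rules[0].matched                  # "(4 times matched)"
    out["task1_other_host"] = acl.evaluate(Packet("192.168.0.3", "192.168.2.2", "icmp"))
    acl = acl_3002()
    out["task2_ftp"] = acl.evaluate(Packet("192.168.0.2", "192.168.2.2", "tcp", FTP_PORT))
    out["task2_ping"] = acl.evaluate(ping)                        # permitted by rule 5
    out["task2_http"] = acl.evaluate(Packet("192.168.0.2", "192.168.2.2", "tcp", 80))
    out["task2_stored_dst"] = normalize("192.168.2.1", "0.0.0.255")
    return out


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key}: {value}")
```

Running the script prints the action and rule id chosen for each constructed packet. The model evaluates each task against its own ACL because the page's own outputs show that, once ACL 3002 is applied inbound on G0/0, the ping that ACL 2001 blocked in Task 1 succeeds again: the packet filter configured last on that interface and direction is the one in effect, so a practitioner should check display firewall-statistics after every change rather than assume earlier filters still apply.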