Access Control List Configuration Lab (4.1 Lab 1: Access Control List Configuration)
I. Network Requirements
As shown in the topology, R3 is the server and R1 is the client, and the client and server are routable to each other. The interconnecting physical interfaces between R1 and R2 use the addresses 10.1.2.1/24 and 10.1.2.2/24 respectively, and those between R2 and R3 use 10.1.3.2/24 and 10.1.3.1/24. In addition, two logical interfaces, LoopBack 0 and LoopBack 1, are created on R1 to simulate two client users, with the addresses 10.1.1.1/24 and 10.1.4.1/24 respectively.
II. eNSP Lab Video
III. Configuration Approach
1. Configure the device IP addresses
2. Configure OSPF so that the network is routable
3. Configure an ACL that matches the specific traffic
4. Configure traffic filtering
IV. Configuration Steps
Basic device configuration:
R1: GE0/0/0: 10.1.2.1/24, LoopBack0: 10.1.1.1/24, LoopBack1: 10.1.4.1/24
R2: GE0/0/0: 10.1.2.2/24, GE0/0/1: 10.1.3.2/24
R3: GE0/0/1: 10.1.3.1/24
Step 1: Configure the device IP addresses
# Configure the IP addresses on R1, R2 and R3
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.1.2.1 24
[R1-GigabitEthernet0/0/0]quit
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 10.1.1.1 24
[R1-LoopBack0]quit
[R1]interface LoopBack 1
[R1-LoopBack1]ip address 10.1.4.1 24
[R1-LoopBack1]quit
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 10.1.2.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.1.3.2 24
[R2-GigabitEthernet0/0/1]quit
[R3]interface GigabitEthernet0/0/1
[R3-GigabitEthernet0/0/1]ip address 10.1.3.1 24
[R3-GigabitEthernet0/0/1]quit
Step 2: Configure OSPF so that the network is interconnected
# Configure OSPF on R1, R2 and R3, all three in Area 0, so that the whole network is reachable
[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.1.2.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.1.4.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]return
[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.1.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.1.3.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]return
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.1.3.1 0.0.0.0
[R3-ospf-1-area-0.0.0.0]return
# Run ping on R3 to test network connectivity
<R3>ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=20 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/34/40 ms
<R3>ping 10.1.2.1
PING 10.1.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=254 time=50 ms
--- 10.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/34/50 ms
<R3>ping 10.1.4.1
PING 10.1.4.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.4.1: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 10.1.4.1: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.1.4.1: bytes=56 Sequence=3 ttl=254 time=40 ms
Reply from 10.1.4.1: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 10.1.4.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 10.1.4.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/36/50 ms
Step 3: Configure R3 as a Telnet server
# Enable Telnet on R3, set the user privilege level to 3 and the login password to Huawei@123
[R3]telnet server enable
The telnet server enable command enables the Telnet server.
[R3]user-interface vty 0 4
The user-interface command enters one or more user interface views.
A VTY (Virtual Type Terminal) user interface is used to manage and monitor users who log in through Telnet or SSH.
[R3-ui-vty0-4]user privilege level 3
[R3-ui-vty0-4]authentication-mode password
[R3-ui-vty0-4]set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa" authentication mode.
Enter Password(<8-128>):Huawei@123
Confirm password:Huawei@123
[R3-ui-vty0-4]quit
Step 4: Configure an ACL for traffic filtering
Method 1: Apply the ACL on R3's VTY user interfaces, allowing R1 to Telnet to R3 only from its LoopBack 1 interface address.
# Configure the ACL on R3
[R3]acl 3000
[R3-acl-adv-3000]rule 5 permit tcp source 10.1.4.1 0.0.0.0 destination 10.1.3.1 0.0.0.0 destination-port eq 23
[R3-acl-adv-3000]rule 10 deny tcp source any
[R3-acl-adv-3000]quit
# Apply the ACL inbound on R3's VTY user interfaces
[R3]user-interface vty 0 4
[R3-ui-vty0-4]acl 3000 inbound
[R3-ui-vty0-4]quit
# View the ACL configuration on R3
[R3]display acl 3000
The display acl command displays the configuration of an ACL.
Advanced ACL 3000, 2 rules
Advanced ACL numbered 3000, with 2 rules in total.
Acl's step is 5
The ACL step is 5.
rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet
Rule 5 permits the specified traffic; while no packet has matched a rule, its matches field is not displayed.
rule 10 deny tcp
Method 2: Apply the ACL on R2's physical interface, allowing R1 to Telnet to R3 only through the physical interface address.
# Configure the ACL on R2
[R2]acl 3001
[R2-acl-adv-3001]rule 5 permit tcp source 10.1.4.1 0.0.0.0 destination 10.1.3.1 0.0.0.0 destination-port eq 23
[R2-acl-adv-3001]rule 10 deny tcp source any
[R2-acl-adv-3001]quit
# Apply traffic filtering inbound on R2's GE0/0/3 interface (the interface facing R1)
[R2]interface GigabitEthernet0/0/3
[R2-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
# View the ACL configuration on R2
[R2]display acl 3001
Advanced ACL 3001, 2 rules
Acl's step is 5
rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet (21 matches)
Rule 5 permits the specified traffic; 21 packets have matched it.
rule 10 deny tcp (1 matches)
V. Result Verification
Test Telnet access to verify the ACL configuration.
1) On R1, Telnet to the server using source address 10.1.1.1.
<R1>telnet -a 10.1.1.1 10.1.3.1
The telnet command logs in to another device from the current device using the Telnet protocol.
-a source-ip-address: specifies the source address, so that the user communicates with the server using the specified IP address.
Press CTRL_] to quit telnet mode
Trying 10.1.3.1 ...
Error: Can't connect to the remote host
2) On R1, Telnet to the server using source address 10.1.4.1.
<R1>telnet -a 10.1.4.1 10.1.3.1
Press CTRL_] to quit telnet mode
Trying 10.1.3.1 ...
Connected to 10.1.3.1 ...
Login authentication
Password:
<R3>quit
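The rule evaluation behind the verification results above, as an added example that is not part of the original lab: a small Python model of Huawei advanced-ACL matching (wildcard masks, first match in rule-number order, default permit for unmatched packets), fed the two rules exactly as `display acl 3000` prints them in Step 4. The default-permit behaviour for packets matching no rule is an assumption stated in the code.

```python
# Added example, not part of the original lab. Huawei wildcard semantics: a 0
# bit must match, a 1 bit is "don't care". A packet matching no rule is
# permitted (assumed VRP default for traffic-filter and VTY ACLs).
import ipaddress

PORTS = {"telnet": 23}  # service name the device prints instead of the number

def _to_int(s):
    """'10.1.4.1' -> int; a 0.0.0.0 wildcard is printed as plain '0'."""
    return int(s) if "." not in s else int(ipaddress.IPv4Address(s))

def wildcard_match(addr, spec):
    """spec is 'any' or (base, wildcard) as printed by 'display acl'."""
    if spec == "any":
        return True
    base, wild = (_to_int(x) for x in spec)
    return (_to_int(addr) | wild) == (base | wild)

def parse_rule(line):
    """Parse one 'rule N permit|deny proto ...' line into a dict."""
    t = line.split()
    r = {"id": int(t[1]), "action": t[2], "proto": t[3],
         "src": "any", "dst": "any", "dport": None}
    i = 4
    while i < len(t):
        if t[i] in ("source", "destination"):
            key = "src" if t[i] == "source" else "dst"
            if t[i + 1] == "any":
                r[key], i = "any", i + 2
            else:
                r[key], i = (t[i + 1], t[i + 2]), i + 3
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            r["dport"], i = PORTS.get(t[i + 2]) or int(t[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported token {t[i]!r}")
    return r

def evaluate(rules, proto, src, dst, dport=None):
    """First-match lookup in rule-number order; no match -> permit."""
    for r in sorted(rules, key=lambda x: x["id"]):
        if (r["proto"] == proto and wildcard_match(src, r["src"])
                and wildcard_match(dst, r["dst"])
                and (r["dport"] is None or r["dport"] == dport)):
            return r["action"]
    return "permit"

# The two rules exactly as 'display acl 3000' prints them on this page
ACL_3000 = [parse_rule(l) for l in (
    "rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet",
    "rule 10 deny tcp")]
```

Evaluating the two verification attempts gives deny for Telnet from 10.1.1.1 and permit for Telnet from 10.1.4.1. In Method 2 the same rule 10 also drops every other TCP flow transiting R2's GE0/0/3 inbound (for example port 80), while ICMP, which matches neither rule, still passes; that difference from Method 1, where the VTY ACL only governs login sessions to R3, is worth checking before applying an interface filter.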
VI. Configuration Reference (Method 1)
R1 Configuration
#
sysname R1
#
interface GigabitEthernet0/0/0
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.1.4.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.1.2.1 0.0.0.0
network 10.1.4.1 0.0.0.0
#
return
R2 Configuration
#
sysname R2
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.3.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.2.2 0.0.0.0
network 10.1.3.2 0.0.0.0
#
return
R3 Configuration
#
sysname R3
#
acl number 3000
rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet
rule 10 deny tcp
#
interface GigabitEthernet0/0/1
ip address 10.1.3.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.3.1 0.0.0.0
#
telnet server enable
#
user-interface vty 0 4
acl 3000 inbound
authentication-mode password
user privilege level 3
set authentication password cipher %^%#Z5)H#8cE(YJ6YZ:='}c-;trp&784i>HtKl~pLnn>2zL16cs<6E}xj.FmK5(8%^%#
#
return
Configuration Reference (Method 2)
R1 Configuration
#
sysname R1
#
interface GigabitEthernet0/0/3
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.1.4.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.1.2.1 0.0.0.0
network 10.1.4.1 0.0.0.0
#
return
R2 Configuration
#
sysname R2
#
acl number 3001
rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet
rule 10 deny tcp
#
interface GigabitEthernet0/0/3
ip address 10.1.2.2 255.255.255.0
traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/4
ip address 10.1.3.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.2.2 0.0.0.0
network 10.1.3.2 0.0.0.0
#
return
R3 Configuration
#
sysname R3
#
interface GigabitEthernet0/0/3
ip address 10.1.3.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.3.1 0.0.0.0
#
telnet server enable
#
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher %^%#Z5)H#8cE(YJ6YZ:='}c-;trp&784i>HtKl~pLnn>2zL16cs<6E}xj.FmK5(8%^%#
#
return