1. Preliminary configuration:

r1:
<Huawei>u t m
<Huawei>system-view
[Huawei]sysname r1
[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 192.168.12.1 24
[r1]interface GigabitEthernet 0/0/2
[r1-GigabitEthernet0/0/2]ip address 192.168.13.1 24
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 1.1.1.254 24
[r1]display ip interface brief
[r1]ip route-static 192.168.10.0 24 192.168.12.2
[r1]ip route-static 192.168.20.0 24 192.168.12.2
[r1]ip route-static 192.168.30.0 24 192.168.13.2
[r1]ip route-static 192.168.1.0 24 192.168.13.2

R2:
<Huawei>u t m
<Huawei>system-view
[Huawei]sysname r2
[r2]interface GigabitEthernet 0/0/1
[r2-GigabitEthernet0/0/1]ip address 192.168.10.254 24
[r2]interface GigabitEthernet 0/0/2
[r2-GigabitEthernet0/0/2]ip address 192.168.20.254 24
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]ip address 192.168.12.2 24
<r2>display ip interface brief
[r2]ip route-static 0.0.0.0 0.0.0.0 192.168.12.1

R3:
<Huawei>u t m
<Huawei>system-view
[Huawei]sysname r3
[r3]interface GigabitEthernet 0/0/1
[r3-GigabitEthernet0/0/1]ip address 192.168.30.254 24
[r3]interface GigabitEthernet 0/0/2
[r3-GigabitEthernet0/0/2]ip address 192.168.1.254 24
[r3]interface GigabitEthernet 0/0/0
[r3-GigabitEthernet0/0/0]ip address 192.168.13.2 24
<r3>display ip interface brief
[r3]ip route-static 0.0.0.0 0.0.0.0 192.168.13.1

WG:
<Huawei>u t m
<Huawei>system-view
[Huawei]sysname WG
[WG]interface GigabitEthernet 0/0/0
[WG-GigabitEthernet0/0/0]ip address 192.168.10.1 24
[WG]ip route-static 0.0.0.0 0.0.0.0 192.168.10.254

2. Configure remote login and a basic ACL on r1:

[r1]acl 2000
[r1-acl-basic-2000]rule 5 permit source 192.168.10.1 0.0.0.0
[r1-acl-basic-2000]rule 10 deny source any
[r1-acl-basic-2000]quit
[r1]user-interface vty 0 4
[r1-ui-vty0-4]acl 2000 inbound
[r1-ui-vty0-4]authentication-mode aaa
[r1-ui-vty0-4]user privilege level 3
[r1-ui-vty0-4]aaa
[r1-aaa]local-user tata password cipher 123
[r1-aaa]local-user tata service-type telnet

3. Configure advanced ACLs:

R2:
[r2]acl 3000
[r2-acl-adv-3000]rule 5 permit ip source 192.168.20.1 0 destination 192.168.10.1 0
[r2-acl-adv-3000]rule 10 permit ip source 192.168.20.1 0 destination 1.1.1.1 0
[r2-acl-adv-3000]rule 15 permit tcp source 192.168.20.1 0 destination 192.168.1.1 0 destination-port eq 80
[r2-acl-adv-3000]rule 20 deny ip source any
[r2-acl-adv-3000]quit
[r2]interface GigabitEthernet 0/0/2
[r2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000

R3:
[r3]acl 3000
[r3-acl-adv-3000]rule 5 permit ip source 192.168.30.1 0 destination 192.168.10.1 0
[r3-acl-adv-3000]rule 10 permit tcp source 192.168.30.1 0 destination 192.168.1.1 0 destination-port eq 80
[r3-acl-adv-3000]rule 15 deny ip source any
[r3-acl-adv-3000]quit
[r3]interface GigabitEthernet 0/0/1
[r3-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
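
To check what r2's acl 3000 from step 3 lets through before applying it, the rules can be evaluated offline. This is an added example, not part of the original post; it assumes the ACL's default config match order (ascending rule ID, first match wins), and the sample packets are constructed.

```python
import ipaddress

# r2 acl 3000 from step 3:
# (rule-id, action, protocol, (source, wildcard), (destination, wildcard), dst-port)
# "any" is modelled as 0.0.0.0 with wildcard 255.255.255.255; None = port not checked.
ANY = ("0.0.0.0", "255.255.255.255")
R2_ACL_3000 = [
    (5,  "permit", "ip",  ("192.168.20.1", "0.0.0.0"), ("192.168.10.1", "0.0.0.0"), None),
    (10, "permit", "ip",  ("192.168.20.1", "0.0.0.0"), ("1.1.1.1", "0.0.0.0"), None),
    (15, "permit", "tcp", ("192.168.20.1", "0.0.0.0"), ("192.168.1.1", "0.0.0.0"), 80),
    (20, "deny",   "ip",  ANY, ANY, None),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport=None):
    """Return (rule_id, action) of the first matching rule, or None if no rule matches."""
    for rule_id, action, r_proto, r_src, r_dst, r_port in sorted(acl, key=lambda r: r[0]):
        if r_proto != "ip" and r_proto != proto:   # "ip" covers every protocol
            continue
        if not wildcard_match(src, *r_src) or not wildcard_match(dst, *r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return rule_id, action
    return None

# Constructed sample packets: (protocol, source, destination, destination port)
SAMPLES = [
    ("icmp", "192.168.20.1", "192.168.10.1", None),  # host to WG
    ("tcp",  "192.168.20.1", "192.168.1.1", 80),     # host to the web server, HTTP
    ("icmp", "192.168.20.1", "192.168.1.1", None),   # ping to the web server
    ("tcp",  "192.168.20.1", "192.168.1.1", 23),     # Telnet to the web server
    ("tcp",  "192.168.20.2", "192.168.1.1", 80),     # another host on the same subnet
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(R2_ACL_3000, *pkt))
```

The last three samples fall through to rule 20: only TCP port 80 reaches 192.168.1.1, and only from 192.168.20.1.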