今天主要說一下關於ACL的知識,初次接觸,如有不足,請各位大神提出寶貴意見,謝謝。
**ACL:Access Control List 訪問控制列表
-定義:是用來實現流量識別功能的。
-作用:網絡設備爲了對特定的報文進行操作,需要配置一系列的匹配規則,以識別 出特定的報文,然後根據預先設定的策略對該報文進行操作。(可以簡單的 理解爲匹配感興趣的流量)
-實現:
1.制定規則
2.規定動作(允許/拒絕)
- 事件(例如:在某個端口下實施acl的配置內容)
-類型:
--標準ACL/基本ACL
--擴展ACL/高級ACL
配置思路:
1.確保現有網絡的連通性
2.查看現有的ACL
3.創建ACL
4.調用ACL
5.驗證、測試、保存
下面爲大家帶來一個小小的拓撲實際性的操作一下
實驗目的:PC1與PC3不通,但PC1和PC3都和PC2、PC4互通
實驗拓撲:
地址規劃:
| 設備 | IP地址及子網 | 網關 |
|---|---|---|
| PC1 | 192.168.10.1/24 | 192.168.10.254 |
| PC2 | 192.168.20.2/24 | 192.168.20.254 |
| PC3 | 192.168.30.3/24 | 192.168.30.254 |
| PC4 | 192.168.40.4/24 | 192.168.40.254 |
實驗步驟:
1.配置設備IP地址
2.配置網關
R1:
<Huawei>system\進入系統視圖
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1\修改名字
[R1]vlan batch 10 20 30 40 50\創建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[R1]interface Vlanif 10\進入虛擬端口
[R1-Vlanif10]undo shutdown \開啓虛擬端口
Info: Interface Vlanif10 is not shutdown
[R1-Vlanif10]ip address 192.168.10.254 255.255.255.0\創建虛擬網關
[R1-Vlanif10]q\退出
[R1]interface Vlanif 20\進入虛擬端口
[R1-Vlanif20]undo shutdown \虛擬端口
Info: Interface Vlanif20 is not shutdown.
[R1-Vlanif20]ip address 192.168.20.254 255.255.255.0\創建虛擬網關
[R1-Vlanif20]q\退出
[R1]interface Vlanif 50\進入虛擬端口
[R1-Vlanif50]undo shutdown \開啓端口
Info: Interface Vlanif50 is not shutdown.
[R1-Vlanif50]ip address 192.168.50.1 255.255.255.0\創建虛擬IP
[R1-Vlanif50]q\退出
[R1]interface GigabitEthernet 0/0/1\進入端口
[R1-GigabitEthernet0/0/1]port link-type trunk \配置鏈路模式trunk
[R1-GigabitEthernet0/0/1]port trunk allow-pass vlan all\允許所有vlan通過
[R1-GigabitEthernet0/0/1]q\退出
[R1]interface GigabitEthernet 0/0/2\進入端口
[R1-GigabitEthernet0/0/2]port link-type trunk \配置鏈路模式trunk
[R1-GigabitEthernet0/0/2]port trunk allow-pass vlan all\允許所有vlan通過
[R1-GigabitEthernet0/0/2]q\退出
R2:
<Huawei>system-view \進入到系統視圖
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2\修改名字
[R2]vlan batch 10 20 30 40 50\創建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[R2]interface Vlanif 30\進入虛擬端口
[R2-Vlanif30]undo shutdown \開啓虛擬端口
Info: Interface Vlanif30 is not shutdown.
[R2-Vlanif30]ip address 192.168.30.254 255.255.255.0\創建虛擬網關
[R2-Vlanif30]q\退出
[R2]interface Vlanif 40\進入虛擬端口
[R2-Vlanif40]undo shutdown \開啓虛擬端口
Info: Interface Vlanif40 is not shutdown.
[R2-Vlanif40]ip address 192.168.40.254 255.255.255.0\創建虛擬網關
[R2-Vlanif40]q\退出
[R2]interface Vlanif 50\進入虛擬端口
[R2-Vlanif50]undo shutdown \開啓虛擬端口
Info: Interface Vlanif50 is not shutdown.
[R2-Vlanif50]ip address 192.168.50.2 255.255.255.0\創建虛擬IP
[R2-Vlanif50]q\退出
[R2]interface GigabitEthernet 0/0/2\進入端口
[R2-GigabitEthernet0/0/2]port link-type trunk \配置鏈路方式trunk
[R2-GigabitEthernet0/0/2]port trunk allow-pass vlan all\允許所有vlan通過
[R2-GigabitEthernet0/0/2]q\退出
[R2]interface GigabitEthernet 0/0/1\進入端口
[R2-GigabitEthernet0/0/1]port link-type trunk \配置鏈路方式trunk
[R2-GigabitEthernet0/0/1]port trunk allow-pass vlan all\允許所有vlan通過
[R2-GigabitEthernet0/0/1]q\退出
3.配置交換機,創建vlan配置鏈路方式並將端口加入到vlan
sw1:
<Huawei>system-view\進入系統視圖
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname sw1\修改名字
[ sw1]vlan batch 10 20 30 40 50\創建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[ sw1]interface GigabitEthernet 0/0/1進入端口
[ sw1-GigabitEthernet0/0/1]port link-type access \配置鏈路模式access
[ sw1-GigabitEthernet0/0/1]port default vlan 10\將端口加入VLAN
[ sw1-GigabitEthernet0/0/1]q\退出
[ sw1]interface GigabitEthernet 0/0/2 \進入端口
[ sw1-GigabitEthernet0/0/2]port link-type access \配置鏈路模式access
[ sw1-GigabitEthernet0/0/2]port default vlan 20\將端口加入VLAN
[ sw1-GigabitEthernet0/0/2]q\退出
[ sw1]interface GigabitEthernet 0/0/3 \進入端口
[ sw1-GigabitEthernet0/0/3]port link-type trunk \配置鏈路模式trunk
[ sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan all\允許所有vlan通過
[ sw1-GigabitEthernet0/0/3]q\退出
[ sw1]
sw2:
<Huawei>system-view \進入系統視圖
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname sw2\修改名字
[sw2]vlan batch 10 20 30 40 50\創建vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw2]interface GigabitEthernet 0/0/1\進入端口
[sw2-GigabitEthernet0/0/1]port link-type trunk \配置鏈路模式trunk
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan all\允許所有vlan通過
[sw2-GigabitEthernet0/0/1]q\退出
[sw2]interface GigabitEthernet 0/0/2 \進入端口
[sw2-GigabitEthernet0/0/2]port link-type access \配置鏈路模式access
[sw2-GigabitEthernet0/0/2]port default vlan 30\將端口加入vlan
[sw2-GigabitEthernet0/0/2]q\退出
[sw2]interface GigabitEthernet 0/0/3\進入端口
[sw2-GigabitEthernet0/0/3]port link-type access \配置鏈路模式access
[sw2-GigabitEthernet0/0/3]port default vlan 40\將端口加入vlan
[sw2-GigabitEthernet0/0/3]q\退出
[sw2]
4.配置rip保證全網互通
R1:
[R1]rip\配置rip協議
[R1-rip-1]version 2\選擇版本2
[R1-rip-1]network 192.168.10.0\宣告網絡範圍
[R1-rip-1]network 192.168.20.0\宣告網絡範圍
[R1-rip-1]q\退出
[R1]
R2:
[R2]rip \配置rip協議
[R2-rip-1]version 2\選擇版本2
[R2-rip-1]network 192.168.30.0\宣告網絡範圍
[R2-rip-1]network 192.168.40.0\宣告網絡範圍
[R2-rip-1]q\退出
此時,驗證一下是否全網互通,以PC1爲例:
5.創建ACL
創建acl可以在任何一個接口,在本次試驗中是讓PC1和PC3不通,其他網絡互通,所以我選擇在R2創建ACL,如下:
[R2]acl name denypc1-3 \創建acl並命名
[R2-acl-adv-denypc1-3]rule deny ip source 192.168.10.1 0.0.0.0 destination 192.1
68.30.3 0.0.0.0\規定動作確定源和目標
[R2-acl-adv-denypc1-3]q\退出
6.調用ACL
[R2]interface GigabitEthernet 0/0/2\進入端口
[R2-GigabitEthernet0/0/2]traffic-filter outbound acl name denypc1-3\調用Acl
[R2-GigabitEthernet0/0/2]q\退出
7.驗證、測試、保存
驗證:
測試:
PC1:
測試與PC2連通性:
測試與PC4連通性:
測試與PC3連通性:
PC3:
測試與PC2連通性:
測試與PC4連通性:
測試與PC1連通性:
實驗完成,完成實驗目的。
注意:
ACL對設備本身發起的流量,是不起作用的。
ACL對設備的穿越流量,是起作用的。
操作比較簡單,我儘可能把每一步的步驟操作介紹清楚,希望大家可以理解。