ACL Packet Filtering

1. Experiment Objectives
Understand the basic working principle of access control lists
Master the configuration of basic ACLs
Master the configuration of advanced ACLs

2. Experiment Description and Network Diagram
Connect two routers and configure ACLs so that jiance1 cannot ping jiance2.
Figure 1-1

3. Experiment Procedure
Task 1: Implementation with a basic ACL
Step 1: Set up the environment
Establish the physical connections according to Figure 1-1 and configure the IP addresses.
Step 2: Test connectivity
Ping jiance2 from jiance1; the output is as follows:
[jiance1]ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Enable the telnet server on jiance2 (see the telnet section of the lab manual for the configuration). Telnet from jiance1 to jiance2 succeeds:
Trying 10.1.1.2 ... Press CTRL+K to abort
Connected to 10.1.1.2 ...
******************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Welcome!
Login authentication
Username:h3c
Password:

Step 3: Create the basic ACL
[jiance2]acl number 2000
[jiance2-acl-basic-2000]rule 0 deny source 10.1.1.1 0.0.0.0

Step 4: Apply the ACL
A basic ACL should be deployed close to the destination, so it is applied on E0/0 of jiance2.
[jiance2]firewall enable
[jiance2]firewall default permit
[jiance2]interface Ethernet 0/0
[jiance2-Ethernet0/0]firewall packet-filter ?
  INTEGER<2000-2999>  Apply basic acl
  INTEGER<3000-3999>  Apply advanced acl
  INTEGER<4000-4999>  Apply ethernet frame header acl
  ipv6                ACL IPv6
  name                Specify a named acl
[jiance2-Ethernet0/0]firewall packet-filter 2000 ?
  inbound   Apply the acl to filter in-bound packets
  outbound  Apply the acl to filter out-bound packets
[jiance2-Ethernet0/0]firewall packet-filter 2000 inbound ?
[jiance2-Ethernet0/0]firewall packet-filter 2000 inbound

Step 5: Verify
Ping router jiance2 from jiance1:
[jiance1]ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Telnet to jiance2:
Trying 10.1.1.2 ... Press CTRL+K to abort
Can't connect to the remote host!

Analysis: after the basic ACL is applied, all traffic from jiance1 to jiance2 is blocked, the telnet login included.

Task 2: Implementation with an advanced ACL
Step 1: Set up the environment
Establish the physical connections according to Figure 1-1 and configure the IP addresses.
Step 2: Test connectivity
Ping jiance2 from jiance1; the output is as follows:
[jiance1]ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

Step 3: Create the advanced ACL
[jiance1]acl number 3000
[jiance1-acl-adv-3000]rule 0 deny icmp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0

Step 4: Deploy the ACL
An advanced ACL should be deployed close to the source, so it is applied on E0/0 of jiance1.
[jiance1]firewall enable
[jiance1]firewall default permit
[jiance1]interface Ethernet 0/0
[jiance1-Ethernet0/0]firewall packet-filter 3000 outbound

Step 5: Verify
[jiance1]ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Display the configured ACL:
[jiance1]display acl 3000
Advanced ACL 3000, named -none-, 1 rule,
ACL's step is 5
 rule 0 deny icmp source 10.1.1.1 0 destination 10.1.1.2 0 (5 times matched)
View the firewall statistics:
[jiance1]display firewall-statistics all
Firewall is enable, default filtering method is 'permit'.
Interface: Ethernet0/0
  Out-bound Policy: acl 3000
  Fragments matched normally
  From 2010-04-03 9:57:39 to 2010-04-03 10:06:10
    0 packets, 0 bytes, 0% permitted,
    5 packets, 420 bytes, 100% denied,
    0 packets, 0 bytes, 0% permitted default,
    0 packets, 0 bytes, 0% denied default,
    Totally 0 packets, 0 bytes, 0% permitted,
    Totally 5 packets, 420 bytes, 100% denied.
Telnet test:
Trying 10.1.1.2 ... Press CTRL+K to abort
Connected to 10.1.1.2 ...
******************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Welcome!
Login authentication
Username:
Password:
The remote login succeeds: the advanced ACL denies only ICMP between the two hosts, so the telnet session is still permitted.
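To make the difference between the two tasks concrete, the following added example (not part of the lab or of H3C's software) simulates the packet filter's decision logic: wildcard-mask matching, parsing of the "rule N deny ..." syntax used above, first-match evaluation in rule-number order, and the "firewall default permit" fallback for packets that match no rule. The rule's "matched" counter mirrors the "(5 times matched)" shown by "display acl". The Packet class, the run_lab() helper and the two sample packets are constructed for this example; ACL 2000 and ACL 3000 are the lab's own rules. Note that the simulator models only the fields the lab uses, not the full Comware rule grammar.

```python
"""Simulator for the ACL packet filtering used in this lab (added example).
Models wildcard-mask matching, basic vs. advanced ACL rule parsing,
first-match evaluation and the firewall's 'default permit' behaviour."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is 'don't care'.
    '0.0.0.0' is an exact host; '255.255.255.255' matches any address."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


def expand_wildcard(token: str) -> str:
    """'display acl' prints the wildcard 0.0.0.0 as the shorthand '0'."""
    return "0.0.0.0" if token == "0" else token


@dataclass
class Packet:                      # constructed for this example
    proto: str                     # 'icmp', 'tcp' or 'udp'
    src: str
    dst: str
    dport: Optional[int] = None    # e.g. 23 for telnet


@dataclass
class Rule:
    rule_id: int
    action: str                    # 'permit' or 'deny'
    proto: Optional[str] = None    # None = any protocol (basic ACLs have none)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    matched: int = 0               # like '(N times matched)' in 'display acl'

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc))


def parse_rule(text: str, basic: bool) -> Rule:
    """Parse 'rule N deny [proto] [source A W] [destination A W]'.
    A basic ACL (2000-2999) carries only a source; an advanced ACL
    (3000-3999) adds a protocol and a destination."""
    tok = text.split()
    if tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = Rule(rule_id=int(tok[1]), action=tok[2])
    i = 3
    if not basic and i < len(tok) and tok[i] not in ("source", "destination"):
        rule.proto = tok[i]
        i += 1
    while i < len(tok):
        key, addr, wc = tok[i], tok[i + 1], expand_wildcard(tok[i + 2])
        if key == "source":
            rule.src, rule.src_wc = addr, wc
        elif key == "destination" and not basic:
            rule.dst, rule.dst_wc = addr, wc
        else:
            raise ValueError(f"keyword {key!r} not allowed in this ACL type")
        i += 3
    return rule


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    @property
    def basic(self) -> bool:
        return 2000 <= self.number <= 2999

    def add(self, text: str) -> None:
        self.rules.append(parse_rule(text, self.basic))


def packet_filter(acl: Acl, pkt: Packet, default: str = "permit") -> str:
    """First matching rule (lowest rule number) decides; with no match the
    'firewall default permit' setting applies."""
    for rule in sorted(acl.rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            rule.matched += 1
            return rule.action
    return default


def run_lab() -> Dict[str, str]:
    """Replay the lab: ping and telnet from jiance1 (10.1.1.1) to jiance2
    (10.1.1.2) evaluated against each of the two ACLs."""
    ping = Packet("icmp", "10.1.1.1", "10.1.1.2")
    telnet = Packet("tcp", "10.1.1.1", "10.1.1.2", dport=23)
    acl2000 = Acl(2000)
    acl2000.add("rule 0 deny source 10.1.1.1 0.0.0.0")
    acl3000 = Acl(3000)
    acl3000.add("rule 0 deny icmp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0")
    return {
        "basic/ping": packet_filter(acl2000, ping),
        "basic/telnet": packet_filter(acl2000, telnet),
        "advanced/ping": packet_filter(acl3000, ping),
        "advanced/telnet": packet_filter(acl3000, telnet),
    }


if __name__ == "__main__":
    for name, verdict in run_lab().items():
        print(f"{name}: {verdict}")
```

Running the block prints deny for both packet types under ACL 2000 and deny/permit under ACL 3000, which is exactly the split the lab observed: a basic ACL can only decide by source address, so once 10.1.1.1 is denied every protocol from that host is dropped, whereas the advanced ACL's protocol field lets the filter block ICMP while leaving TCP port 23 to the default-permit path.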