基本ACL与高级ACL配置

我们先来了解ACL的作用

什么是ACL
访问控制列表( Access Control List , ACL )是应用在路由器接口的指令列表
读取第三层、第四层报文头信息
根据预先定义好的规则对报文进行过滤

ACL的规则
每个ACL可以包含多个规则,路由器根据规则对数据流量进行过滤

华为基本ACL
-基于源IP地址过滤数据包
-列表号是2000~2999

华为高级ACL
-基于源IP地址、目的IP地址、源端口、目的端口、协议号过滤数据包
-列表号是3000~3999

基本ACL与高级ACL配置

配置终端设备

PC1 地址: 192.168.1.1
掩码: 255.255.255.0
网关: 192.168.1.254

配置终端设备

PC2 地址: 192.168.2.1
掩码: 255.255.255.0
网关: 192.168.2.254

配置终端设备

Server1 地址: 192.168.100.1
掩码: 255.255.255.0
网关:192.168.100.254

=================================================================================

< Huawei>system-view
[Huawei]sysname AR1
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.100.254 24
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.1.254 24
[AR1]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address 192.168.2.254 24
[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 deny source 192.168.1.1 0.0.0.0 // 拒绝源为 PC1的流量
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000 // 调用在端口的出方向

=================================================================================

基本ACL与高级ACL配置

配置终端设备

Client1 地址：192.168.1.1
掩码：255.255.255.0
网关：192.168.1.254

配置终端设备

PC1 地址：192.168.2.1
掩码：255.255.255.0
网关：192.168.2.254

配置终端设备

Server1 地址：192.168.3.1
掩码：255.255.255.0
网关：192.168.3.254
配置 HTTP 服务

=================================================================================

< Huawei>system-view
[Huawei]sysname AR1
[AR1]interface g0/0/2
[AR1-GigabitEthernet0/0/2]ip address 192.168.1.254 24
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.12.1 24
[AR1]ip route-static 0.0.0.0 0.0.0.0 192.168.12.2
[AR1]acl 3000
[AR1-acl-adv-3000]rule 5 permit tcp source 192.168.1.1 0 destination 192.168.3.1
0 destination-port eq 80
[AR1-acl-adv-3000]rule 10 permit ip source 192.168.1.1 0 destination 192.168.2.0
0.0.0.255
[AR1-acl-adv-3000]rule 15 deny ip source 192.168.1.1 0 destination any
[AR1]interface g0/0/2
[AR1-GigabitEthernet0/0/2]traffic-filter inbound acl 3000

=================================================================================

< Huawei>system-view
[Huawei]sysname AR2
[AR2]interface g0/0/2
[AR2-GigabitEthernet0/0/2]ip address 192.168.2.254 24
[AR2]interface g0/0/1
[AR2-GigabitEthernet0/0/1]ip address 192.168.12.2 24
[AR2]interface g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 192.168.23.2 24
[AR2]ip route-static 192.168.1.0 255.255.255.0 192.168.12.1
[AR2]ip route-static 192.168.1.0 255.255.255.0 192.168.23.3

=================================================================================

< Huawei>system-view
[Huawei]sysname AR3
[AR3]interface g0/0/2
[AR3-GigabitEthernet0/0/2]ip address 192.168.3.254 24
[AR3]interface g0/0/1
[AR3-GigabitEthernet0/0/1]ip address 192.168.23.3 24
[AR3]ip route-static 0.0.0.0 0.0.0.0 192.168.23.2

=================================================================================