2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Lab Topology:
Experimental requirements:
1. Configure a standard ACL on the Huawei devices so that hosts in vlan 10 and hosts in vlan 20 cannot reach each other, while both can still reach the Internet normally.
2. Configure an extended ACL on the Huawei devices so that hosts in vlan 10 and hosts in vlan 20 cannot reach each other but can still reach the Internet, with two exceptions: C2 in vlan 10 must still be able to communicate with C3 in vlan 20, and C1 in vlan 10 must not be able to open web pages; nothing else is affected.
3. Configure a named ACL on the Huawei devices so that router R1 can only be managed remotely from the host 192.168.1.10.
ACL principle:
1. An ACL is matched from top to bottom, one rule at a time; once a rule matches, no later rule is considered.
2. What happens to a packet that matches no rule depends on the module that references the ACL. On Huawei VRP, packet filtering with traffic-filter forwards unmatched packets by default, whereas VTY access control (step 3 below) rejects sources that match no rule; the Cisco-style "implicit deny all" must not be assumed. Do not rely on the default: end every filtering ACL with an explicit catch-all rule, as the scripts below do, and check the documented default action for your model.
3. An interface can have at most one ACL applied per direction, but that ACL can contain any number of rules.
Experimental steps and verification:
1. Interface and IP address plan:
C1: 192.168.1.10 (vlan 10)
C2: 192.168.1.20 (vlan 10)
C3: 192.168.2.10 (vlan 20)
C4: 192.168.2.20 (vlan 20)
Server: 13.0.0.2
R1:
G0/0/1.10: 192.168.1.1
G0/0/1.20: 192.168.2.1
G0/0/2: 12.0.0.2
R2:
G0/0/2: 12.0.0.1
G0/0/0: 13.0.0.1
2. Configuration script:
SW1
[SW1] vlan batch 10 20 (create vlan 10 and vlan 20)
[SW1] int e0/0/1
[SW1-Ethernet0/0/1] port hybrid pvid vlan 10
[SW1-Ethernet0/0/1] port hybrid untagged vlan 10 (add the interface to vlan 10 as untagged)
[SW1] int e0/0/2
[SW1-Ethernet0/0/2] port hybrid pvid vlan 10
[SW1-Ethernet0/0/2] port hybrid untagged vlan 10
[SW1] int e0/0/3
[SW1-Ethernet0/0/3] port link-type access
[SW1-Ethernet0/0/3] port default vlan 20 (add interface to vlan 20 as access)
[SW1] int e0/0/4
[SW1-Ethernet0/0/4] port link-type access
[SW1-Ethernet0/0/4] port default vlan 20
[SW1] int g0/0/1
[SW1-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20 (the uplink to R1 is tagged so that frames carrying vlan 10 and vlan 20 tags can pass)
R1
[R1] int g0/0/1.10
[R1-GigabitEthernet0/0/1.10] dot1q termination vid 10 (specifies the vlan tag this sub-interface terminates)
[R1-GigabitEthernet0/0/1.10] ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/1.10] arp broadcast enable (enable ARP broadcast on the sub-interface; without it the sub-interface cannot resolve hosts in the vlan)
[R1] int g0/0/1.20
[R1-GigabitEthernet0/0/1.20] dot1q termination vid 20
[R1-GigabitEthernet0/0/1.20] ip add 192.168.2.1 24
[R1-GigabitEthernet0/0/1.20] arp broadcast enable
[R1] int g0/0/2
[R1-GigabitEthernet0/0/2] ip add 12.0.0.2 24
R2
[R2] int g0/0/2
[R2-GigabitEthernet0/0/2] ip add 12.0.0.1 24
[R2] int g0/0/0
[R2-GigabitEthernet0/0/0] ip add 13.0.0.1 24
-- above is the IP address and vlan configuration --
R1
[R1] ip route-static 13.0.0.0 255.255.255.0 12.0.0.1
R2
[R2] ip route-static 192.168.1.0 255.255.255.0 12.0.0.2
[R2] ip route-static 192.168.2.0 255.255.255.0 12.0.0.2
-- above is the routing configuration --
Without any ACL, C1 can communicate with the vlan 20 hosts and with the Server.
Standard ACL:
R1
[R1] acl 2000 (define a basic (standard) ACL 2000; basic ACLs match on the source address only)
[R1-acl-basic-2000] rule 5 deny source 192.168.1.0 0.0.0.255 (the first rule denies all traffic sourced from 192.168.1.0/24)
[R1-acl-basic-2000] rule 10 permit source any (rules are matched from top to bottom, so the deny is followed by a permit-all to let every other flow through)
[R1] int g0/0/1.20 (only the vlan 10 and vlan 20 hosts need to be kept apart, so the ACL is applied in the outbound direction of the vlan 20 gateway sub-interface; vlan 10 traffic towards the Internet never crosses that interface and is unaffected)
[R1-GigabitEthernet0/0/1.20] traffic-filter outbound acl 2000 (apply the ACL in the outbound direction of the interface)
Verification:
C1 can still reach the Server but can no longer communicate with the vlan 20 hosts, so the standard ACL is in effect. Since vlan 10 addresses are denied on the way out of G0/0/1.20, replies from vlan 10 to a vlan 20 host are dropped as well, so the block works in both directions.
Extended ACL:
Without any ACL, C1 can reach the Server's FTP and WWW services.
R1 (if ACL 2000 from the previous step is still applied outbound on G0/0/1.20, remove it first with undo traffic-filter outbound on that sub-interface, otherwise it will keep blocking C2 from reaching C3):
[R1] acl 3000 (define an advanced (extended) ACL 3000; advanced ACLs can match on source, destination, protocol and ports)
[R1-acl-adv-3000] rule 5 permit ip source 192.168.1.20 0.0.0.0 destination 192.168.2.10 0.0.0.0 (allow traffic from C2 to C3)
[R1-acl-adv-3000] rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 (note the position of this rule: it denies all traffic from vlan 10 to vlan 20 and must come after the C2-to-C3 permit, which it would otherwise override)
[R1-acl-adv-3000] rule 15 deny tcp source 192.168.1.10 0.0.0.0 destination 13.0.0.2 0.0.0.0 destination-port eq 80 (deny C1 access to TCP port 80 on the Server)
[R1-acl-adv-3000] rule 20 permit ip source any (finally, allow all traffic not matched above)
[R1] int g0/0/1.10
[R1-GigabitEthernet0/0/1.10] traffic-filter inbound acl 3000 (apply the ACL in the inbound direction on the vlan 10 gateway sub-interface)
Experimental verification:
C2 can communicate with C3 but not with the other vlan 20 host (C4), and can still reach the Server and the Internet normally. Because the ACL is stateless and only filters inbound on the vlan 10 gateway, a vlan 20 host's packets still reach vlan 10 hosts; it is the replies from vlan 10 that are dropped.
On C1 the Server's WWW service can no longer be opened while its FTP service is still reachable, so the extended ACL is in effect.
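The following Python script is an added example (not part of the original lab) that models how R1 evaluates the two ACLs above: top-down first match with wildcard masks, applied at a given interface and direction. It replays the lab's own test flows, and also shows what changes if ACL 2000 were applied inbound on the vlan 10 gateway instead, if the deny rule in ACL 3000 were placed before the permit, and why a vlan 20 host's packets still reach vlan 10. Addresses and rules are the lab's; the function names and the "no rule matched, forward the packet" default for traffic-filter are this example's assumptions.

```python
"""Replay the lab's ACL decisions on a small model of R1 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # "source any" / "destination any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit means 'do not compare this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    src: tuple = ANY                 # (address, wildcard)
    dst: tuple = ANY
    proto: str = "ip"                # "ip" matches every protocol
    dport: Optional[int] = None      # destination-port eq N


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    dport: Optional[int] = None


def evaluate(rules, pkt):
    """Top-down first match: the first matching rule decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if wildcard_match(pkt.src, *r.src) and wildcard_match(pkt.dst, *r.dst):
            return r.action, r.number
    return "permit", None   # assumption: traffic-filter forwards unmatched packets


# R1's LAN sub-interfaces from the lab; everything else leaves via G0/0/2 towards R2
LANS = {"G0/0/1.10": ipaddress.IPv4Network("192.168.1.0/24"),
        "G0/0/1.20": ipaddress.IPv4Network("192.168.2.0/24")}


def interface_for(addr):
    for name, net in LANS.items():
        if ipaddress.IPv4Address(addr) in net:
            return name
    return "G0/0/2"


def forward(filters, pkt):
    """filters maps (interface, direction) -> rule list, like traffic-filter."""
    checks = ((interface_for(pkt.src), "inbound"), (interface_for(pkt.dst), "outbound"))
    for iface, direction in checks:
        if (iface, direction) in filters:
            action, num = evaluate(filters[(iface, direction)], pkt)
            if action == "deny":
                return f"denied by rule {num} ({iface} {direction})"
    return "forwarded"


ACL2000 = [Rule(5, "deny", src=("192.168.1.0", "0.0.0.255")),
           Rule(10, "permit")]
ACL3000 = [Rule(5, "permit", src=("192.168.1.20", "0.0.0.0"), dst=("192.168.2.10", "0.0.0.0")),
           Rule(10, "deny", src=("192.168.1.0", "0.0.0.255"), dst=("192.168.2.0", "0.0.0.255")),
           Rule(15, "deny", src=("192.168.1.10", "0.0.0.0"), dst=("13.0.0.2", "0.0.0.0"),
                proto="tcp", dport=80),
           Rule(20, "permit")]

C1, C2, C3, C4, SERVER = "192.168.1.10", "192.168.1.20", "192.168.2.10", "192.168.2.20", "13.0.0.2"


def lab_results():
    std = {("G0/0/1.20", "outbound"): ACL2000}        # where the lab applies ACL 2000
    misplaced = {("G0/0/1.10", "inbound"): ACL2000}   # same ACL, but inbound on the vlan 10 gateway
    ext = {("G0/0/1.10", "inbound"): ACL3000}         # where the lab applies ACL 3000
    deny_first = {("G0/0/1.10", "inbound"): [        # ACL 3000 with rules 5 and 10 swapped
        Rule(5, "deny", src=ACL3000[1].src, dst=ACL3000[1].dst),
        Rule(10, "permit", src=ACL3000[0].src, dst=ACL3000[0].dst)]}
    return {
        "std C1->C3": forward(std, Packet(C1, C3)),
        "std C1->Server": forward(std, Packet(C1, SERVER)),
        "std misplaced C1->Server": forward(misplaced, Packet(C1, SERVER)),
        "ext C2->C3": forward(ext, Packet(C2, C3)),
        "ext C2->C4": forward(ext, Packet(C2, C4)),
        "ext C1->Server:80": forward(ext, Packet(C1, SERVER, "tcp", 80)),
        "ext C1->Server:21": forward(ext, Packet(C1, SERVER, "tcp", 21)),
        "ext C4->C2 (request)": forward(ext, Packet(C4, C2)),   # stateless: the request gets through
        "ext C2->C4 (reply)": forward(ext, Packet(C2, C4)),     # only the reply is dropped
        "deny-first C2->C3": forward(deny_first, Packet(C2, C3)),
    }


if __name__ == "__main__":
    for flow, outcome in lab_results().items():
        print(f"{flow:26s} {outcome}")
```

The misplaced and deny-first cases are the two mistakes the lab warns about: a source-only ACL applied inbound on the vlan 10 gateway also kills C1's Internet traffic, and a deny placed before the more specific permit silently overrides it.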
Named ACL:
R1:
[R1] user-interface vty 0 4
[R1-ui-vty0-4] authentication-mode password
Please configure the login password (maximum length 16): abc
By default, any device that can reach R1 can now telnet to it.
R1:
[R1] acl name novty 2001 (define a named basic ACL "novty" with number 2001)
[R1-acl-basic-2001] rule 5 permit source 192.168.1.10 0.0.0.0 (allow only traffic from C1; on the VTY, sources that match no rule are rejected)
[R1] user-interface vty 0 4
[R1-ui-vty0-4] acl 2001 inbound (apply the ACL in the inbound direction on the VTY lines)
Experimental verification:
Only C1 can telnet to R1; no other host can, so the named ACL is in effect. Keep in mind that this check is on the source IP address only, which a host on the same LAN can spoof, and that Telnet carries the password in cleartext; in production use SSH (stelnet on VRP) behind the same VTY ACL, and restrict the other management services (SNMP, HTTP) separately, since a VTY ACL does not cover them.
Summary of the experiment:
1. An ACL can be understood as a packet-filtering firewall that controls traffic according to the rules configured by the administrator. A time range defined with the time-range command can be referenced from a rule to make the filtering apply only at certain times.
2. An ACL can also be used to define the addresses or address ranges of interest for other features, such as NAT.
3. An ACL is also the tool used for traffic classification in QoS.