Shulou (Shulou.com) 06/02 Report, updated 2025-01-17. From: SLTechnology News&Howtos, Servers.
Today's topic is ACLs (access control lists). This is my first contact with the subject, so if anything is lacking, please give your valuable advice. Thank you.
* * ACL: Access Control List
- Definition: a mechanism for identifying (classifying) traffic.
- Function: to act on a particular class of packets, a network device is configured with a series of match rules that identify those packets; matching packets are then handled according to the pre-set policy. (Put simply: match the traffic of interest, then act on it.)
- Implementation:
1. Write the rules (match conditions)
2. Specify the action (permit / deny)
3. Apply the ACL where it is to take effect (for example, bind it to a port with traffic-filter)
- Types:
-- Standard ACL / basic ACL (numbers 2000-2999; matches on source address only)
-- Extended ACL / advanced ACL (numbers 3000-3999; matches on source, destination, protocol and ports)
Configuration ideas:
1. Make sure the existing network is fully reachable before adding any filter
2. View existing ACLs
3. Create the ACL
4. Apply (call) the ACL
5. Verify, test, save
Here is a small topology and the hands-on steps.
Purpose: PC1 and PC3 must not be able to reach each other, while PC1 and PC3 can each still reach PC2 and PC4.
Address planning:

Device        IP address and subnet          Gateway
PC1           192.168.10.1/24                192.168.10.254 (R1, Vlanif10)
PC2           192.168.20.2/24                192.168.20.254 (R1, Vlanif20)
PC3           192.168.30.3/24                192.168.30.254 (R2, Vlanif30)
PC4           192.168.40.4/24                192.168.40.254 (R2, Vlanif40)
R1-R2 link    192.168.50.1/24 (R1), 192.168.50.2/24 (R2), VLAN 50

Experimental steps:
1. Configure the device IP addresses
2. Configure the gateways (R1 and R2 are configured here as Layer 3 switches: VLANs, VLANIF interfaces as the gateways, and trunk uplinks)
R1:
<Huawei> system-view\ enter the system view
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname R1\ change the name
[R1] vlan batch 10 20 30 40 50\ create the VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[R1] interface Vlanif 10\ enter the VLAN interface
[R1-Vlanif10] undo shutdown\ bring the VLAN interface up
Info: Interface Vlanif10 is not shutdown.
[R1-Vlanif10] ip address 192.168.10.254 255.255.255.0\ gateway address for VLAN 10
[R1-Vlanif10] q\ exit
[R1] interface Vlanif 20\ enter the VLAN interface
[R1-Vlanif20] undo shutdown\ bring the VLAN interface up
Info: Interface Vlanif20 is not shutdown.
[R1-Vlanif20] ip address 192.168.20.254 255.255.255.0\ gateway address for VLAN 20
[R1-Vlanif20] q\ exit
[R1] interface Vlanif 50\ enter the VLAN interface
[R1-Vlanif50] undo shutdown\ bring the VLAN interface up
Info: Interface Vlanif50 is not shutdown.
[R1-Vlanif50] ip address 192.168.50.1 255.255.255.0\ R1's address on the R1-R2 link (VLAN 50)
[R1-Vlanif50] q\ exit
[R1] interface GigabitEthernet 0/0/1\ enter the port
[R1-GigabitEthernet0/0/1] port link-type trunk\ set the link type to trunk
[R1-GigabitEthernet0/0/1] port trunk allow-pass vlan all\ allow all VLANs to pass
[R1-GigabitEthernet0/0/1] q\ exit
[R1] interface GigabitEthernet 0/0/2\ enter the port
[R1-GigabitEthernet0/0/2] port link-type trunk\ set the link type to trunk
[R1-GigabitEthernet0/0/2] port trunk allow-pass vlan all\ allow all VLANs to pass
[R1-GigabitEthernet0/0/2] q\ exit
R2:
<Huawei> system-view\ enter the system view
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname R2\ change the name
[R2] vlan batch 10 20 30 40 50\ create the VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[R2] interface Vlanif 30\ enter the VLAN interface
[R2-Vlanif30] undo shutdown\ bring the VLAN interface up
Info: Interface Vlanif30 is not shutdown.
[R2-Vlanif30] ip address 192.168.30.254 255.255.255.0\ gateway address for VLAN 30
[R2-Vlanif30] q\ exit
[R2] interface Vlanif 40\ enter the VLAN interface
[R2-Vlanif40] undo shutdown\ bring the VLAN interface up
Info: Interface Vlanif40 is not shutdown.
[R2-Vlanif40] ip address 192.168.40.254 255.255.255.0\ gateway address for VLAN 40
[R2-Vlanif40] q\ exit
[R2] interface Vlanif 50\ enter the VLAN interface
[R2-Vlanif50] undo shutdown\ bring the VLAN interface up
Info: Interface Vlanif50 is not shutdown.
[R2-Vlanif50] ip address 192.168.50.2 255.255.255.0\ R2's address on the R1-R2 link (VLAN 50)
[R2-Vlanif50] q\ exit
[R2] interface GigabitEthernet 0/0/2\ enter the port
[R2-GigabitEthernet0/0/2] port link-type trunk\ set the link type to trunk
[R2-GigabitEthernet0/0/2] port trunk allow-pass vlan all\ allow all VLANs to pass
[R2-GigabitEthernet0/0/2] q\ exit
[R2] interface GigabitEthernet 0/0/1\ enter the port
[R2-GigabitEthernet0/0/1] port link-type trunk\ set the link type to trunk
[R2-GigabitEthernet0/0/1] port trunk allow-pass vlan all\ allow all VLANs to pass
[R2-GigabitEthernet0/0/1] q\ exit
3. Configure the access switches: create the VLANs, set the link type of each port, and add the access ports to their VLANs
sw1:
<Huawei> system-view\ enter the system view
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname sw1\ change the name
[sw1] vlan batch 10 20 30 40 50\ create the VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw1] interface GigabitEthernet 0/0/1\ enter the port
[sw1-GigabitEthernet0/0/1] port link-type access\ set the link type to access
[sw1-GigabitEthernet0/0/1] port default vlan 10\ add the port to VLAN 10 (PC1)
[sw1-GigabitEthernet0/0/1] q\ exit
[sw1] interface GigabitEthernet 0/0/2\ enter the port
[sw1-GigabitEthernet0/0/2] port link-type access\ set the link type to access
[sw1-GigabitEthernet0/0/2] port default vlan 20\ add the port to VLAN 20 (PC2)
[sw1-GigabitEthernet0/0/2] q\ exit
[sw1] interface GigabitEthernet 0/0/3\ enter the port
[sw1-GigabitEthernet0/0/3] port link-type trunk\ set the link type to trunk (uplink to R1)
[sw1-GigabitEthernet0/0/3] port trunk allow-pass vlan all\ allow all VLANs to pass
[sw1-GigabitEthernet0/0/3] q\ exit
[sw1]
sw2:
<Huawei> system-view\ enter the system view
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname sw2\ change the name
[sw2] vlan batch 10 20 30 40 50\ create the VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw2] interface GigabitEthernet 0/0/1\ enter the port
[sw2-GigabitEthernet0/0/1] port link-type trunk\ set the link type to trunk (uplink to R2)
[sw2-GigabitEthernet0/0/1] port trunk allow-pass vlan all\ allow all VLANs to pass
[sw2-GigabitEthernet0/0/1] q\ exit
[sw2] interface GigabitEthernet 0/0/2\ enter the port
[sw2-GigabitEthernet0/0/2] port link-type access\ set the link type to access
[sw2-GigabitEthernet0/0/2] port default vlan 30\ add the port to VLAN 30 (PC3)
[sw2-GigabitEthernet0/0/2] q\ exit
[sw2] interface GigabitEthernet 0/0/3\ enter the port
[sw2-GigabitEthernet0/0/3] port link-type access\ set the link type to access
[sw2-GigabitEthernet0/0/3] port default vlan 40\ add the port to VLAN 40 (PC4)
[sw2-GigabitEthernet0/0/3] q\ exit
[sw2]
4. Configure RIP so that the whole network is reachable
RIP only runs on interfaces whose address falls inside a declared network, so the R1-R2 link (192.168.50.0/24) must be declared on both devices as well; without it R1 and R2 never exchange routes and PC1 would not even reach PC3 before the ACL is added.
R1:
[R1] rip\ enable the RIP process
[R1-rip-1] version 2\ select version 2
[R1-rip-1] network 192.168.10.0\ declare the network (VLAN 10)
[R1-rip-1] network 192.168.20.0\ declare the network (VLAN 20)
[R1-rip-1] network 192.168.50.0\ declare the R1-R2 link, otherwise no routes are exchanged
[R1-rip-1] q\ exit
[R1]
R2:
[R2] rip\ enable the RIP process
[R2-rip-1] version 2\ select version 2
[R2-rip-1] network 192.168.30.0\ declare the network (VLAN 30)
[R2-rip-1] network 192.168.40.0\ declare the network (VLAN 40)
[R2-rip-1] network 192.168.50.0\ declare the R1-R2 link, otherwise no routes are exchanged
[R2-rip-1] q\ exit
At this point, verify that the entire network is reachable. Take PC1 as an example: ping PC2, PC3 and PC4. All three pings must succeed before the ACL is added, otherwise a later failure of PC1 to PC3 proves nothing about the ACL.
5. Create the ACL
An ACL can be applied on any interface. In this experiment only PC1 and PC3 must be separated while everything else stays reachable, so I chose to create the ACL on R2, as follows:
[R2] acl name denypc1-3\ create a named ACL; created this way it is an advanced ACL (see the acl-adv prompt), so it can match both source and destination
[R2-acl-adv-denypc1-3] rule deny ip source 192.168.10.1 0.0.0.0 destination 192.168.30.3 0.0.0.0\ deny all IP traffic from PC1 to PC3 (wildcard 0.0.0.0 means the address must match exactly); with no rule number given, the rule is numbered 5 (default step 5)
[R2-acl-adv-denypc1-3] q\ quit
6. Call (apply) the ACL
[R2] interface GigabitEthernet 0/0/2\ enter the port: since the filter is outbound, this must be the trunk towards sw2, i.e. the interface through which traffic to PC3 leaves R2
[R2-GigabitEthernet0/0/2] traffic-filter outbound acl name denypc1-3\ apply the ACL to traffic leaving this port
[R2-GigabitEthernet0/0/2] q\ exit
7. Verify, test, save
Verify: check on R2 that the ACL contains rule 5 with the deny action and that it is bound outbound on GigabitEthernet0/0/2, then save the configuration.
Test:
PC1:
Test connectivity to PC2: succeeds
Test connectivity to PC4: succeeds
Test connectivity to PC3: fails
PC3:
Test connectivity to PC2: succeeds
Test connectivity to PC4: succeeds
Test connectivity to PC1: fails
The experiment is complete and its purpose has been achieved.
Note: an ACL bound with traffic-filter has no effect on traffic that the device itself originates; it acts only on traffic passing through the device. Two further points are worth understanding. First, the single deny rule matches only packets from PC1 to PC3, yet PC3 cannot ping PC1 either: PC3's echo request reaches PC1 unfiltered, but PC1's echo reply to PC3 is exactly the traffic the rule drops on its way out of GigabitEthernet0/0/2. Second, packets that match no rule are permitted by traffic-filter on Huawei switches, which is why traffic to PC2 and PC4 is unaffected without any explicit permit rule.
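To make the matching semantics of step 5, the outbound placement of step 6 and the test matrix of step 7 concrete, here is a small model of a Huawei-style advanced ACL bound with traffic-filter outbound. This is an added example, not code from the original page and not a Huawei tool: it parses rule lines in the syntax used above, applies the wildcard-mask match (a 0 bit in the wildcard means that address bit must match), tries rules in number order with first match winning, and permits anything that matches no rule. The one topology fact it assumes is that GigabitEthernet0/0/2 on R2 is the trunk towards sw2, so an outbound filter there sees exactly the packets whose destination is in VLAN 30 or VLAN 40; the PC addresses come from the address plan above.

```python
"""Model of an advanced ACL applied with traffic-filter outbound (added example).

Not the page's own code and not a Huawei tool. Rule syntax, wildcard
semantics and the default-permit behaviour follow the lab above; the
interface/subnet relationship is an assumption stated in BEHIND_G0_0_2.
"""
import ipaddress
import re

# Addresses from the lab's address plan.
PC1, PC2, PC3, PC4 = "192.168.10.1", "192.168.20.2", "192.168.30.3", "192.168.40.4"

# Assumption: R2's GigabitEthernet0/0/2 is the trunk towards sw2, so the
# outbound filter there only sees packets destined for VLAN 30 or VLAN 40.
BEHIND_G0_0_2 = [ipaddress.ip_network("192.168.30.0/24"),
                 ipaddress.ip_network("192.168.40.0/24")]

# The ACL created on R2 in step 5 (constructed copy of the rule line above).
ACL_DENYPC1_3 = """
rule deny ip source 192.168.10.1 0.0.0.0 destination 192.168.30.3 0.0.0.0
"""

RULE_RE = re.compile(
    r"rule(?:\s+(?P<num>\d+))?\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>any|\S+\s+\S+))?"
    r"(?:\s+destination\s+(?P<dst>any|\S+\s+\S+))?\s*$")


def _wild(spec):
    """'addr wildcard' -> (addr as int, care mask). 'any'/None matches everything."""
    if spec is None or spec == "any":
        return 0, 0
    addr, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # 0 bits in the wildcard must match
    return int(ipaddress.IPv4Address(addr)), care


def parse_acl(text):
    """Parse 'rule ...' lines; unnumbered rules get the next multiple of the step (5)."""
    rules, last = [], 0
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable rule: " + line)
        num = int(m["num"]) if m["num"] else (last // 5 + 1) * 5
        last = max(last, num)
        rules.append({"num": num, "action": m["action"], "proto": m["proto"],
                      "src": _wild(m["src"]), "dst": _wild(m["dst"])})
    return sorted(rules, key=lambda r: r["num"])


def _hit(addr, spec):
    ref, care = spec
    return (int(ipaddress.IPv4Address(addr)) ^ ref) & care == 0


def acl_action(rules, proto, src, dst):
    """First matching rule wins; a packet matching no rule is permitted
    (the traffic-filter default on Huawei switches, not an implicit deny)."""
    for r in rules:
        if r["proto"] not in ("ip", proto):  # an 'ip' rule covers every IP protocol
            continue
        if _hit(src, r["src"]) and _hit(dst, r["dst"]):
            return r["action"]
    return "permit"


def _passes_g0_0_2(rules, src, dst, proto="icmp"):
    """Apply the outbound filter only to packets that actually leave via G0/0/2."""
    if any(ipaddress.ip_address(dst) in net for net in BEHIND_G0_0_2):
        return acl_action(rules, proto, src, dst) == "permit"
    return True  # packets leaving through another port are never inspected


def ping_ok(rules, src, dst):
    """A ping succeeds only if the echo request and the echo reply both get through."""
    return _passes_g0_0_2(rules, src, dst) and _passes_g0_0_2(rules, dst, src)


def lab_results(rules=None):
    """Reproduce the six tests of step 7 against the lab ACL."""
    rules = parse_acl(ACL_DENYPC1_3) if rules is None else rules
    pairs = {"PC1->PC2": (PC1, PC2), "PC1->PC4": (PC1, PC4), "PC1->PC3": (PC1, PC3),
             "PC3->PC2": (PC3, PC2), "PC3->PC4": (PC3, PC4), "PC3->PC1": (PC3, PC1)}
    return {name: ping_ok(rules, s, d) for name, (s, d) in pairs.items()}


if __name__ == "__main__":
    for name, ok in lab_results().items():
        print(f"{name}: {'reachable' if ok else 'blocked'}")
```

Running it reproduces the test matrix: PC1 to PC3 is blocked because the echo request is denied, PC3 to PC1 is blocked because the echo reply from PC1 is denied, and the other four pairs stay reachable through the default permit. Feeding parse_acl a broader rule such as `rule deny ip source 192.168.10.0 0.0.0.255 destination any` shows how a wildcard of 0.0.0.255 widens the match from one host to the whole VLAN 10 subnet.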
The operation is fairly simple. I have tried to describe each step clearly and hope it is easy to follow.