ACL配置

基本ACL配置

• acl [ number ] 命令用来创建一个ACL，并进入ACL视图。
• rule [ rule-id ] { deny | permit } source { source-address source-wildcard | any } 命令用来增加或修改ACL的规则。deny用来指定拒绝符合条件的数据包，permit用来指定允许符合条件的数据包，source用来指定ACL规则匹配报文的源地址信息，any表示任意源地址。
• traffic-filter { inbound | outbound }acl{ acl-number }命令用来在接口上配置基于ACL对报文进行过滤。
• 本示例中，PC1发送的流量到达AR1后，会匹配ACL2000中创建的规则rule deny source 192.168.1.0 0.0.0.255，因而将被拒绝继续转发到AR2。PC2发送的流量不匹配任何规则，所以会被AR1正常转发到Internet。

配置

AR1路由器配置

<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[R1]int g0/0/0

[R1-GigabitEthernet0/0/0]ip address 10.1.1.1 24
[R1-GigabitEthernet0/0/0]q

[Huawei]int g0/0/1.1

[Huawei-GigabitEthernet0/0/1.1]dot1q termination vid 10

[Huawei-GigabitEthernet0/0/1.1]ip address 192.168.1.254 24

[Huawei-GigabitEthernet0/0/1.1]arp broadcast enable 

[Huawei-GigabitEthernet0/0/1.1]int g0/0/1.2

[Huawei-GigabitEthernet0/0/1.2]dot1q termination vid 20

[Huawei-GigabitEthernet0/0/1.2]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1.2]arp broadcast enable 
[Huawei-GigabitEthernet0/0/1.2]q

[Huawei]acl 2000

[Huawei-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2000]q
[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 2000

交换机配置

<Huawei>sy
Enter system view, return user view with Ctrl+Z.

[Huawei]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.

[Huawei]int g0/0/2

[Huawei-GigabitEthernet0/0/2]port link-type access 

[Huawei-GigabitEthernet0/0/2]port default vlan 10

[Huawei-GigabitEthernet0/0/2]int g0/0/3

[Huawei-GigabitEthernet0/0/3]port link-type access 

[Huawei-GigabitEthernet0/0/3]port default vlan 20

[Huawei-GigabitEthernet0/0/3]int g0/0/1

[Huawei-GigabitEthernet0/0/1]port link-type trunk 

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

AR2配置

<Huawei>ip ad	
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy R2
[R2]int g0/0/0

[R2-GigabitEthernet0/0/0]ip address 10.1.1.2 24

[R2-GigabitEthernet0/0/0]q

[R2]ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

测试

高级ACL配置

• 基本ACL可以依据源IP地址进行报文过滤，而高级ACL能够依据源/目的IP地址、源/目的端口号、网络层及传输层协议以及IP流量分类和TCP标记值等各种参数（SYN|ACK|FIN等）进行报文过滤。
• 本示例中，AR1上定义了高级ACL3000，其中第一条规则“rule deny icmp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0”用于限制源地址范围是192.168.1.0/24，目的IP地址为172.16.10.1的所有ICMP报文；第二条规则“rule deny icmp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0 ”用于限制源地址范围是192.168.2.0/24，目的地址是172.16.10.2的所有ICMP报文；第三条规则“rule permit ”用于匹配所有报文，并对报文执行允许动作。

配置

AR1路由器配置

<Huawei>sy
Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/1.1

[Huawei-GigabitEthernet0/0/1.1]dot1q termination vid 10

[Huawei-GigabitEthernet0/0/1.1]ip address 192.168.1.254 24

[Huawei-GigabitEthernet0/0/1.1]arp broadcast enable 

[Huawei-GigabitEthernet0/0/1.1]int g0/0/1.2

[Huawei-GigabitEthernet0/0/1.2]dot1q termination vid 20

[Huawei-GigabitEthernet0/0/1.2]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1.2]arp broadcast enable 
[Huawei-GigabitEthernet0/0/1.2]q

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 172.16.10.254 24

[Huawei-GigabitEthernet0/0/0]q

[Huawei]acl 3000

[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 172
.16.10.1 0



[Huawei-acl-adv-3000]rule deny icmp source 192.168.2.0 0.0.0.255 destination 172
.16.10.2 0


[Huawei-acl-adv-3000]rule permit 

[Huawei-acl-adv-3000]q

[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 3000

交换机配置

<Huawei>sy
Enter system view, return user view with Ctrl+Z.

[Huawei]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.

[Huawei]int g0/0/2

[Huawei-GigabitEthernet0/0/2]port link-type access 

[Huawei-GigabitEthernet0/0/2]port default vlan 10

[Huawei-GigabitEthernet0/0/2]int g0/0/3

[Huawei-GigabitEthernet0/0/3]port link-type access 

[Huawei-GigabitEthernet0/0/3]port default vlan 20

[Huawei-GigabitEthernet0/0/3]int g0/0/1

[Huawei-GigabitEthernet0/0/1]port link-type trunk 

[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

测试