Huawei Configuration Case 9: ACL
TNZdNLJrAgNB, November 2, 2023

ACL (Access Control List)

(1) ACL categories

Category       Number range   Matching parameters
-----------------------------------------------------------
Basic ACL      2000~2999      Defines the data flow by source address
Advanced ACL   3000~3999      Defines the data flow by a combination of source address, destination address, source port, destination port, upper-layer protocol number and other elements
Layer 2 ACL    4000~4999      Source MAC address, destination MAC address, Ethernet frame protocol type, etc.

(2) ACL rules

Each ACL can contain multiple rules; RTA filters data traffic according to these rules.

ACL rules are matched one by one in order. At the end there is a hidden default permit any.

(3) Basic ACL configuration

Requirement: configure an ACL so that 192.168.1.0/24 cannot access 192.168.2.0/24.


[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 12.1.1.1 24

[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 192.168.2.1 24

[AR1]ip route-static 192.168.2.0 255.255.255.0 12.1.1.2

[AR2]ip route-static 192.168.1.0 255.255.255.0 12.1.1.1


PC1 can ping PC2:

PC>ping 192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.2: bytes=32 seq=2 ttl=126 time=93 ms
From 192.168.2.2: bytes=32 seq=3 ttl=126 time=63 ms
From 192.168.2.2: bytes=32 seq=4 ttl=126 time=47 ms
From 192.168.2.2: bytes=32 seq=5 ttl=126 time=32 ms

--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/58/93 ms


Configure the basic ACL:

[AR1]acl ?
INTEGER<2000-2999> Basic access-list(add to current using rules)
INTEGER<3000-3999> Advanced access-list(add to current using rules)
INTEGER<4000-4999> Specify a L2 acl group
ipv6 ACL IPv6
name Specify a named ACL
number Specify a numbered ACL
[AR1]acl 2000
[AR1-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 2000

Note:

Decide between in and out by the direction of the traffic relative to the interface.

Traffic from 192.168.1.0/24 to 192.168.2.0/24 is in the inbound direction on AR1's g0/0/0, hence the configuration above. It is recommended to apply the ACL in the inbound direction, so that matched traffic is dropped at the closest point.

Traffic from 192.168.1.0/24 to 192.168.2.0/24 is in the outbound direction on AR1's g0/0/1.

If the ACL is applied on interface g0/0/1, the configuration should be:

[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]traffic-filter outbound acl 2000

PC1 can no longer ping PC2, which shows that ACL 2000 has taken effect:

PC>ping 192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss


[AR1]dis acl 2000
Basic ACL 2000, 3 rules
Acl's step is 5
rule 5 deny source 192.168.1.0 0.0.0.255 (5 matches)
rule 10 deny source 192.168.3.0 0.0.0.255
rule 15 deny source 192.168.4.0 0.0.0.255

[AR1]dis traffic-filter applied-record
-----------------------------------------------------------
Interface            Direction   AppliedRecord
-----------------------------------------------------------
GigabitEthernet0/0/0 inbound     acl 2000
-----------------------------------------------------------

(4) Advanced ACL configuration

Requirement: configure an ACL on AR2 so that the 12.1.1.0/24 segment cannot telnet to 23.1.1.3 but can still ping 23.1.1.3.


AR1:
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.0
ip route-static 23.1.1.0 255.255.255.0 12.1.1.2

AR2:
interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 23.1.1.2 255.255.255.0

AR3:
interface GigabitEthernet0/0/0
 ip address 23.1.1.3 255.255.255.0
ip route-static 12.1.1.0 255.255.255.0 23.1.1.2
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher huawei


Currently AR1 can telnet to AR3:

<AR1>telnet 23.1.1.3
Press CTRL_] to quit telnet mode
Trying 23.1.1.3 ...
Connected to 23.1.1.3 ...

Login authentication

Password:huawei
<AR3>


Configure the ACL on AR2:

[AR2]acl 3000
[AR2-acl-adv-3000]rule deny tcp source 12.1.1.0 0.0.0.255 destination 23.1.1.3 0.0.0.0 destination-port eq 23
[AR2-acl-adv-3000]rule permit ip
[AR2-acl-adv-3000]int g0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000


AR1 can no longer telnet to AR3:

<AR1>telnet 23.1.1.3
Press CTRL_] to quit telnet mode
Trying 23.1.1.3 ...
Error: Can't connect to the remote host

AR1 can still ping AR3:

<AR1>ping 23.1.1.3
PING 23.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 23.1.1.3: bytes=56 Sequence=1 ttl=254 time=210 ms
Reply from 23.1.1.3: bytes=56 Sequence=2 ttl=254 time=90 ms
Reply from 23.1.1.3: bytes=56 Sequence=3 ttl=254 time=120 ms
Reply from 23.1.1.3: bytes=56 Sequence=4 ttl=254 time=160 ms
Reply from 23.1.1.3: bytes=56 Sequence=5 ttl=254 time=90 ms

--- 23.1.1.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/134/210 ms


[AR2]dis acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 deny tcp source 12.1.1.0 0.0.0.255 destination 23.1.1.3 0 destination-port eq telnet (6 matches)
rule 10 permit ip (5 matches)

[AR2]dis traffic-filter applied-record
-----------------------------------------------------------
Interface            Direction   AppliedRecord
-----------------------------------------------------------
GigabitEthernet0/0/0 inbound     acl 3000
-----------------------------------------------------------
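To check both requirements offline, here is an added example (my own code, not from the original post or from Huawei's VRP): a small Python matcher that applies Huawei wildcard masks and first-match ordering with the default permit, covering the basic ACL from section (3) and the advanced ACL from section (4). The rule text it parses is an assumed subset of the VRP rule syntax, and the packets are constructed for the test.

```python
import ipaddress

# Protocol keywords as they appear in the rule text; None means "any protocol".
PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "ip": None}

def wildcard_match(addr, network, wildcard):
    """Huawei wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_rule(text):
    """Parse an assumed subset of VRP syntax: 'rule <action> [proto]
    [source A W] [destination A W] [destination-port eq N]'."""
    tok = text.split()
    rule = {"action": tok[1], "proto": None, "src": None, "dst": None, "dport": None}
    i = 2
    if i < len(tok) and tok[i] in PROTO:       # advanced ACL rules name a protocol
        rule["proto"] = PROTO[tok[i]]
        i += 1
    while i < len(tok):
        if tok[i] == "source":
            rule["src"] = (tok[i + 1], tok[i + 2]); i += 3
        elif tok[i] == "destination":
            rule["dst"] = (tok[i + 1], tok[i + 2]); i += 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            rule["dport"] = int(tok[i + 2]); i += 3
        else:
            i += 1                             # keywords not modelled here are skipped

    return rule

def evaluate(rules, pkt):
    """First matching rule wins; unmatched traffic falls through to the
    default permit described in the article."""
    for r in rules:
        if r["proto"] is not None and r["proto"] != pkt["proto"]:
            continue
        if r["src"] and not wildcard_match(pkt["src"], *r["src"]):
            continue
        if r["dst"] and not wildcard_match(pkt["dst"], *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        return r["action"]
    return "permit"

# The two ACLs from the article, entered as rule lines.
ACL2000 = [parse_rule("rule deny source 192.168.1.0 0.0.0.255")]
ACL3000 = [parse_rule("rule deny tcp source 12.1.1.0 0.0.0.255 destination 23.1.1.3 0.0.0.0 destination-port eq 23"),
           parse_rule("rule permit ip")]
```

Feeding it a PC1-to-PC2 ICMP packet returns "deny" for ACL 2000, while an AR1-to-AR3 telnet packet is denied and an ICMP packet is permitted by ACL 3000, matching the ping and telnet results shown above.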

