ACL (Access Control List)
(1) ACL categories
Category     | Number range | Parameters
Basic ACL    | 2000~2999    | Defines traffic by source address
Advanced ACL | 3000~3999    | Defines traffic by combinations of source address, destination address, source port, destination port, upper-layer protocol number and other fields
Layer 2 ACL  | 4000~4999    | Source MAC address, destination MAC address, Ethernet frame protocol type, etc.
(2) ACL rules
Each ACL can contain multiple rules; the router (RTA) filters traffic according to these rules.
ACL rules are matched one by one in order. At the end there is an implicit, hidden permit any by default.
(3) Basic ACL configuration
Requirement: configure an ACL so that 192.168.1.0/24 cannot access 192.168.2.0/24.
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 12.1.1.1 24
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 192.168.2.1 24
[AR1]ip route-static 192.168.2.0 255.255.255.0 12.1.1.2
[AR2]ip route-static 192.168.1.0 255.255.255.0 12.1.1.1
PC1 can ping PC2:
PC>ping 192.168.2.2
Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.2: bytes=32 seq=2 ttl=126 time=93 ms
From 192.168.2.2: bytes=32 seq=3 ttl=126 time=63 ms
From 192.168.2.2: bytes=32 seq=4 ttl=126 time=47 ms
From 192.168.2.2: bytes=32 seq=5 ttl=126 time=32 ms
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/58/93 ms
Configure the basic ACL:
[AR1]acl ?
INTEGER<2000-2999> Basic access-list(add to current using rules)
INTEGER<3000-3999> Advanced access-list(add to current using rules)
INTEGER<4000-4999> Specify a L2 acl group
ipv6 ACL IPv6
name Specify a named ACL
number Specify a numbered ACL
[AR1]acl 2000
[AR1-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 2000
Notes:
Determine the in or out direction from the direction of the traffic relative to the interface.
Traffic from 192.168.1.0/24 to 192.168.2.0/24 is in the inbound direction for g0/0/0 on AR1, hence the configuration above. It is recommended to apply the ACL in the inbound direction so that matched traffic is dropped at the point closest to its source.
Traffic from 192.168.1.0/24 to 192.168.2.0/24 is in the outbound direction for g0/0/1 on AR1.
If the ACL were applied on interface g0/0/1, the configuration would be:
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
PC1 can no longer ping PC2, which shows that acl 2000 has taken effect:
PC>ping 192.168.2.2
Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[AR1]dis acl 2000
Basic ACL 2000, 3 rules
Acl's step is 5
rule 5 deny source 192.168.1.0 0.0.0.255 (5 matches)
rule 10 deny source 192.168.3.0 0.0.0.255
rule 15 deny source 192.168.4.0 0.0.0.255
[AR1]dis traffic-filter applied-record
-----------------------------------------------------------
Interface Direction AppliedRecord
-----------------------------------------------------------
GigabitEthernet0/0/0 inbound acl 2000
-----------------------------------------------------------
(4) Advanced ACL configuration
Requirement: configure an ACL on AR2 so that the 12.1.1.0/24 segment cannot telnet to 23.1.1.3 but can still ping 23.1.1.3.
AR1:
interface GigabitEthernet0/0/1
ip address 12.1.1.1 255.255.255.0
ip route-static 23.1.1.0 255.255.255.0 12.1.1.2
AR2:
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 23.1.1.2 255.255.255.0
AR3:
interface GigabitEthernet0/0/0
ip address 23.1.1.3 255.255.255.0
ip route-static 12.1.1.0 255.255.255.0 23.1.1.2
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher huawei
Currently AR1 can telnet to AR3:
<AR1>telnet 23.1.1.3
Press CTRL_] to quit telnet mode
Trying 23.1.1.3 ...
Connected to 23.1.1.3 ...
Login authentication
Password:huawei
<AR3>
Configure the ACL on AR2:
[AR2]acl 3000
[AR2-acl-adv-3000]rule deny tcp source 12.1.1.0 0.0.0.255 destination 23.1.1.3 0.0.0.0 destination-port eq 23
[AR2-acl-adv-3000]rule permit ip
[AR2-acl-adv-3000]int g0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
AR1 can no longer telnet to AR3:
<AR1>telnet 23.1.1.3
Press CTRL_] to quit telnet mode
Trying 23.1.1.3 ...
Error: Can't connect to the remote host
AR1 can still ping AR3:
<AR1>ping 23.1.1.3
PING 23.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 23.1.1.3: bytes=56 Sequence=1 ttl=254 time=210 ms
Reply from 23.1.1.3: bytes=56 Sequence=2 ttl=254 time=90 ms
Reply from 23.1.1.3: bytes=56 Sequence=3 ttl=254 time=120 ms
Reply from 23.1.1.3: bytes=56 Sequence=4 ttl=254 time=160 ms
Reply from 23.1.1.3: bytes=56 Sequence=5 ttl=254 time=90 ms
--- 23.1.1.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/134/210 ms
[AR2]dis acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 deny tcp source 12.1.1.0 0.0.0.255 destination 23.1.1.3 0 destination-port eq telnet (6 matches)
rule 10 permit ip (5 matches)
[AR2]dis traffic-filter applied-record
-----------------------------------------------------------
Interface Direction AppliedRecord
-----------------------------------------------------------
GigabitEthernet0/0/0 inbound acl 3000
-----------------------------------------------------------
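The following is an added example, not part of the original notes, that models the rule semantics described in section (2) (ordered matching, wildcard masks, implicit permit any, rule numbering by step 5) and replays acl 2000 and acl 3000 from sections (3) and (4) against sample packets, so an ACL can be sanity-checked offline before it is applied to an interface. The Rule and Packet classes and the evaluate function are this example's own constructs, not VRP commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask as used on the page: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    protocol: str = "ip"         # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: tuple = ("0.0.0.0", "255.255.255.255")   # (address, wildcard); default = any source
    dst: tuple = ("0.0.0.0", "255.255.255.255")   # (address, wildcard); default = any destination
    dport: Optional[int] = None  # destination port for tcp/udp; None = any port

@dataclass
class Packet:                    # constructed sample packet, only the fields the ACLs look at
    src: str
    dst: str
    protocol: str = "icmp"
    dport: Optional[int] = None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *rule.src) or not wildcard_match(pkt.dst, *rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: list, pkt: Packet, step: int = 5) -> tuple:
    """First matching rule wins; rule numbers follow the ACL step (5, 10, 15 ...).
    No match falls through to the implicit permit any, as the notes state."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return (i + 1) * step, rule.action
    return None, "permit"

# acl 2000 from the page: rule deny source 192.168.1.0 0.0.0.255
ACL_2000 = [Rule("deny", src=("192.168.1.0", "0.0.0.255"))]
# acl 3000 from the page: deny telnet from 12.1.1.0/24 to 23.1.1.3, then permit ip
ACL_3000 = [
    Rule("deny", "tcp", src=("12.1.1.0", "0.0.0.255"), dst=("23.1.1.3", "0.0.0.0"), dport=23),
    Rule("permit", "ip"),
]
```

evaluate(ACL_3000, Packet("12.1.1.1", "23.1.1.3", "tcp", 23)) returns (5, "deny") while an ICMP packet to the same host returns (10, "permit"), which is exactly the split between the rule 5 and rule 10 hit counters in the dis acl 3000 output above.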