Simple ACL Configuration


Preface

A small lab to walk through basic ACL configuration.

Lab

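1. Requirements

  • Allow only PC1 to access the 192.168.2.0/24 network
  • Block the 192.168.1.0/24 network from pinging the web server
  • Allow only Client1 to access the WWW service on the web server

2. Commands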

AR1:

First, the basic configuration:

<Huawei>undo terminal monitor 
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]user-interface console 0
[Huawei-ui-console0]idle-timeout 0 0
[Huawei-ui-console0]q
[Huawei] int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 192.168.3.254 24
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip add 192.168.2.254 24

Next, use a basic ACL for requirement 1: allow only PC1 to access the 192.168.2.0/24 network.

[Huawei]acl 2000
[Huawei-acl-basic-2000]rule permit source 192.168.1.1 0
[Huawei-acl-basic-2000]rule deny
[Huawei-acl-basic-2000]int g0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-filter outbound acl 2000

Finally, use an advanced ACL for requirements 2 and 3.

[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0
[Huawei-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq 80
[Huawei-acl-adv-3000]rule deny tcp source any destination 192.168.3.1 0 destination-port eq 80
[Huawei-acl-adv-3000]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

3. Results

PC1

PC>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.1: bytes=32 seq=2 ttl=127 time=31 ms
From 192.168.2.1: bytes=32 seq=3 ttl=127 time=47 ms
From 192.168.2.1: bytes=32 seq=4 ttl=127 time=47 ms
From 192.168.2.1: bytes=32 seq=5 ttl=127 time=47 ms

--- 192.168.2.1 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/43/47 ms

PC>ping 192.168.3.1

Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.3.1 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC2

Welcome to use PC Simulator!

PC>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.1 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

As the output shows, all three requirements are met. There are not many commands to configure, and they are easy to understand.

Summary

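The configuration itself is simple. The key is to work out, from the requirements, the direction in which the traffic flows, and then decide whether to apply the ACL on the outbound or the inbound interface, without disrupting communication for the other hosts.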
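The first-match rule evaluation and the inbound/outbound binding described above can be checked offline. The following Python model is an added example, not part of the original post or of Huawei's software; it transcribes ACL 2000 and ACL 3000 from the commands above, and it assumes that traffic-filter forwards packets matching no rule and that PC2 is 192.168.1.2.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wc_match(addr, base, wildcard):
    """Wildcard mask: 0 bits must match, 1 bits are ignored ("0" means exact host)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")
WEB = ("192.168.3.1", "0.0.0.0")

# Rules transcribed from the page: (action, protocol, source, destination, dst port).
# None means "not specified in the rule", so it matches anything.
ACL_2000 = [
    ("permit", None, ("192.168.1.1", "0.0.0.0"), ANY, None),
    ("deny", None, ANY, ANY, None),
]
ACL_3000 = [
    ("deny", "icmp", ("192.168.1.0", "0.0.0.255"), WEB, None),
    ("permit", "tcp", ("192.168.1.3", "0.0.0.0"), WEB, 80),
    ("deny", "tcp", ANY, WEB, 80),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching rule, in configuration order."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if (r_proto in (None, proto) and r_port in (None, dport)
                and wc_match(src, *r_src) and wc_match(dst, *r_dst)):
            return action
    return "permit"  # assumption: traffic-filter forwards packets that match no rule

def ar1_forwards(proto, src, dst, dport=None):
    """Model AR1's bindings: ACL 3000 inbound on g0/0/0, ACL 2000 outbound on g0/0/2."""
    if wc_match(src, "192.168.1.0", "0.0.0.255"):  # packet arrives on g0/0/0
        if evaluate(ACL_3000, proto, src, dst, dport) == "deny":
            return False
    if wc_match(dst, "192.168.2.0", "0.0.0.255"):  # packet leaves on g0/0/2
        if evaluate(ACL_2000, proto, src, dst, dport) == "deny":
            return False
    return True

if __name__ == "__main__":
    # Constructed probes; 192.168.1.2 for PC2 is an assumed address.
    for p in [("icmp", "192.168.1.1", "192.168.2.1"), ("icmp", "192.168.1.2", "192.168.2.1"),
              ("tcp", "192.168.1.3", "192.168.3.1", 80), ("tcp", "192.168.1.1", "192.168.3.1", 80)]:
        print(p, "forwarded" if ar1_forwards(*p) else "dropped")
```

In this model, replies from 192.168.3.1 to a host in 192.168.2.0/24 are also dropped on g0/0/2, because basic ACL 2000 matches only on the source address.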

Reposted from blog.csdn.net/Lucien010230/article/details/112257058