Huawei eNSP configuration access control list ACL

An access control list (ACL) is an ordered list of rules used to filter packets. Two types are used here:
1. Basic ACL (2000-2999): matches only the source IP address.
2. Advanced ACL (3000-3999): matches Layer 3 and Layer 4 fields such as the protocol, source IP, destination IP, source port and destination port.
Only one ACL can be applied in a given direction on an interface.
An ACL can contain several rules; they are evaluated in order from top to bottom, and once a packet matches a rule no further rules are checked.
A Huawei ACL permits by default: a packet that matches no rule in the ACL is allowed through.
The generic "Router" device in the Huawei emulator does not support ACLs; use the AR2220 router instead.
ACL topology diagram

1. Configure the R1 and R2 router interfaces

[R1]interface gi0/0/1
[R1-GigabitEthernet0/0/1]ip address 12.1.1.1 24
[R1]interface gi0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.10.254 24
<R1>save

[R2]interface gi0/0/0
[R2-GigabitEthernet0/0/0]ip address 12.1.1.2 24
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip address 172.16.10.254 24
Configure a default route on both ends so that any two PCs can reach each other:
[R1]ip route-static 0.0.0.0 0 12.1.1.2
[R2]ip route-static 0.0.0.0 0 12.1.1.1
The ping test is shown in the figure below:
ACL connectivity test

2. Basic ACL configuration

On router R2, deny the host PC1 (192.168.10.1) access to the 172.16.10.X network segment.
[R2]acl ?
INTEGER<2000-2999> Basic access-list(add to current using rules)
INTEGER<3000-3999> Advanced access-list(add to current using rules)
INTEGER<4000-4999> Specify a L2 acl group
ipv6 ACL IPv6
name Specify a named ACL
number Specify a numbered ACL
[R2]acl 2000 # Create access control list 2000
[R2-acl-basic-2000]rule deny source 192.168.10.1 ?
IP_ADDR<X.X.X.X> Wildcard of source
0 Wildcard bits: 0.0.0.0 (a host)
[R2-acl-basic-2000]rule deny source 192.168.10.1 0
# Deny the host 192.168.10.1 access through router R2; the wildcard 0 means an exact match on the host address
[R2-acl-basic-2000]display this
# The router automatically numbered the rule 5. This is its execution sequence number: the smaller the number, the higher the priority. By default the first rule gets 5 and the second gets 10.

[V200R003C00]

acl number 2000
rule 5 deny source 192.168.10.1 0

return
system-view
[R2]interface gi0/0/0
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 2000 # Apply ACL 2000 in the inbound direction of the interface
Whether the ACL is applied inbound or outbound depends on the source IP address and on which router interface that traffic passes through.
[R2-acl-basic-2000]undo rule 10 # Delete the rule with execution sequence number 10
[R2-GigabitEthernet0/0/0]undo traffic-filter inbound # Remove the ACL previously applied to the interface

3. Advanced ACL configuration

(1) Configure an advanced ACL on R2 that denies PC1 and PC2 from pinging Server1 but still allows them to access Server1 over HTTP.

[R2]acl 3000
[R2-acl-adv-3000]rule deny icmp source 192.168.10.0 0.0.0.255 destination 172.16.10.1 0
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 # Apply ACL 3000 in the inbound direction of the interface
The HTTP configuration of the server 172.16.10.1 is shown in the figure:
server configuration
The connection configuration of the client 192.168.10.1 is shown in the figure; the data it receives shows that the HTTP connection succeeded.
Client connection is successful

(2) Deny telnet from the source address 192.168.10.2 to 12.1.1.2.

[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]undo traffic-filter inbound # Remove the previously applied ACL from the interface
[R2]acl 3001
[R2-acl-adv-3001]rule deny tcp source 192.168.10.2 0 destination 12.1.1.2 0 destination-port eq 23
# eq means equal; 23 can be replaced by the keyword telnet
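As an added illustration (not code from the original post), the following Python model reproduces the matching semantics described at the top of the page (rules checked top-down, first match wins, a packet matching no rule is permitted, wildcard 0 means one exact host) and applies them to ACL 2000, 3000 and 3001 from this page. The Rule class, the helper functions and the packet dicts are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    seq: int                      # execution sequence number (5, 10, ...)
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" = any protocol; advanced ACLs also use "icmp", "tcp"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None   # destination-port eq N (advanced ACL only)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard: a 0 bit must match, a 1 bit is ignored; the CLI shorthand '0' is one host."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt["proto"])
            and wildcard_match(pkt["src"], rule.src, rule.src_wc)
            and wildcard_match(pkt["dst"], rule.dst, rule.dst_wc)
            and (rule.dport is None or pkt.get("dport") == rule.dport))

def acl_filter(rules, pkt: dict):
    """Top-down, first match wins; a packet matching no rule is permitted (Huawei default)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "permit", None

def next_seq(rules, step: int = 5) -> int:
    """Sequence number the router would assign to the next rule (5, 10, 15, ...)."""
    return step if not rules else max(r.seq for r in rules) + step

# The three ACLs from this page, rebuilt as Rule objects.
ACL_2000 = [Rule(5, "deny", src="192.168.10.1", src_wc="0")]
ACL_3000 = [Rule(5, "deny", proto="icmp", src="192.168.10.0", src_wc="0.0.0.255",
                 dst="172.16.10.1", dst_wc="0")]
ACL_3001 = [Rule(5, "deny", proto="tcp", src="192.168.10.2", src_wc="0",
                 dst="12.1.1.2", dst_wc="0", dport=23)]

if __name__ == "__main__":
    # Constructed sample packet: PC1 pinging Server1 through R2 (should be denied by rule 5).
    print(acl_filter(ACL_3000, {"proto": "icmp", "src": "192.168.10.1", "dst": "172.16.10.1"}))
```

As with ACL 2000 and 3000 above, ACL 3001 only takes effect on the router once it is applied to an interface with traffic-filter.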

Origin blog.csdn.net/qq_27383609/article/details/112915691