H3C实验报告大全【含18个实验】17.0-标准ACL
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
标准ACL 实验人:高承旺
实验名称:标准acl
实验要求:
不让1.1.1.1 ping通3.3.3.3
实验拓扑:
实验步骤:
网络之间开启RIP协议!
[R1]rip
[R1-rip-1]ver 2
[R1-rip-1]undo summary
[R1-rip-1]net 192.168.1.0
[R1-rip-1]net 1.0.0.0
[R1-rip-1]q
[R2]rip
[R2-rip-1]ver 2
[R2-rip-1]undo summary
[R2-rip-1]net 192.168.1.0
[R2-rip-1]net 192.168.2.0
[R2-rip-1]q
[R3]rip
[R3-rip-1]ver 2
[R3-rip-1]net 192.168.2.0
[R3-rip-1]net 3.0.0.0
[R3-rip-1]q
通3.3.3.3
配置好动态路由后,测试能R1ping
配置ACL访问控制列表
[R2]firewall enable
[R2]firewall default permit
[R2]acl number ?
INTEGER<2000-2999> Specify a basic acl
INTEGER<3000-3999> Specify an advanced acl
INTEGER<4000-4999> Specify an ethernet frame header acl
INTEGER<5000-5999> Specify an acl about user-defined frame or packet head [R2]acl number 2000
[R2-acl-basic-2000]rule ?
INTEGER<0-65534> ID of acl rule
deny Specify matched packet deny
permit Specify matched packet permit
[R2-acl-basic-2000]rule deny source 1.1.1.1 ?
0 Wildcard bits : 0.0.0.0 ( a host )
X.X.X.X Wildcard of source
[R2-acl-basic-2000]rule deny source 1.1.1.1 0
[R2]int s0/2/0
[R2-Serial0/2/0]firewall packet-filter 2000 ?
inbound Apply the acl to filter in-bound packets
outbound Apply the acl to filter out-bound packets
[R2-Serial0/2/0]firewall packet-filter 2000 inbound
ACL查看命令
显示配置的访问控制列表的规则
[R2]display acl all
Basic ACL 2000, named -none-, 1 rule,
ACL's step is 5
rule 0 deny source 1.1.1.1 0 (5 times matched)
[R2]display firewall-statistics all
Firewall is enable, default filtering method is 'permit'.
Interface: Serial0/2/0
In-bound Policy: acl 2000
Fragments matched normally
From 2010-12-17 11:07:09 to 2010-12-17 11:16:29
0 packets, 0 bytes, 0% permitted,
5 packets, 420 bytes, 20% denied,
20 packets, 1072 bytes, 80% permitted default,
0 packets, 0 bytes, 0% denied default,
Totally 20 packets, 1072 bytes, 80% permitted,
Totally 5 packets, 420 bytes, 20% denied.
配置完事ping不通的
[R1]ping -a 1.1.1.1 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break Request time out
Request time out
Request time out
Request time out
Request time out
--- 3.3.3.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
在1上配置出站ACL ,把方法一在R2上的配置去掉![R1]firewall enable
[R1-acl-basic-2000]rule 20 deny source 1.1.1.1 0
[R1-Serial0/2/0]firewall packet-filter 2000 outbound
[R1]int s0/2/0
[R1]ping -a 1.1.1.1 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break Request time out
Request time out
Request time out
Request time out
Request time out
--- 3.3.3.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
注意:标准的acl在应用的时候