目录
一.ACL概念
ACL——访问控制列表
ACL:访问控制列表(ACL)是一种基于包过滤的访问控制技术,它可以根据设定的条件对接口上的数据包进行过滤,允许其通过或丢弃。访问控制列表被广泛地应用于路由器和三层交换机,借助于访问控制列表,可以有效地控制用户对网络的访问,从而最大程度地保障网络安全。
二.ACL作用
读取三层,四层头部信息,根据预先定义好的规则对流量进行筛选、过滤。
三层头部信息:源、目标IP;四层头部信息:TCP/UDP协议、源、目标端口号
三.访问控制列表的调用方向
3.1、入接口
流量将要进入本地路由器,将被本地路由器处理
3.2、出接口
已经被本地路由器处理过了,流量将离开本地路由器
四.入接口调用与出接口调用的区别
策略做好后,在入接口调用和在出接口调用的区别
入接口调用的话,是对本地路由器生效
出接口调用的话,是对本地路由器不生效,流量将在数据转发过程中的下一台路由器生效
五.访问控制列表的处理原则
1.路由条目只会被匹配一次
2.路由条目在ACL访问列表中匹配的顺序是从上往下匹配
3.ACL访问控制列表隐含一个拒绝所有
4.ACL访问控制列表至少要放行一个路由条目
六.访问控制列表类型
6.1、标准访问控制列表
只能基于源IP地址进行过滤;标准访问控制列表的列表号是2000-2999 调用原则:靠近目标
6.2、扩展访问控制列表
可以根据源、目的IP地址,TCP/UDP协议,源、目的端口号进行过滤;相比较标准访问控制列表,流量控制的更加精准;扩展访问控制列表的列表号是3000-3999 调用原则:靠近源
七.ACL配置
7.1、项目测试拓扑图
项目测试目的:用标准访问控制列表让VLAN10的客户机不能访问vlan20的客户机、用扩展ACL访问控制列表禁止Client访问FTP服务器
本次项目测试使用eNSP软件
7.2、Client客户机设置
7.3、二层交换机设置
LSW1:
<Huawei>sys
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sys
[Huawei]sysname SW1
[SW1]user-int
[SW1]user-interface c
[SW1]user-interface co
[SW1]user-interface console 0
[SW1-ui-console0]idle-t
[SW1-ui-console0]idle-timeout 0 0
[SW1-ui-console0]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port l
[SW1-GigabitEthernet0/0/1]port link-type tr
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port tr
[SW1-GigabitEthernet0/0/1]port trunk allo
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]q
[SW1]int e0/0/1
[SW1-Ethernet0/0/1]port l
[SW1-Ethernet0/0/1]port link-type acc
[SW1-Ethernet0/0/1]port link-type access
[SW1-Ethernet0/0/1]q
[SW1]vlan bat 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]int e0/0/1
[SW1-Ethernet0/0/1]port l
[SW1-Ethernet0/0/1]port link-type access
[SW1-Ethernet0/0/1]port de
[SW1-Ethernet0/0/1]port default vlan 10
[SW1-Ethernet0/0/1]int e0/0/2
[SW1-Ethernet0/0/2]port l
[SW1-Ethernet0/0/2]port link-type acc
[SW1-Ethernet0/0/2]port link-type access
[SW1-Ethernet0/0/2]port de
[SW1-Ethernet0/0/2]port default vlan 20
[SW1-Ethernet0/0/2]int e0/0/3
[SW1-Ethernet0/0/3]port l
[SW1-Ethernet0/0/3]port link-type acc
[SW1-Ethernet0/0/3]port link-type access
[SW1-Ethernet0/0/3]port de
[SW1-Ethernet0/0/3]port default vlan 10
[SW1-Ethernet0/0/3]int e0/0/4
[SW1-Ethernet0/0/4]port l
[SW1-Ethernet0/0/4]port link-type acc
[SW1-Ethernet0/0/4]port link-type acc
[SW1-Ethernet0/0/4]port link-type access
[SW1-Ethernet0/0/4]port de
[SW1-Ethernet0/0/4]port default vlan 20
7.4、路由器设置
AR2:
<Huawei>ter
<Huawei>terminal mo
<Huawei>terminal monitor
Info: Current terminal monitor is on.
<Huawei>sys
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sys
[Huawei]sysname R1
[R1]user-in
[R1]user-interface co
[R1]user-interface console 0
[R1-ui-console0]idle-
[R1-ui-console0]idle-timeout 0 0
[R1-ui-console0]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]undo sh
[R1-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/0.1
[R1-GigabitEthernet0/0/0.1]dotq
[R1-GigabitEthernet0/0/0.1]dot1
[R1-GigabitEthernet0/0/0.1]dot1q ter
[R1-GigabitEthernet0/0/0.1]dot1q termination vid 10
[R1-GigabitEthernet0/0/0.1]ip add 192.168.10.1 24
Aug 27 2021 16:53:31-08:00 R1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0.1 has entered the UP state.
[R1-GigabitEthernet0/0/0.1]arp br
[R1-GigabitEthernet0/0/0.1]arp broadcast en
[R1-GigabitEthernet0/0/0.1]arp broadcast enable
[R1-GigabitEthernet0/0/0.1]int g0/0/0.2
[R1-GigabitEthernet0/0/0.2]dot1
[R1-GigabitEthernet0/0/0.2]dot1q ter
[R1-GigabitEthernet0/0/0.2]dot1q termination v
[R1-GigabitEthernet0/0/0.2]dot1q termination vid 20
[R1-GigabitEthernet0/0/0.2]ip add 192.168.20.1 24
Aug 27 2021 16:54:01-08:00 R1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/0.2 has entered the UP state.
[R1-GigabitEthernet0/0/0.2]arp br
[R1-GigabitEthernet0/0/0.2]arp broadcast en
[R1-GigabitEthernet0/0/0.2]arp broadcast enable
[R1-GigabitEthernet0/0/0.2]q
[R1]ac
[R1]acl 2000
[R1-acl-basic-2000]rule de
[R1-acl-basic-2000]rule deny so
[R1-acl-basic-2000]rule deny source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000]rule per
[R1-acl-basic-2000]rule permit sou
[R1-acl-basic-2000]rule permit source any
[R1-acl-basic-2000]q
[R1]int g0/0/0.2
[R1-GigabitEthernet0/0/0.2]traffic
[R1-GigabitEthernet0/0/0.2]traffic-filterou
[R1-GigabitEthernet0/0/0.2]traffic-filter ou
[R1-GigabitEthernet0/0/0.2]traffic-filter outbound acl 2000
[R1-GigabitEthernet0/0/0.2]
Aug 27 2021 17:46:04-08:00 R1 %%01IFPDT/4/IF_STATE(l)[2]:Interface GigabitEthern
et0/0/1 has turned into UP state.
[R1-GigabitEthernet0/0/0.2]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.1.1.1 24
Aug 27 2021 18:41:36-08:00 R1 %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[R1-GigabitEthernet0/0/1]ip add 10.1.1.1 24
Error: The address already exists.
[R1-GigabitEthernet0/0/1]undo sh
[R1-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]q
[R1]ip rou
[R1]ip route-st
[R1]ip route-static 0.0.0.0 0 10.1.1.2
[R1]acl 3000
[R1-acl-adv-3000]rule de
[R1-acl-adv-3000]rule deny tc
[R1-acl-adv-3000]rule deny tcp sou
[R1-acl-adv-3000]rule deny tcp source 192.168.10.10 0 des
[R1-acl-adv-3000]rule deny tcp source 192.168.10.10 0 destination 201.20.100.100
0 des
[R1-acl-adv-3000]rule deny tcp source 192.168.10.10 0 destination 201.20.100.100
0 destination-port eq 21
[R1-acl-adv-3000]rule pe
[R1-acl-adv-3000]rule permit tcp
[R1-acl-adv-3000]rule permit tcp sour
[R1-acl-adv-3000]rule permit tcp source any de
[R1-acl-adv-3000]rule permit tcp source any destination any de
[R1-acl-adv-3000]rule permit tcp source any destination any destination-port eq
21
[R1-acl-adv-3000]rule pe
[R1-acl-adv-3000]rule permit ip sou
[R1-acl-adv-3000]rule permit ip source an
[R1-acl-adv-3000]rule permit ip source any de
[R1-acl-adv-3000]rule permit ip source any destination any
[R1-acl-adv-3000]dis this
[V200R003C00]
#
acl number 3000
rule 5 deny tcp source 192.168.10.10 0 destination 201.20.100.100 0 destination
-port eq ftp
rule 10 permit tcp destination-port eq ftp
rule 15 permit ip
#
return
[R1-acl-adv-3000]q
[R1]int g0/0/0.1
[R1-GigabitEthernet0/0/0.1]traff
[R1-GigabitEthernet0/0/0.1]traffic-filter in
[R1-GigabitEthernet0/0/0.1]traffic-filter inbound ac;
[R1-GigabitEthernet0/0/0.1]traffic-filter inbound ac
[R1-GigabitEthernet0/0/0.1]traffic-filter inbound acl 3000
AR3:
<Huawei>undo te
<Huawei>undo terminal m
<Huawei>undo terminal monitor
Info: Current terminal monitor is off.
<Huawei>sys
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sys
[Huawei]sysname R2
[R2]user-i
[R2]user-interface co
[R2]user-interface console 0
[R2-ui-console0]id
[R2-ui-console0]idle-timeout 0 0
[R2-ui-console0]q
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.1.1.2 24
[R2-GigabitEthernet0/0/0]undo s
[R2-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 201.20.100.2 24
[R2-GigabitEthernet0/0/1]q
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]undo s
[R2-GigabitEthernet0/0/1]undo sh
[R2-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R2-GigabitEthernet0/0/1]q
[R2]ip rou
[R2]ip route-s
[R2]ip route-static 0.0.0.0 0 10.1.1.1
7.5、服务器设置
7.6、测试ACL配置
标准访问控制检测VLAN10不能访问VLAN20:
用扩展ACL访问控制列表禁止Client访问FTP服务器:
原本VLAN10客户机是可以像vlan20客户机一样在服务器上上传文件并下载
设置完扩展ACL访问控制表后就访问不了
