
Lab 8: ACL Packet Filtering

I. Lab Objectives

1. Understand the basic working principle of access control lists (ACLs).
2. Master the configuration of basic ACLs.
3. Master the configuration of advanced ACLs.

II. Lab Description and Topology

Connect the two routers with a serial cable and configure an ACL so that jiance1 cannot ping jiance2.

Figure 1-1

III. Lab Procedure

Task 1: Implement the filter with a basic ACL

Step 1: Build the environment. Set up the physical connection according to Figure 1-1 and configure the IP addresses.

Step 2: Test connectivity. Ping jiance2 from jiance1; the output is:

    [jiance1]ping 10.1.1.2
    PING 10.1.1.2: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

Enable the telnet server on jiance2 (for the configuration, see the telnet section of the lab manual), then log in from jiance1:

    telnet 10.1.1.2 23
    Trying 10.1.1.2 ...
    Press CTRL+K to abort
    Connected to 10.1.1.2 ...
    ******************************************************************************
    * Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    Welcome!
    Login authentication
    Username:h3c
    Password:

Step 3: Create the basic ACL.

    [jiance2]acl number 2000
    [jiance2-acl-basic-2000]rule 0 deny source 10.1.1.1 0.0.0.0

Step 4: Apply the ACL. A basic ACL should be deployed close to the destination, so it is applied on interface E0/0 of jiance2.

    [jiance2]firewall enable
    [jiance2]firewall default permit
    [jiance2]interface Ethernet 0/0
    [jiance2-Ethernet0/0]firewall packet-filter ?
      INTEGER  Apply basic acl
      INTEGER  Apply advanced acl
      INTEGER  Apply ethernet frame header acl
      ipv6     ACL IPv6
      name     Specify a named acl
    [jiance2-Ethernet0/0]firewall packet-filter 2000 ?
      inbound   Apply the acl to filter in-bound packets
      outbound  Apply the acl to filter out-bound packets
    [jiance2-Ethernet0/0]firewall packet-filter 2000 inbound ?
    [jiance2-Ethernet0/0]firewall packet-filter 2000 inbound

Step 5: Verify. Ping router jiance2 from jiance1:

    [jiance1]ping 10.1.1.2
    PING 10.1.1.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
    --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Try to log in to jiance2 remotely:

    telnet 10.1.1.2 23
    Trying 10.1.1.2 ...
    Press CTRL+K to abort
    Can't connect to the remote host!

Analysis: after the basic ACL is applied, all traffic from jiance1 to jiance2 is blocked, not just ICMP, because a basic ACL matches on the source address only and therefore cannot distinguish ping from telnet.

Task 2: Implement the filter with an advanced ACL

Step 1: Build the environment. Set up the physical connection according to Figure 1-1 and configure the IP addresses.

Step 2: Test connectivity. Ping jiance2 from jiance1; the output is:

    [jiance1]ping 10.1.1.2
    PING 10.1.1.2: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

Step 3: Create the advanced ACL. The rule matches on protocol, source and destination, so only ICMP from 10.1.1.1 to 10.1.1.2 is denied.

    [jiance1]acl number 3000
    [jiance1-acl-adv-3000]rule 0 deny icmp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0

Step 4: Deploy the ACL. An advanced ACL should be deployed close to the source, so it is applied in the outbound direction on interface E0/0 of jiance1.

    [jiance1]firewall enable
    [jiance1]firewall default permit
    [jiance1]interface Ethernet 0/0
    [jiance1-Ethernet0/0]firewall packet-filter 3000 outbound

Step 5: Verify.

    [jiance1]ping 10.1.1.2
    PING 10.1.1.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
    --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Display the configured ACL; the match counter shows that the five ICMP requests hit rule 0:

    [jiance1]display acl 3000
    Advanced ACL 3000, named -none-, 1 rule,
    ACL's step is 5
     rule 0 deny icmp source 10.1.1.1 0 destination 10.1.1.2 0 (5 times matched)

View the firewall statistics:

    [jiance1]display firewall-statistics all
     Firewall is enable, default filtering method is 'permit'.
     Interface: Ethernet0/0
      Out-bound Policy: acl 3000
       Fragments matched normally
       From 2010-04-03 9:57:39 to 2010-04-03 10:06:10
         0 packets, 0 bytes, 0% permitted,
         5 packets, 420 bytes, 100% denied,
         0 packets, 0 bytes, 0% permitted default,
         0 packets, 0 bytes, 0% denied default,
       Totally 0 packets, 0 bytes, 0% permitted,
       Totally 5 packets, 420 bytes, 100% denied.

Remote login test:

    telnet 10.1.1.2 23
    Trying 10.1.1.2 ...
    Press CTRL+K to abort
    Connected to 10.1.1.2 ...
    ******************************************************************************
    * Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    Welcome!
    Login authentication
    Username:
    Password:

As can be seen, the remote login succeeds: the advanced ACL blocks only ICMP, while telnet (TCP) falls through to the default permit action.
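The following simulation reproduces the packet-filtering behaviour of both lab tasks so that the difference between a basic ACL (task 1) and an advanced ACL (task 2) can be checked offline. It is an added example and not code from the lab handout or from H3C; the router names, addresses, ACL numbers and rule lines are those of the lab, while the Packet, Rule, Acl and Firewall classes, the function names and the constructed telnet test packet are assumptions of this example. The wildcard matcher also goes slightly beyond the lab by handling masks such as 0.0.0.255 (a whole /24), not only the host mask 0.0.0.0.

```python
# Added simulation of the lab's packet filtering; not H3C code. The Python
# class and function names and the telnet test packet are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp" for ping, "tcp" for telnet

@dataclass
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    proto: Optional[str]        # None for a basic ACL (no protocol field)
    src: str
    src_wild: str
    dst: Optional[str] = None
    dst_wild: Optional[str] = None
    matched: int = 0            # the "(N times matched)" counter of display acl

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 1 bit means 'don't care'; 0.0.0.0 = exactly this host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_rule(text: str) -> Rule:
    """Parse 'rule N deny [proto] source A W [destination A W]' as typed in the lab."""
    tok = text.split()
    if tok[0] != "rule":
        raise ValueError("not a rule line: " + text)
    rule_id, action, i, proto = int(tok[1]), tok[2], 3, None
    if tok[3] != "source":      # advanced ACLs name the protocol before 'source'
        proto, i = tok[3], 4
    fields = {}
    while i + 2 < len(tok):     # keyword, address, wildcard triples
        fields[tok[i]] = (tok[i + 1], tok[i + 2])
        i += 3
    src, src_wild = fields["source"]
    dst, dst_wild = fields.get("destination", (None, None))
    return Rule(rule_id, action, proto, src, src_wild, dst, dst_wild)

class Acl:
    """ACL 2000-2999 is basic (source only); 3000-3999 is advanced."""
    def __init__(self, number: int):
        self.number = number
        self.rules: List[Rule] = []

    def rule(self, text: str) -> None:
        self.rules.append(parse_rule(text))

    def lookup(self, pkt: Packet) -> Optional[str]:
        """First matching rule in rule-id order decides; None if none matches."""
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if not wildcard_match(pkt.src, r.src, r.src_wild):
                continue
            if r.dst is not None and not wildcard_match(pkt.dst, r.dst, r.dst_wild):
                continue
            r.matched += 1
            return r.action
        return None

class Firewall:
    """One interface: 'firewall default permit' + 'firewall packet-filter <acl> <dir>'."""
    def __init__(self, default: str = "permit"):
        self.default = default
        self.filters: Dict[str, Acl] = {}              # direction -> Acl
        self.stats = {"permitted": 0, "denied": 0, "default": 0}

    def packet_filter(self, acl: Acl, direction: str) -> None:
        self.filters[direction] = acl

    def process(self, pkt: Packet, direction: str) -> str:
        acl = self.filters.get(direction)
        verdict = acl.lookup(pkt) if acl is not None else None
        if verdict is None:                            # no rule hit: default method applies
            self.stats["default"] += 1
            return self.default
        self.stats["permitted" if verdict == "permit" else "denied"] += 1
        return verdict

PINGS = [Packet("10.1.1.1", "10.1.1.2", "icmp") for _ in range(5)]
TELNET = Packet("10.1.1.1", "10.1.1.2", "tcp")        # constructed telnet packet to jiance2

def task1_basic_acl() -> Dict[str, object]:
    """Task 1: basic ACL 2000 inbound on jiance2 E0/0 (near the destination)."""
    acl = Acl(2000)
    acl.rule("rule 0 deny source 10.1.1.1 0.0.0.0")
    e0 = Firewall(default="permit")
    e0.packet_filter(acl, "inbound")
    pings = [e0.process(p, "inbound") for p in PINGS]
    telnet = e0.process(TELNET, "inbound")
    return {"ping": pings[-1], "telnet": telnet, "denied": e0.stats["denied"]}

def task2_advanced_acl() -> Dict[str, object]:
    """Task 2: advanced ACL 3000 outbound on jiance1 E0/0 (near the source)."""
    acl = Acl(3000)
    acl.rule("rule 0 deny icmp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0")
    e0 = Firewall(default="permit")
    e0.packet_filter(acl, "outbound")
    pings = [e0.process(p, "outbound") for p in PINGS]
    telnet = e0.process(TELNET, "outbound")
    return {"ping": pings[-1], "telnet": telnet, "denied": e0.stats["denied"],
            "icmp_matched": acl.rules[0].matched}
```

Running task1_basic_acl() denies both the pings and the telnet packet, matching the "Can't connect to the remote host!" result of task 1; task2_advanced_acl() denies the five pings (icmp_matched is 5, the same as "(5 times matched)" in display acl 3000) but lets the telnet packet through on the default permit action, which is why the login in task 2 succeeds.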
