Experiment 28: Advanced ACL Packet Filtering

I. Theoretical background

Advanced ACL packet filtering offers a much wider range of control. The extended match conditions give the network administrator more freedom when designing the test conditions of an ACL. The differences between an advanced ACL and a basic ACL are:

1. A basic ACL can control access only by the packet's source address.
2. An advanced ACL can use more of the packet: the destination address and the protocol number; for TCP/UDP packets it can additionally match on the port numbers, and for ICMP packets on the ICMP message type.

II. Lab case: configuring advanced ACL packet filtering

1. Lab topology diagram: (the diagram is not reproduced in this text)

2. Configuration notes:

Switch E0/4 <-> PC1
Switch E0/8 <-> PC2
Switch E0/14 <-> PC3

Give the QUIDWAY S3500 Layer 3 switch a simple base configuration: create three VLANs (VLAN 2, VLAN 3 and VLAN 4) and assign each a management address:

IP 192.168.1.1, mask 255.255.255.0
IP 192.168.2.1, mask 255.255.255.0
IP 192.168.3.1, mask 255.255.255.0

Then put the access ports into the VLANs and address the PCs:

E0/1-E0/5 in VLAN 2; PC1: 192.168.1.15/24, gateway 192.168.1.1
E0/6-E0/10 in VLAN 3; PC2: 192.168.2.15/24, gateway 192.168.2.1
E0/11-E0/15 in VLAN 4; PC3: 192.168.3.15/24, gateway 192.168.3.1

3. Configuration

Experiment 1

[Quidway] vlan 2
[Quidway-vlan2] port e0/1 to e0/5
[Quidway-vlan2] quit
[Quidway] int vlan 2
[Quidway-Vlan-interface2] ip address 192.168.1.1 255.255.255.0
[Quidway-Vlan-interface2] quit
[Quidway] vlan 3
[Quidway-vlan3] port e0/6 to e0/10
[Quidway-vlan3] quit
[Quidway] int vlan 3
[Quidway-Vlan-interface3] ip address 192.168.2.1 255.255.255.0
[Quidway-Vlan-interface3] quit
[Quidway] vlan 4
[Quidway-vlan4] port e0/11 to e0/15
[Quidway-vlan4] quit
[Quidway] int vlan 4
[Quidway-Vlan-interface4] ip address 192.168.3.1 255.255.255.0
[Quidway-Vlan-interface4] quit

At this point PC1, PC2 and PC3 can all ping one another.

[Quidway] acl name sunke advanced
[Quidway-acl-adv-sunke] rule 10 deny ip source 192.168.3.15 0 destination 192.168.2.15 0
[Quidway-acl-adv-sunke] int e0/14
[Quidway-Ethernet0/14] packet-filter inbound ip-group sunke
[Quidway-Ethernet0/14] quit
[Quidway] dis cur

Two points are worth checking here. The wildcard 0 after each address means every bit must match, so each rule matches exactly one host. The filter is applied inbound on E0/14, the port PC3 is attached to, so it only examines frames that PC3 sends; but because rule 10 matches any IP traffic from 192.168.3.15 to 192.168.2.15, it also drops the echo replies PC3 returns to PC2. A ping from PC2 to PC3 therefore fails as well, while PC1 is unaffected in both directions.

Running configuration after this step:

 sysname Quidway
radius scheme system
 server-type huawei
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
domain system
 radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 messenger time disable
domain default enable system
local-server nas-ip 127.0.0.1 key huawei
temperature-limit 0 20 80
acl name sunke advanced
 rule 10 deny ip source 192.168.3.15 0 destination 192.168.2.15 0
vlan 1
vlan 2
vlan 3
vlan 4
interface Vlan-interface2
 ip address 192.168.1.1 255.255.255.0
interface Vlan-interface3
 ip address 192.168.2.1 255.255.255.0
interface Vlan-interface4
 ip address 192.168.3.1 255.255.255.0
interface Aux0/0
interface Ethernet0/1
 port access vlan 2
interface Ethernet0/2
 port access vlan 2
interface Ethernet0/3
 port access vlan 2
interface Ethernet0/4
 port access vlan 2
interface Ethernet0/5
 port access vlan 2
interface Ethernet0/6
 port access vlan 3
interface Ethernet0/7
 port access vlan 3
interface Ethernet0/8
 port access vlan 3
interface Ethernet0/9
 port access vlan 3
interface Ethernet0/10
 port access vlan 3
interface Ethernet0/11
 port access vlan 4
interface Ethernet0/12
 port access vlan 4
interface Ethernet0/13
 port access vlan 4
interface Ethernet0/14
 port access vlan 4
 packet-filter inbound ip-group sunke rule 10
interface Ethernet0/15
 port access vlan 4
interface Ethernet0/16
interface Ethernet0/17
interface Ethernet0/18
interface Ethernet0/19
interface Ethernet0/20
interface Ethernet0/21
interface Ethernet0/22
interface Ethernet0/23
interface Ethernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface GigabitEthernet1/3
interface GigabitEthernet1/4
interface NULL0
user-interface aux 0
user-interface vty 0 4
return

With advanced ACL packet filtering in place on the switch, the figure (not reproduced in this text) shows how the ping test from PC3 to PC2 changes before and after the filter is applied.

Experiment 2

Configuration notes:

Dean's office: PC1, IP address 192.168.1.2, connected to port E0/4 of switch S3552
Department office: PC2, IP address 192.168.2.2, connected to port E0/8 of switch S3552
Finance department: PC3, IP address 192.168.3.2, connected to port E0/14 of switch S3552

Configuration:

<Quidway> clock datetime 19:20:20 2006/01/07
<Quidway> dis time all
Current time is 19:21:36 1-6-2006 Friday
[Quidway] time-range sunke 8:00 to 17:00 sat working-day
(When the current time is outside this range, the figure, not reproduced here, shows how the test result changes before and after.)
[Quidway] acl name sunke advanced
[Quidway-acl-adv-sunke] rule 1 deny ip source 192.168.2.2 0 destination 192.168.3.2 0 time-range sunke
[Quidway-acl-adv-sunke] rule 2 permit ip source 192.168.1.2 0 destination 192.168.3.2 0
[Quidway-acl-adv-sunke] int e0/8
[Quidway-Ethernet0/8] packet-filter inbound ip-group sunke
[Quidway-Ethernet0/8] int e0/4
[Quidway-Ethernet0/4] packet-filter inbound ip-group sunke
<Quidway> dis cur

Things to verify before trusting this configuration. A time-based rule is only as good as the switch clock, which here is set by hand with clock datetime and is not synchronised to anything; note also that the date reported by dis time all (Friday 1-6-2006) does not agree with the date just set (2006/01/07). The running configuration below records the time-range as "08:00 to 20:00 Sat", which is not what was typed, so always re-read the time-range with display current-configuration after entering it. Finally, since the filter is inbound, rule 1 can only act on E0/8, where PC2's traffic enters, and rule 2 only on E0/4; each rule is installed on the port separately (the "packet-filter inbound ip-group sunke rule 1" lines below), and traffic that matches no rule is forwarded, so the permit in rule 2 does not block anything and only documents the intent.

Running configuration after this step:

 sysname Quidway
radius scheme system
 server-type huawei
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
domain system
 radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 messenger time disable
domain default enable system
local-server nas-ip 127.0.0.1 key huawei
temperature-limit 0 20 80
time-range sunke 08:00 to 20:00 Sat
acl name sunke advanced
 rule 1 deny ip source 192.168.2.2 0 destination 192.168.3.2 0 time-range sunke
 rule 2 permit ip source 192.168.1.2 0 destination 192.168.3.2 0
vlan 1
vlan 2
vlan 3
vlan 4
interface Vlan-interface2
 ip address 192.168.1.1 255.255.255.0
interface Vlan-interface3
 ip address 192.168.2.1 255.255.255.0
interface Vlan-interface4
 ip address 192.168.3.1 255.255.255.0
interface Aux0/0
interface Ethernet0/1
 port access vlan 2
interface Ethernet0/2
 port access vlan 2
interface Ethernet0/3
 port access vlan 2
interface Ethernet0/4
 port access vlan 2
 packet-filter inbound ip-group sunke rule 1
 packet-filter inbound ip-group sunke rule 2
interface Ethernet0/5
 port access vlan 2
interface Ethernet0/6
 port access vlan 3
interface Ethernet0/7
 port access vlan 3
interface Ethernet0/8
 port access vlan 3
 packet-filter inbound ip-group sunke rule 1
 packet-filter inbound ip-group sunke rule 2
interface Ethernet0/9
 port access vlan 3
interface Ethernet0/10
 port access vlan 3
interface Ethernet0/11
 port access vlan 4
interface Ethernet0/12
 port access vlan 4
interface Ethernet0/13
 port access vlan 4
interface Ethernet0/14
 port access vlan 4
interface Ethernet0/15
 port access vlan 4
(the remainder of the output is cut off in the source)
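As an added worked example (not part of the original lab handout), the following Python model reproduces the packet-filter decisions of both experiments so they can be reasoned about without the switch: wildcard-mask matching, first-match rule order, evaluation of an inbound filter at the port the source host is cabled to, and time-range gating. The switch port names, host addresses, ACL name and rules are taken from the lab; the Switch, Rule and TimeRange classes, the assumption that traffic matching no rule is forwarded, and the ISO-timestamp form of the when argument are this example's own.

```python
# Added example: a simulation of Comware-style advanced ACL packet filtering, not code from the lab.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

DAY_GROUPS = {"daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6}}
DAY_NAMES = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}

def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bits: 0 = must match, 1 = don't care. The bare '0' in the lab's rules is an exact host."""
    wc = int(IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    care = ~wc & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)

@dataclass
class TimeRange:
    start: int        # minutes after midnight
    end: int
    days: frozenset   # Python weekday numbers, Monday == 0

    @classmethod
    def parse(cls, spec: str) -> "TimeRange":
        """Parse the lab's syntax, e.g. '8:00 to 17:00 sat working-day'."""
        start, _to, end, *day_tokens = spec.split()
        days: set = set()
        for tok in (t.lower() for t in day_tokens):
            days |= DAY_GROUPS[tok] if tok in DAY_GROUPS else {DAY_NAMES[tok[:3]]}
        return cls(_minutes(start), _minutes(end), frozenset(days))

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.hour * 60 + now.minute <= self.end

@dataclass
class Rule:
    rid: int
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches anything; "tcp"/"udp"/"icmp" must equal the packet's protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None        # tcp/udp destination port, if the rule names one
    time_range: Optional[str] = None

class Switch:
    def __init__(self) -> None:
        self.acls = {}            # acl name -> list[Rule]
        self.time_ranges = {}     # time-range name -> TimeRange
        self.inbound_filter = {}  # port -> acl name ("packet-filter inbound ip-group <acl>")
        self.port_of_host = {}    # host IP -> the access port it is cabled to

    def filter_inbound(self, port: str, src: str, dst: str, now: datetime,
                       proto: str = "icmp", dport: Optional[int] = None) -> str:
        acl = self.inbound_filter.get(port)
        if acl is None:
            return "permit"  # no packet-filter on this port
        for rule in sorted(self.acls[acl], key=lambda r: r.rid):  # first match wins
            tr = self.time_ranges.get(rule.time_range) if rule.time_range else None
            if tr is not None and not tr.active(now):
                continue  # rule is configured but not in effect at this moment
            if rule.proto != "ip" and rule.proto != proto:
                continue
            if not (wildcard_match(src, rule.src, rule.src_wc)
                    and wildcard_match(dst, rule.dst, rule.dst_wc)):
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            return rule.action
        return "permit"  # assumption: traffic matching no rule is forwarded (no implicit deny)

    def forward(self, src: str, dst: str, now: datetime, proto: str = "icmp",
                dport: Optional[int] = None) -> str:
        """An inbound filter is evaluated at the port the *source* host is attached to."""
        return self.filter_inbound(self.port_of_host[src], src, dst, now, proto, dport)

def experiment1(src: str, dst: str) -> str:
    """Lab 1: deny PC3 (192.168.3.15) -> PC2 (192.168.2.15), filtered inbound on e0/14."""
    sw = Switch()
    sw.port_of_host = {"192.168.1.15": "e0/4", "192.168.2.15": "e0/8", "192.168.3.15": "e0/14"}
    sw.acls["sunke"] = [Rule(10, "deny", "ip", "192.168.3.15", "0", "192.168.2.15", "0")]
    sw.inbound_filter["e0/14"] = "sunke"
    return sw.forward(src, dst, datetime(2006, 1, 6, 19, 21))  # no time-range, so the clock is irrelevant

def experiment2(src: str, dst: str, when: str) -> str:
    """Lab 2: time-gated deny PC2 -> PC3 plus permit PC1 -> PC3, filtered inbound on e0/8 and e0/4.
    `when` is an ISO timestamp such as '2006-01-06 10:00'."""
    sw = Switch()
    sw.port_of_host = {"192.168.1.2": "e0/4", "192.168.2.2": "e0/8", "192.168.3.2": "e0/14"}
    sw.time_ranges["sunke"] = TimeRange.parse("8:00 to 17:00 sat working-day")
    sw.acls["sunke"] = [
        Rule(1, "deny", "ip", "192.168.2.2", "0", "192.168.3.2", "0", time_range="sunke"),
        Rule(2, "permit", "ip", "192.168.1.2", "0", "192.168.3.2", "0"),
    ]
    sw.inbound_filter["e0/8"] = sw.inbound_filter["e0/4"] = "sunke"
    return sw.forward(src, dst, datetime.fromisoformat(when))
```

Running experiment1 with PC3's echo reply (source 192.168.3.15, destination 192.168.2.15) returns "deny", which is why a ping started from PC2 also fails in the first lab even though PC2's own port carries no filter. In experiment2, the same PC2 to PC3 packet is denied on a Friday at 10:00 but permitted at 19:21 (the time the lab's clock shows) and on a Sunday, and removing rule 2 changes no outcome, which makes the point that only the deny rules do any work when unmatched traffic is forwarded by default.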
