From e91148011de256c22aa51250d6f10e5bc85f6713 Mon Sep 17 00:00:00 2001 From: Noriu Date: Thu, 29 Aug 2024 16:19:09 +0800 Subject: [PATCH] =?UTF-8?q?2024=E5=B9=B48=E6=9C=8829=E6=97=A5=2016:19:11?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- B. 第二阶段/拓扑练习/0829_ACL.md | 127 +++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 B. 第二阶段/拓扑练习/0829_ACL.md diff --git a/B. 第二阶段/拓扑练习/0829_ACL.md b/B. 第二阶段/拓扑练习/0829_ACL.md new file mode 100644 index 0000000..fb35890 --- /dev/null +++ b/B. 第二阶段/拓扑练习/0829_ACL.md @@ -0,0 +1,127 @@ +# ACL + +![image-20240829150108770](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240829150108770.png) + +### 一、IP + +- **PC & Server** + +- **AR1** + + ``` + [AR1]int g0/0/0 + [AR1-GigabitEthernet0/0/0]ip add 192.168.1.254 24 + [AR1-GigabitEthernet0/0/0]int g0/0/1 + [AR1-GigabitEthernet0/0/1]ip add 192.168.2.254 24 + [AR1-GigabitEthernet0/0/1]int g0/0/2 + [AR1-GigabitEthernet0/0/2]ip add 192.168.3.254 24 + ``` + +### 二、ACL + +- **AR1** + + ``` + [AR1]acl 2000 + [AR1-acl-basic-2000]rule 10 deny source 192.168.1.1 0.0.0.0 + [AR1-acl-basic-2000]quit + [AR1]int g0/0/2 + [AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000 + ``` + + *解释:* + + - `[AR1]acl 2000`:这个命令创建了一个编号为2000的基本ACL。在华为设备上,基本ACL的编号范围是2000-2999。 + + - `[AR1-acl-basic-2000]rule 10 deny source 192.168.1.1 0.0.0.0`:这个命令在ACL 2000中添加了一条规则,规则编号为10。这条规则的作用是拒绝源IP地址为192.168.1.1的所有流量。`0.0.0.0`表示一个通配符掩码,这里它被用来指定一个精确的IP地址匹配,因为0.0.0.0表示所有比特位都必须匹配。 + + 具体来说,这条ACL规则做了以下事情: + + - `rule 10`:定义了规则的编号,规则编号决定了规则的执行顺序,编号越小,优先级越高。 + - `deny`:表示动作是拒绝匹配规则的流量。 + - `source 192.168.1.1 0.0.0.0`:定义了匹配条件,即源IP地址必须精确为192.168.1.1。 + + - `[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000`:在g0/0/0接口上应用ACL 2000,以过滤出站流量。 + +### 三、测试 + +- **PC1** + + - PING PC2 + + ``` + PC>ping 192.168.2.1 + + Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break + Request timeout! + From 192.168.2.1: bytes=32 seq=2 ttl=127 time<1 ms + From 192.168.2.1: bytes=32 seq=3 ttl=127 time=15 ms + From 192.168.2.1: bytes=32 seq=4 ttl=127 time=16 ms + From 192.168.2.1: bytes=32 seq=5 ttl=127 time=15 ms + + --- 192.168.2.1 ping statistics --- + 5 packet(s) transmitted + 4 packet(s) received + 20.00% packet loss + round-trip min/avg/max = 0/11/16 ms + ``` + + - PING Server + + ``` + PC>ping 192.168.3.1 + + Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break + Request timeout! + Request timeout! + Request timeout! + Request timeout! + Request timeout! + + --- 192.168.3.1 ping statistics --- + 5 packet(s) transmitted + 0 packet(s) received + 100.00% packet loss + ``` + +- **PC2** + + - PING PC1 + + ``` + PC>ping 192.168.1.1 + + Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break + From 192.168.1.1: bytes=32 seq=1 ttl=127 time=16 ms + From 192.168.1.1: bytes=32 seq=2 ttl=127 time=16 ms + From 192.168.1.1: bytes=32 seq=3 ttl=127 time=15 ms + From 192.168.1.1: bytes=32 seq=4 ttl=127 time<1 ms + From 192.168.1.1: bytes=32 seq=5 ttl=127 time<1 ms + + --- 192.168.1.1 ping statistics --- + 5 packet(s) transmitted + 5 packet(s) received + 0.00% packet loss + round-trip min/avg/max = 0/9/16 ms + ``` + + - PING Server + + ``` + PC>ping 192.168.3.1 + + Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break + From 192.168.3.1: bytes=32 seq=1 ttl=254 time=16 ms + From 192.168.3.1: bytes=32 seq=2 ttl=254 time=15 ms + From 192.168.3.1: bytes=32 seq=3 ttl=254 time=16 ms + From 192.168.3.1: bytes=32 seq=4 ttl=254 time<1 ms + From 192.168.3.1: bytes=32 seq=5 ttl=254 time=16 ms + + --- 192.168.3.1 ping statistics --- + 5 packet(s) transmitted + 5 packet(s) received + 0.00% packet loss + round-trip min/avg/max = 0/12/16 ms + ``` + + \ No newline at end of file