Noriu/Cyber_Security_Notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

2024年8月29日 16:19:11

Browse Source
This commit is contained in:
Noriu 2024-08-29 16:19:09 +08:00
parent 641b18e805
commit e91148011d
1 changed files with 127 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
B. 第二阶段/拓扑练习/0829_ACL.md Normal file
View File

@ -0,0 +1,127 @@
# ACL
![image-20240829150108770](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240829150108770.png)
### 一、IP
- **PC & Server**
- **AR1**
```
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 192.168.2.254 24
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 192.168.3.254 24
```
### 二、ACL
- **AR1**
```
[AR1]acl 2000
[AR1-acl-basic-2000]rule 10 deny source 192.168.1.1 0.0.0.0
[AR1-acl-basic-2000]quit
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
```
*解释:*
- `[AR1]acl 2000`这个命令创建了一个编号为2000的基本ACL。在华为设备上基本ACL的编号范围是2000-2999。
- `[AR1-acl-basic-2000]rule 10 deny source 192.168.1.1 0.0.0.0`这个命令在ACL 2000中添加了一条规则规则编号为10。这条规则的作用是拒绝源IP地址为192.168.1.1的所有流量。`0.0.0.0`表示一个通配符掩码这里它被用来指定一个精确的IP地址匹配因为0.0.0.0表示所有比特位都必须匹配。
具体来说这条ACL规则做了以下事情
- `rule 10`:定义了规则的编号,规则编号决定了规则的执行顺序,编号越小,优先级越高。
- `deny`:表示动作是拒绝匹配规则的流量。
- `source 192.168.1.1 0.0.0.0`定义了匹配条件即源IP地址必须精确为192.168.1.1。
- `[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000`在g0/0/0接口上应用ACL 2000以过滤出站流量。
### 三、测试
- **PC1**
- PING PC2
```
PC>ping 192.168.2.1
Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.1: bytes=32 seq=2 ttl=127 time<1 ms
From 192.168.2.1: bytes=32 seq=3 ttl=127 time=15 ms
From 192.168.2.1: bytes=32 seq=4 ttl=127 time=16 ms
From 192.168.2.1: bytes=32 seq=5 ttl=127 time=15 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/11/16 ms
```
- PING Server
```
PC>ping 192.168.3.1
Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
```
- **PC2**
- PING PC1
```
PC>ping 192.168.1.1
Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=127 time=16 ms
From 192.168.1.1: bytes=32 seq=2 ttl=127 time=16 ms
From 192.168.1.1: bytes=32 seq=3 ttl=127 time=15 ms
From 192.168.1.1: bytes=32 seq=4 ttl=127 time<1 ms
From 192.168.1.1: bytes=32 seq=5 ttl=127 time<1 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/9/16 ms
```
- PING Server
```
PC>ping 192.168.3.1
Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
From 192.168.3.1: bytes=32 seq=1 ttl=254 time=16 ms
From 192.168.3.1: bytes=32 seq=2 ttl=254 time=15 ms
From 192.168.3.1: bytes=32 seq=3 ttl=254 time=16 ms
From 192.168.3.1: bytes=32 seq=4 ttl=254 time<1 ms
From 192.168.3.1: bytes=32 seq=5 ttl=254 time=16 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/12/16 ms
```